According to cybersecurity researchers, North Korean hackers executed the largest cryptocurrency heist in history, stealing $1.5 billion (£1.2bn) in just two minutes.
A post-mortem investigation commissioned by cryptocurrency exchange Bybit—recently targeted by a Pyongyang-linked group that stole hundreds of millions in Ethereum—has revealed how the attackers infiltrated its systems.
The hackers compromised a so-called cold wallet, a hardware-based storage system designed to keep cryptocurrency secure by remaining offline. These wallets, similar to encrypted USB drives, are considered highly secure.
However, when Bybit attempted to transfer funds from its cold wallet to an online account, the attackers struck within seconds, exploiting the transaction window.
Cybersecurity firms Sygnia and Verichains determined that the breach stemmed from a vulnerability in Safe Wallet, a technology used for secure transactions, after reconstructing the attack from digital records.
Two days before the attack, North Korean hackers—believed to be part of the notorious Lazarus Group—embedded malicious code into the online infrastructure of Safe Wallet, the system used to communicate with Bybit’s account upon activation.
Safe Global, the company behind Safe Wallet, revealed that the hackers had successfully “compromised the machine of a Safe Wallet developer,” attributing the breach to the group’s “sophisticated social engineering attacks.”
The injected code was specifically crafted to exploit Bybit’s wallet. It was designed to mimic the coded “signature” of three key accounts, including that of Bybit’s chief executive, allowing the attackers to bypass security checks.
At 2:15 PM last Friday, when Bybit attempted to transfer funds, the hackers activated their backdoor function, instantly draining 400,000 Ethereum coins from the exchange’s wallets.
According to a report by Sygnia, “two minutes after the malicious transaction was executed and published,” the hackers deleted their code and exited the system before Bybit even detected the theft.
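The article describes attackers embedding code in the online infrastructure of Safe Wallet so that what the exchange's signers approved was not what they intended. The check below is an added example, not code from the article, Bybit, Safe Global, Sygnia or Verichains: a release-manifest integrity audit that compares the JavaScript a web wallet front-end actually serves against hashes pinned at build time, the same SHA-384/base64 format browsers accept in a Subresource Integrity attribute. The file names, bundle contents and manifest are constructed for the example.

```python
"""Added example: integrity audit of a served web-wallet front-end bundle.

Not code from the article or from any of the companies it names. The bundle
contents, file names and manifest below are constructed sample data.
"""
import base64
import hashlib

# Constructed sample: the front-end bundle exactly as released (assumption).
KNOWN_GOOD_BUNDLE = b"export function buildTx(to, value) { return { to, value }; }\n"

# Constructed sample: the same bundle with an unexpected snippet appended,
# standing in for a modified file served from compromised infrastructure.
INJECTED_BUNDLE = KNOWN_GOOD_BUNDLE + b"/* unexpected code */ console.log('x');\n"


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity string, e.g. "sha384-<base64 digest>".

    This is the format a browser accepts in <script integrity="...">, so the
    same manifest can drive both server-side audits and client-side pinning.
    """
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


# Pinned manifest: file name -> expected SRI hash, generated at release time
# from the known-good build, never from whatever the server currently serves.
MANIFEST = {"app.js": sri_hash(KNOWN_GOOD_BUNDLE)}


def verify_bundle(name: str, served: bytes, manifest: dict) -> dict:
    """Compare one served file against the release manifest.

    Returns a result dict whose "status" is "ok", "TAMPERED" (hash mismatch)
    or "unpinned" (the manifest does not cover this file at all).
    """
    expected = manifest.get(name)
    # Hash with the algorithm the manifest entry names; default to sha384.
    algo = expected.split("-", 1)[0] if expected else "sha384"
    actual = sri_hash(served, algo)
    if expected is None:
        return {"file": name, "status": "unpinned", "actual": actual}
    if actual != expected:
        return {"file": name, "status": "TAMPERED", "expected": expected, "actual": actual}
    return {"file": name, "status": "ok", "actual": actual}


def audit(served_files: dict, manifest: dict) -> list:
    """Audit every served file and also report pinned files the server no longer serves."""
    results = [verify_bundle(name, content, manifest) for name, content in served_files.items()]
    for name in manifest:
        if name not in served_files:
            results.append({"file": name, "status": "missing"})
    return results


if __name__ == "__main__":
    # Clean deployment: every file matches its pinned hash.
    for result in audit({"app.js": KNOWN_GOOD_BUNDLE}, MANIFEST):
        print(result)
    # Modified deployment: the appended snippet changes the digest and is flagged.
    for result in audit({"app.js": INJECTED_BUNDLE}, MANIFEST):
        print(result)
```

In practice the audit runs from a host independent of the web servers, fetching each bundle over the public URL on a short interval, so that a change in served content is noticed within minutes rather than after a transaction has already been signed. Hardware signers that display the full transaction digest remain the last line of defence, since a clean front-end check says nothing about what a signer is shown.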
Following the heist, the North Korean group has been rapidly laundering the stolen funds through multiple cryptocurrency exchanges.
On Wednesday, the FBI officially attributed the heist to North Korea, identifying the hacking group responsible under the codename TraderTraitor.
The agency warned that the hackers are “moving quickly,” having already converted a portion of the stolen assets into Bitcoin and other cryptocurrencies, dispersing them across thousands of addresses on multiple blockchains.