    The Wallet Inspectors: The DPRK’s Sophisticated Campaign to Steal Cryptocurrency and How to Protect Yourself | Faegre Drinker Biddle & Reath LLP

    March 6, 2025


    On February 21, 2025, Bybit, one of the world’s largest cryptocurrency exchanges, suffered a cyberattack resulting in the theft of approximately $1.5 billion in Ethereum tokens.  This attack marked a new pinnacle in the criminal efforts of cyber actors tied to the Democratic People’s Republic of Korea (“North Korea” or the “DPRK”).  In recent years, these malicious actors have increasingly targeted the cryptocurrency industry, leveraging sophisticated tactics to steal and launder digital assets for the ultimate benefit of funding the North Korean government.  These high-profile and high-dollar-value exploits underscore the ongoing risk from the DPRK cyber threat and the need for private sector actors to implement appropriate cybersecurity measures to combat these threats.  The threat is particularly acute since most interactions with these actors raise the additional risk of committing a violation of U.S. sanctions, with corresponding civil and criminal legal exposure.

    This blog post delves into the details of recent cybercriminal activity attributed to actors tied to North Korea, their impact on the cryptocurrency sector, and the steps organizations should consider to mitigate those risks.

    Bybit, TraderTraitor, and the DPRK Cyberthreat

    The Bybit theft has been attributed by the Federal Bureau of Investigation to the DPRK cyber actors using a series of malware-laced cryptocurrency applications known as “TraderTraitor.”  The theft was wildly successful:  the amount stolen nearly doubles the amount attributed to cybercrime by DPRK-affiliated actors in the entirety of 2024.

    These North Korean cyber actors are known across the cybersecurity community as Lazarus Group, APT38, BlueNoroff, and Stardust Chollima, and have been active for years.  According to a 2022 Joint Cybersecurity Advisory from the U.S. government (the “Joint Advisory”), these actors have targeted a variety of organizations associated with cryptocurrency, including cryptocurrency exchanges, decentralized finance (DeFi) protocols, cryptocurrency trading companies, venture capital funds, and individual holders of large amounts of digital currency or non-fungible tokens (NFTs).

    Their methods often involve social engineering, phishing campaigns, and exploitation of software vulnerabilities to gain unauthorized access to digital assets.  As explained in the same Joint Advisory—which includes substantial technical information and computer code for cybersecurity experts—the actors use a multi-step process to achieve their criminal objective:

    • Engage in a spear phishing message campaign targeting system administrators, software developers, and IT professionals. The messages are designed to look like employment recruiting efforts and encourage the targets to download a cryptocurrency application laced with malware (the “TraderTraitor applications”).
    • The TraderTraitor applications purport to be cryptocurrency trading or price prediction tools, and the campaigns feature websites with modern designs and advertisements to make them appear legitimate.
    • Once downloaded and used by the target, the TraderTraitor applications often deploy a remote access trojan (RAT) that can collect system information, execute commands, and download additional payloads.
    • Once compromised, the actors are able to steal private keys and other information that allows them to gain access to and steal cryptocurrency.

    The Bybit hack also highlights the alarming speed and efficiency at which North Korean hackers have been able to launder stolen funds.  It has been reported that, within 48 hours of the hack, at least $160 million had been funneled through illicit channels, surpassing $400 million by February 26, 2025.  Security experts and law enforcement have observed that the rapid laundering process involves multiple intermediary wallets, conversion into different cryptocurrencies, and the use of decentralized exchanges, cross-chain bridges and cryptocurrency mixers to obfuscate the digital trail.

    The DPRK, Bounty Programs & Sanctions

    One of the more unique issues with DPRK cybercrime is its interaction with the U.S. sanctions regime.  The U.S. government’s North Korea Sanctions Program, primarily administered by the Office of Foreign Assets Control (OFAC), prohibits virtually all transactions with an individual or entity affiliated with the DPRK government absent a license.  There are criminal penalties for willful violations of these sanctions, but even inadvertent violations create a risk of civil enforcement and significant financial penalties.  In this context, U.S. persons engaging in cryptocurrency transactions with actors tied to the Lazarus Group and TraderTraitor may risk violating U.S. sanctions, whether or not they are aware of their ties to the DPRK.

    How to Mitigate Risk

    As recommended by experts including the FBI and CISA, the private sector should consider a number of steps to mitigate the risk of being targeted and successfully attacked by the DPRK:

    • Stay apprised of cybersecurity advisories from law enforcement and incorporate the information they provide—such as the list of Ethereum addresses released by the FBI related to the Bybit hack—into your security program.
    • Apply “defense-in-depth security,” including security principles such as least-access models and network segmentation to prevent lateral movement.
    • Maintain a timely vulnerability and patch management program.
    • Enforce credential requirements and multi-factor authentication (MFA) (but note that MFA vulnerabilities have been exploited by sophisticated cyber actors).
    • Educate your employees to recognize and reject social engineering techniques and phishing attempts.
    • Disable HTML in emails, scan email attachments, and monitor or restrict access to newly registered domains.
    • If you are hacked, be mindful of the additional risk of a potential sanctions violation and seek expert legal counsel to assist with both the incident mitigation efforts and strategic decisions surrounding any potential response to the threat actors.
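    The first mitigation above, screening your own transaction flow against the FBI-published address list, as an added example that is not code from the law firm's post or from the FBI advisory: a small Python screener that normalizes addresses before matching (published lists mix EIP-55 mixed case and lowercase) and checks both sides of every transfer. The flagged addresses, transaction ids and amounts are constructed placeholders; the real entries must be loaded from the advisory itself.

```python
import re

# Constructed placeholder addresses, NOT the FBI-published Bybit list: load the
# real advisory addresses (and OFAC SDN digital-currency addresses) here instead.
FLAGGED_ADDRESSES = {
    "0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",  # constructed, mixed case
    "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",  # constructed, lower case
}

_ADDR_RE = re.compile(r"0x[0-9a-fA-F]{40}")


def normalize(addr: str) -> str:
    """Canonicalise an Ethereum address before comparison.

    Published lists mix EIP-55 mixed-case and all-lowercase spellings of the
    same address; hex is case-insensitive, so a case-sensitive string match
    would miss hits. Malformed input raises instead of silently passing as clean.
    """
    addr = addr.strip()
    if not _ADDR_RE.fullmatch(addr):
        raise ValueError(f"not an Ethereum address: {addr!r}")
    return addr.lower()


BLOCKLIST = frozenset(normalize(a) for a in FLAGGED_ADDRESSES)


def screen(transfers):
    """Return [(tx_id, roles)] for every transfer touching a listed address.

    transfers: iterable of (tx_id, sender, recipient, value_eth). Both sides are
    checked: a deposit from a listed wallet is an exposure just as a withdrawal
    to one is, and roles names the matching side(s) so the alert says which.
    """
    hits = []
    for tx_id, sender, recipient, _value in transfers:
        roles = [role for role, addr in (("sender", sender), ("recipient", recipient))
                 if normalize(addr) in BLOCKLIST]
        if roles:
            hits.append((tx_id, roles))
    return hits


# Constructed sample transfers; ids, addresses and amounts are placeholders.
SAMPLE = [
    ("tx-1", "0x" + "11" * 20, "0x" + "22" * 20, 1.5),    # clean
    ("tx-2", "0x" + "33" * 20, "0x" + "aa" * 20, 40.0),   # recipient listed
    ("tx-3", "0x" + "BB" * 20, "0x" + "44" * 20, 0.2),    # sender listed (case differs)
]
```

Hold any hit for manual review before release; a match is also the trigger for the sanctions analysis the final bullet above describes.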
