The exchange said it guaranteed after the attack that client funds were safe and available for withdrawal. AP

North Korea behind $1.5 billion hack of Dubai-based Bybit, says FBI



North Korea was responsible for the theft of approximately $1.5 billion in virtual assets from cryptocurrency exchange Bybit this month, the US's Federal Bureau of Investigation said on Thursday.

The agency said it refers to this specific North Korean malicious cyber activity as "TraderTraitor", in which cyber actors from the Asian nation target organisations in the blockchain technology and cryptocurrency industry.

"TraderTraitor actors are proceeding rapidly and have converted some of the stolen assets to Bitcoin and other virtual assets dispersed across thousands of addresses on multiple blockchains," the FBI said in a public service announcement.

"It is expected these assets will be further laundered and eventually converted to fiat currency."

Bybit, which has more than 60 million users worldwide, said it was hit on Friday by what was the biggest cryptocurrency robbery ever recorded, in which 401,000 Ethereum worth more than $1.5 billion was stolen.

The crime was carried out through a "manipulation of the transfer process, during a planned routine transfer" on one of its cold wallets, the company said. A cold wallet is cryptocurrency storage that is not connected to the internet, shielding it from the possibility of theft or hacks.

The exchange said it guaranteed after the attack that client funds were safe and available for withdrawal and also processed more than 350,000 withdrawal requests within 12 hours of the hack.

Ben Zhou, who is chief executive and co-founder of the exchange, said in a live-stream that Bybit has secured a bridge loan from its partners, which has enabled it to secure nearly 80 per cent of the stolen Ethereum.

The cryptocurrency industry has increasingly become a target for cyber criminals. About $2.2 billion was stolen from crypto platforms in 2024, latest data from blockchain company Chainalysis shows.

The Bybit attack "was a highly sophisticated hack that targeted cold wallets via a blind signing type of exploit, whereby the attackers create a fake interface that deceives users, since it is a near identical copy of the trusted platform", Manuel Villegas, next generation research analyst at Julius Baer, said in a note on Tuesday.

"The management of the exchange handled it relatively well, facing the market front-on and reassuring clients regarding their assets under custody," he said. "This is a big change from the crisis management we saw back in 2022 after the unfortunate series of events that started with Terra Luna and Three Arrows Capital and ended up with the infamous FTX."

Also, with higher prices and increased activity, crypto users might see a growing number of scams and hacks, where even well-rounded professional traders could be in harm’s way, paving the way for additional investments in cybersecurity, Mr Villegas said.

"The situation, although relatively immaterial for Ethereum prices despite the almost 500,000 capsized tokens, is certainly painful for ByBit’s customers and will likely raise additional regulatory scrutiny."

The FBI on Thursday also urged private sector entities including exchanges, blockchain analytics firms, DeFi services, and other virtual asset service providers to block transactions with or derived from addresses TraderTraitor actors are using to launder the stolen assets.

It said it will continue to protect the virtual asset community "by identifying, mitigating, and disrupting North Korea's illicit cybercrime and virtual asset theft activities".

Updated: February 27, 2025, 4:55 PM