
ByBit Hack: How North Korea Stole $1.5 Billion in Crypto

14 March 2026 Rebecca Andrews

The biggest cryptocurrency heist in history didn’t happen in a dark web forum. It didn’t start with a phishing email or a leaked password. On February 21, 2025, a state-backed hacking team from North Korea broke into Bybit, one of the world’s top crypto exchanges, and walked away with $1.5 billion in Ethereum. This wasn’t just a breach. It was a calculated strike that exposed deep flaws in how even the most secure crypto platforms store assets.

How the Hack Happened

Bybit wasn’t caught off guard by a rookie hacker. The attackers targeted its cold wallets - offline storage systems designed to be unhackable because they’re not connected to the internet. These are the digital vaults exchanges use to keep the bulk of their users’ funds safe. The fact that these were breached means the attackers didn’t just guess a password. They got their hands on the actual private keys.

According to blockchain analysts at TRM Labs, the attack likely came from one of three places: an insider with access, a supply chain compromise (like a hacked software update), or a flaw in the multi-signature system that was supposed to require multiple approvals before any transfer. Whatever the method, the hackers bypassed every layer of security that Bybit had in place.

Once inside, they moved fast. Within hours, they began converting Ethereum into other blockchains - Binance Smart Chain, Solana, and eventually Bitcoin. Why Bitcoin? Because it’s harder to trace than Ethereum. Bitcoin’s network is older, more decentralized, and less transparent about transaction history. It’s the perfect hiding place for stolen funds.

Who Did It? TraderTraitor

The FBI didn’t just say "North Korea did it." They named the group: TraderTraitor. This isn’t a random hacker collective. It’s a specialized unit under North Korea’s Reconnaissance General Bureau, the same agency that runs the infamous Lazarus Group. TraderTraitor has been active since at least 2022, and this was their biggest job yet.

Unlike earlier North Korean crypto thieves who relied on phishing scams and malware, TraderTraitor operates like a military unit. They study their targets for months. They test defenses. They exploit weaknesses in software updates, cloud services, and third-party vendors. They’ve been linked to attacks on JumpCloud and other enterprise platforms. This wasn’t luck. It was precision.

The FBI released a public list of Ethereum addresses tied to the heist and asked every exchange, bridge, and blockchain service to block transactions from them. That’s rare. Law enforcement doesn’t usually name names like this - but they did because the scale of the theft threatened the entire crypto ecosystem.

Why This Hack Changed Everything

Before this, most people thought cold wallets were untouchable. Now, no one believes that anymore. Even if your exchange uses hardware wallets, multi-sig, or geographically separated key holders - if one person in the chain is compromised, or one piece of software is tampered with, the whole system can collapse.

The hackers didn’t just steal money. They stole trust. And they did it on purpose. North Korea doesn’t need to hide anymore. They’ve made it clear: if you’re a crypto exchange, you’re a target.

The stolen funds were moved through over 12,000 different wallet addresses across 17 blockchains. The goal wasn’t just to vanish. It was to overwhelm. This is called "flood the zone" - flooding networks with so many tiny transactions that analysts can’t follow the trail. It’s like dumping a million coins into a river and hoping no one notices which one you took.
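The address list and the fan-out described above interact badly for defenders: an exact-match blocklist stops catching funds one transfer after they leave a listed address. The sketch below is an added example, not code from the FBI, Bybit, or any analytics vendor; every address and transfer in it is constructed, and the function names and the hop limit are assumptions. It normalizes address case before matching and then walks the transfer graph outward from the listed addresses, so a deposit can be scored by how many hops separate it from the list.

```python
from collections import deque

def fake(n):
    """Constructed 20-byte placeholder address, not a real indicator."""
    return "0x" + format(n, "040x")

# Hypothetical blocklist entry, written with upper-case hex digits the way
# checksummed addresses often appear in published lists.
BLOCKLIST = {"0x" + format(0xABCDEF, "040X")}

# Constructed (sender, receiver) transfers: the listed address fans out to
# fresh addresses, and one branch is forwarded twice more.
TRANSFERS = [
    (fake(0xABCDEF), fake(0x11)),
    (fake(0xABCDEF), fake(0x12)),
    (fake(0x11), fake(0x21)),
    (fake(0x21), fake(0x31)),
    (fake(0x90), fake(0x91)),  # unrelated activity
]

def norm(addr):
    """Compare addresses case-insensitively; hex case carries no identity."""
    return addr.strip().lower()

def taint_hops(blocklist, transfers, max_hops):
    """Breadth-first walk from listed addresses; returns {address: hops}."""
    graph = {}
    for src, dst in transfers:
        graph.setdefault(norm(src), set()).add(norm(dst))
    hops = {norm(a): 0 for a in blocklist}
    queue = deque(hops)
    while queue:
        cur = queue.popleft()
        if hops[cur] >= max_hops:
            continue  # stop expanding at the configured depth
        for nxt in graph.get(cur, ()):
            if nxt not in hops:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    return hops

def screen(sender, hops):
    """Listed address: block. Downstream of one: manual review. Else allow."""
    d = hops.get(norm(sender))
    if d is None:
        return "allow"
    return "block" if d == 0 else "review"
```

The hop limit is the trade-off: too low and forwarded funds pass as clean, too high and review queues fill with addresses that only touched tainted funds incidentally.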


Where Did the Money Go?

Most of the stolen Ethereum was converted into Bitcoin. And then? It stopped moving. For weeks after the heist, the bulk of the converted Bitcoin sat in a handful of wallets. No sales. No transfers. No trades.

Why? Because cashing out $1.5 billion in Bitcoin all at once would crash the market. It would attract attention. So the hackers are waiting. They’re likely working with OTC (over-the-counter) traders - private brokers who move large sums without public records. These traders help launder funds quietly, selling Bitcoin to buyers who don’t ask questions.

Some of the funds may have already been converted into real-world assets: luxury cars, real estate, gold. North Korea has done this before. After the 2022 $600 million Harmony Bridge hack, investigators traced stolen crypto to a luxury apartment in Dubai and a private jet in Kazakhstan.

Why North Korea Keeps Doing This

This isn’t about ideology. It’s about survival.

North Korea is under crippling international sanctions. They can’t sell oil. They can’t import medicine. They can’t access global banking. So they turned to crypto.

In 2024 alone, North Korea stole $800 million from 47 different crypto targets. The $1.5 billion ByBit heist more than doubled that. Experts estimate that nearly half of North Korea’s foreign currency income now comes from cybercrime. And that money? It’s funding their nuclear weapons program.

A United Nations report confirmed that the DPRK uses stolen crypto to buy missile parts, uranium, and components for their ICBMs. This isn’t just a crime. It’s a national security threat.


What Exchanges Are Doing Now

After the hack, every major exchange scrambled to upgrade their security. Some started using quantum-resistant encryption. Others began splitting keys across three continents, stored in physically separate vaults. A few even hired former military cyber units to audit their systems.

But the truth is, no system is foolproof. Even the most advanced multi-sig wallets can be broken if one key is stolen. The only real defense now is decentralization - moving away from centralized exchanges entirely.

That’s why DeFi (decentralized finance) protocols are gaining traction. If you control your own keys, no exchange can be hacked to steal your funds. But that comes with a trade-off: if you lose your private key, your money is gone forever. There’s no customer service. No recovery. Just you and your seed phrase.

The Bigger Picture

The ByBit hack wasn’t just a financial crime. It was a turning point. It proved that nation-states can now steal more in a single day than most banks lose in a year. It showed that crypto’s biggest weakness isn’t technology - it’s trust in centralized systems.

Governments are starting to respond. The U.S., EU, and Japan are working on new rules to force exchanges to report suspicious activity in real time. The FATF (Financial Action Task Force) is pushing for global standards on crypto wallet tracking.

But until every exchange, every bridge, every wallet provider implements the same level of defense, this kind of theft will keep happening. And North Korea? They’re already planning their next move.

How did North Korean hackers get into Bybit’s cold wallets?

The hackers likely exploited a vulnerability in Bybit’s multi-signature system, possibly through a supply chain compromise (like a hacked software update) or an insider leak. Cold wallets are offline by design, but if the private keys are ever accessed during a transaction or if the signing devices are compromised, the system can be breached. Evidence suggests the attackers had prolonged access and used advanced techniques to bypass security layers.

Why did they convert Ethereum to Bitcoin?

Ethereum transactions are easier to track because of its transparent ledger and advanced analytics tools. Bitcoin, while still traceable, has older infrastructure and more OTC trading options, making it harder to monitor large movements. Converting to Bitcoin allowed the hackers to obscure the origin of funds and prepare for long-term laundering through private brokers.

Is Bybit still safe to use?

Bybit has since upgraded its security infrastructure, including implementing hardware security modules (HSMs), stricter access controls, and third-party audits. However, no centralized exchange can guarantee 100% safety against state-sponsored attacks. Users should consider moving large holdings to self-custody wallets they control directly.

Can stolen crypto be recovered?

Recovery is extremely unlikely. Once crypto is converted to Bitcoin and moved through OTC channels or mixed across thousands of wallets, tracing it to a specific individual is nearly impossible. The FBI has frozen some addresses, but the majority of funds have been obfuscated beyond recovery. Law enforcement focuses on blocking future transactions rather than retrieving stolen assets.

How much crypto has North Korea stolen total?

Since 2017, North Korean hacking groups have stolen over $4 billion in cryptocurrency. The $1.5 billion ByBit heist alone made up nearly 40% of all crypto theft in 2025. In 2024, they stole $800 million across 47 separate incidents. This makes them the most prolific state-sponsored crypto thief in history.

Rebecca Andrews

I'm a blockchain analyst and cryptocurrency content strategist. I publish practical guides on coin fundamentals, exchange mechanics, and curated airdrop opportunities. I also advise startups on tokenomics and risk controls. My goal is to translate complex protocols into clear, actionable insights.
