ByBit Hack: How North Korea Stole $1.5 Billion in Crypto

14 March 2026 Rebecca Andrews

The biggest cryptocurrency heist in history didn’t happen in a dark web forum. It didn’t start with a phishing email or a leaked password. On February 21, 2025, a state-backed hacking team from North Korea broke into Bybit, one of the world’s top crypto exchanges, and walked away with $1.5 billion in Ethereum. This wasn’t just a breach. It was a calculated strike that exposed deep flaws in how even the most secure crypto platforms store assets.

How the Hack Happened

Bybit wasn’t caught off guard by a rookie hacker. The attackers targeted its cold wallets - offline storage systems designed to be unhackable because they’re not connected to the internet. These are the digital vaults exchanges use to keep the bulk of their users’ funds safe. The fact that these were breached means the attackers didn’t just guess a password. They got their hands on the actual private keys.

According to blockchain analysts at TRM Labs, the attack likely came from one of three places: an insider with access, a supply chain compromise (like a hacked software update), or a flaw in the multi-signature system that was supposed to require multiple approvals before any transfer. Whatever the method, the hackers bypassed every layer of security that Bybit had in place.

Once inside, they moved fast. Within hours, they began swapping the Ethereum for assets on other blockchains - Binance Smart Chain, Solana, and eventually Bitcoin. Why Bitcoin? Because it’s harder to trace than Ethereum. Bitcoin’s network is older, more decentralized, and less transparent about transaction history. It’s the perfect hiding place for stolen funds.

Who Did It? TraderTraitor

The FBI didn’t just say "North Korea did it." They named the group: TraderTraitor. This isn’t a random hacker collective. It’s a specialized unit under North Korea’s Reconnaissance General Bureau, the same agency that runs the infamous Lazarus Group. TraderTraitor has been active since at least 2022, and this was their biggest job yet.

Unlike earlier North Korean crypto thieves who relied on phishing scams and malware, TraderTraitor operates like a military unit. They study their targets for months. They test defenses. They exploit weaknesses in software updates, cloud services, and third-party vendors. They’ve been linked to attacks on JumpCloud and other enterprise platforms. This wasn’t luck. It was precision.

The FBI released a public list of Ethereum addresses tied to the heist and asked every exchange, bridge, and blockchain service to block transactions from them. That’s rare. Law enforcement doesn’t usually name names like this - but they did because the scale of the theft threatened the entire crypto ecosystem.

Why This Hack Changed Everything

Before this, most people thought cold wallets were untouchable. Now, no one believes that anymore. Even if your exchange uses hardware wallets, multi-sig, or geographically separated key holders - if one person in the chain is compromised, or one piece of software is tampered with, the whole system can collapse.

The hackers didn’t just steal money. They stole trust. And they did it on purpose. North Korea doesn’t need to hide anymore. They’ve made it clear: if you’re a crypto exchange, you’re a target.

The stolen funds were moved through over 12,000 different wallet addresses across 17 blockchains. The goal wasn’t just to vanish. It was to overwhelm. This is called "flood the zone" - flooding networks with so many tiny transactions that analysts can’t follow the trail. It’s like dumping a million coins into a river and hoping no one notices which one you took.

[Illustration: a river of Bitcoin coins floods blockchain bridges as a hooded figure dumps stolen funds into the chaos.]

Where Did the Money Go?

Most of the stolen Ethereum was converted into Bitcoin. And then? It stopped moving. For weeks after the heist, the bulk of the converted Bitcoin sat in a handful of wallets. No sales. No transfers. No trades.

Why? Because cashing out $1.5 billion in Bitcoin all at once would crash the market. It would attract attention. So the hackers are waiting. They’re likely working with OTC (over-the-counter) traders - private brokers who move large sums without public records. These traders help launder funds quietly, selling Bitcoin to buyers who don’t ask questions.

Some of the funds may have already been converted into real-world assets: luxury cars, real estate, gold. North Korea has done this before. After the 2022 $600 million Harmony Bridge hack, investigators traced stolen crypto to a luxury apartment in Dubai and a private jet in Kazakhstan.

Why North Korea Keeps Doing This

This isn’t about ideology. It’s about survival.

North Korea is under crippling international sanctions. They can’t sell oil. They can’t import medicine. They can’t access global banking. So they turned to crypto.

In 2024 alone, North Korea stole $800 million from 47 different crypto targets. The $1.5 billion ByBit heist more than doubled that. Experts estimate that nearly half of North Korea’s foreign currency income now comes from cybercrime. And that money? It’s funding their nuclear weapons program.

A United Nations report confirmed that the DPRK uses stolen crypto to buy missile parts, uranium, and components for their ICBMs. This isn’t just a crime. It’s a national security threat.

[Illustration: a North Korean general buys missile parts with stolen Bitcoin in a dim bunker, under a hologram of nuclear weapons.]

What Exchanges Are Doing Now

After the hack, every major exchange scrambled to upgrade their security. Some started using quantum-resistant encryption. Others began splitting keys across three continents, stored in physically separate vaults. A few even hired former military cyber units to audit their systems.

But the truth is, no system is foolproof. Even the most advanced multi-sig wallets can be broken if one key is stolen. The only real defense now is decentralization - moving away from centralized exchanges entirely.

That’s why DeFi (decentralized finance) protocols are gaining traction. If you control your own keys, no exchange can be hacked to steal your funds. But that comes with a trade-off: if you lose your private key, your money is gone forever. There’s no customer service. No recovery. Just you and your seed phrase.

The Bigger Picture

The ByBit hack wasn’t just a financial crime. It was a turning point. It proved that nation-states can now steal more in a single day than most banks lose in a year. It showed that crypto’s biggest weakness isn’t technology - it’s trust in centralized systems.

Governments are starting to respond. The U.S., EU, and Japan are working on new rules to force exchanges to report suspicious activity in real time. The FATF (Financial Action Task Force) is pushing for global standards on crypto wallet tracking.

But until every exchange, every bridge, every wallet provider implements the same level of defense, this kind of theft will keep happening. And North Korea? They’re already planning their next move.

How did North Korea hackers get into Bybit’s cold wallets?

The hackers likely exploited a vulnerability in Bybit’s multi-signature system, possibly through a supply chain compromise (like a hacked software update) or an insider leak. Cold wallets are offline by design, but if the private keys are ever accessed during a transaction or if the signing devices are compromised, the system can be breached. Evidence suggests the attackers had prolonged access and used advanced techniques to bypass security layers.
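The failure mode this answer and the earlier section on the multi-signature system describe, keys that are only exposed at signing time and signing devices that can be tampered with, comes down to one control: each approval must be bound to the exact transaction the signer reviewed, and the policy must only release a transfer when enough distinct signers approved that exact transaction. The following is an added example, not Bybit's code or any wallet vendor's. Real signers use ECDSA or EdDSA keys on hardware devices; an HMAC with a per-signer secret stands in for the signature here so the example runs with the standard library alone, and the transactions, signer names and secrets are constructed placeholders.

```python
"""m-of-n approval check that binds every approval to the transaction the signer saw.

Added example; signer secrets and transactions are constructed data, and HMAC
stands in for the asymmetric signature a hardware signer would produce.
"""
import hashlib
import hmac
import json


def tx_digest(tx: dict) -> bytes:
    """Canonical JSON (sorted keys, no whitespace) so every party hashes identical bytes."""
    canonical = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).digest()


# Constructed per-signer secrets (stand-ins for private keys held on separate devices).
SIGNER_SECRETS = {
    "signer-a": b"constructed-secret-a",
    "signer-b": b"constructed-secret-b",
    "signer-c": b"constructed-secret-c",
}


def approve(signer: str, tx_as_shown: dict) -> dict:
    """What one key holder produces after reviewing the transaction on their own device.
    The digest of *what they saw* is part of the approval, not just the signature."""
    d = tx_digest(tx_as_shown)
    sig = hmac.new(SIGNER_SECRETS[signer], d, hashlib.sha256).hexdigest()
    return {"signer": signer, "digest": d.hex(), "sig": sig}


def verify_policy(tx_to_broadcast: dict, approvals: list, threshold: int):
    """Accept only if >= threshold distinct, known signers approved the digest of the
    exact transaction about to be broadcast. Returns (accepted, valid_signers, reasons)."""
    expected = tx_digest(tx_to_broadcast).hex()
    valid, reasons = set(), []
    for a in approvals:
        name = a.get("signer")
        if name not in SIGNER_SECRETS:
            reasons.append(f"{name}: unknown signer")
            continue
        if not hmac.compare_digest(a.get("digest", ""), expected):
            reasons.append(f"{name}: approved a different transaction than the one being broadcast")
            continue
        mac = hmac.new(SIGNER_SECRETS[name], bytes.fromhex(a["digest"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, a.get("sig", "")):
            reasons.append(f"{name}: signature does not verify")
            continue
        valid.add(name)  # a set, so the same signer approving twice counts once
    return len(valid) >= threshold, sorted(valid), reasons


# Constructed transactions: the intended transfer and a copy with the recipient swapped.
INTENDED_TX = {"chain": "ethereum", "from": "cold-wallet-1", "to": "hot-wallet-1",
               "amount_eth": 1000, "nonce": 17}
TAMPERED_TX = dict(INTENDED_TX, to="attacker-controlled-placeholder")


def demo():
    """Three outcomes: honest release, payload swapped after review, too few signers."""
    approvals = [approve("signer-a", INTENDED_TX), approve("signer-b", INTENDED_TX)]
    honest = verify_policy(INTENDED_TX, approvals, threshold=2)
    swapped = verify_policy(TAMPERED_TX, approvals, threshold=2)
    short = verify_policy(INTENDED_TX, approvals[:1], threshold=2)
    return honest, swapped, short


if __name__ == "__main__":
    for label, result in zip(("honest", "swapped", "short"), demo()):
        print(label, result)
```

The check refuses the swapped payload because the approvals carry the digest of the transaction the signers actually reviewed. Its limit is equally important: if compromised client software shows every signer the same tampered transaction, their approvals match the tampered digest and the policy passes. That is why the signing device itself should decode and display the transaction from the raw bytes it is about to sign, rather than trusting the description the client software supplies.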

Why did they convert Ethereum to Bitcoin?

Ethereum transactions are easier to track because of the chain’s transparent ledger and the advanced analytics tools built around it. Bitcoin, while still traceable, has older infrastructure and more OTC trading options, making it harder to monitor large movements. Converting to Bitcoin allowed the hackers to obscure the origin of funds and prepare for long-term laundering through private brokers.

Is Bybit still safe to use?

Bybit has since upgraded its security infrastructure, including implementing hardware security modules (HSMs), stricter access controls, and third-party audits. However, no centralized exchange can guarantee 100% safety against state-sponsored attacks. Users should consider moving large holdings to self-custody wallets they control directly.

Can stolen crypto be recovered?

Recovery is extremely unlikely. Once crypto is converted to Bitcoin and moved through OTC channels or mixed across thousands of wallets, tracing it to a specific individual is nearly impossible. The FBI has frozen some addresses, but the majority of funds have been obfuscated beyond recovery. Law enforcement focuses on blocking future transactions rather than retrieving stolen assets.

How much crypto has North Korea stolen total?

Since 2017, North Korean hacking groups have stolen over $4 billion in cryptocurrency. The $1.5 billion ByBit heist alone made up nearly 40% of all crypto theft in 2025. In 2024, they stole $800 million across 47 separate incidents. This makes them the most prolific state-sponsored crypto thief in history.

Rebecca Andrews

I'm a blockchain analyst and cryptocurrency content strategist. I publish practical guides on coin fundamentals, exchange mechanics, and curated airdrop opportunities. I also advise startups on tokenomics and risk controls. My goal is to translate complex protocols into clear, actionable insights.

15 Comments

  • Kira Dreamland
    March 15, 2026 AT 05:59

    Wow. Just... wow. I’ve been holding ETH for years and never thought cold wallets could be breached like this. It’s terrifying how one weak link - a single compromised update or insider - can collapse an entire system. I’m moving everything to hardware wallets now. No more trusting exchanges, even the big ones.

    Also, anyone else notice how the FBI naming the group ‘TraderTraitor’ feels like a movie title? Like, next they’ll release a Netflix docu-series with dramatic reenactments.

  • Ann Liu
    March 16, 2026 AT 04:23

    Technically, cold wallets aren’t ‘unhackable’ - they’re ‘air-gapped.’ The vulnerability wasn’t in the storage, it was in the signing process. If the private key ever leaves the secure environment - even briefly - to sign a transaction via a compromised device or network, the air gap is broken. This attack likely involved a man-in-the-middle during key signing, not direct access to the vaults. The real failure? Lack of hardware isolation during signing operations.

  • Graham Smith
    March 16, 2026 AT 19:37

    Let’s be clear: this isn’t a ‘hack’ in the traditional sense. It’s a strategic asymmetric cyber operation executed by a state actor with decades of institutionalized cyber-warfare doctrine. The term ‘heist’ is a media misnomer - this was a kinetic cyber strike against financial infrastructure, equivalent to a naval blockade in the digital domain.

    Bybit’s multi-sig architecture was never the issue. The failure was ontological: they assumed trustworthiness in their supply chain. In the age of quantum-enabled threat actors, this is akin to believing your bank vault is secure because the key is made of steel.

  • Katrina Smith
    March 18, 2026 AT 06:57

    so like... the fbi named them tradertraitor?? lmao. next they'll name a group 'bitcoinbender' and we'll have a meme war with north korea. 🤡

  • Bruce Doucette
    March 19, 2026 AT 10:56

    You people are acting like this is the first time a state has stolen crypto. Wake up. This is just the first one they got caught doing. They’ve been laundering through DeFi bridges since 2020. The $1.5B? That’s the tip of the iceberg. The real money? Already in Dubai real estate, Swiss gold vaults, and private jets registered under shell companies in the Caymans.

    And no - the FBI isn’t ‘helping.’ They’re just trying to look good before the midterms.

  • Patty Atima
    March 20, 2026 AT 05:24

    i just moved my whole portfolio to a ledger. no more exchanges. period. 🙌

  • Diane Overwise
    March 20, 2026 AT 11:45

    How ironic that the world’s most advanced crypto security system was undone by… a software update. I mean, we’ve all installed updates that broke our phones. Now imagine that update was written by a hacker in Pyongyang who’s been waiting 18 months to exploit a single line of code.

    And yes, I’m laughing. Because if you think your ‘enterprise-grade’ wallet is safe, you’re the same person who still uses ‘password123’.

    Also - if North Korea can steal $1.5B and no one catches them, does that mean they’re now the world’s most successful hedge fund? 🤔

  • anshika garg
    March 21, 2026 AT 21:57

    I sit here in my tiny apartment in Delhi, sipping chai, reading this… and I feel something deep.

    Not fear.

    Not anger.

    But… recognition.

    This isn’t just about crypto. It’s about power. Who controls the invisible money? Who gets to decide what’s real and what’s stolen?

    North Korea didn’t steal money.

    They stole the illusion that systems are safe.

    And maybe… that’s the most valuable thing they’ve ever taken.

  • Jerry Panson
    March 23, 2026 AT 10:23

    While the technical details of the breach are significant, the broader implication is far more consequential: the erosion of institutional trust in centralized financial infrastructure. The fact that a nation-state actor could execute a precision cyber operation against a Tier-1 exchange without detection for months speaks to systemic failures in intelligence sharing, supply chain vetting, and cryptographic governance.

    It is not a failure of technology - it is a failure of governance.

  • Anastasia Danavath
    March 25, 2026 AT 08:39

    i just lost my entire life savings in a rug pull last week so this feels kinda personal lol 💀😭

  • Lucy de Gruchy
    March 25, 2026 AT 23:40

    Let’s be honest - this was never North Korea. The FBI’s ‘evidence’ is fabricated. They needed a scapegoat to justify new crypto surveillance laws. The real culprits? The same people who wrote the code for Bybit’s ‘secure’ signing protocol. The same people who got paid millions to ‘audit’ it.

    Who owns Chainalysis? Who owns the blockchain analytics tools that track everything? Who’s really controlling the narrative?

    Wake up. This is a psyop.

  • Dionne van Diepenbeek
    March 26, 2026 AT 03:31

    why do we keep trusting companies to hold our money when we know they can get hacked why why why

  • Tony Weaver
    March 27, 2026 AT 05:49

    The entire narrative around this event is a textbook case of performative cybersecurity theater. The media latches onto the ‘$1.5B heist’ because it’s emotionally resonant, but the real story - the systemic collapse of trust in centralized custody models - is buried under sensationalism.

    Bybit’s multi-sig implementation was fundamentally flawed: they used threshold signatures with homomorphic encryption, which is vulnerable to lattice-based attacks if the randomness source is compromised - and given their vendor was based in a jurisdiction with known backdoor mandates, the probability of a compromised RNG is >92%.

    And yet, no one is talking about the cryptographic architecture. Everyone’s too busy debating whether Bitcoin is ‘better’ for laundering.

    Pathetic.

  • john peter
    March 27, 2026 AT 23:27

    One must consider the ontological implications of this event. The theft of $1.5 billion in digital assets is not merely an economic crime - it is a metaphysical rupture in the social contract of value itself. The notion that cryptographic trust can be divorced from institutional legitimacy has been irrevocably shattered.

    One cannot build a civilization on code alone. Trust, after all, is not a protocol - it is a human condition. And when the state, the most ancient and formidable institution of trust, becomes the thief - what remains?

    We are not witnessing a hack.

    We are witnessing the death of the digital economy as we knew it.

  • Lauren J. Walter
    March 29, 2026 AT 12:36

    I read this whole thing.

    Then I cried.

    Then I deleted my exchange accounts.

    Then I stared at my seed phrase for 20 minutes.

    Then I went to bed.

    ...I don’t know what else to do.
