North Korea Responsible for $1.5 Billion Bybit Hack

Summary:
On February 21, 2025, cryptocurrency exchange Bybit disclosed that attackers had stolen more than $1.5 billion worth of cryptocurrency from one of its Ethereum cold wallets, the largest single crypto theft recorded to date. According to Bybit, the theft occurred during a routine transfer from its ETH multisig cold wallet to a warm wallet. The signing interface was tampered with so that it displayed the expected destination address while the payload the signers actually approved altered the cold wallet's underlying smart contract logic; once that transaction executed, the attacker controlled the wallet and moved its holdings to an unidentified address. Subsequent investigation (see the second link below) traced the tampered interface to a supply-chain compromise of the Safe{Wallet} front end Bybit used for the transfer.
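The defensive lesson from the paragraph above is that a signer cannot trust what a web UI renders; the only reliable input is the calldata actually presented for signature. The following is an added example (not Bybit's, Safe's or the FBI's code) that decodes a Safe-style execTransaction payload and applies a fixed policy for a plain cold-to-warm ETH sweep. It assumes Safe's execTransaction ABI layout and selector (0x6a761202) and Safe's operation enum (0 = CALL, 1 = DELEGATECALL, the latter able to rewrite the wallet's own logic); the policy limits, the wallet addresses and both calldata blobs are constructed for illustration.

```python
"""Independent pre-signing check for a Safe-style execTransaction payload.

Added example (not Bybit's, Safe's or the FBI's code). Decodes the calldata
a signer is asked to approve and applies a fixed policy to the decoded
fields, instead of trusting what a (possibly tampered) web UI shows. The
ABI layout, selector and 'operation' enum are Safe's; the policy, the
addresses and both calldata blobs below are constructed for illustration.
"""

EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")  # Safe execTransaction(...)
CALL, DELEGATECALL = 0, 1                               # Safe 'operation' enum
WEI_PER_ETH = 10**18


def _word(x: int) -> bytes:
    return x.to_bytes(32, "big")


def _addr_word(addr: str) -> bytes:
    return bytes(12) + bytes.fromhex(addr[2:])


def _pad32(b: bytes) -> bytes:
    return b + bytes(-len(b) % 32)


def encode_exec_transaction(to: str, value: int, data: bytes, operation: int,
                            signatures: bytes = b"") -> bytes:
    """Minimal ABI encoder, used only to build the constructed samples.
    Gas parameters, gasToken and refundReceiver are fixed to zero."""
    zero = "0x" + "00" * 20
    data_off = 10 * 32                       # dynamic tail starts after 10 head words
    sig_off = data_off + 32 + len(_pad32(data))
    head = b"".join([
        _addr_word(to), _word(value), _word(data_off), _word(operation),
        _word(0), _word(0), _word(0), _addr_word(zero), _addr_word(zero),
        _word(sig_off),
    ])
    tail = _word(len(data)) + _pad32(data) + _word(len(signatures)) + _pad32(signatures)
    return EXEC_TRANSACTION_SELECTOR + head + tail


def decode_exec_transaction(calldata: bytes) -> dict:
    """Decode the fields a signer must inspect, straight from the calldata."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction call: selector %s" % calldata[:4].hex())
    body = calldata[4:]

    def word(i: int) -> bytes:
        return body[32 * i:32 * (i + 1)]

    def dynamic_bytes(offset: int) -> bytes:
        n = int.from_bytes(body[offset:offset + 32], "big")
        return body[offset + 32:offset + 32 + n]

    return {
        "to": "0x" + word(0)[12:].hex(),
        "value": int.from_bytes(word(1), "big"),
        "data": dynamic_bytes(int.from_bytes(word(2), "big")),
        "operation": int.from_bytes(word(3), "big"),
        "gasToken": "0x" + word(7)[12:].hex(),
        "refundReceiver": "0x" + word(8)[12:].hex(),
    }


def check_signing_request(calldata: bytes, expected_to: str, max_value_wei: int) -> list:
    """Policy for a plain ETH sweep from cold to warm wallet. Returns a list of
    findings; an empty list means the payload matches what was intended."""
    tx = decode_exec_transaction(calldata)
    findings = []
    if tx["operation"] != CALL:
        findings.append("operation=%d (DELEGATECALL): payload can rewrite the wallet's own logic"
                        % tx["operation"])
    if tx["to"].lower() != expected_to.lower():
        findings.append("destination %s is not the expected warm wallet %s" % (tx["to"], expected_to))
    if tx["data"]:
        findings.append("a plain ETH transfer must carry empty data, got %d bytes" % len(tx["data"]))
    if tx["value"] > max_value_wei:
        findings.append("value %d wei exceeds policy limit" % tx["value"])
    return findings


# Constructed placeholder addresses, not real Bybit or attacker addresses.
WARM_WALLET = "0x" + "11" * 20
ATTACKER_CONTRACT = "0x" + "ee" * 20

# What the signers believed they were approving: 1,000 ETH to the warm wallet.
BENIGN = encode_exec_transaction(WARM_WALLET, 1_000 * WEI_PER_ETH, b"", CALL)
# What a tampered UI could substitute while still rendering WARM_WALLET on
# screen: a DELEGATECALL into attacker code with an arbitrary payload.
MALICIOUS = encode_exec_transaction(ATTACKER_CONTRACT, 0, bytes.fromhex("deadbeef"), DELEGATECALL)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(name, check_signing_request(blob, WARM_WALLET, 5_000 * WEI_PER_ETH) or "OK")
```

In practice this check runs on an air-gapped or otherwise independent device fed the raw calldata from the hardware signer, so the decision never depends on the same browser session that could be serving tampered JavaScript.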

On February 26, 2025, the FBI issued a public service announcement (PSA250226) attributing the Bybit hack to North Korea, specifically to the cluster tracked as TraderTraitor (also known as Jade Sleet, Slow Pisces and UNC4899). TraderTraitor targets Web3 companies, typically through trojanized cryptocurrency applications or job-themed social engineering in which targets are induced to run malicious npm packages, giving the actors a foothold for theft. The FBI noted that TraderTraitor actors were quickly converting a portion of the stolen assets into Bitcoin and other virtual assets and dispersing them across thousands of addresses on multiple blockchains, with the expectation that the funds will be laundered further and eventually converted to fiat currency.

Security Officer Comments:
The latest development fits a well-documented pattern of North Korean cyber campaigns aimed at stealing cryptocurrency from organizations and individuals alike. The stolen assets are funneled into the regime's military programs, including its submarine and missile development efforts. The tradecraft combines exploitation of known vulnerabilities (and occasionally zero-days) with social engineering that lures targets into installing malicious applications and software. To obscure the origin of the stolen funds, the actors rely on cryptocurrency mixers, which blend the proceeds with other users' funds, and on rapid swaps across wallets and blockchain networks that fragment the transaction trail. Both tactics significantly complicate tracing by law enforcement and buy the actors time to move the assets before they can be frozen, while the proceeds continue to support the regime's covert operations.

Suggested Corrections:
The FBI urges private sector organizations, including RPC node operators, exchanges, bridges, blockchain analytics firms, DeFi services and other virtual asset service providers, to block transactions to or from the addresses used by TraderTraitor actors to launder the stolen assets. Its advisory lists approximately 50 Ethereum addresses that are holding or have held assets from the theft and are operated by, or closely connected to, North Korean TraderTraitor actors. Because the actors are still dispersing the funds, the published list is a point-in-time snapshot: providers should treat it as a seed set, screen both incoming and outgoing transfers against it, and extend screening to addresses that subsequently receive funds from listed ones rather than matching only the exact addresses published.
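The following is an added example (not the FBI's or any analytics vendor's code) of the screening the advisory asks providers to do, extended with the forward taint propagation that the FBI's description of funds being spread across thousands of addresses makes necessary. The seed list and the transfer batch are constructed placeholders (the real addresses are in PSA250226), and the example assumes transfers arrive as (timestamp, from, to, amount) tuples, as a simple chain indexer might emit them.

```python
"""Screening transfers against a list of flagged addresses, with forward
taint propagation. Added example, not the FBI's or any analytics vendor's
code. The seed list and transfer batch are constructed placeholders; the
real addresses are in FBI PSA250226. Transfers are assumed to arrive as
(timestamp, from_address, to_address, amount) tuples.
"""


def normalize(addr: str) -> str:
    """Canonical lowercase form, so that case or missing-0x differences
    between a list entry and an on-chain address cannot cause a miss."""
    a = addr.strip().lower()
    if a.startswith("0x"):
        a = a[2:]
    if len(a) != 40 or any(c not in "0123456789abcdef" for c in a):
        raise ValueError("malformed Ethereum address: %r" % addr)
    return "0x" + a


def screen_transfers(transfers, seed_denylist, max_hops=2):
    """Process transfers in timestamp order. Returns (tainted, blocked):
    tainted maps address -> hop distance from a seed address (0 = listed),
    blocked is the list of transfers touching any tainted address.

    Taint flows forward only: an address that receives from a tainted
    address is tainted one hop further out, up to max_hops. A single
    chronological pass is what a real-time filter can do; for retrospective
    analysis run it repeatedly until `tainted` stops changing, since an
    early transfer may only become suspicious once a later one taints its
    sender.
    """
    tainted = {normalize(a): 0 for a in seed_denylist}
    blocked = []
    for ts, src, dst, amount in sorted(transfers, key=lambda t: t[0]):
        src, dst = normalize(src), normalize(dst)
        if src in tainted and tainted[src] < max_hops:
            hop = tainted[src] + 1
            if dst not in tainted or hop < tainted[dst]:
                tainted[dst] = hop
        if src in tainted or dst in tainted:
            blocked.append((ts, src, dst, amount))
    return tainted, blocked


# Constructed seed list and transfer batch; none of these are real addresses.
LISTED = "0x" + "aa" * 20
HOP1, HOP2, HOP3 = "0x" + "b1" * 20, "0x" + "b2" * 20, "0x" + "b3" * 20
CLEAN_A, CLEAN_B, DEPOSITOR = "0x" + "c1" * 20, "0x" + "c2" * 20, "0x" + "d1" * 20

SEED_DENYLIST = [LISTED.upper()]  # deliberately in a different case from the batch
TRANSFERS = [
    (1, LISTED, HOP1, 5000),    # listed -> fresh address: HOP1 tainted at 1 hop
    (2, HOP1, HOP2, 4990),      # HOP2 tainted at 2 hops
    (3, HOP2, HOP3, 4980),      # HOP3 is beyond max_hops=2, but the transfer is still blocked
    (4, CLEAN_A, CLEAN_B, 10),  # unrelated activity
    (5, DEPOSITOR, LISTED, 1),  # deposit into a listed address: blocked
    (6, HOP3, CLEAN_A, 100),    # passes with max_hops=2, caught with max_hops=3
]


def run_sample(max_hops=2):
    return screen_transfers(TRANSFERS, SEED_DENYLIST, max_hops=max_hops)


if __name__ == "__main__":
    tainted, blocked = run_sample()
    for addr, hop in sorted(tainted.items(), key=lambda kv: kv[1]):
        print("tainted %s at hop %d" % (addr, hop))
    for ts, src, dst, amount in blocked:
        print("blocked ts=%d %s -> %s amount=%d" % (ts, src, dst, amount))
```

The max_hops cut-off is a deliberate trade-off: every extra hop catches more of the dispersal described in the advisory but also raises false positives for exchanges and bridges that legitimately received a sliver of tainted funds, so a provider would pair distance with amount thresholds and manual review rather than hard-blocking at a fixed depth.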

Link(s):
https://www.ic3.gov/PSA/2025/PSA250226

https://thehackernews.com/2025/02/bybit-hack-traced-to-safewallet-supply.html