Article

Suspected North Korean Actors Pull off the Largest Crypto Heist in History

On February 21st, 2025, approximately $1.4 billion USD in Ethereum was stolen from cryptocurrency exchange Bybit. Ethereum held a price of $2600 per token as of February 21st and is one of many cryptocurrencies the exchange holds. Some quick division shows that at least 500,000 Ethereum coins were stolen, making this the largest crypto heist to date in value. Both TRM Labs and Chainalysis have assessed the threat actor to be associated with North Korea with high confidence due to an overlap in crypto wallets tracked as belonging to North Korea.

What’s notable and unique?

North Korea has a long history of financial fraud, money laundering, and other illicit activity. Members of the Democratic People’s Republic of Korea (DPRK) military regularly participate in illicit activities, including remote worker fraud, cryptocurrency hijacking and mining, money mules, wire fraud, and even ransomware. These cybercriminal activities allow DPRK to bypass international sanctions to raise funds for their military.
The threat actors compromised one of Bybit’s offline cold wallets, digital wallets that store private keys needed to access other cryptocurrency wallets completely offline. Due to the wallet being disconnected from the internet, the most likely sources of the compromise were a supply chain attack, insider threat, or a private key compromise.
The alleged North Korean threat actors may not be able to fully monetize the theft. The funds must now be laundered before being taken out at another exchange, as most of the initial wallets to which funds were transferred have been marked as having stolen funds on legitimate cryptocurrency exchanges. The laundering will likely be a two-step process. First, the funds will be exchanged for a native cryptocurrency, such as Ether or BTC, as it is difficult to track stolen funds across cryptocurrency blockchain transfers. Next, the actors will attempt to cover their tracks further by layering the funds to throw investigators off their trail. Shortly after the compromise the actor used 50 wallets and placed 10,000 coins in each, further supporting the alleged theft of 500,000 coins in total.
Bybit has offered a 10% bounty on the stolen coins, leading to a potential purse of $140 million. So far, $42.89 million of the stolen funds have been frozen. However, it is unclear whether this is the work of bounty hunters, law enforcement, or Bybit.

Conclusion

While crypto-related attacks may seem like a new concept at face value, this is the most recent heist in a string traversing ten years. In 2024 alone, North Korean threat actors were associated with $1.5 billion out of $2.2 billion in theft. With North Korea conducting these thefts, the funds enter a broader cybercriminal ecosystem, increasingly invading the insurance ecosystem. Most recently, these threats have expanded into North Koreans fraudulently joining North American and European companies, stealing their source code, and then extorting the companies. Funds stolen in cryptocurrency thefts like the Bybit thefts are funding infrastructure supporting this increasingly stealthy form of extortion, consequently resulting in funds supporting the North Korean military.

Fortunately, as threat actors and money launderers strengthen their ability to hide stolen money, blockchain analytic techniques and toolsets have also evolved. Often, the best way to prevent crypto heists and cybercrime is to implement sound security principles, including password management, vulnerability patching, and end user training.