On February 21, 2025, a group of North Korean hackers carried out the largest cryptocurrency theft in history, stealing $1.5 billion in Ethereum tokens from Bybit, a cryptocurrency exchange based in Dubai. The hackers exploited an open-source wallet software product used by Bybit to redirect the Ethereum to another location, most likely in combination with phishing attacks to gain access to accounts and deliver malware. An estimated $160 million of the stolen funds was laundered within the first 48 hours of the attack. Although Bybit does not offer services or products in the United States, the hack's ripple effects are damaging the global crypto market. The price of Bitcoin fell 20% from its January all-time high, and the attack renewed concerns about the security of these decentralized transactions.
The Trump administration has made cryptocurrency a centerpiece of its technology policy portfolio, issuing a series of executive orders and holding meetings in pursuit of its goal of making the United States the "crypto capital of the planet." The Bybit attack, however, highlights concerns about crypto exchanges and their prevalence as targets of North Korean criminal hacking groups.
Q1: Who is responsible for the Bybit cryptocurrency theft?
A1: The theft has been attributed to Lazarus Group, a notorious North Korean criminal hacking group that was also responsible for the 2014 attack on Sony Pictures, which leaked employee emails and personal information and destroyed 70% of Sony's laptops and computers. The North Korean government regularly uses Lazarus Group, which likely operates under its Reconnaissance General Bureau, to carry out large-scale ransomware attacks that generate funds for the country's nuclear and ballistic missile programs. North Korean hackers have become prolific cryptocurrency thieves; in 2024, more than a dozen crypto companies were infiltrated by North Korean operatives posing as legitimate information technology (IT) workers in order to gain access to internal information and systems. Lazarus Group is estimated to have stolen at least $3.4 billion in cryptocurrency since it emerged in 2007, creating a significant source of revenue for the North Korean government.
Hackers use a variety of techniques in their operations, ranging from sophisticated cyberattacks that identify zero-day vulnerabilities and deploy malware to steal funds, to social engineering techniques that exploit human weaknesses to trick people into giving up sensitive information. One common technique involves hackers posing as recruiters on LinkedIn and targeting security researchers, building relationships with them before luring them into phishing attacks. This level of sophistication has evolved beyond traditional email phishing, because improved cybersecurity measures and awareness have made those attacks harder to carry out successfully. North Korea has stepped up its campaigns against the crypto industry as heavy sanctions continue to cripple its already isolated economy. Crypto theft offers a funding opportunity with a low barrier to entry and very little downside risk. It is also harder for law enforcement to trace, charge and stop the perpetrators of these hacks than it is for traditional espionage and human intelligence operations.
Q2: How did the hack occur?
A2: When Bybit CEO Ben Zhou went to sign what appeared to be a routine transaction, the hackers intercepted the request, altered the code so that the signing interface displayed what looked like the legitimate transaction, and redirected the funds to their own wallet instead of the intended recipient. The Lazarus Group hackers captured the stolen currency as it moved between a cold wallet, which stores the private keys identifying the owner of digital assets offline, and a hot wallet, which stores private keys on an Internet-connected server. During this routine transfer of funds, the hackers exploited a vulnerability in the user interface source code of Safe Wallet, an open-source platform that Bybit used in its transaction and multi-signature (multisig) signing process. Bybit's use of multisig was intended to protect against a single point of failure by requiring several people, including Zhou, to sign each transaction. The hackers embedded malicious code in the frontend software to make the transaction appear legitimate.
This sophisticated social engineering attack has shaken members of the crypto industry, who have long held that cold wallets and multisig are among the most secure methods of protecting digital assets. While industry experts acknowledged that both hot and cold wallets carry security risks, many believed cold wallets were safer from online attacks because they are not connected to the Internet. Some companies even dubbed them "the best crypto wallet." Bybit had also continued to use the Safe wallet despite prior knowledge that the software was not compatible with another of Bybit's security services, according to New York Times reports. The Bybit hack reaffirms the importance of vetting third parties for security flaws and of transparency at every stage of the transaction process, so that signals that a transaction may be malicious can be caught.
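The lesson of A2 is that a multisig signer who trusts the web interface is signing whatever the interface chooses to show. The practical countermeasure is to decode the raw payload on a channel the frontend does not control (a hardware wallet that renders decoded fields, or an independent script) and compare it with what the screen claims. The example below is added here to illustrate that check; it is not Bybit's, Safe's or the authors' code, and it does not reproduce the specific payload used in the attack. The only real constant is the 4-byte selector of Safe's `execTransaction` function; the addresses, amounts and the "displayed" transaction are constructed for the demo.

```python
"""Signer-side check: decode a Safe execTransaction payload independently of the web UI.

Added example, not Bybit's or Safe's code. Addresses, amounts and the "displayed"
transaction are constructed for illustration.
"""
from dataclasses import dataclass

# 4-byte selector of Safe's execTransaction(address,uint256,bytes,uint8,uint256,
# uint256,uint256,address,address,bytes). This value is the real selector.
EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")
ERC20_TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")  # transfer(address,uint256)
CALL, DELEGATECALL = 0, 1  # Safe "operation" values


@dataclass(frozen=True)
class SafeTx:
    to: str          # contract or account the Safe will call (lowercase 0x hex)
    value: int       # ETH sent along with the call, in wei
    data: bytes      # calldata forwarded to `to`
    operation: int   # CALL (0) or DELEGATECALL (1)


def _word(n: int) -> bytes:
    return n.to_bytes(32, "big")


def _addr_word(addr: str) -> bytes:
    return bytes.fromhex(addr[2:]).rjust(32, b"\x00")


def _pad32(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % 32)


def encode_exec_transaction(tx: SafeTx, signatures: bytes = b"") -> bytes:
    """ABI-encode execTransaction; gas parameters, gasToken and refundReceiver are zero."""
    data_offset = 10 * 32                          # 10 head words precede the dynamic tail
    sig_offset = data_offset + 32 + len(_pad32(tx.data))
    head = (_addr_word(tx.to) + _word(tx.value) + _word(data_offset) + _word(tx.operation)
            + _word(0) * 5 + _word(sig_offset))
    tail = _word(len(tx.data)) + _pad32(tx.data) + _word(len(signatures)) + _pad32(signatures)
    return EXEC_TRANSACTION_SELECTOR + head + tail


def decode_exec_transaction(calldata: bytes) -> SafeTx:
    """Parse the fields a signer must care about straight from the raw bytes."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR or len(calldata) < 4 + 10 * 32:
        raise ValueError("not a well-formed execTransaction call")
    body = calldata[4:]
    to = "0x" + body[12:32].hex()                  # address is right-aligned in its word
    value = int.from_bytes(body[32:64], "big")
    data_offset = int.from_bytes(body[64:96], "big")
    operation = int.from_bytes(body[96:128], "big")
    data_len = int.from_bytes(body[data_offset:data_offset + 32], "big")
    data = body[data_offset + 32:data_offset + 32 + data_len]
    if len(data) != data_len:
        raise ValueError("truncated data field")
    return SafeTx(to, value, data, operation)


def verify_before_signing(calldata: bytes, shown: SafeTx) -> list[str]:
    """Compare what the UI claims (`shown`) with what the payload really does."""
    actual = decode_exec_transaction(calldata)
    problems = []
    if actual.to != shown.to.lower():
        problems.append(f"recipient mismatch: UI shows {shown.to}, payload targets {actual.to}")
    if actual.value != shown.value:
        problems.append(f"value mismatch: UI shows {shown.value}, payload sends {actual.value}")
    if actual.data != shown.data:
        problems.append("calldata mismatch: payload does not contain the displayed call")
    if actual.operation != CALL:
        # DELEGATECALL runs the target's code with the Safe's own storage; a routine
        # transfer never needs it, so treat it as a hard stop.
        problems.append("operation is DELEGATECALL: target code would run with the Safe's own storage")
    return problems


def erc20_transfer(recipient: str, amount: int) -> bytes:
    return ERC20_TRANSFER_SELECTOR + _addr_word(recipient) + _word(amount)


# Constructed scenario: the UI shows a token transfer from the Safe (cold wallet)
# to a hot wallet; the tampered payload points elsewhere and uses DELEGATECALL.
TOKEN = "0x" + "11" * 20
HOT_WALLET = "0x" + "22" * 20
ATTACKER_CONTRACT = "0x" + "33" * 20
SHOWN = SafeTx(TOKEN, 0, erc20_transfer(HOT_WALLET, 10_000 * 10**18), CALL)
HONEST_CALLDATA = encode_exec_transaction(SHOWN)
TAMPERED_CALLDATA = encode_exec_transaction(SafeTx(ATTACKER_CONTRACT, 0, b"", DELEGATECALL))

if __name__ == "__main__":
    print("honest  :", verify_before_signing(HONEST_CALLDATA, SHOWN) or "OK to sign")
    print("tampered:", verify_before_signing(TAMPERED_CALLDATA, SHOWN))
```

The decoder deliberately ignores the gas and signature fields and looks only at `to`, `value`, `data` and `operation`, because those four determine what the Safe will actually do. In a multisig setup, every signer should run this comparison on their own device before approving; if any one of them does, a tampered frontend cannot collect the threshold of signatures.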
Q3: How can law enforcement respond to these hacks?
A3: Cryptocurrencies present a unique challenge to law enforcement: as the volume of global cryptocurrency markets grows, the ability to trace, seize and prosecute criminal activity becomes harder. In the wake of the Bybit attack, the Federal Bureau of Investigation attributed the attack to Lazarus Group and identified Ethereum addresses linked to the stolen funds, urging platforms to block transactions involving them and thereby deny the group the ability to launder the money. Despite the identification of the group and these addresses, hundreds of millions of dollars were laundered in the days following the attack, underscoring the difficulty law enforcement has in stopping these activities effectively. One of the biggest problems in fighting crimes that use cryptocurrency is the volume and scale, which overwhelms the resources of national and international law enforcement agencies. However, solutions may lie in the underlying technology, blockchain, which could allow investigators to trace and follow the stolen money.
Blockchain gives investigators a wealth of data to analyze transactions and follow where illicit funds move. Blockchain transactions are generally public, providing investigators with evidence to trace the perpetrators who move stolen funds. This is particularly true of transactions that take place on United States-based cryptocurrency exchanges, which must comply with "know your customer" laws requiring financial institutions to verify customer identities and reduce the risk of fraud through anonymity. However, the global scale of cryptocurrency makes coordination across jurisdictions difficult when these crimes occur, particularly with jurisdictions that have no verification requirements comparable to those of the United States. Several gaps that hinder effective law enforcement in these crimes have been identified, and among the highest priorities is the lack of information sharing between jurisdictions once a crime has been identified. These problems illustrate how the decentralized nature of cryptocurrencies presents unique challenges that national and international agencies must overcome to mitigate the risks associated with this growing technology.
Q4: Why do malicious actors use cryptocurrencies for money laundering?
A4: The decentralized nature of cryptocurrencies makes them attractive for criminal activity. The current absence of a coordinated global regulatory framework overseeing crypto transactions allows criminals to evade law enforcement more easily when moving large volumes of illicit transactions.
The current structure of the crypto industry also makes it easy for malicious actors such as Lazarus Group to launder money, and there are few incentives in place today to encourage crypto trading platforms to block a swap or exchange of suspect funds when the platform stands to profit from it. Take the Bybit hack: after successfully stealing the funds, the Lazarus Group hackers laundered the money by swapping the stolen tokens for Ether on a decentralized exchange, then sending the funds to more than 50 different wallets to hamper investigators' ability to use the transparent nature of blockchains to trace the money. They then used anonymous trading platforms such as Exch and Thorchain to swap the funds. Despite Bybit's requests to block the activity, the exchange allowed the swaps, generating hundreds of thousands of dollars in fees in the process.
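A3 says the public ledger lets investigators follow the money, and A4 describes the counter-move: fan the funds out across dozens of wallets and push them through swap services. The example below, added here and not taken from the authors, the FBI or any tracing vendor, shows the core of both sides of that contest on a small constructed transfer graph: a breadth-first walk outward from a flagged address reconstructs the path to every downstream wallet, and an exchange can reuse the same walk to screen an incoming deposit before crediting it. The addresses and transfers are made up; the flagged address stands in for one of the published ones.

```python
"""Trace funds outward from a flagged address and screen deposits against the result.

Added example; the transfer graph and addresses below are constructed, not on-chain data.
"""
from collections import defaultdict, deque

# Constructed sample transfers: (tx_id, sender, receiver, amount in ETH).
# The pattern mimics layering: one source splits into several wallets, which
# then forward to a swap router, a bridge and an exchange deposit address.
TRANSFERS = [
    ("tx01", "0xattacker01", "0xlayer1_a", 5000.0),
    ("tx02", "0xattacker01", "0xlayer1_b", 5000.0),
    ("tx03", "0xlayer1_a", "0xlayer2_a", 2500.0),
    ("tx04", "0xlayer1_a", "0xlayer2_b", 2500.0),
    ("tx05", "0xlayer1_b", "0xlayer2_c", 5000.0),
    ("tx06", "0xlayer2_a", "0xdex_router", 2500.0),
    ("tx07", "0xlayer2_c", "0xexchange_deposit_7", 4999.0),
    ("tx08", "0xunrelated_user", "0xexchange_deposit_9", 12.0),
    ("tx09", "0xlayer2_b", "0xbridge_vault", 2500.0),
]
FLAGGED = {"0xattacker01"}  # constructed stand-in for a published attacker address


def build_graph(transfers):
    """Adjacency list keyed by sender: sender -> [(receiver, tx_id, amount), ...]."""
    graph = defaultdict(list)
    for tx_id, src, dst, amount in transfers:
        graph[src].append((dst, tx_id, amount))
    return graph


def trace_from(flagged, transfers, max_hops=6):
    """Breadth-first walk over outgoing transfers.

    Returns {address: (hops_from_flagged, [tx_ids along the first path found])}
    for every address reachable within max_hops, including the flagged ones at hop 0.
    """
    graph = build_graph(transfers)
    reached = {addr: (0, []) for addr in flagged}
    queue = deque(flagged)
    while queue:
        current = queue.popleft()
        hops, path = reached[current]
        if hops >= max_hops:
            continue
        for dst, tx_id, _ in graph[current]:
            if dst not in reached:            # first arrival is the shortest path
                reached[dst] = (hops + 1, path + [tx_id])
                queue.append(dst)
    return reached


def screen_deposit(address, flagged, transfers, max_hops=6):
    """Exchange-side check before crediting a deposit.

    Returns (is_downstream_of_flagged, hops, path). A hit means the deposit
    address sits on a chain of transfers leading back to a flagged address.
    """
    reached = trace_from(flagged, transfers, max_hops)
    if address in reached:
        hops, path = reached[address]
        return True, hops, path
    return False, None, []


def exposure_by_address(flagged, transfers):
    """Total value each address received from senders that are themselves downstream
    of (or are) a flagged address; a coarse measure of how much tainted value landed where."""
    reached = trace_from(flagged, transfers)
    totals = defaultdict(float)
    for _, src, dst, amount in transfers:
        if src in reached:
            totals[dst] += amount
    return dict(totals)


if __name__ == "__main__":
    for addr in ("0xexchange_deposit_7", "0xexchange_deposit_9"):
        print(addr, screen_deposit(addr, FLAGGED, TRANSFERS))
    print(exposure_by_address(FLAGGED, TRANSFERS))
```

Splitting across 50 wallets, as A4 describes, adds breadth to this graph but not depth: every branch is still one more edge for the walk to follow. What actually breaks the trace is a node whose outputs cannot be linked to its inputs, which is why the swap services and bridges, rather than the wallet fan-out, are the step that blocking requests target.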
Q5: What effect will this have on the future of crypto policy in the United States?
A5: President Trump has expressed interest in building a strong American crypto market. In its first weeks in office, the Trump administration held a White House crypto summit and issued an executive order establishing a strategic bitcoin reserve and a stockpile of other digital assets. Despite these initiatives, Bitcoin slid into a bear market just weeks after hitting a record high of $109,071 in January. This market drop is not solely due to fears stemming from the Bybit hack: factors such as Trump declining to commit to a federal Bitcoin purchasing strategy, along with tariffs, recession worries and fears of a tech sell-off, have dampened risk appetite in crypto and in the broader financial markets.
A combination of stronger crypto regulation and improved security measures at crypto companies could bolster consumer confidence in digital assets. The market volatility following the attack raised questions about investors' appetite for greater use of digital assets. Despite the Trump administration's actions to bring crypto into U.S. markets and American financial arenas, the hack could delay growth in investment given the security concerns the attack exposed. Growth in crypto activity will depend on how much investors trust these digital assets. The best avenue to increase that trust is to regulate the downsides of crypto so that investors can reap its benefits.
Taylar Rajic is an associate fellow with the Strategic Technologies Program at the Center for Strategic and International Studies (CSIS) in Washington, D.C. Julia Brock is a program manager and research associate with the Strategic Technologies Program at CSIS.