TraderTraitor: Masters of the Crypto Heist

On February 21, a significant and unprecedented cryptocurrency heist unfolded, marking one of the largest cyber thefts in history. Hackers managed to compromise a digital wallet associated with Bybit, the world’s second-largest cryptocurrency exchange, resulting in the theft of approximately $1.5 billion in digital tokens. The perpetrators quickly transferred the stolen assets across multiple cryptocurrency wallets and platforms to obfuscate their actions before beginning to cash out the illicit gains.

This audacious digital breach is believed to have been executed by a sophisticated group known as TraderTraitor, widely linked to North Korean cyber operatives. In the aftermath of the incident, while Bybit maintained stability by securing cryptocurrency loans and establishing a bounty initiative aimed at recovering the stolen funds, the FBI attributed the attack to TraderTraitor, identifying them as a notable faction within North Korea’s cyber capabilities.

TraderTraitor has previously been implicated in numerous high-profile crypto thefts and cyber assaults targeting supply chain software. Michael Barnhart, an experienced cybersecurity researcher specializing in North Korean threats, noted the anticipated nature of this attack. “We were waiting for the next big thing,” he stated, emphasizing that these hackers persistently plot and execute sophisticated operations against global targets.

North Korean cyber units, alongside their counterparts in China, Russia, and Iran, are recognized as some of the most adept and hazardous threats to Western democracies. Unlike general espionage and data theft activities, North Korea’s cyber endeavors are distinctly focused on securing resources to fund the regime’s nuclear ambitions, with cryptocurrency theft becoming a crucial component of their strategy.

In recent years, the Kim Jong-un regime has dispatched skilled IT personnel worldwide, allowing them to earn substantial wages that are subsequently funneled back to North Korea. This tactic not only aids in generating revenue but also enables workers to engage in extortion against former employers by threatening exposure of sensitive information. Concurrently, the wider Lazarus Group, under which TraderTraitor operates, has executed extensive cyber thefts, amassing billions in stolen cryptocurrency from exchanges and other entities globally.

Emerging around the beginning of 2022, TraderTraitor is believed to be an offshoot of the notorious APT38 group, known for previous attempts to surreptitiously extract funds from the SWIFT financial system and for a failed $1 billion heist from the Central Bank of Bangladesh in 2016. This pivot towards cryptocurrency was a strategic recalibration after realizing that reliance on intermediaries, like money mules, could dilute operational efficiency.

This evolving strategy gave rise to two distinct factions—CryptoCore and TraderTraitor—each focused on seizing cryptocurrency assets more directly. Industry experts like Barnhart recognize TraderTraitor as the more advanced of the two, attributing its sophistication to the foundational skills honed by APT38.

The tactics employed during the Bybit breach likely map to several techniques in the MITRE ATT&CK framework, particularly those covering initial access, lateral movement, and exfiltration. Given the nature of the attack, it is plausible that the hackers used sophisticated phishing or exploited vulnerabilities in Bybit’s infrastructure to gain control over the exchange’s digital assets. This incident serves as a stark reminder of the increasing complexity and scale of cyber threats, particularly from state-sponsored actors, and underscores the necessity for robust cybersecurity measures within organizations handling cryptocurrency and sensitive data.