North Korea-backed threat actors carried out a sophisticated cyber attack on Bybit, a major cryptocurrency exchange, in February 2025, stealing $1.46 billion in digital assets, the largest single theft of the year. The incident was part of a broader campaign in which Pyongyang-linked hackers amassed over $2 billion in 2025 alone, primarily through social engineering attacks targeting exchanges and high-net-worth individuals. The stolen funds are allegedly funneled into North Korea’s missile and nuclear weapons programs, exacerbating geopolitical tensions. The attack underscores a shift from exploiting technical vulnerabilities to manipulating human behavior, exposing systemic weaknesses in cryptocurrency security. Laundering the proceeds involved complex, resource-intensive techniques to obscure transaction trails, exploiting blockchain’s pseudo-anonymity despite its inherent transparency. The breach not only inflicted massive financial damage on Bybit but also contributed to a threefold increase in annual crypto thefts compared with 2024, with over 30 additional hacks attributed to the same actors.
Source: https://www.infosecurity-magazine.com/news/bybit-recordbreaking-2bn-north/
TPRM report: https://www.rankiteo.com/company/bybitexchange
{
  "id": "byb2332223100825",
  "linkid": "bybitexchange",
  "type": "Cyber Attack",
  "date": "6/2024",
  "severity": "100",
  "impact": "8",
  "explanation": "Attack that could bring to a war"
}
{
  "affected_entities": [
    {"industry": "financial services (crypto)", "location": "global (HQ: Dubai)", "name": "Bybit", "type": "cryptocurrency exchange"},
    {"industry": "financial services (crypto)", "name": "LND.fi", "type": "DeFi platform"},
    {"industry": "financial services (crypto)", "name": "WOO X", "type": "cryptocurrency exchange"},
    {"industry": "financial services (crypto)", "name": "Seedify", "type": "blockchain incubators/launchpad"},
    {"location": "global", "name": "High-net-worth individuals (HNWIs)", "type": "private individuals"}
  ],
  "attack_vector": ["social engineering", "phishing", "deception/manipulation of individuals"],
  "date_publicly_disclosed": "2025-09",
  "description": "North Korea-backed threat actors have stolen more than $2bn in cryptocurrency in 2025 (as of September) to fund the regime’s missile and nuclear weapons programs. The thefts are primarily driven by social engineering attacks, marking a shift from exploiting technical vulnerabilities. The largest single incident was a $1.46bn theft from cryptocurrency exchange Bybit in February 2025. Other notable victims include LND.fi, WOO X, and Seedify. Over 30 additional hacks have been attributed to North Korea this year, with laundering techniques growing increasingly sophisticated to evade blockchain tracing.",
  "impact": {
    "brand_reputation_impact": ["severe damage to trust in affected exchanges", "broader erosion of confidence in cryptocurrency security"],
    "financial_loss": "$2+ billion (2025 YTD)",
    "operational_impact": ["loss of customer funds", "reputational damage to exchanges"]
  },
  "initial_access_broker": {
    "entry_point": ["phishing emails", "fake job offers", "compromised communication channels"],
    "high_value_targets": ["cryptocurrency exchange employees", "high-net-worth individuals with crypto holdings"]
  },
  "investigation_status": "ongoing (blockchain tracing and attribution)",
  "lessons_learned": [
    "Human factors (social engineering) are now the primary attack vector, surpassing technical vulnerabilities in crypto security.",
    "North Korean actors are rapidly improving cryptocurrency laundering techniques to evade blockchain tracing.",
    "High-net-worth individuals are increasingly targeted alongside exchanges."
  ],
  "motivation": ["funding missile and nuclear weapons programs", "state-sponsored financial gain"],
  "post_incident_analysis": {
    "root_causes": [
      "Over-reliance on technical controls without addressing human vulnerabilities.",
      "Inadequate verification processes for high-value transactions.",
      "Lack of real-time monitoring for social engineering red flags."
    ]
  },
  "recommendations": [
    "Enhance employee and user training to resist social engineering attacks.",
    "Implement multi-factor authentication (MFA) and transaction confirmation delays for high-value transfers.",
    "Collaborate with blockchain forensics firms to trace and recover stolen funds.",
    "Adopt behavioral analytics to detect anomalous transaction patterns."
  ],
  "references": [
    {"date_accessed": "2025-09", "source": "Elliptic (blockchain analysis firm)"},
    {"date_accessed": "2025-09", "source": "Infosecurity Magazine - 'Crypto-Hackers Steal $2.2bn as North Koreans Dominate'"}
  ],
  "response": {
    "enhanced_monitoring": ["blockchain transaction monitoring for laundering patterns"],
    "recovery_measures": ["tracking stolen funds via blockchain forensics"],
    "third_party_assistance": ["blockchain analysis firms (e.g., Elliptic)"]
  },
  "threat_actor": "North Korea-backed threat actors (e.g., Lazarus Group, APT38)",
  "title": "North Korea-backed Cryptocurrency Thefts Exceed $2 Billion in 2025",
  "type": ["cyber theft", "cryptocurrency heist", "nation-state attack", "social engineering"],
  "vulnerability_exploited": "human error (weakness in operational security)"
}