Safe{Wallet} has revealed that the $1.5 billion Bybit cryptocurrency theft was a highly sophisticated, state-sponsored attack, allegedly carried out by North Korean cybercriminals. The hacking group, known as TraderTraitor (also called Jade Sleet, PUKCHONG, and UNC4899), reportedly took extensive measures to erase evidence and hinder investigations.
To investigate the breach, Safe{Wallet} enlisted Google Cloud Mandiant, which determined that the attackers compromised a Safe{Wallet} developer’s laptop (referred to as Developer1) and hijacked AWS session tokens to bypass multi-factor authentication (MFA).
The intrusion occurred on February 4, 2025, when the developer unknowingly downloaded a malicious Docker project named MC-Based-Stock-Invest-Simulator-main. The project communicated with a suspicious domain, getstockprice[.]com, registered just two days earlier. Past attacks linked to TraderTraitor suggest the group lured developers via Telegram, persuading them to assist in troubleshooting compromised Docker projects.
Once inside, the attackers deployed malware to conduct reconnaissance on Safe{Wallet}’s Amazon Web Services (AWS) infrastructure and hijacked the developer’s active AWS sessions, reusing the already-issued temporary credentials so that their activity looked like the developer’s own and triggered no fresh MFA challenge, since MFA is evaluated when a session is established rather than on each API call. They also operated from ExpressVPN IP addresses and used the Kali Linux toolkit, both commonly associated with offensive security operations.
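The session-token reuse described above leaves a trace in CloudTrail: the same temporary access key (AWS prefixes these with `ASIA`) turns up from a second source address or client. The detector below is an added example, not Safe{Wallet} or Mandiant code, and runs over constructed CloudTrail-style records; the IP addresses (documentation ranges), user agents, account ID and role names are invented.

```python
"""Flag temporary AWS credentials reused from a second IP or client.

Added example, not part of the original article or of Safe{Wallet}'s tooling.
The records below are constructed; field names follow the CloudTrail event
format (eventTime, eventName, userIdentity.accessKeyId, sourceIPAddress,
userAgent), but every value is made up for illustration.
"""
import json
from collections import defaultdict


def _ev(time, name, key, arn, ip, ua):
    return json.dumps({
        "eventTime": time, "eventName": name,
        "userIdentity": {"type": "AssumedRole", "accessKeyId": key, "arn": arn},
        "sourceIPAddress": ip, "userAgent": ua,
    })


DEV_ARN = "arn:aws:sts::111122223333:assumed-role/Developer1/dev1"   # constructed
MAC_UA = "aws-cli/2.15.0 Python/3.11.6 Darwin/23.2.0"                 # constructed
LINUX_UA = "aws-cli/2.15.0 Python/3.11.6 Linux/6.6.9-amd64"           # constructed

# Constructed sample: a temporary key first used from the developer's own
# address, then replayed from another host; plus one long-term key (AKIA...)
# that the detector ignores because it is not a session credential.
SAMPLE_LOG = "\n".join([
    _ev("2025-02-05T09:12:01Z", "GetCallerIdentity", "ASIAEXAMPLE0000001", DEV_ARN, "203.0.113.10", MAC_UA),
    _ev("2025-02-05T09:30:44Z", "ListBuckets",       "ASIAEXAMPLE0000001", DEV_ARN, "203.0.113.10", MAC_UA),
    _ev("2025-02-05T11:47:20Z", "ListUsers",         "ASIAEXAMPLE0000001", DEV_ARN, "198.51.100.77", LINUX_UA),
    _ev("2025-02-05T11:49:03Z", "DescribeInstances", "ASIAEXAMPLE0000001", DEV_ARN, "198.51.100.77", LINUX_UA),
    _ev("2025-02-05T12:00:00Z", "ListBuckets",       "AKIAEXAMPLE0000009",
        "arn:aws:iam::111122223333:user/ci-bot", "192.0.2.5", "Boto3/1.34.0"),
])


def parse_events(text):
    """One JSON event per line -> list of dicts (blank lines skipped)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_session_reuse(events):
    """Group events by temporary access key and compare each later call with
    the first-seen (IP, user agent) pair for that key. Returns one finding per
    key whose credentials were used from a different address or client."""
    sessions = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        key = ev.get("userIdentity", {}).get("accessKeyId", "")
        if key.startswith("ASIA"):          # only STS-issued session credentials
            sessions[key].append(ev)

    findings = []
    for key, evs in sessions.items():
        base_ip, base_ua = evs[0]["sourceIPAddress"], evs[0]["userAgent"]
        anomalies = [e for e in evs[1:]
                     if e["sourceIPAddress"] != base_ip or e["userAgent"] != base_ua]
        if anomalies:
            findings.append({
                "accessKeyId": key,
                "principal": evs[0]["userIdentity"].get("arn"),
                "baseline": (base_ip, base_ua),
                "first_anomaly": anomalies[0]["eventTime"],
                "anomalous_ips": sorted({e["sourceIPAddress"] for e in anomalies}),
                "anomalous_calls": [e["eventName"] for e in anomalies],
            })
    return findings


if __name__ == "__main__":
    for f in detect_session_reuse(parse_events(SAMPLE_LOG)):
        print(json.dumps(f, indent=2))
```

A developer moving between office and VPN will also change IP, so treat the IP change alone as weak; the signal sharpens when the user agent changes too and the new calls are enumeration (ListUsers, DescribeInstances) the baseline session never made. The check has a known blind spot that matters for this incident: an implant on the developer's own laptop that relays attacker traffic through the victim's machine keeps the original IP and user agent, so pair this with endpoint telemetry rather than relying on CloudTrail alone.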
Additionally, between February 19 and 21, 2025, the attackers injected malicious JavaScript into the assets served by the Safe{Wallet} web application. The tampered code was live only for that window, which ends on the day the Bybit funds were moved; no compromise of Safe{Wallet}’s smart contracts was involved, the change sat in the front end that users load in the browser.
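A change to hosted front-end assets is something a build pipeline can catch independently of the origin that serves them: record a hash of every bundle at build time and periodically compare the live copies against that manifest. The script below is an added example, not Safe{Wallet}’s deployment code; file names and contents are constructed, and the "deployed" set is simulated in memory rather than fetched from S3 or a CDN.

```python
"""Compare live front-end bundles against a build-time hash manifest.

Added example, not code from the original article or from Safe{Wallet}.
BUILD_FILES and DEPLOYED_FILES are constructed stand-ins for the output of a
build job and for the objects fetched from the live origin.
"""
import base64
import hashlib


def build_manifest(files):
    """files: {path: bytes} from the build. Returns {path: hex SHA-256}."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def verify_deployed(manifest, deployed):
    """deployed: {path: bytes} as served right now.
    Reports bundles whose hash changed, bundles that vanished, and files the
    build never produced (a dropped-in script is the case that matters here)."""
    modified = [p for p, h in manifest.items()
                if p in deployed and hashlib.sha256(deployed[p]).hexdigest() != h]
    missing = [p for p in manifest if p not in deployed]
    unexpected = [p for p in deployed if p not in manifest]
    return {"modified": sorted(modified), "missing": sorted(missing),
            "unexpected": sorted(unexpected)}


def sri_attribute(data, algo="sha384"):
    """Value for a <script integrity="..."> attribute: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


# Constructed build output.
BUILD_FILES = {
    "index.html": b"<script src=/assets/app.js></script>",
    "assets/app.js": b"export function signTx(tx){return wallet.sign(tx)}",
    "assets/vendor.js": b"/* vendor bundle */",
}

# Constructed "live" copy: app.js has an extra function appended and a file
# the build never emitted has appeared next to it.
DEPLOYED_FILES = dict(BUILD_FILES)
DEPLOYED_FILES["assets/app.js"] = BUILD_FILES["assets/app.js"] + b";function _p(tx){/* tamper */}"
DEPLOYED_FILES["assets/_t.js"] = b"/* not produced by the build */"


def run_check():
    """Build the manifest from BUILD_FILES and verify DEPLOYED_FILES against it."""
    return verify_deployed(build_manifest(BUILD_FILES), DEPLOYED_FILES)


if __name__ == "__main__":
    print(run_check())
    print(sri_attribute(BUILD_FILES["assets/app.js"]))
```

The manifest has to live outside the bucket that serves the site (in the CI system or a separate account), otherwise whoever can rewrite the bundles can rewrite the manifest too. Subresource Integrity on the `<script>` tags complements the monitor but does not replace it: it only protects a script loaded by an `index.html` the attacker could not touch, and an attacker who can write to the origin can change both files together.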
Bybit CEO Ben Zhou provided an update on the stolen funds, stating that:
77% remain traceable
20% have disappeared
3% have been frozen
Around 83% of the stolen Ethereum (417,348 ETH) has been converted into Bitcoin and distributed across nearly 7,000 wallets. Efforts to freeze assets involved multiple parties, including Mantle, Paraswap, and ZachXBT.
This attack contributes to a record-breaking year for crypto heists. According to blockchain security firm Immunefi, over $1.6 billion has already been stolen in the first two months of 2025—an eightfold increase compared to the same period last year.
The incident highlights critical vulnerabilities in Web3 security, reinforcing the need for stronger industry-wide protections to prevent similar breaches in the future.