The FBI has officially accused North Korea's Lazarus Group of stealing $1.5 billion in Ethereum from crypto-exchange Bybit earlier this month, and asked for help tracking down the stolen funds.

In [1]an alert Wednesday, the bureau said Pyongyang's cyber-crime gang, dubbed TraderTraitor by the Feds, was responsible for the heist. That memo included addresses of wallets said to be operated by the thieves and that contain or contained coins stolen from Dubai-based Bybit.

The g-men hope releasing this info will help others identify and block further transactions involving the purloined Ethereum.

[2]

"TraderTraitor actors are proceeding rapidly and have converted some of the stolen assets to Bitcoin and other virtual assets dispersed across thousands of addresses on multiple blockchains," the FBI said. "It is expected these assets will be further laundered and eventually converted to fiat currency."

[3]

[4]

The Feds aren't alone in wanting vengeance. On Tuesday Bybit [5]set up a bounty program to recover its funds after the Lazarus crew subverted a SafeWallet transfer on February 21 to redirect hundreds of thousands of Ethereum destined for the exchange's hot wallet to the thieves' wallet.

The money is now being laundered, and while more than $40 million in tokens have been identified and frozen, that leaves a lot of digital money in the hands of the Kim Jong Un government.

[6]Bybit declares war on North Korea's Lazarus crime-ring to regain $1.5B stolen from wallet

[7]Rather than add a backdoor, Apple decides to kill iCloud encryption for UK peeps

[8]North Korea targets crypto developers via NPM supply chain attack

[9]North Koreans clone open source projects to plant backdoors, steal credentials

Bybit is willing to pay a 10 percent bounty to those who can trace movement of its pilfered funds and halt such transfers.

The Chainflip cryptocurrency exchange says it has already stopped about $1 million in Bybit's digital dosh being funneled through its system and warned others to be on their guard.

[10]

"We're aware of the hacker's attempts to move the Bybit hack funds to BTC via Chainflip," it [11]said . "We have disabled some front-end services to stop the flow, but as a fully decentralized protocol with 150 nodes, we can't completely shut down the protocol." ®

Get our [12]Tech Resources



[1] https://www.ic3.gov/PSA/2025/PSA250226

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z8Dul1pb01qdnHHrD3MZkQAAAdY&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z8Dul1pb01qdnHHrD3MZkQAAAdY&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z8Dul1pb01qdnHHrD3MZkQAAAdY&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[5] https://www.theregister.com/2025/02/26/bybit_lazarus_bounty/

[6] https://www.theregister.com/2025/02/26/bybit_lazarus_bounty/

[7] https://www.theregister.com/2025/02/24/rather_than_add_a_backdoor/

[8] https://www.theregister.com/2025/02/13/north_korea_npm_crypto/

[9] https://www.theregister.com/2025/01/29/lazarus_groups_supply_chain_attack/

[10] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z8Dul1pb01qdnHHrD3MZkQAAAdY&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[11] https://x.com/Chainflip/status/1893222347252875386

[12] https://whitepapers.theregister.com/