The recent cryptocurrency heist that occurred last week, labeled as the world’s largest, has been confirmed by the FBI to have been orchestrated by a state-sponsored North Korean APT group. The FBI issued a Public Service Announcement on February 26 linking the attack on the Bybit cryptocurrency exchange to the group known as “TraderTraitor,” also recognized as Lazarus, APT38, BlueNoroff, and Stardust Chollima.
According to the announcement, the TraderTraitor actors are swiftly moving forward with their plans and have already converted some of the stolen assets into Bitcoin and other virtual currencies scattered across multiple addresses on various blockchains. The agency expressed concern that these assets will further undergo a laundering process before being eventually converted into fiat currency.
The FBI’s attribution aligns with reports from Infosecurity, which cited insights from the London-based blockchain analysis firm Elliptic. Elliptic linked the Bybit theft to North Korea’s Lazarus Group based on its analysis of the laundering activity involving the stolen cryptocurrency. The Lazarus Group has been identified as having the capability to breach target organizations, steal crypto assets, and employ sophisticated laundering tactics through blockchain transactions.
The North Korean threat actors are believed to be engaged in a two-stage money laundering operation. The first stage involves exchanging stolen tokens for a native blockchain asset like Ether that cannot be frozen, while the second stage includes layering the stolen funds to obscure the transaction trail. Within a mere two hours of the heist, the funds were sent to 50 different wallets and then promptly emptied to complicate tracking efforts by investigators.
Elliptic outlined the various channels through which the stolen funds could be routed, including decentralized exchanges, centralized exchanges, crypto mixers, and platforms like eXch, enabling anonymous asset swapping. The complexity of these laundering techniques makes it challenging for authorities to prevent the actors from cashing out.
The FBI has called on the crypto community to collaborate in preventing the conversion of the stolen assets into fiat currency. The agency encouraged private sector entities such as RPC node operators, exchanges, blockchain analytics firms, and virtual asset service providers to block transactions involving the addresses used by the TraderTraitor actors in their laundering activities. Approximately 50 Ethereum addresses associated with Lazarus were listed in the PSA.
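The mitigation the FBI asks for, and the fan-out pattern Elliptic describes above, are both things an exchange or node operator can check mechanically. The following is an added illustration, not code from the article, the FBI or Bybit: it loads a PSA-style address list, normalizes Ethereum addresses so checksum-cased and lower-cased spellings match, holds any transaction touching a listed address, and separately flags senders that pay out to 50 or more distinct addresses within two hours (the layering behaviour reported here). The addresses and ledger entries are constructed placeholders, not the indicators from the PSA.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

ETH_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")


def normalize(addr: str) -> str:
    """Validate a hex Ethereum address and lower-case it so checksum-cased
    and lower-cased spellings of the same address compare equal."""
    addr = addr.strip()
    if not ETH_ADDR.match(addr):
        raise ValueError(f"not a 20-byte hex Ethereum address: {addr!r}")
    return addr.lower()


def load_blocklist(lines: Iterable[str]) -> Set[str]:
    """Parse a one-address-per-line list; '#' starts a comment."""
    out: Set[str] = set()
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            out.add(normalize(line))
    return out


# Constructed placeholder indicators; they are NOT the addresses in the FBI PSA.
PLACEHOLDER_BLOCKLIST = load_blocklist("""
# hypothetical laundering addresses for this example only
0x1111111111111111111111111111111111111111
0xabcdefabcdefabcdefabcdefabcdefabcdefabcd
""".splitlines())


def screen_tx(tx: dict, blocklist: Set[str]) -> List[str]:
    """Return the reasons to hold a transaction; an empty list means no match."""
    reasons = []
    for role in ("from", "to"):
        if normalize(tx[role]) in blocklist:
            reasons.append(f"{role} address is on the blocklist")
    return reasons


def fan_out_sources(txs: Iterable[dict], min_destinations: int = 50,
                    window_seconds: int = 2 * 3600) -> Dict[str, int]:
    """Flag senders that pay out to at least min_destinations distinct
    addresses inside any window of window_seconds (the rapid fan-out pattern).
    Returns {sender: most distinct destinations seen in one window}."""
    by_sender: Dict[str, List[tuple]] = defaultdict(list)
    for tx in txs:
        by_sender[normalize(tx["from"])].append((tx["ts"], normalize(tx["to"])))
    flagged: Dict[str, int] = {}
    for sender, events in by_sender.items():
        events.sort()
        best = 0
        for start in range(len(events)):
            dests = set()
            for ts, dest in events[start:]:
                if ts - events[start][0] > window_seconds:
                    break
                dests.add(dest)
            best = max(best, len(dests))
        if best >= min_destinations:
            flagged[sender] = best
    return flagged


def build_sample_txs() -> List[dict]:
    """Constructed sample ledger: one drained wallet fanning out to 50 addresses
    in under 90 minutes, one payment to a blocklisted address, one benign transfer."""
    drained = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    txs = [{"ts": 100 * i, "from": drained, "to": f"0x{i + 1:040x}"} for i in range(50)]
    txs.append({"ts": 6000, "from": "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
                "to": "0xABCDEFABCDEFABCDEFABCDEFABCDEFABCDEFABCD"})  # checksum-style casing
    txs.append({"ts": 6100, "from": "0xcccccccccccccccccccccccccccccccccccccccc",
                "to": "0xdddddddddddddddddddddddddddddddddddddddd"})
    return txs


if __name__ == "__main__":
    ledger = build_sample_txs()
    for tx in ledger:
        hits = screen_tx(tx, PLACEHOLDER_BLOCKLIST)
        if hits:
            print("HOLD", tx["to"], hits)
    print("fan-out senders:", fan_out_sources(ledger))
```

The address match is exact after normalization, so an operator feeding this from a real PSA list must keep the list current; the fan-out heuristic is a trigger for manual review rather than an automatic block, since legitimate batch payouts can also produce many destinations in a short window.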
In response to the theft, Bybit has announced a reward of 10% of any recovered funds to individuals who help retrieve the $1.46 billion worth of cryptocurrency stolen by Lazarus. The plea for community assistance underscores the severity of the situation and the collective effort needed to combat such sophisticated attacks in the cryptocurrency realm.