FBI Joins Manhunt for North Korea’s Lazarus Group as Laundering Effort Intensifies

CoinEdition, 2025/02/27 16:00
By: Abdulkarim Abdulwahab

The FBI is now involved in the manhunt for North Korea’s Lazarus Group, responsible for the $1.5 billion Bybit hack. Hackers exploited a Safe wallet vulnerability and manipulated transactions to steal ETH. Over 100 Ethereum addresses linked to the group are being monitored, with Bybit freezing $40 million of the stolen funds.

The FBI has joined the search for North Korea’s Lazarus Group, the cybercriminal organization responsible for the Bybit hack that resulted in the theft of ETH valued at $1.5 billion. The attack is considered one of the largest crypto heists to date.

Investigations revealed that hackers compromised a Safe wallet belonging to a Bybit developer and injected malicious code into the exchange’s front end. This allowed them to manipulate transaction parameters and deceive signers into approving unauthorized transfers.

The laundering process is ongoing, with 270,000 ETH worth $605 million laundered through THORChain.

Breach Origin and Attack Execution

Analysis by Verichains and Sygnia determined that the breach originated from Safe{Wallet}’s AWS infrastructure rather than Bybit’s internal systems. Bybit CEO Ben Zhou disclosed that attackers injected malicious JavaScript into Safe{Wallet}’s AWS S3 bucket on February 19 at 15:29:25 UTC. This unauthorized modification allowed hackers to interfere with Bybit’s transaction approval process.

Hackers tricked signers into approving what seemed like a routine cold-to-warm wallet transfer. However, the manipulated code altered wallet ownership during the signature, redirecting funds.
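The modification described above was a change to JavaScript already served from a storage bucket. As an added example (not code from Safe, Bybit or the investigators), the audit below compares the assets actually served against a release manifest of SHA-384 digests; it assumes the manifest is produced at build time and kept outside the bucket, and all file names and contents are constructed.

```python
import base64
import hashlib
import hmac


def sri_digest(content: bytes) -> str:
    """Return the Subresource Integrity string (sha384-<base64>) for an asset."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


def audit_assets(manifest: dict, served: dict) -> list:
    """Compare served assets with the release manifest.

    Returns a sorted list of (path, finding) tuples; an empty list means every
    served file matches the release and nothing extra is being served.
    """
    findings = []
    for path, expected in manifest.items():
        body = served.get(path)
        if body is None:
            findings.append((path, "missing"))
        elif not hmac.compare_digest(sri_digest(body), expected):
            findings.append((path, "modified"))
    for path in served.keys() - manifest.keys():
        findings.append((path, "unexpected"))
    return sorted(findings)


# Constructed sample data: a two-file release and its manifest.
RELEASE = {
    "static/app.js": b"function buildTx(to, value) { return { to, value }; }\n",
    "static/vendor.js": b"/* vendored dependencies */\n",
}
MANIFEST = {path: sri_digest(body) for path, body in RELEASE.items()}

# Constructed "served" state: one file changed after release, one file added.
SERVED = dict(RELEASE)
SERVED["static/app.js"] = RELEASE["static/app.js"] + b"/* altered after release */\n"
SERVED["static/extra.js"] = b"/* not part of the release */\n"

if __name__ == "__main__":
    for path, finding in audit_assets(MANIFEST, SERVED):
        print(f"{finding:10s} {path}")
```

The same `sha384-...` strings can be placed in the `integrity` attribute of `<script>` tags so the browser refuses a modified file, provided the HTML that carries them is served from a separately controlled origin.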

Once the ETH was stolen, the funds were distributed across 40+ wallets. They were moved through cross-chain bridges and mixers and processed via THORChain swaps and unregulated exchanges.

Bybit managed to freeze $40 million of the stolen funds and is offering a 10% bounty for recovered ETH. However, $120 million has already been laundered, and an exchange called eXch refused to freeze funds, complicating recovery efforts. The refusal stemmed from its historic dispute with Bybit and other crypto exchanges.

FBI’s Call to Action: Blocking TraderTraitor Transactions

Meanwhile, the FBI is urging private sector entities, including RPC node operators, cryptocurrency exchanges, blockchain analytics firms, DeFi services, and other virtual asset service providers, to block transactions linked to addresses associated with the TraderTraitor actors involved in laundering the stolen funds.

Over 100 Ethereum addresses have been linked to North Korean TraderTraitor actors, with some still holding stolen assets.
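One way a node operator or exchange could screen submitted transactions against such an address list, as an added example that is not from the FBI notice or the article: it checks the sender, the recipient, and the addresses embedded in ERC-20 `transfer` and `transferFrom` calldata. The blocklist entry and all transactions are constructed placeholders, and the function names are hypothetical.

```python
# ERC-20 function selectors (first 4 bytes of calldata, hex).
TRANSFER = "a9059cbb"       # transfer(address,uint256)
TRANSFER_FROM = "23b872dd"  # transferFrom(address,address,uint256)


def _norm(value: str) -> str:
    """Lower-case a hex string and drop the 0x prefix so comparisons ignore casing."""
    return value.lower().removeprefix("0x")


def addresses_in_tx(tx: dict) -> set:
    """Collect every address a transaction names directly or in ERC-20 calldata."""
    found = {_norm(tx[key]) for key in ("from", "to") if tx.get(key)}
    data = _norm(tx.get("input") or "")
    selector, args = data[:8], data[8:]
    address_args = {TRANSFER: 1, TRANSFER_FROM: 2}.get(selector, 0)
    for i in range(address_args):
        word = args[i * 64:(i + 1) * 64]
        if len(word) == 64:
            found.add(word[24:])  # an address is the low 20 bytes of a 32-byte word
    return found


def screen(tx: dict, blocklist: set) -> list:
    """Return the blocklisted addresses a transaction touches (empty list = allow)."""
    blocked = {_norm(addr) for addr in blocklist}
    return sorted("0x" + addr for addr in addresses_in_tx(tx) & blocked)


# Constructed placeholder data, not real indicators.
LISTED = "0x" + "ab" * 20
BLOCKLIST = {LISTED}
TOKEN = "0x" + "11" * 20
SENDER = "0x" + "22" * 20

DIRECT_TX = {"from": SENDER, "to": "0x" + "AB" * 20, "input": "0x"}
TOKEN_TX = {
    "from": SENDER,
    "to": TOKEN,
    "input": "0x" + TRANSFER + "00" * 12 + "ab" * 20 + "00" * 31 + "01",
}
CLEAN_TX = {"from": SENDER, "to": TOKEN, "input": "0x"}

if __name__ == "__main__":
    for name, tx in (("direct", DIRECT_TX), ("token", TOKEN_TX), ("clean", CLEAN_TX)):
        print(name, screen(tx, BLOCKLIST) or "allow")
```

This covers only addresses visible in the transaction itself; funds routed through contract-internal calls need trace-level analysis to attribute.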

The FBI expressed commitment to protecting the virtual asset community by identifying, disrupting, and preventing North Korea’s cybercrime operations. It urged individuals with relevant information to contact their local FBI field office or file a report with the FBI’s Internet Crime Complaint Center at ic3.gov.

Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.
