Crypto hackers steal $606M in 18 days as N. Korea’s Lazarus dominates

In the first three weeks of 2025, cryptocurrency platforms lost more than $600 million to hackers, with North Korea’s Lazarus group responsible for the overwhelming majority of the damage. The centerpiece: a $1.5 billion theft from the Bybit exchange on or about February 21, 2025, which the FBI formally attributed to Lazarus in a public service announcement published five days later. As of May 2026, it remains the largest single cryptocurrency heist ever confirmed by a law enforcement agency.

The $606 million figure, tracked by blockchain security firms monitoring wallet movements across multiple platforms during an 18-day window in early 2025, captures a broader wave of attacks that coincided with the Bybit breach. While the FBI’s formal attribution covers only the Bybit incident, on-chain analysts at firms including Chainalysis and Elliptic have linked several concurrent thefts to wallet clusters previously associated with Lazarus operations. Those secondary attributions have not been confirmed at the government level, but the pattern is consistent with Lazarus’s known playbook of launching overlapping campaigns against multiple targets.

The Bybit breach: what the FBI confirmed

The FBI’s Internet Crime Complaint Center identified the Bybit attackers under two designations: Lazarus and TraderTraitor, both tied to the Democratic People’s Republic of Korea’s cyber apparatus. The PSA stated that approximately $1.5 billion in virtual assets were stolen and warned that the funds were already being “converted and dispersed across thousands of addresses on multiple blockchains.”

That language was not routine. By flagging the speed of the laundering operation, the FBI was effectively telling every exchange, compliance team, and blockchain analytics firm on the planet that the window for freezing assets was closing fast. Within hours of a theft this size, attackers can split funds into thousands of smaller transactions, swap tokens across chains, and route them through mixing services that sever the link between stolen coins and their origin.
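The dispersal pattern the FBI describes, funds split from a staging address into many destinations within minutes, is exactly what exchange compliance teams and analytics firms hunt for when deciding which addresses to flag or freeze. The following Python sketch is an added example, not code from the article or from any of the firms it names: it runs two defender-side checks over a small constructed ledger (the `hot-wallet`, `stage-1`, `split-*`, `bridge-in` and `payout` addresses and all amounts are made up). `detect_fanout` flags a source that sends to many distinct addresses inside a short window, and `trace_dispersal` follows tainted funds forward, hop by hop, honouring transaction order so a transfer that left an address before the stolen funds arrived is not counted.

```python
"""Fan-out detection and forward taint tracing over a constructed ledger.

Added example (not from the article). The ledger below is constructed
sample data, not real on-chain records; address names are placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Transfer:
    ts: int        # unix seconds (constructed)
    src: str
    dst: str
    amount: float  # single nominal unit


# Constructed ledger: one theft staged through "stage-1" and split six ways
# inside 20 minutes, plus a benign payout wallet paying three customers a day.
SAMPLE: List[Transfer] = [
    Transfer(0,     "hot-wallet", "stage-1",   1000.0),
    Transfer(300,   "stage-1",    "split-a",    170.0),
    Transfer(420,   "stage-1",    "split-b",    165.0),
    Transfer(600,   "stage-1",    "split-c",    160.0),
    Transfer(780,   "stage-1",    "split-d",    170.0),
    Transfer(900,   "stage-1",    "split-e",    165.0),
    Transfer(1500,  "stage-1",    "split-f",    170.0),
    Transfer(5000,  "split-a",    "bridge-in",  170.0),
    Transfer(0,     "payout",     "cust-1",       5.0),
    Transfer(30000, "payout",     "cust-2",       7.5),
    Transfer(70000, "payout",     "cust-3",       2.0),
]


def detect_fanout(transfers: List[Transfer], window_s: int = 3600,
                  min_outputs: int = 5) -> Dict[str, Tuple[int, int, float]]:
    """Flag sources that pay >= min_outputs distinct destinations within any
    window_s-second span. Returns {src: (window_start_ts, n_dst, total_out)}
    for the widest fan-out seen per source."""
    by_src: Dict[str, List[Transfer]] = defaultdict(list)
    for t in transfers:
        by_src[t.src].append(t)
    flagged: Dict[str, Tuple[int, int, float]] = {}
    for src, outs in by_src.items():
        outs.sort(key=lambda t: t.ts)
        lo = 0
        for hi in range(len(outs)):
            # Slide the window start forward until it spans <= window_s.
            while outs[hi].ts - outs[lo].ts > window_s:
                lo += 1
            window = outs[lo:hi + 1]
            dsts = {t.dst for t in window}
            if len(dsts) >= min_outputs:
                total = sum(t.amount for t in window)
                prev = flagged.get(src)
                if prev is None or len(dsts) > prev[1]:
                    flagged[src] = (outs[lo].ts, len(dsts), total)
    return flagged


def trace_dispersal(transfers: List[Transfer], seed: str,
                    max_hops: int = 3) -> List[Set[str]]:
    """Follow funds forward from `seed`. Only transfers that leave an address
    at or after the tainted funds arrived there are followed, so unrelated
    earlier outflows are ignored. Returns one address set per hop; hop 0 is
    the seed itself."""
    out_edges: Dict[str, List[Transfer]] = defaultdict(list)
    for t in transfers:
        out_edges[t.src].append(t)
    arrival: Dict[str, float] = {seed: float("-inf")}  # earliest taint time
    hops: List[Set[str]] = [{seed}]
    frontier: Set[str] = {seed}
    for _ in range(max_hops):
        nxt: Set[str] = set()
        for addr in frontier:
            for t in out_edges[addr]:
                if t.ts >= arrival[addr] and t.dst not in arrival:
                    arrival[t.dst] = t.ts
                    nxt.add(t.dst)
        if not nxt:
            break
        hops.append(nxt)
        frontier = nxt
    return hops


if __name__ == "__main__":
    for src, (start, n, total) in detect_fanout(SAMPLE).items():
        print(f"fan-out: {src} -> {n} addresses from t={start}, {total} units")
    for depth, addrs in enumerate(trace_dispersal(SAMPLE, "hot-wallet")):
        print(f"hop {depth}: {sorted(addrs)}")
```

Run as a script it reports `stage-1` as the only fan-out source (six destinations, 1000 units) and lists the addresses reached at each hop from `hot-wallet`; the `payout` wallet is never flagged because its three transfers are spread over a day. The thresholds (`window_s`, `min_outputs`) are assumptions for the constructed data, not figures from the article, and a production system would tune them against normal exchange payout behaviour to keep false positives down.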

Bybit, which at the time processed billions of dollars in daily trading volume, did not dispute the FBI’s characterization. The $1.5 billion loss surpassed the previous record holder, the roughly $620 million Ronin Network hack of March 2022, which U.S. authorities also attributed to Lazarus. For a single threat actor to hold both records underscores how far ahead of the industry’s defenses Pyongyang’s hackers have moved.

Lazarus’s decade-long escalation

The Bybit theft did not emerge from nowhere. Lazarus has been targeting financial infrastructure since at least 2016, when the group attempted to steal nearly $1 billion from Bangladesh Bank by exploiting the SWIFT interbank messaging system. That operation netted roughly $81 million before a typo in a transfer request triggered scrutiny and halted further withdrawals.

Since then, the group has shifted heavily toward cryptocurrency, where transactions are irreversible and regulatory oversight is fragmented. The U.S. Department of the Treasury, the FBI, and allied governments have linked Lazarus to a string of exchange and protocol breaches, including the $620 million Ronin hack and a $100 million theft from Harmony’s Horizon Bridge in June 2022. Each successive attack has been larger and faster than the last, suggesting the group is refining both its intrusion techniques and its laundering infrastructure.

The 18-day burst of activity in early 2025 fits that trajectory. If the $606 million aggregate tracked by blockchain analysts holds up under further scrutiny, it would represent a pace of theft that no private-sector security team can absorb without significant losses reaching customers.

What remains unknown

Several critical questions are still unanswered more than a year after the Bybit breach. The FBI’s PSA did not disclose the attack vector. Whether Lazarus compromised Bybit through a supply chain attack, a social engineering campaign aimed at employees, or a smart contract exploit has not been publicly confirmed. Each scenario carries different implications for other exchanges trying to assess their own exposure.

The net amount that ultimately reaches North Korea’s government is also unclear. Laundering cryptocurrency at scale involves transaction fees, exchange rate slippage, and the risk that some wallets will be flagged and frozen before funds can be extracted. The gross theft figure and the usable proceeds are never the same number, and no public source has reliably quantified the gap for the Bybit case.

The breakdown of the $606 million across specific platforms beyond Bybit has not been confirmed through official channels either. Blockchain analytics firms have published assessments linking Lazarus-associated wallets to activity on several exchanges during the same period, but those findings rely on pattern matching and on-chain forensics rather than the intelligence community validation behind the FBI’s Bybit attribution. Readers should treat the broader figure as credible but not yet confirmed to the same standard.

What exchanges and users should take from this

For anyone holding assets on a centralized exchange, the practical lesson is blunt. Once a breach of this scale occurs, individual depositors have almost no time to act. The FBI’s warning about rapid fund dispersal means that by the time a hack becomes public, the money is often already fragmenting across blockchains.

Moving assets to self-custody wallets, spreading holdings across multiple platforms, and enabling hardware-based two-factor authentication can reduce exposure to a single catastrophic failure. None of these steps eliminate risk, but they shrink the blast radius.

Exchanges themselves face a harder reckoning. The Bybit incident demonstrated that perimeter defenses are not enough against a state-backed adversary with years of experience breaching financial systems. Regular red-team exercises, strict access controls on hot wallets, and rapid incident response playbooks are now baseline requirements. Any platform handling billions in customer deposits must assume it is a high-priority Lazarus target and build its architecture around that assumption.

Regulators are under pressure too. Each successful theft attributed to a sanctioned state actor raises questions about whether existing anti-money-laundering and know-your-customer frameworks can keep pace with cross-chain swaps and decentralized protocols. But overly rigid rules risk pushing activity into less regulated venues, where both investors and investigators have fewer tools. Striking that balance has become one of the defining policy challenges in digital finance.

Why the Bybit heist still matters in 2026

More than a year after the breach, the Bybit case continues to shape how the cryptocurrency industry thinks about security, regulation, and the geopolitical dimensions of digital money. The same properties that allow value to move globally in minutes also let a sanctioned government bypass traditional financial controls at a scale that was unimaginable a decade ago.

For anyone who suspects exposure to the Bybit theft or related Lazarus activity, the FBI maintains regional offices that coordinate with cyber squads and international partners. Contact information is available through the bureau’s field office directory. The odds of full recovery drop sharply once stolen assets pass through mixers and cross-chain bridges, but timely reporting can still help disrupt laundering routes and support future enforcement actions.

Until the industry builds defenses that match the persistence and sophistication of groups like Lazarus, every major exchange hack will carry consequences far beyond the platform that was breached. For North Korea, each successful theft is not just a payday. It is proof of concept that programmable money can fund a sanctioned weapons program faster than any diplomat or regulator can respond.