One year ago this past Friday, a group of North Korean hackers operating under the codename TraderTraitor executed the largest cryptocurrency heist in history. In a single transaction on February 21, 2025, the Lazarus Group drained approximately 401,000 Ethereum tokens, worth $1.46 billion, from the Dubai-based exchange Bybit. The attackers exploited a vulnerability in the user interface of Safe Wallet, a widely trusted multi-signature platform, embedding malicious code into the frontend software to make a routine cold-to-warm wallet transfer appear legitimate while redirecting the funds to wallets they controlled.
Bybit survived. Within 72 hours, CEO Ben Zhou orchestrated emergency loans and deposits from firms including Galaxy Digital, FalconX, and Wintermute, securing nearly 447,000 Ether tokens to replenish reserves and prevent a bank run. The exchange did not miss a single withdrawal. By any measure of crisis management, it was an extraordinary response.
But the anniversary is not a story about resilience. It is a story about how little has changed.
The Numbers That Should Alarm Every Crypto Investor
According to blockchain analytics firm Chainalysis, total cryptocurrency theft reached $3.4 billion in 2025, with North Korea-linked actors responsible for more than $2 billion of that figure. The Bybit heist was the crown jewel, but it was far from the only operation. The regime executed dozens of smaller attacks throughout the year, targeting decentralized finance protocols, cross-chain bridges, and centralized exchanges with equal opportunism.
The cumulative toll is staggering. North Korea's known cryptocurrency haul now exceeds $6 billion, according to estimates compiled by the FBI and corroborated by firms like Elliptic and TRM Labs. These proceeds are widely believed to fund the regime's nuclear weapons and ballistic missile programs, transforming what might otherwise be dismissed as cybercrime into a matter of international security.
Early 2026 data offers no comfort. Elliptic recorded roughly twice as many exploits in January 2026 as during the same month a year earlier, suggesting that the operational tempo is accelerating rather than decelerating. The hackers are not slowing down because they have no reason to. Only 3% of the funds stolen in the Bybit hack, approximately $42 million, have been frozen. That figure has not meaningfully increased in the twelve months since the attack.
How the Laundering Machine Works
The sophistication of North Korea's laundering apparatus is what separates it from ordinary cybercrime. Within hours of the Bybit theft, the stolen Ethereum was converted to Bitcoin and dispersed across thousands of addresses on multiple blockchains. The attackers used a combination of decentralized exchanges, cross-chain bridges, and mixing services to obscure the trail, moving funds through a labyrinth of transactions designed to overwhelm investigators.
TRM Labs, which tracked the movement of funds in real time, identified a pattern that has become Lazarus Group's signature: rapid conversion from the stolen asset to Bitcoin, followed by distribution across hundreds of intermediate wallets, then gradual consolidation into fresh addresses for eventual conversion to fiat currency through over-the-counter brokers in jurisdictions with weak anti-money laundering enforcement.
The entire process, from theft to cash-out, can take only weeks for smaller amounts, though larger sums like the Bybit haul are laundered over months. The FBI issued a public service announcement in February 2025 asking cryptocurrency service providers to block transactions associated with addresses linked to the hack, but the voluntary nature of the request limited its effectiveness.
The Regulatory Response Has Been Fragmented at Best
The Bybit hack was supposed to be a watershed moment for crypto security regulation. In March 2025, the Center for Strategic and International Studies published a detailed analysis arguing that the heist exposed fundamental weaknesses in the regulatory framework governing digital asset custody. The report recommended mandatory security audits for exchanges, standardized cold wallet protocols, and international cooperation agreements specifically targeting state-sponsored crypto theft.
Twelve months later, virtually none of those recommendations have been implemented at a legislative level. The CLARITY Act, which would establish America's first comprehensive cryptocurrency regulatory framework, has stalled in the Senate amid partisan disagreements over jurisdiction between the SEC and the CFTC. Without a federal standard, exchanges continue to operate under a patchwork of state-level regulations that vary wildly in their security requirements.
Internationally, the response has been similarly fragmented. While the United Nations Panel of Experts on North Korea has documented the regime's crypto theft operations in exhaustive detail, the sanctions mechanisms designed to punish state-sponsored hacking have proven ineffective against actors who operate entirely in the digital realm. You cannot freeze bank accounts that do not exist in the traditional financial system.
What Investors Need to Understand
For individual investors holding cryptocurrency, the Bybit anniversary carries a practical lesson that extends beyond geopolitics. The attack succeeded not because Bybit had poor security, but because the attackers found a vulnerability in a third-party tool that Bybit trusted. The Safe Wallet interface had been audited multiple times. The malicious code was injected into a software update that appeared routine. The multi-signature approval process, designed to prevent exactly this kind of theft, was rendered useless because the attackers manipulated what the signers saw on their screens.
This means that the security of your crypto holdings depends not just on the exchange you use or the wallet you choose, but on the entire supply chain of software that touches your assets. Every dependency, every integration, every third-party library is a potential attack surface. The industry has made progress on some fronts, with several major exchanges adopting air-gapped signing devices and hardware-enforced transaction verification in the wake of the Bybit breach. But the fundamental asymmetry remains: defenders must protect every link in the chain, while attackers need to find only one weakness.
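The failure described above is a mismatch between what signers were shown and what they actually approved. The added example below, which is not code from Bybit or Safe, checks a raw transaction payload against the displayed transfer on a path independent of the wallet interface; the field names follow Safe's transaction structure, it also covers ERC-20 transfers beyond the ETH case in the text, and all addresses, the allowlist and the sample payloads are constructed.

```python
# Added example; field names (to, value, data, operation) follow Safe's transaction structure.
ERC20_TRANSFER = "a9059cbb"          # selector of transfer(address,uint256)
CALL = 0                             # Safe "operation": 0 = call, 1 = delegatecall
WARM = "0x" + "11" * 20              # constructed: the intended warm wallet
OTHER = "0x" + "ee" * 20             # constructed: an address not on the allowlist
TOKEN = "0x" + "aa" * 20             # constructed: a token contract
ALLOWLIST = {WARM}


def decode_erc20_transfer(data_hex):
    """Return (recipient, amount) for an ERC-20 transfer call, else None."""
    data = data_hex.lower().removeprefix("0x")
    if len(data) != 8 + 128 or not data.startswith(ERC20_TRANSFER):
        return None
    return "0x" + data[32:72], int(data[72:], 16)  # address is the low 20 bytes of word 1


def check_payload(shown, raw, allowlist=ALLOWLIST):
    """Compare the transfer the UI showed with the raw payload; return findings."""
    findings = []
    if raw["operation"] != CALL:
        findings.append("operation is not a plain call")
    if shown["asset"] == "ETH":      # native transfer: no calldata expected
        payee, amount = raw["to"].lower(), raw["value"]
        if raw["data"] not in ("", "0x"):
            findings.append("unexpected calldata on a native transfer")
    else:                            # token transfer: the payee lives in calldata
        decoded = decode_erc20_transfer(raw["data"])
        if raw["to"].lower() != shown["asset"].lower() or raw["value"] != 0:
            findings.append("target is not the displayed token contract")
        if decoded is None:
            findings.append("calldata is not an ERC-20 transfer")
            return findings
        payee, amount = decoded
    if payee != shown["to"].lower():
        findings.append("payee differs from what was displayed")
    if amount != shown["amount"]:
        findings.append("amount differs from what was displayed")
    if payee not in allowlist:
        findings.append("payee is not on the allowlist")
    return findings


# Constructed samples: what the UI displayed, a matching payload, a mismatching one.
SHOWN = {"asset": "ETH", "to": WARM, "amount": 10**18}
MATCHING = {"to": WARM, "value": 10**18, "data": "0x", "operation": 0}
MISMATCH = {"to": OTHER, "value": 10**18, "data": "0xdeadbeef", "operation": 1}

if __name__ == "__main__":
    print(check_payload(SHOWN, MATCHING), check_payload(SHOWN, MISMATCH))
```

A check like this only helps if the raw payload is obtained and evaluated outside the interface being checked, for example on the signing device or a separate verification host.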
The Year Ahead
North Korea's crypto theft program is not a side operation. It is a core component of the regime's economic survival strategy, generating revenue that rivals the country's legitimate export income. As long as cryptocurrency markets remain liquid, globally accessible, and unevenly regulated, the incentive for state-sponsored theft will continue to grow.
The industry's best hope lies not in preventing every attack, which is likely impossible given the sophistication of the adversary, but in making laundering so difficult and so slow that the economic return on each operation diminishes. That requires faster international cooperation, mandatory participation in blockchain analytics programs, and regulatory standards that treat exchange security with the same seriousness applied to traditional financial institutions.
None of that existed a year ago. Very little of it exists today. And the hackers who pulled off the biggest crypto heist in history are already planning their next operation.