FBI urges crypto community to avoid laundering funds from Bybit hack

The FBI is encouraging the private sector to help contain the $1.5 billion in cryptocurrency stolen from the Bybit exchange last week by North Korean hackers.

The bureau posted an alert Wednesday attributing the incident to a threat actor known as TraderTraitor or Lazarus, following similar assessments by cybersecurity researchers.

The FBI provided a list of Ethereum wallet addresses associated with the attack and urged anyone handling virtual assets to be vigilant about potential interactions with them.  

“TraderTraitor actors are proceeding rapidly and have converted some of the stolen assets to Bitcoin and other virtual assets dispersed across thousands of addresses on multiple blockchains,” the alert said. “It is expected these assets will be further laundered and eventually converted to fiat currency.”

Blockchain intelligence company TRM Labs said Thursday that about $400 million had been laundered already. 

“Beyond the sheer scale of the Bybit hack, the speed at which the stolen funds are being laundered is particularly alarming,” the company said. 

The wallet service Safe confirmed on Wednesday that the attack “was conducted by compromising a Safe Wallet developer machine which affected an account operated by Bybit” and said it “added security measures to eliminate the attack vector.”

Bybit is offering up to $140 million in bounties to anyone who can prove they have frozen funds from the attack. As of Thursday morning, 12 “hunters” had been awarded about $4.2 million. CEO Ben Zhou released a preliminary report on the incident from incident response company Sygnia and financial security firm Verichains.

Operators of remote procedure call (RPC) nodes — servers that connect applications to blockchains — as well as crypto exchanges, decentralized finance (DeFi) services and other entities should “block transactions with or derived from addresses TraderTraitor actors are using to launder the stolen assets,” the FBI said.


Joe Warminsky is the news editor for Recorded Future News. He has more than 25 years of experience as an editor and writer in the Washington, D.C., area. He previously helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.

 
