On February 21, 2025, news broke of a staggering $1.5 billion theft from the Bybit exchange — a heist reportedly orchestrated by a criminal enterprise the United States Department of Justice has alleged is controlled by the North Korean government. This ranks as the largest cryptocurrency theft in history, yet it has received remarkably little attention outside the cryptocurrency community. Given its scale and sophistication, this incident not only underscores the growing security threats in the crypto space but also highlights broader national security concerns. Why, then, isn’t this dominating headlines?

The implications go beyond financial loss. If North Korea is indeed behind this, the theft demonstrates its continued capacity to exploit emerging technologies to circumvent international sanctions and fund its regime. This should prompt serious discussions about cybersecurity, international law, and national security strategies.

This would be a good place for some disclosures: I don’t consider myself a cryptocurrency expert, but I maintain a strong interest in technology and the blockchain space. My insights are often shaped by conversations with my sons: Jordan Suarez, a University of Miami College of Law graduate and technology entrepreneur with deep expertise in cryptocurrency (a true subject matter expert), and Bradley, a CPA, first-year law student at George Washington University and first-rate thinker (my Experts). Their perspectives have helped me better grasp the complexities of digital assets, countering threats from bad actors, and preserving the privacy and freedom inherent in decentralized finance.

This incident warrants more scrutiny and debate, not only within tech circles but also at the national security level. In short, it should be a big deal and yet it is not. On the day I wrote this, not a single article had been written about the heist in the Wall Street Journal or The Economist.

A Detailed Breakdown of the Bybit Heist

As the largest cryptocurrency heist in history, the Bybit theft surpasses even the direst predictions in the TRM Labs 2025 Crypto Crime Report. The implications are profound. Cybersecurity researchers, including TRM Labs and Chainalysis, have linked the theft to the Lazarus Group. The hackers accessed Bybit’s user interface through phishing attacks on cold wallet signers, tricking them into approving transactions that replaced the Safe’s multi-signature wallet implementation contract with a malicious version. This allowed the attackers to reroute the stolen cryptocurrency tokens to wallets they controlled.

The stolen tokens were then converted to ETH and laundered through a complex network of decentralized exchanges (DEXs) and cross-chain bridges. The Lazarus Group converted the stolen tokens to ETH because tokens have issuers who can freeze wallets, whereas ETH and Bitcoin cannot be frozen by any central authority.

Bybit has offered a 10% bounty for recovered funds but has only managed to recoup a meager $42.9 million.

Legal Implications of Cryptocurrency Theft

A significant portion of the stolen funds remains idle across multiple addresses—a common tactic used by North Korea-affiliated hackers to wait out the intense scrutiny that follows high-profile breaches. Eventually, however, the perpetrators will likely attempt to convert the stolen cryptocurrency into fiat currency (e.g., U.S. dollars). When that happens, the recipient of the fiat currency can be identified, potentially unraveling the criminal network. Unfortunately, this could take decades.

The question then arises: because everything on the blockchain is visible, including the stolen ETH, how does a North Korean criminal enterprise utilize stolen cryptocurrency without exposing their identity? This is a question I posed to my Experts.

One method is through a decentralized mixer, a tool that helps you hide where your cryptocurrency comes from. Instead of sending money directly from your wallet to someone else, you send it to the mixer. The mixer then combines your money with funds from many other users. When you withdraw your funds to a new wallet, they are mixed up with the others, so it’s very hard for anyone to figure out which coins came from you.

Another is using overseas decentralized exchanges (DEXs), cross-chain bridges, and no-KYC exchanges. These platforms’ decentralized nature and lack of robust Know Your Customer (KYC) procedures provide criminals with relative anonymity. Addressing this challenge requires stronger international cooperation and new regulatory frameworks that balance crime deterrence with individual privacy rights.

A less secure and less desirable laundering technique involves moving relatively small amounts of stolen cryptocurrencies to multiple wallets and then purchasing small-cap digital assets, such as meme coins or NFTs. The increased trading volume drives up the price, allowing the criminals to sell and transfer the proceeds to “clean” wallets. This method often incurs losses and does not shield the identity of the wallets involved in the transactions. However, using a large number of wallets and making repeated transactions before ultimately purchasing small-cap digital assets makes tracing these transactions time-consuming for investigators, effectively converting stolen, unusable funds into usable assets. That is a trade-off criminals are willing to accept.

The Bybit hack also highlights the vulnerability of cryptocurrency exchanges to sophisticated cyber-attacks, raising questions about security protocols and investor protection. As exchanges increasingly serve as custodians of digital assets, they may face legal liability for failing to safeguard user funds. This area is ripe for regulatory intervention. Just as medical providers and defense contractors are legally obligated to protect information or face statutorily created liability and regulatory penalties, Congress could enact similar legislation for cryptocurrency exchanges.

Similarly, Congress could create an FDIC-style insurance program for cryptocurrency exchanges, which could significantly bolster market stability and investor confidence by protecting consumers’ assets in the event of exchange failures or hacks. Guaranteeing deposits up to a certain amount, similar to how bank accounts are insured, would reassure investors that their money is safe even if a major crypto platform collapses, reducing the panic that often follows these incidents. However, implementing this kind of insurance faces significant challenges: regulatory hurdles are high (the crypto industry lacks a unified oversight framework), and enforcing an insurance scheme globally would be difficult, since exchanges would need to comply across jurisdictions and contribute to the insurance fund.

Whether such a program could be designed to withstand an extreme cyber-attack from North Korea or another bad actor presents a more challenging question given the scale of losses an insurer might have to cover and the national security risks at play. Nevertheless, this is an idea worth exploring. For a thoughtful exploration of this idea, Tyler Kraft’s University of Missouri law review article, Room in the Inn: How an FDIC Style Safety Net Could Provide Respite from the Crypto Winter, is a worthwhile read: https://lawreview.missouri.edu/room-in-the-inn-how-an-fdic-styled-safety-net-could-provide-respite-from-the-crypto-winter/

Another significant issue that merits exploration is the fact that cryptocurrencies are here to stay and will shape the future of finance. By holding substantial amounts of cryptocurrency, North Korea could exert influence over decentralized blockchain networks and their governing foundations, potentially shaping the future of decentralized finance. This possibility underscores the urgency of a coordinated international response.

International Legal Frameworks and Regulatory Responses

The involvement of state-sponsored actors like North Korea raises national security and international law concerns. North Korea has been known to use cryptocurrency theft to fund its weapons programs in violation of UN sanctions. Greater international cooperation is needed to address this threat, including coordinated actions by the European Union and the United Nations. Ignoring this issue is dangerously shortsighted.

Several international legal frameworks are relevant to the Bybit heist. The Financial Action Task Force (FATF) has issued guidance on virtual assets and virtual asset service providers (VASPs), requiring countries to implement regulations to combat money laundering and terrorist financing. These regulations include licensing or registration requirements, KYC obligations, and transaction monitoring.

The U.S. has also taken an active role in regulating cryptocurrency, with agencies like the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) asserting jurisdiction over certain digital assets. However, the Biden administration’s regulatory approach faced significant and, in my view, well-founded criticism for its approach to regulating the space. In my view, the administration lacked a cohesive, well-thought-out strategy and appeared more focused on controlling the industry than on fostering innovation or targeting bad actors. This critique is not political but reflects my assessment of the policy approach on this specific issue.

This brings me to an uncomfortable but necessary observation: age plays a significant role in understanding and effectively regulating this space. While experience and wisdom are invaluable, crafting effective cryptocurrency regulations requires input from younger generations who deeply understand the technology’s nuances and potential. Experienced regulators can provide valuable guidance, but the specifics should be shaped by the best and brightest of this new generation, who will ultimately live with the consequences and benefits of these policies.

It is worth noting that the Department of Justice (DOJ) has prosecuted cryptocurrency-related crimes, including money laundering and fraud, but its efforts have been insufficient. Significantly greater resources are needed to combat crime in this space. In 2024, OFAC issued 13 sanctions designations involving 86 cryptocurrency addresses; this is clearly insufficient.

Looking ahead, I am not optimistic about the direction of the Trump administration’s approach on criminal enforcement. Its early focus on redirecting resources to address illegal immigration suggests that cryptocurrency-related crime, at least for the moment, may receive even less attention. Again, this is not a political statement but rather my assessment of the administration’s priorities as currently articulated.

Recovery Mechanisms for Victims

Victims of the Bybit heist may have several potential avenues for recovery. First, they may be able to pursue legal action against Bybit, alleging negligence or breach of contract. The success of such a claim will depend on the specific terms of Bybit’s user agreement and the laws of the jurisdiction in which the claim is filed. However, it is worth noting that Bybit CEO, Ben Zhou, announced that the exchange remains solvent and that all client assets are backed at 1:1. He stated that even if the stolen funds are not recovered, Bybit can cover the loss, ensuring that customer assets are secure.

Second, victims may be able to file insurance claims if they have cryptocurrency insurance coverage. However, many cryptocurrency insurance policies have exclusions for losses caused by cyber-attacks or theft, so it is important to carefully review the terms of the policy.

Third, law enforcement agencies and blockchain analytics firms like Chainalysis and TRM Labs are working to trace and recover the stolen funds. These efforts have resulted in the seizure of millions of dollars in stolen cryptocurrency, and it is possible that additional funds may be recovered in the future.

Looking Ahead

The Bybit heist should be bigger news. It should not be a one-day news-cycle story but rather a story that needs to be talked about and kept in the headlines. It is not just a crime story and not just a financial news story. The incident exposes vulnerabilities that threaten the stability of global financial systems, highlights the growing national security risks posed by state-sponsored cybercrime, and has profound implications for the governance of the blockchains affected.

Ethereum, the primary asset targeted, fell nearly 9% before recovering slightly, still down about 6–7%. This tempered reaction, compared to past high-profile hacks, suggests growing market maturity and resilience, but I remain stunned that a crime that leads to a 7% drop in a $2.3 trillion industry garners no attention from major news sources. Again, this blind spot is dangerous.

Keeping this story in the headlines is crucial to sparking the necessary regulatory, security, and geopolitical discussions. Yet, as of this writing, the world’s leading financial daily has not published a single word about it. This glaring omission underscores a troubling disconnect between the significance of the incident and our focus and attention.

Note: I am indebted to Jordan Suarez, Bradley Suarez and Tyler Wellener for their insights and significant contributions to this post.

References

North Korea’s Lazarus hackers behind $1.4 billion crypto theft from Bybit, researchers say (https://therecord.media/lazarus-hackers-behind-bybit-crypto-heist)
Collaboration in the Wake of Record-Breaking Bybit Theft (https://www.chainalysis.com/blog/bybit-exchange-hack-february-2025-crypto-security-dprk/)
TRM Links North Korea to Record $1.5 Billion Record Hack | TRM Insights (https://www.trmlabs.com/post/trm-links-north-korea-to-record-1-5-billion-record-hack)
2025 Crypto Crime Report (https://www.trmlabs.com/2025-crypto-crime-report)
TRM – 2025 Crypto Crime Report (https://cdn.prod.website-files.com/6082dc5b670562507b3587b4/67a66929a076faf602d64b4c_TRM%202025%20Crypto%20Crime%20Report.pdf)