A notorious state-sponsored North Korean APT group was behind the world’s largest cryptocurrency heist late last week, the FBI has confirmed.

A brief Public Service Announcement (PSA) issued by the law enforcement agency on February 26 attributed the attack on cryptocurrency exchange Bybit to the “TraderTraitor” group (aka Lazarus, APT38, BlueNoroff, and Stardust Chollima).

“TraderTraitor actors are proceeding rapidly and have converted some of the stolen assets to Bitcoin and other virtual assets dispersed across thousands of addresses on multiple blockchains,” it warned.

“It is expected these assets will be further laundered and eventually converted to fiat currency.”

The FBI’s attribution is consistent with Infosecurity reporting following the incident, which cited a report from London-based blockchain analysis firm Elliptic.

“Elliptic has attributed the Bybit theft to North Korea's Lazarus Group, based on various factors, including our analysis of the laundering of the stolen crypto assets,” the firm said at the time.

“Lazarus Group has developed a powerful and sophisticated capability to not only breach target organisations and steal crypto assets, but also to launder these proceeds through thousands of blockchain transactions.”

The North Korean threat actors are currently thought to be working through the second of a two-stage money laundering process.

The first stage is to exchange stolen tokens for a "native" blockchain asset like Ether, which can’t be frozen, while the second involves “layering” the stolen funds in order to obfuscate the transaction trail.

Within just two hours of the heist, the stolen funds were sent to 50 different wallets, which were subsequently emptied. The funds will then likely be routed via various channels in order to further throw investigators off the scent and confound efforts to block the actors from cashing out, Elliptic explained.

These channels include decentralized (DeFi) and centralized exchanges, cross-chain bridges, crypto mixers and an exchange called eXch, which allows users to swap crypto assets anonymously.

FBI Urges Crypto Community to Take Action

The FBI urged the community to come together to help stop the North Korean group from converting the stolen crypto to fiat currency.

“FBI encourages private sector entities including RPC node operators, exchanges, bridges, blockchain analytics firms, DeFi services, and other virtual asset service providers to block transactions with or derived from addresses TraderTraitor actors are using to launder the stolen assets,” it said.

Its PSA listed around 50 Ethereum addresses apparently used by Lazarus during its money laundering activity.

Bybit has offered a reward of 10% of any recovered funds to anyone who can help it recover some of the $1.46bn in cryptocurrency stolen by Lazarus.