Demystifying the North Korean Threat
2025-04-01 • Paradigm
https://www.paradigm.xyz/2025/03/demystifying-the-north-korean-threat
Paradigm uses the Bybit theft to explain how DPRK cryptocurrency operations are organized and how the different clusters linked to the RGB (North Korea's Reconnaissance General Bureau) target the industry. The report says the February 2025 Bybit incident involved a compromise of Safe{Wallet} infrastructure and a malicious JavaScript payload built specifically to target Bybit's cold wallet, rather than only compromised multisig signers. It distinguishes Lazarus, AppleJeus, APT38, DangerousPassword, and TraderTraitor activity, and notes that TraderTraitor was linked to major crypto thefts such as the Axie Infinity and Rain.com incidents. The source is a threat-modeling overview for crypto defenders, emphasizing social engineering, infrastructure compromise, and abuse of signer and wallet workflows.