The $1.5B Bybit Hack: The Era of Operational Security Failures Has Arrived
2025-02-21 • Trailofbits
Trail of Bits frames the February 2025 Bybit theft as an operational-security compromise rather than a smart-contract exploit: attackers allegedly manipulated what the multisig signers saw while collecting valid approvals, so the on-chain logic held and it was the approval process that was subverted. The article connects the Bybit loss to the earlier WazirX and Radiant Capital incidents and cites ZachXBT's analysis tying the Bybit attack to North Korea. It attributes the broader capability to DPRK state-sponsored groups tracked as TraderTraitor, Jade Sleet, UNC4899, and Slow Pisces under the Reconnaissance General Bureau. The source describes a repeatable playbook built around social engineering, compromised employee devices, cross-platform malware, persistence, payload download, and interface manipulation against cryptocurrency signing workflows.
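The failure mode the post describes, as an added illustration that is not code from Trail of Bits, Bybit, or any wallet vendor: a signing front end renders one transaction to the signer while submitting the digest of a different one, so every approval it collects is cryptographically valid but for the wrong payload. The `Tx` fields, the sample addresses, and the SHA-256-over-canonical-JSON digest are constructed stand-ins (a real multisig signs a domain-separated structured hash), and `SigningUI`, `approve_trusting_ui` and `approve_after_verification` are names chosen here. The defence it demonstrates is the one a practitioner wants regardless of the exact scheme: recompute the digest from transaction fields obtained through a channel the UI does not control, and refuse to sign on mismatch.

```python
"""
Added illustration of a UI-manipulated multisig approval and the
independent-verification check that catches it. Not code from the
Trail of Bits post, Bybit, or any wallet; the digest construction and all
sample values are simplified, constructed stand-ins.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Optional


@dataclass(frozen=True)
class Tx:
    to: str      # destination address (constructed sample values below)
    value: int   # amount in the smallest unit
    data: str    # hex-encoded calldata
    nonce: int   # multisig nonce, prevents replay


def tx_digest(tx: Tx) -> str:
    """Digest the signers actually sign. Simplified stand-in: canonical JSON
    of every field, then SHA-256. Any field change changes the digest."""
    canonical = json.dumps(asdict(tx), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class SigningUI:
    """Front end that renders `displayed` but asks signers to approve
    `actual`. An honest UI has displayed == actual; a compromised one
    decouples the two."""

    def __init__(self, displayed: Tx, actual: Tx) -> None:
        self.displayed = displayed
        self.actual = actual

    def render(self) -> Tx:
        return self.displayed

    def digest_to_sign(self) -> str:
        return tx_digest(self.actual)


def approve_trusting_ui(ui: SigningUI) -> str:
    """Signer who reads the rendered transaction, finds it benign, and
    approves whatever digest the UI hands over. Returns the approved digest."""
    _ = ui.render()  # looks fine, but is never reconciled with the digest
    return ui.digest_to_sign()


def approve_after_verification(ui: SigningUI, independent: Tx) -> Optional[str]:
    """Signer who obtained the transaction fields through a channel the UI
    does not control (the proposer reading them out, a second tool on a
    separate device) and recomputes the digest. Signs only on a match."""
    expected = tx_digest(independent)
    if ui.digest_to_sign() != expected:
        return None  # mismatch: refuse to sign
    return expected


def demo() -> dict:
    """Constructed scenario: the displayed transaction is a routine transfer;
    the one actually submitted for signature sends different calldata to a
    different address under the same nonce."""
    benign = Tx(to="0x" + "aa" * 20, value=1_000_000, data="0x", nonce=42)
    hostile = Tx(to="0x" + "bb" * 20, value=0, data="0xdeadbeef", nonce=42)
    compromised = SigningUI(displayed=benign, actual=hostile)
    honest = SigningUI(displayed=benign, actual=benign)
    return {
        "trusting_signer_signed_hostile":
            approve_trusting_ui(compromised) == tx_digest(hostile),
        "verifying_signer_refused":
            approve_after_verification(compromised, benign) is None,
        "verifying_signer_signs_honest":
            approve_after_verification(honest, benign) == tx_digest(benign),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The check only helps if the independent channel really is independent. The post's playbook starts with compromised employee devices, so a recomputation done on the same workstation that runs the signing UI can be tampered with just as easily; in practice the comparison belongs on a device the attacker does not control, such as a hardware wallet that displays the digest it is about to sign, with the signer comparing that value against one computed elsewhere.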