TRM assessed with high confidence that North Korean hackers were behind the Bybit theft of about USD 1.5 billion in Ethereum tokens, citing substantial overlaps between attacker-controlled addresses and addresses linked to prior North Korean thefts. The attackers compromised one of Bybit’s offline cold wallets, with the source listing a possible supply-chain attack, insider threat, or sophisticated private-key compromise as explanations. TRM tagged the compromised addresses as hacked or stolen-funds addresses and created a Bybit Exploiter Feb 2025 tracking entity to follow the stolen assets in real time. The scale matters because the theft nearly doubled in one day the amount North Korean hackers were reported to have stolen across 2024.