Bybit hack traced to North Korea’s Lazarus Group

Investigators pieced together wallet movements, identifying patterns consistent with state-sponsored hacking groups

By Joanna Buenconsejo, Feb. 25th, 10am
Dubai-based crypto exchange Bybit experiences the largest crypto hack in history
North Korean hackers tricked Bybit's cold wallet signers into approving malicious transactions that swapped the wallet's security controls for fake ones. Photo: Unsplash / Appshunter.io

North Korea's Lazarus Group is believed to be behind the roughly $1.4 billion theft from crypto exchange Bybit on Friday, the largest hack in crypto history. Investigators say the group laundered the stolen funds through Solana wallets and memecoin scams, raising fresh concerns about state-sponsored cybercrime.

Tracing the hackers: North Korean Lazarus Group

Shortly after the hack, while Bybit focused on recovery efforts, crypto detective ZachXBT identified the Lazarus Group—a notorious cybercrime crew tied to North Korea—as the likely culprits. Known for attacks like the Sony Pictures breach (linked to the film The Interview), the group has been active since 2009.

Blockchain analytics firm Chainalysis, which is working with Bybit to recover the stolen assets, said the attack began with social engineering. The hackers tricked Bybit's cold wallet signers into approving malicious transactions, which let them replace the wallet's legitimate logic with a malicious version under their control. During what looked like a routine transfer, the attackers rerouted approximately 401,000 ETH, valued at nearly $1.5 billion, to their own addresses.
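The failure described above is a signer approving something other than the routine transfer they believed they were approving. As an added example (not Bybit's, Chainalysis's or any wallet vendor's code), here is a pre-signing policy check that decides from the raw transaction fields rather than from whatever an approval screen displays. The field names (to, value, data, operation, as in common Ethereum multisig contracts), the allowlist, the per-transaction ceiling and both sample transactions are constructed assumptions; the article does not name Bybit's wallet software.

```python
"""Pre-signing policy check for a multisig cold-wallet transaction.

Added example: not Bybit's, Chainalysis's or any wallet vendor's code.
Assumptions (the article does not name Bybit's wallet software):
  * a transaction has the fields to / value / data / operation, as in
    common Ethereum multisig contracts;
  * the allowlist, the per-transaction ceiling and both sample
    transactions below are constructed for illustration.
"""
from dataclasses import dataclass

CALL = 0          # ordinary call into `to`
DELEGATECALL = 1  # runs `to`'s code inside the wallet's own storage context,
                  # so it can rewrite the wallet's own state and logic

# Constructed allowlist: the only destinations a routine transfer may target.
# Stored lowercase so comparisons do not depend on checksum casing.
ALLOWED_DESTINATIONS = {
    "0x1111111111111111111111111111111111111111",  # hypothetical warm wallet
    "0x2222222222222222222222222222222222222222",  # hypothetical hot wallet
}
MAX_WEI_PER_TX = 30_000 * 10**18  # hypothetical ceiling: 30,000 ETH per transaction


@dataclass(frozen=True)
class MultisigTx:
    to: str
    value: int        # wei
    data: bytes       # calldata; empty for a plain ETH transfer
    operation: int    # CALL or DELEGATECALL


def check_before_signing(tx: MultisigTx) -> list[str]:
    """Return policy violations for `tx`; an empty list means it may be signed.

    Every decision is made from the raw fields the signer is about to authorise,
    never from what a wallet interface displays, so a tampered approval screen
    cannot hide what the transaction actually does.
    """
    problems: list[str] = []
    if tx.operation != CALL:
        problems.append("operation is DELEGATECALL: executes foreign code in the wallet's own context")
    if tx.data:
        problems.append(f"non-empty calldata ({len(tx.data)} bytes): not a plain ETH transfer")
    if tx.to.lower() not in ALLOWED_DESTINATIONS:
        problems.append(f"destination {tx.to} is not on the allowlist")
    if tx.value > MAX_WEI_PER_TX:
        problems.append(f"value {tx.value / 10**18:.0f} ETH exceeds the per-transaction ceiling")
    return problems


def matches_intent(tx: MultisigTx, intended_to: str, intended_value_wei: int) -> bool:
    """True only if the raw transaction is exactly the transfer the signer intends."""
    return (
        tx.to.lower() == intended_to.lower()
        and tx.value == intended_value_wei
        and tx.data == b""
        and tx.operation == CALL
    )


# Constructed sample: what a routine cold-to-warm top-up looks like.
ROUTINE_TRANSFER = MultisigTx(
    to="0x1111111111111111111111111111111111111111",
    value=1_000 * 10**18,
    data=b"",
    operation=CALL,
)

# Constructed sample: a transaction that changes the wallet's logic rather than
# moving funds. The calldata is a made-up 4-byte selector plus one 32-byte word.
SUSPICIOUS_TX = MultisigTx(
    to="0x9999999999999999999999999999999999999999",
    value=0,
    data=bytes.fromhex("deadbeef") + bytes(32),
    operation=DELEGATECALL,
)

if __name__ == "__main__":
    for name, tx in (("routine", ROUTINE_TRANSFER), ("suspicious", SUSPICIOUS_TX)):
        problems = check_before_signing(tx)
        verdict = "OK to sign" if not problems else "REFUSE: " + "; ".join(problems)
        print(f"{name}: {verdict}")
```

The point of the design is that each signer runs this against the bytes they are actually signing, on a device independent of the system that presented the request. A transfer that moves zero value, carries calldata, and runs as a delegatecall fails three checks at once, however legitimate it looked on screen.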

Arkham Intelligence confirmed ZachXBT’s findings, offering a bounty of 50K ARKM (approximately $32,000) for identifying the hackers. Arkham shared on X, “[ZachXBT’s] submission included a detailed analysis of test transactions and connected wallets used ahead of the exploit, as well as multiple forensic graphs and timing analyses.”

ZachXBT found links between the Bybit hack and other recent heists, including the $69 million Phemex hack and the $52 million BingX attack.

Chainalysis noted that the hackers used decentralized exchanges (DEXs), cross-chain bridges, and no-KYC instant swap services to convert and launder the stolen crypto, a tactic designed to evade detection. A significant portion of the funds remains dormant across various wallets, a strategy often used by North Korean hackers to wait until scrutiny dies down.

How Bybit responded to crypto’s biggest hack

Bybit’s CEO, Ben Zhou, took to X to explain what happened: “Hacker took control of the specific ETH cold wallet we signed and [transferred] all ETH in the cold wallet to this unidentified address.” Cold wallets keep their private keys offline, unlike hot wallets, whose keys live on internet-connected systems and are generally more exposed. Offline keys protect against key theft, but they do not help when the people holding the keys are tricked into signing a malicious transaction, which is what happened here.

Zhou said that Bybit’s warm, hot, and other cold wallets were unaffected. Despite the billion-dollar loss, Bybit responded swiftly. Zhou told users on X that even if the losses weren’t recovered, client assets were fully backed 1:1. “We can cover the loss,” he added.

Just two days after the hack, Zhou announced that Bybit had “fully closed the ETH gap”, meaning the shortfall created by the theft. The exchange sourced the funds through whale deposits, ETH purchases, and loans. “Bybit is again back to 100% 1:1 client assets through merkle tree,” he shared.

Industry and community reactions

The crypto community reacted positively to Bybit’s transparency and swift action. X user rachel.btc remarked, “This is textbook-level crisis management. While monitoring the situation, we have also learned a lot from you. Congrats!”

Ahmed Mir, CEO and founder of Carter Capital, also told The Crypto Radio, “The way that [Bybit] reacted and responded to what’s happened, I think, is incredibly positive.”

Chainalysis reported that more than $40 million of the stolen funds have already been frozen through collaborative efforts with industry partners. Bybit has also launched a recovery bounty program, offering up to 10% of any recovered funds as an incentive.

Lessons for crypto security

Bybit’s case shows where crypto custody actually fails: the keys stayed offline, yet the people authorised to use them approved a transaction that did something other than what they intended. The industry’s growth has attracted both investors and criminals, making asset protection essential. Bybit’s fast response limited the damage, but preventive measures matter more: independently decoding what a transaction will do before it is signed, monitoring outbound transfers from cold wallets in real time, and working with blockchain analytics and security firms so that stolen funds can be traced and frozen quickly.

With state-sponsored groups like Lazarus evolving their methods, the crypto industry must stay one step ahead to protect both retail investors and institutional platforms.
