Bybit hack traced to North Korea’s Lazarus Group
Investigators pieced together wallet movements, identifying patterns consistent with state-sponsored hacking groups

The North Korean cybercrime group is believed to be behind the $1.4 billion theft from crypto exchange Bybit on Friday, February 21, 2025, the largest hack in crypto history. Investigators say the group has been laundering the stolen funds through Solana wallets and memecoin scams, raising fresh concerns about state-sponsored cybercrime.
Tracing the hackers: North Korean Lazarus Group
Shortly after the hack, while Bybit focused on recovery efforts, crypto detective ZachXBT identified the Lazarus Group—a notorious cybercrime crew tied to North Korea—as the likely culprits. Known for attacks like the Sony Pictures breach (linked to the film The Interview), the group has been active since 2009.
Blockchain analytics firm Chainalysis, which is working with Bybit to recover the stolen assets, said the attack began with social engineering. The attackers tricked Bybit's cold wallet signers into approving malicious transactions that replaced the wallet's smart-contract logic with attacker-controlled code. During a routine transfer, the attackers rerouted approximately 401,000 ETH, valued at nearly $1.5 billion, to their own addresses.
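As an added illustration (not code from Bybit, Safe or Chainalysis), the following Python models the control that addresses the failure just described: before a signer approves, the raw multisig transaction fields actually presented for signature are compared against the transfer the operators intended, on a device or script the web interface cannot influence. Field names follow the Safe multisig's execTransaction parameters (to, value, data, operation); every address, amount and the spoofed payload are constructed placeholders, not the real Bybit transaction.

```python
"""Independent pre-signing check for a multisig transfer (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Set

CALL = 0          # ordinary call: execute code at `to`
DELEGATECALL = 1  # execute `to`'s code inside the wallet's own storage context

# 4-byte selector of ERC-20 transfer(address,uint256)
ERC20_TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")


@dataclass(frozen=True)
class SafeTx:
    """The fields the signing device is actually asked to sign."""
    to: str
    value: int        # native ETH in wei
    data: bytes       # calldata
    operation: int    # CALL or DELEGATECALL


@dataclass(frozen=True)
class Intent:
    """What the operators meant to do, recorded out of band before signing."""
    recipient: str
    amount: int
    token: Optional[str] = None   # None = native ETH, else ERC-20 contract address


def encode_erc20_transfer(recipient: str, amount: int) -> bytes:
    """ABI-encode transfer(address,uint256): selector + 32-byte address + 32-byte amount."""
    addr = bytes.fromhex(recipient[2:]).rjust(32, b"\x00")
    return ERC20_TRANSFER_SELECTOR + addr + amount.to_bytes(32, "big")


def check_before_signing(tx: SafeTx, intent: Intent, allowlist: Set[str]) -> List[str]:
    """Return reasons to refuse; an empty list means the payload matches the intent."""
    problems: List[str] = []
    norm = str.lower
    if tx.operation != CALL:
        problems.append("operation is DELEGATECALL: foreign code would run inside the wallet")
    if norm(tx.to) not in {norm(a) for a in allowlist}:
        problems.append(f"destination {tx.to} is not allowlisted")
    if intent.token is None:
        # plain ETH transfer: `to` is the recipient and there must be no calldata
        if norm(tx.to) != norm(intent.recipient):
            problems.append("destination differs from intended recipient")
        if tx.value != intent.amount:
            problems.append(f"value {tx.value} differs from intended amount {intent.amount}")
        if tx.data:
            problems.append("unexpected calldata on a plain ETH transfer")
    else:
        # token transfer: `to` is the token contract; recipient and amount live in calldata
        if norm(tx.to) != norm(intent.token):
            problems.append("destination is not the intended token contract")
        if tx.value != 0:
            problems.append("native value attached to a token transfer")
        if len(tx.data) != 68 or tx.data[:4] != ERC20_TRANSFER_SELECTOR:
            problems.append("calldata is not ERC-20 transfer(address,uint256)")
        else:
            rcpt = "0x" + tx.data[16:36].hex()
            amt = int.from_bytes(tx.data[36:68], "big")
            if norm(rcpt) != norm(intent.recipient):
                problems.append(f"calldata recipient {rcpt} differs from intended recipient")
            if amt != intent.amount:
                problems.append(f"calldata amount {amt} differs from intended amount")
    return problems


# --- constructed sample data (placeholder addresses, not real ones) ---
WARM_WALLET = "0x" + "11" * 20
TOKEN_CONTRACT = "0x" + "22" * 20
FOREIGN_CONTRACT = "0x" + "33" * 20
ALLOWLIST = {WARM_WALLET, TOKEN_CONTRACT}

INTENT_ETH = Intent(recipient=WARM_WALLET, amount=10 * 10**18)
HONEST_TX = SafeTx(to=WARM_WALLET, value=10 * 10**18, data=b"", operation=CALL)
# what a tampered interface might present for signature while displaying the honest transfer above
SPOOFED_TX = SafeTx(to=FOREIGN_CONTRACT, value=0, data=bytes.fromhex("deadbeef"), operation=DELEGATECALL)

INTENT_TOKEN = Intent(recipient=WARM_WALLET, amount=5_000, token=TOKEN_CONTRACT)
HONEST_TOKEN_TX = SafeTx(to=TOKEN_CONTRACT, value=0,
                         data=encode_erc20_transfer(WARM_WALLET, 5_000), operation=CALL)
# right contract, right selector, wrong recipient hidden inside the calldata
SWAPPED_RECIPIENT_TX = SafeTx(to=TOKEN_CONTRACT, value=0,
                              data=encode_erc20_transfer(FOREIGN_CONTRACT, 5_000), operation=CALL)

if __name__ == "__main__":
    cases = [("honest ETH", HONEST_TX, INTENT_ETH), ("spoofed", SPOOFED_TX, INTENT_ETH),
             ("honest token", HONEST_TOKEN_TX, INTENT_TOKEN),
             ("swapped recipient", SWAPPED_RECIPIENT_TX, INTENT_TOKEN)]
    for name, tx, intent in cases:
        print(name, "->", check_before_signing(tx, intent, ALLOWLIST) or "OK to sign")
```

The check deliberately never looks at anything the web interface rendered; it only reads the fields that reach the signing device and a written intent agreed beforehand. Refusing any DELEGATECALL from a treasury wallet and any destination outside a short allowlist removes most of the ways a displayed transfer can differ from a signed one.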
Arkham Intelligence confirmed ZachXBT’s findings, offering a bounty of 50K ARKM (approximately $32,000) for identifying the hackers. Arkham shared on X, “[ZachXBT’s] submission included a detailed analysis of test transactions and connected wallets used ahead of the exploit, as well as multiple forensic graphs and timing analyses.”
BREAKING: BYBIT $1 BILLION HACK BOUNTY SOLVED BY ZACHXBT
— Arkham (@arkham) February 21, 2025
At 19:09 UTC today, @zachxbt submitted definitive proof that this attack on Bybit was performed by the LAZARUS GROUP.
His submission included a detailed analysis of test transactions and connected wallets used ahead of… https://t.co/O43qD2CM2U pic.twitter.com/jtQPtXl0C5
ZachXBT found links between the Bybit hack and other recent heists, including the $69 million Phemex hack and the $52 million BingX attack.
Chainalysis noted that the hackers moved the stolen crypto through decentralized exchanges (DEXs), cross-chain bridges, and no-KYC instant swap services to convert and launder it, hopping between chains and services to make the trail harder to follow. A significant portion of the funds remains dormant across various wallets, a pattern North Korean hackers have shown before: wait until scrutiny dies down, then cash out.
How Bybit responded to crypto’s biggest hack
Bybit’s CEO, Ben Zhou, took to X to explain what happened: “Hacker took control of the specific ETH cold wallet we signed and [transferred] all ETH in the cold wallet to this unidentified address.” Cold wallets are like offline safes for crypto, kept disconnected from the internet for extra security, unlike hot wallets, which are online and generally more exposed. A multisig cold wallet like Bybit’s also needs several signers to approve each transfer, so the attackers did not need to steal a key; it was enough to get the legitimate signers to approve a transaction that did something other than what their interface displayed.
Bybit ETH multisig cold wallet just made a transfer to our warm wallet about 1 hr ago. It appears that this specific transaction was masked, all the signers saw the masked UI which showed the correct address and the URL was from @safe . However the signing message was to change…
— Ben Zhou (@benbybit) February 21, 2025
Zhou assured everyone that Bybit’s warm, hot, and other cold wallets were unaffected. Despite the billion-dollar loss, Bybit responded swiftly. Zhou told users on X that even if the losses weren’t recovered, client assets were fully backed 1:1. “We can cover the loss,” he added.
Just two days after the hack, Zhou also announced that Bybit had “fully closed the ETH gap,” meaning it had replaced the ETH lost in the hack, using whale deposits, ETH purchases, and loans. “Bybit is again back to 100% 1:1 client assets through merkle tree,” he shared. Proof of reserves “through merkle tree” means every customer balance is hashed into a Merkle tree whose root is published together with an audited total of the exchange’s on-chain holdings, so each customer can check that their own balance was counted among the liabilities those holdings cover.
Latest Update: Bybit has already fully closed the ETH gap, new audited POR report will be published very soon to show that Bybit is again Back to 100% 1:1 on client assets through merkle tree, Stay tuned. https://t.co/QLa1vOujM6
— Ben Zhou (@benbybit) February 24, 2025
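To make the “1:1 through merkle tree” claim concrete, here is an added example of the general proof-of-reserves mechanism in Python. It is not Bybit’s own implementation or its auditor’s format; the leaf encoding, the padding rule and the five customer balances are all constructed for the illustration.

```python
"""Merkle-tree proof of reserves (added example, constructed data)."""
import hashlib
from typing import List, Tuple


def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


def leaf_hash(user_id: str, balance: int) -> bytes:
    # 0x00 prefix separates leaves from inner nodes so an inner node cannot be replayed as a leaf
    return sha256(b"\x00" + user_id.encode() + b"|" + str(balance).encode())


def node_hash(left: bytes, right: bytes) -> bytes:
    return sha256(b"\x01" + left + right)


def build_tree(leaves: List[bytes]) -> List[List[bytes]]:
    """All levels bottom-up: levels[0] are the leaves, levels[-1] is [root].
    A level with an odd number of nodes is padded by duplicating its last node."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur.append(cur[-1])  # pad in place so proof indices stay valid for this level
        levels.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def inclusion_proof(levels: List[List[bytes]], index: int) -> List[Tuple[bytes, bool]]:
    """Sibling hashes from the leaf up to the root; the flag says the sibling sits on the right."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        proof.append((level[sibling], sibling > index))
        index //= 2
    return proof


def verify_inclusion(root: bytes, user_id: str, balance: int,
                     proof: List[Tuple[bytes, bool]]) -> bool:
    """What a customer runs: recompute the root from their own balance and the published siblings."""
    cur = leaf_hash(user_id, balance)
    for sibling, sibling_on_right in proof:
        cur = node_hash(cur, sibling) if sibling_on_right else node_hash(sibling, cur)
    return cur == root


def is_fully_backed(onchain_assets: int, total_liabilities: int) -> bool:
    """The solvency half of the statement: audited on-chain holdings cover the summed leaves."""
    return onchain_assets >= total_liabilities


# --- constructed sample ledger (balances in an arbitrary base unit), not real customer data ---
BALANCES = [("alice", 12_500), ("bob", 3), ("carol", 990_000), ("dave", 41), ("erin", 7)]
LEVELS = build_tree([leaf_hash(u, b) for u, b in BALANCES])
ROOT = LEVELS[-1][0]
TOTAL_LIABILITIES = sum(b for _, b in BALANCES)

if __name__ == "__main__":
    print("published root:", ROOT.hex())
    print("total liabilities:", TOTAL_LIABILITIES)
    proof = inclusion_proof(LEVELS, 2)  # carol's path
    print("carol verifies:", verify_inclusion(ROOT, "carol", 990_000, proof))
    print("tampered balance verifies:", verify_inclusion(ROOT, "carol", 990_001, proof))
    print("backed 1:1 with exactly the liabilities on chain:",
          is_fully_backed(TOTAL_LIABILITIES, TOTAL_LIABILITIES))
```

The inclusion check only proves that a customer’s balance was counted; it says nothing about whether the exchange also holds the assets, which is why the published root travels with an audited on-chain total. A production scheme additionally has to forbid negative leaves (otherwise liabilities can be understated while every honest customer still verifies) and should salt or blind the leaves so that sibling hashes do not leak other customers’ balances.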
Industry and community reactions
The crypto community reacted positively to Bybit’s transparency and swift action. X user rachel.btc remarked, “This is textbook-level crisis management. While monitoring the situation, we have also learned a lot from you. Congrats!”
This is textbook-level crisis management. While monitoring the situation, we have also learned a lot from you. Congrats!
— rachel.btc (@rachel_alexgo) February 24, 2025
Ahmed Mir, CEO and founder of Carter Capital, also told The Crypto Radio, “The way that [Bybit] reacted and responded to what’s happened, I think, is incredibly positive.”
Chainalysis reported that more than $40 million of the stolen funds have already been frozen through collaborative efforts with industry partners. Bybit has also launched a recovery bounty program, offering up to 10% of any recovered funds as an incentive.
Lessons for crypto security
Bybit’s case highlights the urgent need for stronger security measures in crypto. The industry’s growth has attracted both investors and criminals, making asset protection essential. Bybit’s quick response limited the damage, but prevention has to improve: signers need to verify the transaction actually being signed, on a device the web interface cannot tamper with, rather than trusting what a screen displays; transfers out of cold storage should be constrained by allowlists and monitored in real time; and exchanges should work with outside security experts before an incident, not only after one.
With state-sponsored groups like Lazarus evolving their methods, the crypto industry must stay one step ahead to protect both retail investors and institutional platforms.