What it takes to stop Bybit’s hacker, Lazarus Group

Every high-profile cryptocurrency breach hides a story of calculated risk and near-perfect execution. The Lazarus Group, known for the Bybit hack, leverages both cutting-edge technology and savvy social engineering to bypass even the strongest defenses.

Giving exclusive insights to The Crypto Radio, Ferdie Nervida, a blockchain forensic specialist and investigator at AnChain AI, shared a unique angle on the notorious Bybit exploit. Rather than delving into every technical detail, Nervida emphasized that the attack was executed with the precision and coordination of a professionally managed project.

Inside AnChain AI’s global fight against crypto crime 

AnChain AI has worked closely with the U.S. government to investigate major crypto and blockchain exploits and continues to do so today, collaborating with public and private organizations, law enforcement, and clients stretching from Japan to Brazil. 

Their work extends to critical engagements with Dubai’s Virtual Assets Regulatory Authority (VARA) and major industry players such as Solana and Ripple, setting new benchmarks in cybersecurity and digital asset tracing. 

With a track record of $870 million in DeFi seizures and recoveries, $2 billion in fines and penalties secured, and a network of more than 200 global clients, AnChain AI leverages its advanced blockchain forensic capabilities to expose and disrupt illicit activities in the digital realm.

Compromising Bybit by attacking its supporting systems

Bybit Hack Forensics Report
As promised, here are the preliminary reports of the hack conducted by @sygnia_labs and @Verichains
Screenshotted the conclusion and here is the link to the full report: https://t.co/3hcqkXLN5U pic.twitter.com/tlZK2B3jIW

— Ben Zhou (@benbybit) February 26, 2025

Bybit CEO Ben Zhou shared a forensics report on X, revealing that analysis by Sygnia determined attackers did not breach Bybit’s main systems. Instead, they exploited a vulnerability in digital crypto wallet Safe Wallet’s AWS S3 bucket (cloud storage component), also known as Bybit’s supporting systems.

By injecting harmful code into transaction processes, they were able to redirect funds to their own accounts. While the Sygnia investigation has not conclusively identified social engineering as the method of attack, it remains a possible factor as further analysis explores how its supporting systems were compromised.

However, the FBI reported the activity as TraderTraitor, explaining the role of social engineering in the attack.

“Intrusions begin with a large number of spearphishing (targeted phishing attacks) messages sent to employees of cryptocurrency companies—often working in system administration or software development/IT operations (DevOps)—on a variety of communication platforms,” per the FBI.

“The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications, which the U.S. government refers to as ‘TraderTraitor.’”

Masterminding the Bybit hack: A project management feat

According to Nervida, the Lazarus Group’s success in executing the Bybit hack was no accident. “A project manager oversees everything from initiation to execution,” he explained. In the case of Bybit, every move—from the months-long planning to the seamless dispersal of stolen Ethereum across multiple addresses—spoke to a level of operational precision usually reserved for high-stakes corporate projects. 

The use of sophisticated techniques like routing funds through non-KYC (know-your-customer security measures) crypto mixers—such as ExCH—underscores the group’s ability to cover its tracks and evade law enforcement.

“The precision and coordination suggest someone with strong project management skills is behind it, ensuring every step is executed seamlessly to evade investigators and law enforcement,” Nervida said.

The real danger: Exploiting human vulnerabilities

While advanced technical exploits are a hallmark of state-sponsored cyberattacks, Nervida warns that the most perilous aspect of modern hacking is often the human element. “Even the best cybersecurity systems can’t protect against human error,” he said. 

The Lazarus Group frequently resorts to social engineering, such as posing as recruiters on LinkedIn to lure unsuspecting developers into interacting with malicious code. These “dev hiring exploits” either drain MetaMask wallets instantly or install malware designed to target high-value deposits later on.

Such tactics exploit the weakest link in cybersecurity—our own trust and lack of vigilance. As organizations fortify their digital perimeters, the battle increasingly shifts to educating and safeguarding the human element.

Is the crypto industry prepared for Lazarus-level threats?

When asked to rate the industry’s readiness against threats like Lazarus Group, Nervida candidly offers a score of only six or seven out of 10. “No organization is ever fully prepared for state-sponsored cyber threats,” he explained. 

Even platforms with robust security measures, like Bybit, remain vulnerable to sophisticated exploits that target weak code and unvetted personnel. The remedy, he suggested, lies not in reactive measures but in a proactive, security-first mindset.

Achieving a near-perfect preparedness level would require:

• Stricter regulatory backing: Mandating digital asset providers to meet rigorous cybersecurity standards.

• Proactive security protocols: Shifting from damage control to preemptive defense.

• Industry-wide collaboration: Sharing threat intelligence and establishing uniform security standards.

Can Lazarus Group be stopped?

Despite facing setbacks—sanctions, frozen funds, and improved blockchain tracing—Lazarus Group continues to outmaneuver investigators. 

“Shutting them down would require global cooperation, stricter KYC/AML (know-your-customer and anti-money laundering security measures) enforcement, cyber offensive measures, and stronger security standards across digital asset platforms,” he said.

“Without these, Lazarus will continue adapting and evolving as a major threat," he added. Their ability to outmaneuver investigators and exploit security gaps keeping them a persistent force in the crypto underworld.

Blockchain forensics: The sword and shield in cyber warfare

Blockchain’s transparency and cryptographic integrity serve as both shield and sword in the digital arena. Every transaction, immutably recorded on a public ledger, becomes a forensic breadcrumb capable of unraveling intricate money-laundering schemes. 

In an exclusive preview of his upcoming book, Bitcoin, DeFi, and Financial Innovation, Ferdie Nervida explained how smart contracts—self-executing digital agreements stored on the blockchain—ensure immutability and reduce the risk of fraud. Yet, as the Bybit exploit reveals, hackers often bypass blockchain’s robust defenses by targeting human vulnerabilities rather than the technology itself.

The race against time: Strengthening digital security

The Lazarus Group’s audacious operations highlight a sobering reality: our digital infrastructures must evolve rapidly to counter increasingly sophisticated threats. As forensic experts like Nervida at AnChain AI continue to track and analyze these cyber onslaughts, it becomes clear that a multi-faceted approach—combining advanced technology, regulatory reform, and human vigilance—is essential.

In a world where digital assets and cyber threats intersect daily, understanding and countering the methods of elite hacker groups isn’t just a technological challenge—it’s a race against time. The call for unity among regulators, tech firms, and cybersecurity experts has never been more urgent.