North Korea’s Lazarus Group Behind $1.5 Billion Bybit Hack, Investigators Confirm

Cryptopolitan

As reported before, in a significant security breach, Dubai-based cryptocurrency exchange Bybit has fallen victim to a massive hack resulting in the theft of approximately $1.5 billion in Ethereum (ETH). The attack, which stands as one of the largest in cryptocurrency history, has been attributed to North Korea's state-sponsored Lazarus Group, according to findings by on-chain investigator ZachXBT (@zachxbt on X / Twitter). You can read more in Bybit Hacked: Inside the $1.5 Billion Crypto Heist.

The Breach Details

The incident occurred during a routine transfer from Bybit's cold wallet—an offline storage system—to a warm wallet used for daily operations. The attackers employed a sophisticated method, manipulating the transaction's signing interface to display the correct address while altering the underlying smart contract logic. This deception allowed them to gain control over the cold wallet and siphon approximately 401,000 ETH to an unidentified address.
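One defensive check against the deception described above, added here as an illustration and not code from the article or from Bybit: decode the raw transaction calldata independently and compare it with what the signing screen claims, so that a UI showing the right address cannot hide a payload that says otherwise. Only an ERC-20 transfer(address,uint256) payload is decoded; its 4-byte selector is the standard one, while the wallet addresses and amount are constructed sample values.

```python
# Independent pre-signing check: trust the bytes being signed, not the screen.
# Added example; the addresses and amount below are constructed sample values.

# Well-known 4-byte selector of ERC-20 transfer(address,uint256).
TRANSFER_SELECTOR = "a9059cbb"
ALLOWED_SELECTORS = {TRANSFER_SELECTOR}


def decode_transfer(calldata_hex: str) -> dict:
    """Parse selector, recipient and amount from raw transfer calldata."""
    data = calldata_hex.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64:
        raise ValueError("unexpected length for transfer(address,uint256)")
    selector, args = data[:8], data[8:]
    # An ABI address is right-aligned in a 32-byte word; non-zero padding
    # means the word is not a clean address and must not be trusted.
    if args[:24] != "0" * 24:
        raise ValueError("recipient word has non-zero padding")
    return {"selector": selector, "to": "0x" + args[24:64], "amount": int(args[64:128], 16)}


def verify_against_display(calldata_hex: str, shown_to: str, shown_amount: int) -> list:
    """List every way the raw payload disagrees with the UI; empty means nothing found."""
    try:
        decoded = decode_transfer(calldata_hex)
    except ValueError as exc:
        return [f"undecodable payload: {exc}"]
    problems = []
    if decoded["selector"] not in ALLOWED_SELECTORS:
        problems.append(f"selector {decoded['selector']} not on the allow-list")
    if decoded["to"] != shown_to.lower():
        problems.append(f"recipient mismatch: screen {shown_to}, payload {decoded['to']}")
    if decoded["amount"] != shown_amount:
        problems.append(f"amount mismatch: screen {shown_amount}, payload {decoded['amount']}")
    return problems


# Constructed sample: the screen claims a transfer to the warm wallet, but the
# tampered payload names a different recipient.
WARM_WALLET = "0x" + "11" * 20
OTHER_ADDRESS = "0x" + "22" * 20
AMOUNT = 10 * 10**18
HONEST_CALLDATA = "0x" + TRANSFER_SELECTOR + WARM_WALLET[2:].rjust(64, "0") + format(AMOUNT, "064x")
TAMPERED_CALLDATA = "0x" + TRANSFER_SELECTOR + OTHER_ADDRESS[2:].rjust(64, "0") + format(AMOUNT, "064x")

if __name__ == "__main__":
    print(verify_against_display(HONEST_CALLDATA, WARM_WALLET, AMOUNT))    # []
    print(verify_against_display(TAMPERED_CALLDATA, WARM_WALLET, AMOUNT))  # recipient mismatch
```

Any non-empty result should halt the signing ceremony until a second, independent decoder agrees on what the payload does.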

Identification of the Perpetrators

In response to the breach, Arkham Intelligence offered a bounty of 50,000 ARKM tokens, valued at around $31,500, for information leading to the identification of the attackers. ZachXBT (@zachxbt on X / Twitter) provided definitive proof linking the hack to the Lazarus Group. His analysis included detailed examinations of test transactions and connected wallets used prior to the exploit, as well as forensic graphs and timing analyses. This evidence has been shared with Bybit to aid in their ongoing investigation.

Bybit's Response and Assurance

Despite the substantial loss, Bybit's CEO, Ben Zhou, has assured users of the platform's solvency. He confirmed on X / Twitter that all client assets are fully backed on a 1:1 basis and that withdrawals are being processed as usual. To address the immediate shortfall, Bybit has secured bridge loans from partners, ensuring that user withdrawals are honored without delay. The company is also collaborating with blockchain forensic experts to trace the stolen funds and has reported the incident to the appropriate authorities.

Implications for the Cryptocurrency Industry

This event underscores the persistent security challenges within the cryptocurrency sector. In 2024 alone, over $2.2 billion was stolen from crypto platforms, highlighting the vulnerabilities that still exist despite advancements in security protocols. The involvement of the Lazarus Group, known for previous high-profile attacks, further emphasizes the need for enhanced security measures and international cooperation to combat such threats.

About Lazarus Group

The Lazarus Group is a North Korean state-sponsored cybercrime organization notorious for its involvement in large-scale cyberattacks, financial theft, and espionage. The group has been linked to the North Korean government and is believed to operate under the country's Reconnaissance General Bureau (RGB), North Korea's primary intelligence agency.

Key Facts About Lazarus Group

  • Ties to North Korea: The group operates as an arm of the North Korean regime, funding its weapons programs through cybercrime.
  • First Known Activity: Identified as early as 2009.
  • Attack Methods: Uses phishing, malware, ransomware, zero-day exploits, and social engineering to infiltrate financial institutions and crypto platforms.
  • Main Targets:
    • Banks
    • Cryptocurrency exchanges
    • Government agencies
    • Media companies
    • Military organizations

Notorious Attacks Linked to Lazarus Group

1. Sony Pictures Hack (2014)

  • One of the most famous cyberattacks attributed to Lazarus.
  • Hackers leaked Sony’s internal emails, movies, and employee data in retaliation for The Interview, a film that mocked North Korean leader Kim Jong-un.
  • Attack used wiper malware to destroy company data.

2. Bangladesh Bank Heist (2016)

  • $81 million stolen from the Bangladesh Central Bank through the SWIFT banking system.
  • Attackers used sophisticated malware to manipulate international transactions.
  • One of the largest cyber-enabled bank robberies in history.

3. WannaCry Ransomware Attack (2017)

  • A global ransomware outbreak that infected over 300,000 computers across 150+ countries.
  • Targeted hospitals, businesses, and government agencies, demanding Bitcoin ransoms.
  • Used an NSA exploit (“EternalBlue”), leaked by hacking group Shadow Brokers.

4. Cryptocurrency Heists (2018 - Present)

  • $3 billion+ stolen in crypto since 2017.
  • Major hacks include:
    • Ronin Network ($620M) - 2022
    • Harmony Bridge ($100M) - 2022
    • Atomic Wallet Hack ($100M) - 2023
    • Stake.com ($41M) - 2023
    • Bybit Hack ($1.5B) - 2025
  • Lazarus uses mixing services like Tornado Cash and chain-hopping to launder stolen funds.

How Lazarus Moves Stolen Money

  1. Initial Theft – Hacks an exchange, wallet, or bank.
  2. Mixing Services – Launders funds via Tornado Cash, Sinbad, Blender.io.
  3. Bridging Assets – Converts stolen crypto into stablecoins (e.g., USDT, USDC).
  4. Fake Identities – Uses mule accounts and decentralized exchanges (DEXs) to evade sanctions.
  5. Cashout – Converts crypto into fiat via Chinese brokers or underground banking.

As the investigation continues, stakeholders across the cryptocurrency landscape are urged to remain vigilant and proactive in implementing robust security practices to safeguard digital assets.
