- The Lazarus Group has been identified as the mastermind behind the massive $1.4 billion Ethereum theft from cryptocurrency exchange Bybit.
- As the investigation into the attack continues, Bybit has received support from several major exchanges, including OKX and Coinbase.
The notorious Lazarus Group, a North Korean state-backed hacking syndicate, has once again been implicated in a massive cryptocurrency heist. On-chain security analyst ZachXBT has identified the group as the mastermind behind the recent 401,346 ETH hack on the crypto exchange Bybit, amounting to a staggering $1.4 billion in stolen funds.
Following the attack, ZachXBT’s investigation uncovered key evidence linking the breach to Lazarus Group. His findings were later validated by Arkham Intelligence, a blockchain analytics firm that had launched a bounty campaign to trace the perpetrators.
Arkham confirmed the link in a post on X, stating:
His submission included a detailed analysis of test transactions and connected wallets used ahead of the exploit, as well as multiple forensic graphs and timing analyses.
Arkham’s bounty campaign, which offered 50,000 ARKM tokens (valued at approximately $31,500), aimed to gather credible leads on those responsible for the attack.
How the Bybit Hack Unfolded
The breach was first detected by on-chain security analyst ZachXBT, who flagged suspicious transactions linked to the attack. Bybit CEO Ben Zhou took to X to explain how the exploit occurred. According to Zhou, the hack stemmed from a masked transaction targeting the exchange’s Ethereum multisig cold wallet: the cold wallet executed a transfer to Bybit’s warm wallet, which initially appeared legitimate.
However, the transaction was masked, displaying the correct address and a seemingly authentic @safe URL, deceiving all signers. Unbeknownst to them, the signing message actually altered the smart contract logic of Bybit’s ETH cold wallet, ultimately granting the hacker control. As a result, the attacker managed to drain the wallet and transfer all ETH to an unidentified address, exposing a critical security vulnerability in the signing process.
The attacker exploited a vulnerability in the signing process, manipulating the transaction details so that Bybit’s team unknowingly authorized a transfer that handed control of the wallet to the hacker. The stolen assets were quickly dispersed across multiple wallets, with at least $200 million worth of stETH already liquidated on decentralized exchanges.
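As an added illustration (not code from the article, from Bybit or from Safe), the check below compares the payload a multisig signer is actually asked to approve against the transfer the signer intends, which is exactly the gap the masked transaction exploited. The field names, addresses and calldata are constructed assumptions; the operation codes are the ones defined by the Safe contracts.

```python
# Added example: an offline "what am I really signing?" check for a Safe
# multisig transaction. The dict mirrors the fields Safe signs under
# EIP-712 (to, value, data, operation, nonce); the JSON shape, the wallet
# addresses and the calldata below are constructed for illustration.

CALL, DELEGATECALL = 0, 1  # Safe Enum.Operation values


def _norm(addr: str) -> str:
    """Validate a 20-byte hex address and lower-case it for comparison."""
    if not (addr.startswith("0x") and len(addr) == 42):
        raise ValueError(f"malformed address: {addr!r}")
    int(addr, 16)  # raises ValueError on non-hex characters
    return addr.lower()


def check_transfer_intent(safe_tx: dict, intent: dict) -> list:
    """Compare the payload presented for signature with the intended plain
    ETH transfer. Returns a list of findings; empty means they match."""
    findings = []
    if _norm(safe_tx["to"]) != _norm(intent["to"]):
        findings.append("destination differs from intended recipient")
    if _norm(safe_tx["to"]) == _norm(intent["safe"]):
        findings.append("destination is the Safe itself (self-call)")
    if int(safe_tx["value"]) != int(intent["value_wei"]):
        findings.append("value differs from intended amount")
    if safe_tx["data"] not in ("", "0x"):
        findings.append("calldata present on a plain ETH transfer")
    if int(safe_tx["operation"]) == DELEGATECALL:
        # A delegatecall runs foreign code in the Safe's own storage
        # context, so it can rewrite the wallet's logic, not just move ETH.
        findings.append("operation is DELEGATECALL, which can change wallet logic")
    elif int(safe_tx["operation"]) != CALL:
        findings.append("unknown operation code")
    if int(safe_tx["nonce"]) != int(intent["nonce"]):
        findings.append("nonce differs from the Safe's expected next nonce")
    return findings


# Constructed sample data: the signer's intent, a payload that matches it,
# and a payload whose UI summary would look identical (same recipient
# shown to the signer) but which actually targets the Safe's own logic.
SAFE = "0x" + "11" * 20  # constructed cold-wallet Safe address
WARM = "0x" + "22" * 20  # constructed warm-wallet address
INTENT = {"safe": SAFE, "to": WARM, "value_wei": 10**18, "nonce": 7}
GOOD_TX = {"to": WARM, "value": "1000000000000000000", "data": "0x",
           "operation": 0, "nonce": 7}
MASKED_TX = {"to": SAFE, "value": "0", "data": "0xdeadbeef",  # placeholder calldata
             "operation": 1, "nonce": 7}
```

Run against `MASKED_TX`, the function reports the self-call, the non-empty calldata and the DELEGATECALL operation, each of which is enough on its own to refuse a signature for a plain transfer.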
Despite the breach, Bybit remained operational, continuing to process withdrawals and reassuring users that their assets were safe. The exchange still holds over $20 billion in assets, and all of its cold wallets other than the compromised one were left untouched.
Coinbase executive Conor Grogan praised Bybit’s resilience, highlighting that unlike FTX, which collapsed due to liquidity issues, Bybit remains financially stable. Additionally, OKX, a Seychelles-based cryptocurrency exchange, deployed its security team to assist in the investigation.
The Lazarus Group has built a notorious reputation for orchestrating some of the largest cryptocurrency heists in history, demonstrating a sophisticated approach to cybercrime. One of their earliest major breaches occurred in 2017, when they stole $60 million from South Korean exchange Youbit, forcing it into bankruptcy.
In 2018, they infiltrated Bithumb, another South Korean exchange, making off with $30 million. Then, in March 2022, they executed one of the biggest crypto hacks ever, breaching the Ronin Network, an Ethereum-based sidechain used by the popular blockchain game Axie Infinity, and stealing $625 million.