Investigation Reveals Lazarus Group’s Involvement in Bybit Hack
An independent investigation into the $1.5 billion hack suffered by the Bybit cryptocurrency exchange on Friday has revealed connections to the infamous Lazarus group.
A day after the attack was disclosed by ByBit, Blockchain investigator ZachXBT shared findings connecting the hack to the DPRK-backed hacking group.
Connection Confirmed by Transactions Prior to the Attack
ZachXBT submitted a detailed analysis of test transactions and connected wallets used just before the exploit, along with multiple graphs and timing analysis, which Arkham added in the X post.
Before a major exploit, attackers often conduct small test transactions to ensure that their methods will work without triggering alarms. By analyzing these transactions, investigators can trace the flow of funds and identify patterns that link multiple crypto wallets together.
Additionally, graphical analysis and timing correlation help identify clusters of wallets controlled by the same entity and the sequence in which fundings were made.
ZachXBT reported finding addresses tied to the recent Phemex and BingX hack, also allegedly performed by the Lazarus Group, linked to the same cluster as Bybit.
Hackers Gained Access to Cold Wallets
Bybit reported the attack on Saturday through their Announcement page. “On February 21, 2025, at approximately 12:30 PM UTC, Bybit detected unauthorized activity within one of our Ethereum (ETH) Cold Wallets during a routine transfer process,” said the exchange.
The attackers employed a deceptive transaction that masked the interface presented to the cold wallet signers authorized to transfer funds,” Santiago Pontiroli, Acronis Lead TRU researcher told CSO. “The interface displayed the correct destination address while covertly altering the underlying smart contract logic, granting attackers control over the cold wallet.”
Bybit reported that over 400,000 ETH and stETH worth more than $1.5 billion were transferred to an unidentified address. The company said it has already processed 70% of withdrawal requests, which presumably peaked after the attack’s confirmation.
Conclusion
The recent hack of Bybit by the Lazarus Group highlights the persistent security challenges within the cryptocurrency industry, underscoring the need for enhanced protective measures against increasingly sophisticated cyberattacks.
FAQs
Q: What is the Lazarus Group?
A: The Lazarus Group is a DPRK-backed hacking group known for its involvement in various cyberattacks, including the theft of millions of dollars worth of cryptocurrency.
Q: What was the extent of the hack on Bybit?
A: The hack resulted in the theft of over 400,000 ETH and stETH worth more than $1.5 billion.
Q: How did the hackers gain access to Bybit’s cold wallets?
A: The hackers employed a deceptive transaction that masked the interface presented to the cold wallet signers authorized to transfer funds, granting them control over the cold wallet.
Q: What is the current status of the situation?
A: Bybit has reported that it has already processed 70% of withdrawal requests, and the company is working alongside blockchain forensic experts to trace the stolen funds and resolve the situation.
