Bybit’s $1.5B hack linked to North Korea’s Lazarus group

An independent investigation into the $1.5 billion hack suffered by the Bybit cryptocurrency exchange on Friday has revealed connections to the notorious Lazarus group.

A day after Bybit disclosed the attack, blockchain investigator ZachXBT shared findings connecting the hack to the DPRK-backed hacking group.

“At 19.09 UTC today, @zackxbt submitted definitive proof that this attack on Bybit was carried out by the Lazarus Group,” said a Saturday X post by Arkham Intelligence, the blockchain analysis firm that awarded ZachXBT a bounty for the discovery.

Bybit is the world’s second-largest cryptocurrency exchange by trading volume, with over 50 million registered users worldwide, according to a September 2024 report.

Connection confirmed by transactions prior to the attack

ZachXBT submitted a detailed analysis of test transactions and related wallets used just before the exploit, including several graphs and timing analysis, which Arkham included in the X post.

Before a major exploit, attackers often conduct small test transactions to make sure their methods will work without triggering alarms. By analyzing these transactions, investigators can trace the flow of funds and identify patterns that link multiple crypto wallets together.

Additionally, graph analysis and timing correlation help identify clusters of wallets controlled by the same entity and the sequence in which fundings were made.
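
The kind of clustering described above can be sketched as follows. This is an added example, not ZachXBT's or Arkham's tooling: the transfer records, wallet names and thresholds are constructed, and the two linking heuristics (small pre-exploit test transfers, and fundings from one source within a short time gap) are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample transfers: (unix_time, sender, receiver, value_eth).
EXPLOIT_TIME = 1_000_000
TRANSFERS = [
    (990_000, "mixerX", "walletE", 0.5),     # same source, but 6000 s earlier
    (996_000, "mixerX", "walletA", 0.5),
    (996_060, "mixerX", "walletB", 0.5),     # funded 60 s after walletA
    (999_100, "walletA", "walletC", 0.001),  # small test transfer
    (999_400, "walletC", "walletD", 0.002),  # small test transfer
    (999_500, "walletF", "walletG", 3.0),    # large, unrelated payment
]

def cluster_wallets(transfers, exploit_time, window=3600, test_max=0.01, gap=120):
    """Group wallets likely run by one entity; thresholds are assumptions."""
    parent, first_seen = {}, {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    funded_by = defaultdict(list)
    for ts, src, dst, value in sorted(transfers):
        if ts >= exploit_time:
            continue  # only pre-exploit activity is considered
        first_seen.setdefault(src, ts)
        first_seen.setdefault(dst, ts)
        funded_by[src].append((ts, dst))
        # Heuristic 1: small test transfer inside the pre-exploit window.
        if value <= test_max and exploit_time - ts <= window:
            union(src, dst)
    # Heuristic 2: wallets funded by the same source within `gap` seconds.
    for fundings in funded_by.values():
        for (t1, w1), (t2, w2) in zip(fundings, fundings[1:]):
            if t2 - t1 <= gap:
                union(w1, w2)
    groups = defaultdict(list)
    for addr in parent:
        groups[find(addr)].append(addr)
    # Members are ordered by first appearance, i.e. the funding sequence.
    return [sorted(g, key=lambda a: (first_seen[a], a))
            for g in groups.values() if len(g) > 1]
```

On the constructed data, walletE and the walletF/walletG pair stay outside the cluster because neither heuristic links them; real investigations combine many more signals before attributing wallets to one entity.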

ZachXBT reported finding addresses tied to the recent Phemex and BingX hacks, also allegedly carried out by the Lazarus Group, linked to the same cluster as Bybit.

“I spent the entire day graphing out the laundering activities and flagged theft addresses,” ZachXBT said while sharing the addresses associated with the Bybit hack.

Hackers gained access to cold wallets

Bybit reported the attack on Saturday through its Announcement page. “On February 21, 2025, at approximately 12:30 PM UTC, Bybit detected unauthorized activity within one of our Ethereum (ETH) Cold Wallets during a routine transfer process,” said the exchange.

“The attackers employed a deceptive transaction that masked the interface presented to the cold wallet signers authorized to transfer funds,” Santiago Pontiroli, Acronis Lead TRU researcher, told CSO. “The interface displayed the correct destination address while covertly altering the underlying smart contract logic, granting attackers control over the cold wallet.”

Bybit reported that over 400,000 ETH and stETH worth more than $1.5 billion had been transferred to an unidentified address. The company said it has already processed 70% of withdrawal requests, which presumably peaked after the attack’s confirmation.

“Bybit has more than enough assets to cover the loss, with AUM exceeding $20 billion, and will use a bridge loan if necessary to ensure the availability of user funds,” Bybit added in the announcement.

While CSO had not received a response to the queries sent to Bybit by the time this article was published, the announcement said the exchange is working alongside blockchain forensic experts to trace the stolen funds and resolve the situation. Crypto traders were assured that the Bybit platform and all the other services, including trading products, cards, and P2P, are fully operational.

While the exchange and withdrawals function without restriction, this incident underscores the persistent security challenges within the cryptocurrency industry, highlighting the need for enhanced protective measures against increasingly sophisticated cyberattacks, Pontiroli added, calling this the biggest heist in the cryptocurrency space to date.