Source: securityboulevard.com – Author: Jeffrey Burt
North Korea’s notorious Lazarus Group hackers reportedly hit the world’s second-largest cryptocurrency exchange, draining Bybit of almost $1.5 billion in digital assets in what’s being seen as the largest such heist in history.
According to Bloomberg, crypto market observers on February 21 began seeing huge and suspicious withdrawals of Ether from the Dubai-based Bybit exchange, which the news organization said has more than $36 billion in daily average trading volume.
Bybit CEO Ben Zhou took to X (formerly Twitter) to explain the attack, saying the attackers took control of a particular Ether cold wallet, adding that “Bybit Hot wallet, Warm wallet and all other cold wallets are fine.” Zhou also said, in posts and during a livestream on the social media site, that the exchange is solvent, that all clients’ assets are backed up, and that Bybit can cover the loss.
“The incident occurred when our ETH multisig cold wallet executed a transfer to our warm wallet,” the company posted on X. “Unfortunately, this transaction was manipulated through a sophisticated attack that masked the signing interface, displaying the correct address while altering the underlying smart contract logic. As a result, the attacker was able to gain control of the affected ETH cold wallet and transfer its holdings to an unidentified address.”
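The statement above describes a signing interface that showed the expected destination while the transaction actually carried contract logic. The added example below is not Bybit’s code or the code of any wallet product; it is an illustration of the defensive check a signer can run independently of the UI: confirm not only the destination address but also that a plain transfer carries no calldata, and compute a digest of the whole payload so co-signers can compare it out-of-band. The payload field names and addresses are constructed assumptions.

```python
import hashlib
import json

# Constructed sample payloads (not from the article): what a multisig signer
# might be asked to approve. Field names ("to", "value_wei", "data") are an
# assumed generic shape, not any particular wallet's format.
EXPECTED_WARM_WALLET = "0x1111111111111111111111111111111111111111"

LEGIT_TRANSFER = {
    "to": EXPECTED_WARM_WALLET,   # correct address, no calldata: a plain ETH move
    "value_wei": 10**18,
    "data": "0x",
}

MANIPULATED_TRANSFER = {
    "to": EXPECTED_WARM_WALLET,   # same displayed address as the legit transfer
    "value_wei": 10**18,
    # 32 bytes of constructed calldata: the transaction would execute logic,
    # which a UI showing only the destination address would not reveal
    "data": "0x" + "deadbeef" + "0" * 55 + "1",
}


def payload_digest(tx: dict) -> str:
    """SHA-256 over a canonical JSON form of the full payload, so signers on
    separate devices can compare one short string instead of trusting a UI."""
    canonical = json.dumps(tx, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def check_plain_transfer(tx: dict, expected_to: str) -> list[str]:
    """Return the reasons a payload must NOT be signed as a plain ETH transfer.
    An empty list means it matches the expected shape. A matching destination
    alone is not sufficient: any calldata means contract logic will run."""
    problems = []
    if str(tx.get("to", "")).lower() != expected_to.lower():
        problems.append("destination differs from expected warm wallet")
    data = tx.get("data", "0x")
    if data not in ("", "0x"):
        nbytes = (len(data) - 2) // 2
        problems.append(f"calldata present ({nbytes} bytes): would execute contract logic")
    value = tx.get("value_wei")
    if not isinstance(value, int) or value < 0:
        problems.append("value missing or invalid")
    return problems
```

The digest is only useful if it is compared over a channel the signing UI does not control, such as a separate device or a read-back between signers.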
Responding to the Attack
In a blog post, the company wrote that “as soon as the incident was detected, Bybit’s security team took immediate action – locking down systems, securing funds, and collaborating with top cybersecurity experts.”
Researchers with blockchain analysis firms like Elliptic and Arkham Intelligence traced the stolen crypto as it moved through accounts and was offloaded, according to a CNBC report. Both firms pointed to Lazarus Group, a high-profile state-sponsored threat group from North Korea, whose regime uses cyberattacks to steal information and money, bypassing international sanctions to finance its nuclear and other weapons programs.
Arkham wrote in an X post that a cybersecurity investigator with the X handle @zachxbt had “submitted definitive proof that this attack on Bybit was performed by the LAZARUS GROUP. His submission included a detailed analysis of test transactions and connected wallets used ahead of the exploit, as well as multiple forensics graphs and timing analyses.”
The submission was shared with Bybit, the company wrote.
North Korea and Crypto
Chainalysis, another blockchain analysis company, reported that North Korea-backed operatives stole $1.34 billion in crypto last year. The single attack on Bybit surpasses that figure.
Tom Robinson, co-founder and CTO at Elliptic, wrote in a LinkedIn post that the company is “working to help exchanges and law enforcement to trace and freeze these funds. The more difficult we make it to benefit from crimes such as this, the less frequently they will take place.”
Bybit issued a bounty on the perpetrators of the hack, offering up to 10% of whatever is collected, which means up to $140 million if all of it is collected. The bounty program was announced amid a rush of withdrawals from the exchange. According to Zhou, in the first 10 hours after the hack, the company saw “the most number of withdraws that we have ever seen.”
A Rush of Withdrawal Requests
There were more than 350,000 withdrawal requests, with Bybit completing more than 99% of those that came during that 10-hour timeframe, the CEO wrote on X.
“Although we have been hit by the worst hack possibly in the history of any medians (banks, crypto, finance), … all Bybit functions and product remain functional,” he wrote.
Firms in the decentralized finance (DeFi) and centralized finance (CeFi) markets took steps to prevent further movement of the stolen funds, including blacklisting and blocking exploit-related addresses, activating their own response teams, and maintaining trading positions to ensure stability, Bybit said in a statement.
In addition, Chainalysis tracked and published the attacker’s wallet addresses to help with a coordinated response, according to Bybit.
It Had Been a Good Day for Crypto
The attack came amid good news for a cryptocurrency industry that is seeing the new Trump Administration working to reduce regulations on the controversial market. The president, once an opponent of crypto, signed an executive order easing some of the regulations put in place by the Biden Administration.
Coinbase, in the hours before news of the Bybit hack broke, announced that the Securities and Exchange Commission (SEC) was dropping its investigation of the major crypto exchange platform provider. The agency had accused Coinbase of illegally making billions of dollars for years by operating as an unregistered securities exchange, broker, and clearing agency.
Original Post URL: https://securityboulevard.com/2025/02/north-koreas-lazarus-group-hacks-bybit-steals-1-5-billion-in-crypto/
Category & Tags: Cybersecurity, Data Privacy, Data Security, Featured, Incident Response, Industry Spotlight, Network Security, News, Security Awareness, Security Boulevard (Original), Social – Facebook, Social – LinkedIn, Social – X, Spotlight, Threat Intelligence, Threats & Breaches, cryptocurrency exchange hack, ether, Lazarus Group, North Korean Hacking