An independent investigation into the $1.5 billion hack suffered by the Bybit cryptocurrency exchange on Friday has revealed connections to the infamous Lazarus group.
A day after the attack was disclosed by ByBit, Blockchain investigator ZachXBT shared findings connecting the hack to the DPRK-backed hacking group.
“At 19.09 UTC today, @zackxbt submitted definitive proof that this attack on Bybit was performed by the Lazarus Group,” said a Saturday X post by Arkham Intelligence, the blockchain analysis firm that awarded ZackXBT a bounty for their discovery.
Bybit is the world’s second-largest cryptocurrency exchange by trading volume, with over 50 million registered users worldwide as per a September 2024 report.
Connection confirmed by transactions prior to the attack
ZachXBT submitted a detailed analysis of test transactions and connected wallets used just before the exploit, along with multiple graphs and timing analysis, which Arkham added in the X post.
Before a major exploit, attackers often conduct small test transactions to ensure that their methods will work without triggering alarms. By analyzing these transactions, investigators can trace the flow of funds and identity patterns that link multiple crypto wallets together.
Additionally, Graphical analysis and timing correlation help identify clusters of wallets controlled by the same entity and the sequence in which fundings were made.
ZachXBT reported finding addresses tied to the recent Phemex and BingX hack, also allegedly performed by the Lazarus Group, linked to the same cluster as Bybit.
“I spent the entire day graphing out the laundering movements and flagged theft addresses,” ZachXBT said while sharing the addresses connected to the Bybit hack.
Hackers gained access to cold wallets
Bybit reported the attack on Saturday through their Announcement page. “On February 21, 2025, at approximately 12:30 PM UTC, Bybit detected unauthorized activity within one of our Ethereum (ETH) Cold Wallets during a routine transfer process,” said the exchange.
“The attackers employed a deceptive transaction that masked the interface presented to the cold wallet signers authorized to transfer funds,” Santiago Pontiroli, Acronis Lead TRU researcher told CSO. “ The interface displayed the correct destination address while covertly altering the underlying smart contract logic, granting attackers control over the cold wallet.”
Bybit reported that over 400,000 ETH and stETH worth more than $1.5 billion were transferred to an unidentified address. The company said it has already processed 70% of withdrawal requests, which presumably peaked after the attack’s confirmation.
“Bybit has more than enough assets to cover the loss, with AUM exceeding $20 billion, and will use a bridge loan if necessary to ensure the availability of user funds,” Bybit added in the announcement.
While CSO did not obtain a response to the queries sent to Bybit until the publishing of this article, the announcement said it is working alongside blockchain forensic experts to trace the stolen funds and resolve the situation. Crypto traders were assured that the Bybit platform and all the other services, including trading products, cards, and P2P, are fully operational.
While the exchange and withdrawals function without restriction, this incident underscores the persistent security challenges within the cryptocurrency industry, highlighting the need for enhanced protective measures against increasingly sophisticated cyberattacks, Pontiroli added, calling this the biggest heist in the cryptocurrency space so far.
