Arkham says Lazarus Group behind Bybit hack

On-chain analytics platform Arkham Intelligence said the North Korean Lazarus Group was behind the roughly $1.5bn hack of the Bybit exchange.

“Today [21 February] at 19:09 UTC, on-chain analyst ZachXBT provided irrefutable evidence of the Lazarus Group’s involvement in the Bybit hack. His breakdown includes a detailed analysis of test transactions and linked wallets used ahead of the attack, as well as a set of charts and timestamps. These data have been passed to the exchange’s team to assist the investigation,” company representatives said.

Dmitry Machikhin, founder of AML service BitOK and a crypto investor, told ForkLog the stolen cryptocurrency is being actively transferred out of the Ethereum network to other blockchains.

Stay calm

During a special livestream, Bybit CEO Ben Zhou said the exchange is discussing an ETH-denominated loan with partners. The platform remains solvent; the funds are needed to shore up Ethereum liquidity during the crisis period.

Binance founder Changpeng Zhao offered to help Bybit’s chief mitigate the fallout. He also recommended suspending withdrawals as a precaution.

Coinbase’s head of product, Conor Grogan, wrote that Binance and Bitget deposited more than 50,000 ETH into Bybit’s cold wallets.

According to reporter Colin Wu, 12,652 stETH (about $33.75m) flowed from the MEXC exchange into a Bybit cold wallet.

Chinese crypto entrepreneurs are supporting liquidity by actively sending ETH to the stricken platform. In particular, Huobi co-founder Du Jun deposited 10,000 ETH and promised not to withdraw it for a month. The co-founders of Conflux and Mask Network also said they had deposited ether into the exchange’s cold wallets.

Bybit representatives said information about the incident had been “handed over to the relevant authorities”. Collaboration with on-chain analytics providers has identified and isolated linked addresses, limiting the attackers’ ability “to cash out ETH via legitimate markets”.

Bitget chief Gracy Chen said that despite the large losses, they are equivalent to Bybit’s annual profit ($1.5bn). She stressed that client funds are fully safe, so there is no cause for panic.

Chen also clarified that the assets transferred came from Bitget itself, not users.

Zhou said that in roughly the ten hours after the hack the exchange saw a record number of withdrawal requests—more than 350,000. Around 2,100 remain pending; 99.994% of transactions have been completed.

“The biggest heist”

Grogan called the Bybit hack “the largest heist in history”.

In his view, the incident could revive discussions of Ethereum hard forks.

Arthur Hayes, former CEO of crypto exchange BitMEX, noted that as an investor with large ETH holdings he would back a community decision to roll back the chain to an earlier state, as after The DAO hack in 2016.

What next?

According to analysis by Taproot Wizards co-founder Eric Wall, the North Korean hackers will likely convert all ERC-20 tokens into ETH, then swap the ether for BTC, and later slowly cash out the bitcoins into yuan via Asian exchanges. The funds could be used to finance North Korea’s nuclear and missile programmes.

Similar patterns are described in Chainalysis’s 2022 report.

“This process can take years. They are in no hurry,” Wall noted.

He also stressed that “the funds are unlikely ever to be returned, given that this is the Lazarus Group”.

ZachXBT said Lazarus moved 5,000 ETH to a new address and began laundering funds through the centralised mixer eXch, then converted them to bitcoin via Chainflip.

Bybit’s Ben Zhou expressed hope the cross-chain service would help the exchange block and prevent further transfers of assets to other networks.

Chainflip said it had detected attempts by the attackers to withdraw the stolen Bybit funds into bitcoin via its platform.

To counter this, developers disabled part of the front-end services, though a full protocol shutdown is impossible given its decentralised structure with 150 nodes.

Lookonchain researchers hypothesised that the Bybit attack could have been carried out by the same person or group that targeted the Phemex exchange:

“When they laundered the funds, they transferred ETH to the wallet 0x33d0…8F65.”

Community support

Zhou expressed gratitude and listed an impressive roster of organisations that supported the stricken exchange.

The financial assistance allowed the trading platform to quickly replenish liquidity, supporting a rise in Ethereum’s price after yesterday’s correction.

Bounty

Bybit launched the Bounty Recovery programme.

Participants who successfully return funds will receive a reward equal to 10% of the amount. In the event of full recovery, the payout could reach $140m.

“We have endured one of the most difficult moments in the history of the crypto industry and proved that we stand above the bad actors,” wrote Ben Zhou.

Arkham has already paid 50,000 ARKM (about $34,000) to researcher ZachXBT for establishing the link between Lazarus and Friday’s attack.

The mETH Protocol team said it blocked the withdrawal of 15,000 cmETH (~$43.5m) and redirected assets from the attacker’s address to a recovery account.

Tether boss Paolo Ardoino said the company froze $181,000 in USDT linked to the attack.

According to Bybit’s official statement, the incident occurred while transferring ETH from a cold multisig vault to a hot wallet.

The attackers spoofed the transaction-signing interface so that all participants in the procedure saw the correct address. At the same time the smart-contract logic was altered, giving the hackers control over the ETH wallet; they withdrew all funds to an unidentified address.
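The failure described above is a signer trusting the wallet UI rather than the raw fields that are actually hashed and signed. The following is an added example (not code from the article, Bybit, or any named project) of the independent check a signer can run on a proposal before approving it; it assumes a Safe-style multisig whose proposals carry `to`, `value`, `data` and an `operation` flag (0 = call, 1 = delegatecall), which is an assumption and not stated on the page.

```python
"""Independent pre-signing check for a multisig transfer proposal.

Constructed example: recompute what the proposal really does from the raw
fields that will be signed, instead of trusting a (possibly spoofed) UI.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed Safe-style field semantics; not taken from the article.
CALL, DELEGATECALL = 0, 1
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")  # ERC-20 transfer(address,uint256)


@dataclass(frozen=True)
class Proposal:
    to: str          # account or contract the multisig will call
    value: int       # wei of native ETH sent with the call
    data: bytes      # calldata executed at `to`
    operation: int   # 0 = plain call, 1 = delegatecall


def decode_erc20_transfer(data: bytes) -> Optional[Tuple[str, int]]:
    """Return (recipient, amount) if `data` is exactly an ERC-20 transfer."""
    if len(data) != 4 + 32 + 32 or data[:4] != TRANSFER_SELECTOR:
        return None
    recipient = "0x" + data[16:36].hex()        # address is right-aligned in a 32-byte word
    amount = int.from_bytes(data[36:68], "big")
    return recipient, amount


def check_proposal(p: Proposal, intended_to: str, intended_amount: int) -> List[str]:
    """Return findings; an empty list means the raw proposal matches the signer's intent."""
    findings: List[str] = []
    if p.operation != CALL:
        # A delegatecall runs foreign code in the wallet's own context and can
        # rewrite its logic; a routine transfer never needs it.
        findings.append("operation is not a plain CALL")
    if p.data == b"":
        # Native ETH transfer: destination and value are the whole story.
        if p.to.lower() != intended_to.lower():
            findings.append(f"destination {p.to} != intended {intended_to}")
        if p.value != intended_amount:
            findings.append(f"value {p.value} != intended {intended_amount}")
        return findings
    decoded = decode_erc20_transfer(p.data)
    if decoded is None:
        findings.append("calldata is not a recognised transfer; do not sign blind")
        return findings
    recipient, amount = decoded
    if recipient.lower() != intended_to.lower():
        findings.append(f"token recipient {recipient} != intended {intended_to}")
    if amount != intended_amount:
        findings.append(f"token amount {amount} != intended {intended_amount}")
    return findings
```

Run it on a second, independent device against the proposal hash you are about to sign; the point is that every signer reproduces the check from raw data rather than from the shared UI.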

According to Chainalysis, losses from crypto crime in 2024 totalled at least $9.9bn.
