{"id":21409,"date":"2025-02-22T09:30:21","date_gmt":"2025-02-22T07:30:21","guid":{"rendered":"https:\/\/forklog.com\/en\/arkham-says-lazarus-group-behind-bybit-hack\/"},"modified":"2025-02-22T09:30:21","modified_gmt":"2025-02-22T07:30:21","slug":"arkham-says-lazarus-group-behind-bybit-hack","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/arkham-says-lazarus-group-behind-bybit-hack\/","title":{"rendered":"Arkham says Lazarus Group behind Bybit hack"},"content":{"rendered":"<p>On-chain analytics platform Arkham Intelligence said the North Korean Lazarus Group was behind the roughly $1.5bn hack of the Bybit exchange.<\/p>\n<p><!--more--><\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">BREAKING: BYBIT $1 BILLION HACK BOUNTY SOLVED BY ZACHXBT<\/p>\n<p>At 19:09 UTC today, <a href=\"https:\/\/twitter.com\/zachxbt?ref_src=twsrc%5Etfw\">@zachxbt<\/a> submitted definitive proof that this attack on Bybit was performed by the LAZARUS GROUP.<\/p>\n<p>His submission included a detailed analysis of test transactions and connected wallets used ahead of\u2026 <a href=\"https:\/\/t.co\/O43qD2CM2U\">https:\/\/t.co\/O43qD2CM2U<\/a> <a href=\"https:\/\/t.co\/jtQPtXl0C5\">pic.twitter.com\/jtQPtXl0C5<\/a><\/p>\n<p>\u2014 Arkham (@arkham) <a href=\"https:\/\/twitter.com\/arkham\/status\/1893033424224411885?ref_src=twsrc%5Etfw\">February 21, 2025<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>\n<cite>\u201cToday [21 February] at 19:09 UTC, on-chain analyst ZachXBT provided irrefutable evidence of the Lazarus Group\u2019s involvement in the Bybit hack. His breakdown includes a detailed analysis of test transactions and linked wallets used ahead of the attack, as well as a set of charts and timestamps. 
These data have been passed to the exchange\u2019s team to assist the investigation,\u201d company representatives said.<\/cite><\/p><\/blockquote>\n<p>Dmitry Machikhin, founder of AML service BitOK and a crypto investor, told ForkLog the stolen cryptocurrency is being actively transferred out of the Ethereum network to other blockchains.<\/p>\n<p><script async src=\"https:\/\/telegram.org\/js\/telegram-widget.js?22\" data-telegram-post=\"forklog\/42678\" data-width=\"100%\"><\/script><\/p>\n<h2 class=\"wp-block-heading\">Stay calm<\/h2>\n<p>During a <a href=\"https:\/\/www.bybit.com\/en\/press\/live\/eth-wallet-incident\">special livestream<\/a>, Bybit CEO Ben Zhou said the exchange is discussing an ETH-denominated loan with partners. The platform <a href=\"https:\/\/t.me\/forklog\/42658\">remains solvent<\/a>; the funds are needed to shore up Ethereum liquidity during the crisis period.<\/p>\n<p>Binance founder Changpeng Zhao offered to help Bybit\u2019s chief mitigate the fallout. He also recommended suspending withdrawals as a precaution.<\/p>\n<p><script async src=\"https:\/\/telegram.org\/js\/telegram-widget.js?22\" data-telegram-post=\"forklog\/42660\" data-width=\"100%\"><\/script><\/p>\n<p>Coinbase\u2019s head of product, Conor Grogan, wrote that Binance and Bitget deposited more than 50,000 ETH into Bybit\u2019s cold wallets.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Binance and Bitget just deposited 50k+ ETH directly into Bybit&#8217;s cold wallets. Bitget&#8217;s deposits are especially interesting; its 1\/4 of all of the exchange&#8217;s ETH! 
(that I can see)<\/p>\n<p>Since they skipped a deposit address, these funds were coordinated directly by Bybit themselves <a href=\"https:\/\/t.co\/yimpcYpLx7\">pic.twitter.com\/yimpcYpLx7<\/a><\/p>\n<p>\u2014 Conor (@jconorgrogan) <a href=\"https:\/\/twitter.com\/jconorgrogan\/status\/1893030274432122920?ref_src=twsrc%5Etfw\">February 21, 2025<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>According to <a href=\"https:\/\/x.com\/WuBlockchain\/status\/1893129785221714068\">reporter Colin Wu<\/a>, 12,652 stETH (about $33.75m) flowed from the MEXC exchange into a Bybit cold wallet.<\/p>\n<p>Chinese crypto entrepreneurs are supporting liquidity by actively sending ETH to the stricken platform. In particular, Huobi co-founder Du Jun <a href=\"https:\/\/x.com\/WuBlockchain\/status\/1893253477025095760\" title=\"deposited 10,000 ETH\">deposited 10,000 ETH<\/a> and promised not to withdraw it for a month. The co-founders of Conflux and Mask Network also said they had deposited ether into the exchange\u2019s cold wallets.<\/p>\n<p>Bybit representatives <a href=\"https:\/\/x.com\/Bybit_Official\/status\/1893044807217393910\">said<\/a> information about the incident had been \u201chanded over to the relevant authorities\u201d. Collaboration with on-chain analytics providers has identified and isolated linked addresses, limiting the attackers\u2019 ability \u201cto cash out ETH via legitimate markets\u201d.<\/p>\n<p>Bitget chief Gracy Chen <a href=\"https:\/\/x.com\/GracyBitget\/status\/1893089165186609197\">said<\/a> that the loss, although large, is roughly equal to Bybit\u2019s annual profit (about $1.5bn). She stressed that client funds are fully safe, so there is no cause for panic. 
<\/p>\n<p>Chen also clarified that the ETH Bitget transferred came from the exchange\u2019s own funds, not from its users.<\/p>\n<p>Zhou <a href=\"https:\/\/x.com\/benbybit\/status\/1893101619862188471\">said<\/a> that in the roughly ten hours after the hack the exchange saw a record number of withdrawal requests\u2014more than 350,000. Around 2,100 remain pending; 99.994% of transactions have been completed.<\/p>\n<h2 class=\"wp-block-heading\">\u201cThe biggest heist\u201d<\/h2>\n<p>Grogan called the Bybit hack \u201cthe largest heist in history\u201d.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">The NK hack of Bybit is the largest heist of all time, of any medium (Central Bank of Iraq Heist (was ~$1B)<\/p>\n<p>Its ~10x in $ terms of the 2016 DAO hack (That was a much higher % of supply though, 15% versus <0.5%)\n\nExpect we see some calls for an Ethereum fork here<\/p>\n<p>\u2014 Conor (@jconorgrogan) <a href=\"https:\/\/twitter.com\/jconorgrogan\/status\/1893040705938784302?ref_src=twsrc%5Etfw\">February 21, 2025<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>In his view, the incident could revive discussions of Ethereum hard forks.<\/p>\n<p>Arthur Hayes, former CEO of crypto exchange BitMEX, noted that as an investor with large ETH holdings he would back a community decision to roll back the chain to an earlier state, as after The DAO hack in 2016.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">My own view as a mega <a href=\"https:\/\/twitter.com\/search?q=%24ETH&#038;src=ctag&#038;ref_src=twsrc%5Etfw\">$ETH<\/a> bag holder is <a href=\"https:\/\/twitter.com\/search?q=%24ETH&#038;src=ctag&#038;ref_src=twsrc%5Etfw\">$ETH<\/a> stopped being money in 2016 after the DAO hack hardfork. 
If the community wanted to do it again, I would support it because we already voted no on immutability in 2016 y not do it again?<\/p>\n<p>\u2014 Arthur Hayes (@CryptoHayes) <a href=\"https:\/\/twitter.com\/CryptoHayes\/status\/1893070933482737805?ref_src=twsrc%5Etfw\">February 21, 2025<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<h2 class=\"wp-block-heading\">What next?<\/h2>\n<p>According to analysis by Taproot Wizards co-founder Eric Wall, the North Korean hackers will likely convert all ERC-20 tokens into ETH, then swap the ether for BTC, and later slowly cash out the bitcoins into yuan via Asian exchanges. The funds could be used to finance North Korea\u2019s nuclear and missile programmes.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">If you want to understand what happens to funds after they\u2019re stolen by North Korea\/Lazarus Group, the Chainalysis 2022 report is great<\/p>\n<p>Step 1: Swap any ERC20s (like stETH) into ETH <\/p>\n<p>Step 2: Swap any ETH into BTC <\/p>\n<p>Step 3: Cash out BTC to cash (Chinese Renminbi) using Asian\u2026 <a href=\"https:\/\/t.co\/cmxUEAHRZN\">pic.twitter.com\/cmxUEAHRZN<\/a><\/p>\n<p>\u2014 Eric Wall | BIP-420 ? (@ercwl) <a href=\"https:\/\/twitter.com\/ercwl\/status\/1893047987355689257?ref_src=twsrc%5Etfw\">February 21, 2025<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Similar patterns are described <a href=\"https:\/\/go.chainalysis.com\/rs\/503-FAP-074\/images\/Crypto-Crime-Report-2022.pdf\">in Chainalysis\u2019s 2022 report<\/a>.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>\n<cite>\u201cThis process can take years. 
They are in no hurry,\u201d Wall noted.<\/cite><\/p><\/blockquote>\n<p>He also stressed that \u201cthe funds are unlikely ever to be returned, given that this is the Lazarus Group\u201d.<\/p>\n<p>ZachXBT <a href=\"https:\/\/t.me\/investigations\/219\" title=\"said\">said<\/a> Lazarus moved 5,000 ETH to a new address and began laundering funds through the centralised mixer eXch, then converted them to bitcoin via Chainflip.<\/p>\n<p>Bybit\u2019s Ben Zhou expressed hope that the cross-chain service would help the exchange block further transfers of the assets to other networks.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">We are starting to see some funds being moved to <a href=\"https:\/\/t.co\/O4AqIJo81z\">https:\/\/t.co\/O4AqIJo81z<\/a> as bridge to convert to BTC: bc1qlu4a33zjspefa3tnq566xszcr0fvwz05ewhqfq<\/p>\n<p>with below transactions: <br \/>0x4f5f7ba657bf518d383828183087978b452b99da6cde0c9b94739b8d72a8c5ef\u2026<\/p>\n<p>\u2014 Ben Zhou (@benbybit) <a href=\"https:\/\/twitter.com\/benbybit\/status\/1893199498966638630?ref_src=twsrc%5Etfw\">February 22, 2025<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Chainflip <a href=\"https:\/\/x.com\/Chainflip\/status\/1893222347252875386\">said<\/a> it had detected attempts by the attackers to withdraw the stolen Bybit funds into bitcoin via its platform.<\/p>\n<p>To counter this, the developers disabled part of the front-end services; a full protocol shutdown is impossible, they said, because the protocol runs on a decentralised set of 150 nodes. 
<\/p>\n<p>Lookonchain researchers <a href=\"https:\/\/x.com\/lookonchain\/status\/1893223657838633177?t=qomKk2AlnNGsoeR1QBygWg&#038;s=31\" title=\"hypothesised\">hypothesised<\/a> that the Bybit attack could have been carried out by the same person or group that targeted the Phemex exchange:<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>\n<cite>\u201cWhen they laundered the funds, they transferred ETH to the wallet 0x33d0\u20268F65.\u201d<\/cite><\/p><\/blockquote>\n<h2 class=\"wp-block-heading\">Community support<\/h2>\n<p>Zhou expressed gratitude and listed an impressive roster of organisations that supported the stricken exchange.<\/p>\n<p><script async src=\"https:\/\/telegram.org\/js\/telegram-widget.js?22\" data-telegram-post=\"forklog\/42681\" data-width=\"100%\"><\/script><\/p>\n<p>The financial assistance allowed the trading platform to quickly <a href=\"https:\/\/x.com\/cryptoquant_com\/status\/1893332169688588738\" title=\"replenish liquidity\">replenish liquidity<\/a>, supporting a rise in Ethereum\u2019s price after yesterday\u2019s correction.<\/p>\n<p><script async src=\"https:\/\/telegram.org\/js\/telegram-widget.js?22\" data-telegram-post=\"forklog\/42682\" data-width=\"100%\"><\/script><\/p>\n<h2 class=\"wp-block-heading\">Bounty<\/h2>\n<p>Bybit <a href=\"https:\/\/www.bybit.com\/en\/press\/post\/bybit-launches-recovery-bounty-program-with-rewards-up-to-10-of-stolen-funds-bltcd3ebbb9445d5b74\">launched<\/a> the Recovery Bounty programme.<\/p>\n<p>Anyone who helps recover funds receives a reward equal to 10% of the amount recovered. 
In the event of full recovery, the payout could reach $140m.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>\n<cite>\u201cWe have endured one of the most difficult moments in the history of the crypto industry and proved that we stand above the bad actors,\u201d wrote Ben Zhou.<\/cite><\/p><\/blockquote>\n<p><a href=\"https:\/\/x.com\/arkham\/status\/1892975780218409203\">Arkham has already paid 50,000 ARKM<\/a> (about $34,000) to researcher ZachXBT for establishing the link between Lazarus and Friday\u2019s attack.<\/p>\n<p>The mETH Protocol team <a href=\"https:\/\/x.com\/mETHProtocol\/status\/1893264673837109585\">said<\/a> it blocked the withdrawal of 15,000 cmETH (~$43.5m) and redirected the assets from the attacker\u2019s address to a recovery account.<\/p>\n<p>Tether boss Paolo Ardoino <a href=\"https:\/\/x.com\/paoloardoino\/status\/1893288600625721804\">said<\/a> the company froze $181,000 in USDT linked to the attack.<\/p>\n<p>According to Bybit\u2019s official statement, the incident occurred while transferring ETH from a cold multisig vault to a hot wallet.<\/p>\n<p>The attackers spoofed the transaction-signing interface so that every signer in the approval flow saw the expected destination address. 
The transaction they actually approved, however, altered the wallet\u2019s smart-contract logic, handing the attackers control of the ETH cold wallet; they then drained it to an unidentified address.<\/p>\n<p>According to Chainalysis, losses from crypto crime in 2024 totalled at least $9.9bn.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On-chain analytics platform Arkham Intelligence said the North Korean Lazarus Group was behind the roughly $1.5bn hack of the Bybit exchange.<\/p>\n","protected":false},"author":1,"featured_media":21408,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1151,1166,44,1125,1150],"class_list":["post-21409","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-bybit","tag-centralized-exchanges-cex","tag-cybercrime","tag-lazarus","tag-news-plus"],"aioseo_notices":[],"amp_enabled":true,"views":"51","promo_type":"","layout_type":"","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/21409","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=21409"}],"version-history":[{"count":0,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/21409\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/21408"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=21409"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"h
ttps:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=21409"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=21409"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}