The platform for tracking on-chain data, Arkham Intelligence, reported that the North Korean Lazarus Group is likely behind the $1.5 billion hack of cryptocurrency exchange Bybit.
BREAKING: BYBIT $1 BILLION HACK BOUNTY SOLVED BY ZACHXBT
At 19:09 UTC today, @zachxbt submitted definitive proof that this attack on Bybit was performed by the LAZARUS GROUP.
His submission included a detailed analysis of test transactions and connected wallets used ahead of…
— Arkham (@arkham) February 21, 2025.
The founder of AML service BitOK noted that stolen cryptocurrency is actively being moved out of Ethereum into other blockchains.
Immediately after the hack, Ethereum assets were distributed across 48 different addresses.
The pattern shows how these assets are laundered by breaking down large amounts into smaller parts.
These addresses remained untouched until recently.
On the second stage:
- Cryptocurrency from these addresses is gradually divided into even smaller parts (about 50 ETH).
- Funds are transferred through bridges (eXch and Chainflip) to other networks.
On a second image, it’s shown how transactions from one of these 48 addresses are split into 50 ETH units and sent to Chainflip.
Stay Calm
In a special live stream, CEO Ben Zhou stated that Bybit is discussing loans with partners to cover liquidity during this crisis period. The platform remains solvent; funds are needed to ensure liquidity in Ethereum during this critical time.
Binance founder Changpeng Zhao offered assistance in mitigating the incident’s effects and suggested halting withdrawals as a precautionary measure.
Conor Grogan from Coinbase noted that Binance and Bitget deposited over fifty thousand ETH directly into Bybit’s cold wallets.
Binance and Bitget just deposited 50k+ ETH directly into Bybit’s cold wallets.
Bitget’s deposits are especially interesting; its 1/4 of all of the exchange’s ETH! (that I can see)
Since they skipped a deposit address, these funds were coordinated directly by Bybit themselves.
— Conor (@jconorgrogan)
According to reporter Colin Wu, MEXC sent approximately thirty-three million seventy-five thousand dollars worth of stETH to Bybit’s cold wallet.
Chinese crypto entrepreneurs are supporting liquidity by transferring ETH onto affected platforms. Specifically, Huobi co-founder Du Jun deposited ten thousand ETH and promised not to withdraw them for a month. Conflux and Mask Network co-founders also stated they have deposited ether into Bybit’s cold wallets.
Bybit representatives said information about the incident has been passed on to relevant authorities and collaborated with on-chain analytics providers to identify linked addresses, limiting hackers’ ability to spend stolen funds through legal markets.
Bitget CEO Gracy Chen emphasized that despite significant losses equivalent nearly half its stored Ether ($1.5 billion), customer funds remain secure with no reason for panic.
Chen clarified that transferred assets belong solely to Bitget itself rather than users’ funds.
Zhou mentioned within ten hours after being hacked; over three hundred fifty thousand withdrawal requests were recorded —99.994% completed while about two thousand one hundred remain pending review.
”Largest Heist”
Grogan called it ”the largest heist in history,” potentially reigniting discussions about an Ethereum hard fork.
The NK hack of Bybit is the largest heist of all time, of any medium (Central Bank of Iraq Heist (was ~$1B)
Its ~10x in $ terms of the 2016 DAO hack (That was a much higher % of supply though, 15% versus <0.5%)
Expect we see some calls for an Ethereum fork here
— Conor (@jconorgrogan) February 21, 2025
He believes this incident could revive discussions around hardforking Ethereum.
Former BitMEX CEO Arthur Hayes suggested supporting any community decision regarding rolling back blockchain states if needed.
My own view as a mega $ETH bag holder is $ETH stopped being money in 2016 after the DAO hack hardfork.
If the community wanted to do it again, I would support it because we already voted no on immutability in 2016 y not do it again?
— Arthur Hayes (@CryptoHayes)
What Next?
According to an analysis by Eric Wall, co-founder of Taproot Wizards, North Korean hackers likely convert all ERC-20 tokens into Ether (ETH), then swap the obtained Ether for Bitcoin (BTC). Afterward, they gradually transfer Bitcoins into Chinese Renminbi through Asian exchanges. These funds could be used to finance North Korea’s nuclear and missile programs.
If you want to understand what happens to funds after they’re stolen by North Korea/Lazarus Group, the Chainalysis 2022 report is great
Step 1: Swap any ERC20s (like stETH) into ETH
Step 2: Swap any ETH into BTC
Step 3: Cash out BTC to cash (Chinese Renminbi) using Asian…
— Eric Wall | BIP-420 (@ercwl)
Similar patterns are described in Chainalysis’ 2022 report.
”This process can take years. They are not in a hurry,” noted Wall.
The expert also emphasized that ”it’s unlikely these funds will ever be returned, considering it’s the Lazarus Group.”
ZachXBT reported that Lazarus transferred 5,000 ETH to a new address and began laundering funds through a centralized mixer eXch, then converted them into Bitcoin via Chainflip.
Bybit CEO Ben Zhou expressed hope that cross-chain services would help block further asset transfers across blockchains.
We are starting to see some funds being moved to as bridge to convert to BTC: bc1qlu4a33zjspefa3tnq566xszcr0fvwz05ewhqfq
with below transactions:0x4f5f7ba657bf518d383828183087978b452b99da6cde0c9b94739b8d72a8c5ef…
— Ben Zhou (@benbybit)
Chainflip stated they detected attempts by hackers to cash out stolen Bybit funds in Bitcoin through their platform.
To counter this, developers disabled part of their frontend services, but due to its decentralized structure with over 150 nodes, it was impossible to fully stop the protocol.
Researchers at Lookonchain hypothesized that the same individual or group responsible for attacking Bybit might have also attacked Phemex:
”When they laundered funds, they transferred ETH to wallet address 0x33d0…8F65.”
According to Bybit’s official statement, the incident occurred during an Ethereum transfer from a multi-signature cold wallet to a hot wallet.
Attackers manipulated the transaction signing interface so all participants saw the correct address while altering smart contract logic. This allowed hackers unauthorized access and control over Ether wallets from which all assets were withdrawn into an unidentified account.
Recall that according to Chainalysis data, cryptocurrency scams resulted in at least $9.9 billion in losses during 2024.
This article was originally Posted on Coinpaper.com
