Security experts have linked the North Korean hacking group Lazarus to the theft of nearly $1.5 billion from the cryptocurrency exchange Bybit. Meanwhile, the company has announced a reward of 10% of the stolen funds (around $140 million) for any information that will help return the stolen funds.
Recall that at the end of last week, attackers stole more than $1.46 billion in cryptocurrency from Bybit, withdrawing funds from one of the exchange's cold wallets. This attack became the largest cryptocurrency hack in history, more than doubling the previous record.
“On February 21, 2025, at approximately 12:30 UTC, Bybit detected unauthorized activity in one of our Ethereum (ETH) cold wallets during a routine transfer process. The transfer was part of a planned move of ETH from our ETH multisig cold wallet to a hot wallet,” Bybit said in a report on the attack. “Unfortunately, the transaction was manipulated through a sophisticated attack that altered the smart contract logic and signing interface, allowing the attacker to gain control of the ETH cold wallet. As a result, over 400,000 ETH and stETH, worth over $1.5 billion, were transferred to an unknown address.”
Experts from Check Point believe that the attackers identified the people responsible for approving multisig transactions and then compromised their devices using some kind of malware, phishing, or a supply chain attack.
Despite the theft of $1.5 billion and a massive wave of withdrawal requests, Bybit assured that all other cold wallets are securely protected, customer funds are safe, and the incident will not affect the exchange's operations. In addition, Bybit CEO Ben Zhou said that Bybit is solvent and will be able to cover all losses.
Shortly after the attack, blockchain analyst ZachXBT, who first discovered the incident, reported that the North Korean hacking group Lazarus was likely behind it. The attackers sent the funds stolen from Bybit to an Ethereum address that had previously appeared in attacks on Phemex, BingX and Poloniex.

[Image: The Link Between the Phemex and Bybit Hacks]
The researcher also claimed that Lazarus launders the stolen ETH using the eXch mixer and transfers the funds to Bitcoin via Chainflip.
ZachXBT's findings are confirmed by TRM Labs, who also write that North Korean hackers are behind the Bybit hack.
Blockchain analysts from Elliptic also attribute this attack to Lazarus and note that the stolen funds have already passed through a large number of wallets. In this way the hackers are trying to hide the actual origin of the assets and slow down attempts to track them.
“One particular exchange, eXch, appears to have knowingly laundered tens of millions of dollars in stolen funds despite calls from Bybit to stop,” Elliptic says. “The stolen funds are mostly converted into Bitcoin. If previous money laundering schemes are repeated this time, we can expect the use of Bitcoin mixers to cover their tracks.”
At the same time, eXch denies all accusations of intentionally laundering funds stolen from Bybit, stating that “eXch does not launder money for Lazarus and North Korea.” According to eXch, only a small part of the funds stolen from Bybit was received by the service, this was an isolated incident, and the commission from this operation will be donated to charity.
Meanwhile, Bybit representatives announced that they are launching a reward program that should help return the stolen funds and identify the hackers behind this attack. Bybit promised to pay 10% of the returned funds (up to $140 million) to information security experts who “play an active role in the return of the stolen cryptocurrencies.”