Image: Drawkit Illustrations via Unsplash

North Korea’s Lazarus hackers behind $1.4 billion crypto theft from Bybit, researchers say

Cybersecurity researchers say North Korean hackers are behind the largest cryptocurrency heist in history and are actively laundering the more than $1.4 billion in cryptocurrency stolen from the Bybit exchange on Friday.

Soon after the incident, the blockchain analytics firm TRM Labs released a short blog post saying they had determined with “high confidence” that North Korean hackers were behind the incident, “based on substantial overlaps observed between addresses controlled by the Bybit hackers and those linked to prior North Korean thefts.” 

The influential crypto investigator known as ZachXBT reached a similar conclusion, and on Sunday analysts at blockchain research firm Elliptic detailed how the money flowed out of Bybit’s coffers and through a web of decentralized exchanges and dozens of wallets. The firm attributed the activity to Lazarus Group, a hacking outfit with ties to the North Korean government that has been behind some of the largest cryptocurrency thefts to date. 

The incident occurred when Bybit attempted to transfer a large amount of Ether (ETH) from a so-called cold wallet, whose private keys are kept offline, to an online "hot" wallet. An attacker positioned in the middle of that transfer was able to siphon off some 401,000 ETH in one fell swoop.

In the aftermath of the theft, the hackers followed a "characteristic pattern" for Lazarus Group, Elliptic said, exchanging the stolen tokens for Ether (ETH), the blockchain's "native" asset.

“This is because tokens have issuers who in some cases can ‘freeze’ wallets containing stolen assets, whereas there is no central party who can freeze Ether or Bitcoin,” they said. Within minutes, hundreds of millions of dollars worth of tokens had been swapped for Ether in this way.

They then moved on to layering the funds, complicating the tracing process. On Friday afternoon, 50 different wallets each received about 10,000 ETH (worth about $26.66 million), which are “now being systematically emptied.” 

As of 8am EST on Sunday, 14.5% of the stolen funds had been moved from the wallets, Elliptic said. 

“Once moved out of these wallets, the funds are being laundered through various services, including DEXs [decentralized exchanges], cross-chain bridges and centralized exchanges,” they said. 
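The layering step Elliptic describes (one source splitting funds into many fresh wallets of near-equal size, which are then drained toward DEXs, bridges and exchanges) is the kind of pattern a tracing tool flags by walking the transfer graph from a seed address. The following is an added illustration, not Elliptic's or TRM Labs' code, run over a constructed list of transfers with hypothetical address labels; the amounts are chosen to mirror the article's figures and are not real on-chain data.

```python
"""Detect a layering fan-out from a seed address and report how much has moved on.

Added example over constructed data; address names and service labels are invented.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    tx: str
    src: str
    dst: str
    amount: float  # ETH


# Constructed sample: the theft address fans out equal amounts to three fresh
# wallets; one is then fully emptied to a DEX and a bridge, one partly, one not.
SAMPLE = [
    Transfer("t1", "bybit_cold", "thief", 401_000),
    Transfer("t2", "thief", "layer_a", 10_000),
    Transfer("t3", "thief", "layer_b", 10_000),
    Transfer("t4", "thief", "layer_c", 10_000),
    Transfer("t5", "layer_a", "dex_1", 6_000),
    Transfer("t6", "layer_a", "bridge_1", 4_000),
    Transfer("t7", "layer_b", "dex_2", 500),
    Transfer("t8", "random_user", "layer_c", 50),  # unrelated deposit, not from the seed
]

# Hypothetical attribution labels, as an analytics firm would maintain for known services.
SERVICE_LABELS = {"dex_1": "DEX", "dex_2": "DEX", "bridge_1": "bridge"}


def fan_out_wallets(transfers, seed, min_children=3, tolerance=0.1):
    """Wallets that received near-equal amounts directly from `seed`.

    A layering step looks like one source splitting into many similar-sized
    outputs; `tolerance` is the allowed relative spread around the median.
    """
    outs = [t for t in transfers if t.src == seed]
    if len(outs) < min_children:
        return {}
    median = sorted(t.amount for t in outs)[len(outs) // 2]
    return {t.dst: t.amount for t in outs if abs(t.amount - median) <= tolerance * median}


def moved_onward(transfers, wallets):
    """Total each layering wallet has sent out again, keyed by wallet."""
    spent = defaultdict(float)
    for t in transfers:
        if t.src in wallets:
            spent[t.src] += t.amount
    return dict(spent)


def next_hop_services(transfers, wallets, labels):
    """Where funds leaving the layering wallets went, aggregated by service type."""
    by_type = defaultdict(float)
    for t in transfers:
        if t.src in wallets:
            by_type[labels.get(t.dst, "unknown")] += t.amount
    return dict(by_type)


def layering_report(transfers, seed, labels=SERVICE_LABELS):
    """Summarise the fan-out below `seed`: wallets, amount received, amount moved on."""
    wallets = fan_out_wallets(transfers, seed)
    received = sum(wallets.values())
    spent = moved_onward(transfers, wallets)
    moved = sum(spent.values())
    return {
        "layering_wallets": sorted(wallets),
        "received_eth": received,
        "moved_eth": moved,
        "pct_moved": round(100 * moved / received, 1) if received else 0.0,
        "emptied": sorted(w for w in wallets if spent.get(w, 0.0) >= wallets[w]),
        "destinations": next_hop_services(transfers, wallets, labels),
    }


if __name__ == "__main__":
    print(layering_report(SAMPLE, "thief"))
```

On the sample, the three 10,000 ETH recipients are recognised as a layering tier, 35% of what they received has already moved on, one wallet is fully emptied, and the onward flow is split between DEX and bridge labels. The unrelated 50 ETH deposit into `layer_c` is ignored because only flows out of the flagged wallets are counted; a real tracer would also follow each next hop recursively and stop at labelled services.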

Elliptic and the researcher ZachXBT highlighted the alleged role of eXch, a cryptocurrency exchange that does not perform "Know Your Customer" (KYC) checks, meaning no proof of identity is required, in laundering the money.

Bybit asked the exchange on Friday evening to freeze funds connected to the suspicious addresses. In a response to that request shared by Bybit CEO Ben Zhou, eXch pointed to Bybit's previous designation of the exchange as "high-risk" because of its lack of KYC policies.

“Given the direct attacks on the reputation of our exchange by Bybit over the past year, it is difficult for us to understand the expectation of collaboration at this time,” eXch wrote.

On Monday, an administrator for eXch told Recorded Future News that “after receiving some explanations from ByBit the following day, we eventually blacklisted the requested addresses.” 

Despite the platform claiming that as of Sunday no stolen funds were running through eXch, Elliptic co-founder and chief scientist Tom Robinson said swaps of the stolen funds through the platform continued on Monday.

“Over $75 million of the stolen funds have been laundered through eXch so far,” he said. “They are trying to conceal it and the total figure may be more than this.” 

Following the incident, Zhou told users in a livestream that the platform had enough liquidity to cover withdrawals and that it was in the process of securing loans to cover the stolen ETH. The exchange has completed more than 580,000 withdrawals since Friday, resulting in $4 billion of cryptocurrency leaving the platform.

On Sunday night, Zhou said the company had “fully closed the ETH gap” through loans.  

Bybit offered a bounty of 10% of any stolen funds that researchers are able to recover. The company also said that $42.9 million worth of cryptocurrency had been recovered with the help of partners by Sunday.

On Sunday night, the crypto-focused bank Infini reportedly lost $49.4 million of USDC — a stablecoin pegged to the American dollar. 

Company founder Christian Li confirmed the incident on X and tried to assure customers their assets were safe. 

“There is no problem with liquidity,” he said. “Full compensation can be paid and the funds are being traced.” 

James Reddick

has worked as a journalist around the world, including in Lebanon and in Cambodia, where he was Deputy Managing Editor of The Phnom Penh Post. He is also a radio and podcast producer for outlets like Snap Judgment.