Bybit, the world's second-largest cryptocurrency exchange, suffered a devastating $1.4 billion Ethereum (ETH) hack from a cold wallet breach on February 21, 2025. In the days following the attack, independent blockchain investigator ZachXBT traced the stolen funds directly to North Korea's Lazarus Group, a notorious state-backed hacking group. His findings were confirmed by Arkham Intelligence, a blockchain analysis firm, and shared with the Bybit team for further investigation.
ZachXBT Uncovers Lazarus Group's Crypto Trail
On February 21 at 19:09 UTC, Arkham tweeted that ZachXBT had submitted definitive proof linking the attack to the Lazarus Group. His submission included detailed test transactions, linked wallet addresses, forensic graphs, and timing analyses, all of which suggested the hack was premeditated.
The next day, February 22, ZachXBT posted further proof revealing that Lazarus had not only executed the Bybit hack but had also directly linked the stolen funds on-chain to the recent Phemex hack, which occurred on February 20. He identified a key overlapping address (0x33d057af74779925c4b2e720a820387cb89f8f65) where funds from both hacks were commingled, effectively proving the same entity was responsible.
On-Chain Proof of Lazarus Group's Activity
Bybit Hack Transactions (Feb 22, 2025):
0xc963e65b9ec39b11076f78990c31f29aaa80705c75312dafd1748479e3e94ed0
0x411374feedcfa560335f00c0fcfa0a3906fdcc33687e6f924dd78ebecc45cd00
Phemex Hack Transactions (Feb 20, 2025):
0x6262a3339842240aeebae4ebfe338dbc771aa0e2df8f5a1ebcd7f9b090bedfe3
ZachXBT later tweeted that, before these transactions surfaced, he and another blockchain investigator, Josh from CF (Cryptoforensic Investigators), had already traced Bybit-related testing addresses that were involved in laundering funds from the Phemex hack via Tron. Their findings helped them secure a bounty from Arkham, which had launched a reward for anyone who could identify the Bybit hackers.
Lazarus Group just linked the Bybit hack to the Phemex hack directly on-chain commingling funds from the initial theft address for both incidents.
Overlap address:
0x33d057af74779925c4b2e720a820387cb89f8f65
Bybit hack txns on Feb 22, 2025:… pic.twitter.com/dh2oHUBCvW
— ZachXBT (@zachxbt) February 22, 2025
New Findings Connect Bybit Hack to BingX Hack
Later on February 22, ZachXBT made another major revelation: Lazarus Group had also linked an address used in the September 2024 BingX hack to the same cluster of addresses responsible for the Bybit and Phemex hacks. This means that the three hacks, Bybit, BingX, and Phemex, are all linked by on-chain transactions.
Overlap Address:
0xd555789b146256253cd4540da28dcff6e44f6e50
Bybit Hack Transaction:
0x4a366130118d750715c2d35fdc07509cf943fcc988fa5e6d02211e3d5472796e
BingX Hack Transaction:
0x93424aa87731bb9b1d8cc1f708d2ac9f3faf914f368a00494d87cba3e7719e8c
Lazarus Group just linked an address tied to the BingX hack to this same cluster a few minutes ago which now connects the Bybit, BingX, & Phemex hacks on-chain.
Overlap
0xd555789b146256253cd4540da28dcff6e44f6e50
Bybit hack txn:… pic.twitter.com/CGh7pB31Xa
— ZachXBT (@zachxbt) February 22, 2025
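As an added illustration of the overlap-address technique described in the two sections above (not ZachXBT's or Arkham's own tooling), the following Python script builds a transfer graph from constructed records and reports the addresses reachable from every theft address, i.e. the points where separate incidents commingle. All addresses and transaction ids in it are made-up placeholders, not the real Bybit, Phemex or BingX values.

```python
# Added example: locating commingling addresses that tie separate thefts to one cluster.
from collections import defaultdict, deque

# Constructed transfer records: (tx_id, from_addr, to_addr). Placeholders only.
TRANSFERS = [
    ("tx01", "theft_bybit",  "hop_b1"),
    ("tx02", "hop_b1",       "overlap_x"),
    ("tx03", "theft_phemex", "hop_p1"),
    ("tx04", "hop_p1",       "overlap_x"),
    ("tx05", "overlap_x",    "dex_swap"),
    ("tx06", "theft_bingx",  "hop_g1"),
    ("tx07", "hop_g1",       "overlap_x"),
    ("tx08", "unrelated",    "merchant"),
]

# Hypothetical seed (initial theft) addresses per incident.
SEEDS = {"bybit": "theft_bybit", "phemex": "theft_phemex", "bingx": "theft_bingx"}

def build_graph(transfers):
    """Adjacency list of outgoing transfers: from_addr -> [(to_addr, tx_id), ...]."""
    graph = defaultdict(list)
    for tx_id, src, dst in transfers:
        graph[src].append((dst, tx_id))
    return graph

def downstream(graph, seed):
    """Every address reachable from `seed` by following outgoing transfers
    (breadth-first), mapped to the transaction that first reached it."""
    reached = {seed: None}
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        for nxt, tx_id in graph.get(cur, []):
            if nxt not in reached:
                reached[nxt] = tx_id
                queue.append(nxt)
    return reached

def commingling_addresses(transfers, seeds):
    """Addresses downstream of *all* seed theft addresses.
    Returns {address: {incident: tx_id that delivered that incident's funds}}.
    Anything further downstream of an overlap point also appears, so the first
    overlap on each path is the key evidence, as in the case above."""
    graph = build_graph(transfers)
    flows = {name: downstream(graph, addr) for name, addr in seeds.items()}
    common = set.intersection(*(set(f) for f in flows.values()))
    return {a: {n: flows[n][a] for n in flows} for a in sorted(common)}

if __name__ == "__main__":
    for addr, links in commingling_addresses(TRANSFERS, SEEDS).items():
        print(addr, links)
```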
Investigators Publish 920+ Addresses Linked to the Hack
On February 22 at 9:05 PM UTC, ZachXBT tweeted that he had spent the entire day graphing the laundering activity of the stolen Bybit funds. He also made 920+ theft-linked wallet addresses publicly available to help exchanges and security teams block illicit transactions.
Bybit responded to his findings with a tweet on February 23 at 9:17 AM, thanking ZachXBT for his work, stating: "Massive shoutout to @ZachXBT for always keeping the space sharp. 👀🔍 Your work didn't go unnoticed—much respect."
Bybit Resumes Operations and Warns of Scammers
Despite the massive theft, Bybit announced that deposits and withdrawals on the platform had returned to normal. However, the exchange warned users of scammers impersonating Bybit staff, urging them to verify all communications and avoid sharing personal information.
"Scammers are out there pretending to be Bybit staff. Stay sharp! Bybit will never ask for your personal data, deposits, or passwords," Bybit tweeted.
Coordinated Effort Freezes $42.89M in Stolen Funds
A coordinated global effort among crypto security teams led to the freezing of $42.89 million in stolen assets within a single day. According to Bybit's tweet, several key players in the industry, including stablecoin issuers and exchanges, helped track and block the movement of the hacked funds.
Funds Frozen by Various Entities:
- ChangeNOW: Froze 34 ETH
- Circle: Assisted with crucial clues
- THORChain: Blocked the blacklist
- FixedFloat: Froze 120K USDC + USDT
- Avalanche (AVAX): Froze 0.38755 BTC
- Bitget: Blocked the blacklist and froze 84 USDT
- Tether: Flagged an address and froze 181K USDT
- CoinEx: Blocked the blacklist and provided key insights
Bybit acknowledged and praised these companies for their swift response, stating that their efforts were essential in tracking and freezing the hacked funds.
Who Is the Lazarus Group?
The Lazarus Group is a state-sponsored North Korean hacking group responsible for some of the largest cyber heists in history. First identified in the early 2010s, the group has been linked to several high-profile financial and cyber attacks, including the 2014 Sony Pictures hack, the 2017 WannaCry ransomware attack, and a long list of crypto exchange breaches.
Their primary goal is stealing funds to support North Korea's heavily sanctioned economy, which struggles under international financial restrictions. According to intelligence agencies and blockchain analytics firms, Lazarus has stolen over $3 billion in cryptocurrency since 2018, with much of the funds being funnelled into North Korea's nuclear weapons program and military operations.
The group typically executes attacks via social engineering, phishing, and exploiting security vulnerabilities in crypto platforms. Their laundering methods often involve mixing services, decentralized exchanges, and cross-chain swaps to cover transaction trails before cashing out.
Nonetheless, the Bybit incident is one of the largest crypto hacks in history, reinforcing concerns about security vulnerabilities in centralized exchanges. The rapid response from blockchain investigators like ZachXBT, exchanges, and security teams has helped mitigate the impact, but the attack further highlights the sophisticated tactics of hacking groups like Lazarus.
With Bybit now operational again, the exchange remains on high alert as investigations continue into the laundering of the stolen funds.