Lazarus Group Behind Bybit's $1.4 Billion Hack: Reports

By Coincu
about 16 hours ago

Security researchers have linked the North Korean Lazarus Group to a record-breaking $1.4 billion breach of cryptocurrency exchange Bybit, marking one of the largest crypto heists in history.

According to blockchain analytics firm Arkham, the attack was likely carried out by the notorious hacking organization sponsored by the North Korean state.

North Korea's Lazarus Group Linked to Record $1.4 Billion Bybit Heist

The link was established through an on-chain analysis conducted by pseudonymous blockchain investigator ZachXBT, who identified connections between the wallets used in the attack and previous exploits attributed to Lazarus. As a result, Arkham awarded ZachXBT a $50,000 bounty for his findings.

https://twitter.com/arkham/status/1893033424224411885

Lazarus Group has been responsible for multiple high-profile cyber heists in recent years, including the $600 million hack of the Ronin Network in 2022. U.S. law enforcement agencies have long accused North Korea of using crypto-related cybercrimes to fund its regime.

While ZachXBT has yet to release detailed findings, he stated that he and a colleague identified North Korean involvement by tracing wallet activity.

The same addresses were reportedly linked to an $85 million exploit of Phemex, a Singapore-based crypto exchange, last month. Phemex also suffered a $73 million attack in January, further underscoring Lazarus’ continued operations in the sector.

According to blockchain security firm Chainalysis, North Korean cybercriminals stole approximately $1.34 billion in cryptocurrency last year, accounting for 61% of all illicit crypto thefts in 2024.

North Korean hacking activity. Source: Chainalysis

Hackers Drain 70% of Bybit’s Ether Holdings in Cold Wallet Breach

The Bybit breach, which occurred early Friday, involved a hacker accessing the exchange’s cold wallet—a storage method considered more secure than online alternatives.

More than 401,000 Ether, valued at $1.4 billion at the time, was transferred to an unidentified wallet. Bybit CEO Ben Zhou confirmed the stolen amount accounted for approximately 70% of the exchange’s Ether holdings. The exchange secured a bridge loan from "unnamed partners" to cover almost 80% of the Ether stolen in the hack, Zhou stated.

https://twitter.com/Bybit_Official/status/1892986507113439328

Bybit has reported the attack to authorities and is collaborating with blockchain analytics firms to track and isolate the stolen funds. The company is working to prevent hackers from cashing out through legitimate markets, though efforts to recover stolen assets remain uncertain.
