North Korean Hackers Responsible for the Biggest Crypto Heist in History

North Korean Lazarus Group Identified as Perpetrator of Bybit’s $1.5 Billion Hack, Arkham Intelligence Reports

The Lazarus Group, a notorious North Korean hacking collective, has been identified as the mastermind behind the recent $1.5 billion exploit targeting crypto exchange Bybit, according to blockchain analytics firm Arkham Intelligence. The confirmation came after on-chain investigator ZachXBT provided definitive proof linking the cyberattack to the group.

Arkham had initially offered a 50,000 ARKM token bounty to anyone who could trace the attackers responsible for the hack. In a follow-up post on social media platform X, the firm stated that ZachXBT’s submission included extensive forensic evidence, such as transaction patterns, connected wallets, and timing analyses, solidifying the link to Lazarus Group.

A Record-Breaking Crypto Heist

The breach, which sent shockwaves through the cryptocurrency market and caused major price drops, has been described as the “largest crypto theft in history by a significant margin,” according to Tom Robinson, co-founder and chief scientist at Elliptic. He noted that the next largest crypto heist was the $611 million stolen from Poly Network in 2021.

Blockchain analytics provider Nansen reported that the attackers first funneled nearly $1.5 billion from Bybit into a primary wallet before distributing the funds across more than 40 different wallets.

“The stolen assets were initially sent to a central wallet, which then systematically distributed ETH in $27 million increments across multiple addresses,” Nansen explained. The hackers also converted all stolen stETH, cmETH, and mETH into ETH before executing these transfers.

Blind Signing: A Growing Attack Vector

Experts believe the exploit was facilitated by a weakness known as “Blind Signing,” a process in which a signer approves a smart-contract transaction without being able to see or verify its full contents.

“This method is rapidly becoming the preferred attack vector for sophisticated cybercriminals, including North Korean state-backed actors,” said Ido Ben Natan, CEO of blockchain security firm Blockaid. “We saw the same type of exploit used in the Radiant Capital and WazirX breaches.”

He further explained that even with strong key management protocols, the reliance on software interfaces to process transactions creates a critical weakness. “This vulnerability allows bad actors to manipulate the signing process undetected, which is exactly what happened here,” he added.
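To make the “contents” that a blind signer never sees concrete, the following added example (not code from the article or from any of the firms quoted in it) shows the check a wallet interface can run before asking for a signature: decode the transaction calldata against the standard ERC-20 function selectors, refuse anything it cannot decode, and compare the decoded recipient with an allowlist. The contract address, recipient addresses and amounts are constructed sample values; the two selectors are the well-known ERC-20 ones. A check like this does not help if the interface itself is compromised, which is the weakness Ben Natan describes, but it illustrates what “fully understanding” a transaction means in practice.

```python
"""Decode Ethereum calldata before signing instead of approving an opaque hash.

Constructed example: addresses, amounts and the contract address are made up.
The selectors are the standard ERC-20 ones (first 4 bytes of keccak256 of the
function signature)."""

# Known function selectors and the ABI types of their arguments.
KNOWN_SELECTORS = {
    bytes.fromhex("a9059cbb"): ("transfer", ("address", "uint256")),
    bytes.fromhex("095ea7b3"): ("approve", ("address", "uint256")),
}


def _decode_word(kind, word):
    """Decode one 32-byte ABI word of the given type."""
    if kind == "address":
        return "0x" + word[12:].hex()          # address is right-aligned in the word
    if kind == "uint256":
        return int.from_bytes(word, "big")
    raise ValueError(f"unsupported type {kind}")


def decode_calldata(calldata: bytes):
    """Return (function_name, [args]) for a known selector, or None if the
    calldata is unknown or malformed. A blind signer never performs this step."""
    if len(calldata) < 4:
        return None
    selector, body = calldata[:4], calldata[4:]
    entry = KNOWN_SELECTORS.get(selector)
    if entry is None:
        return None
    name, types = entry
    if len(body) != 32 * len(types):        # reject padding or trailing data
        return None
    args = [_decode_word(t, body[i * 32:(i + 1) * 32]) for i, t in enumerate(types)]
    return name, args


def review_transaction(to_contract, calldata, allowed_recipients):
    """Policy check a signing interface could run before requesting a signature.
    Returns ("allow" | "reject", human-readable reason)."""
    decoded = decode_calldata(calldata)
    if decoded is None:
        return ("reject", "unknown or malformed calldata; refusing to sign blind")
    name, args = decoded
    recipient = args[0]
    allowed = {a.lower() for a in allowed_recipients}
    if recipient.lower() not in allowed:
        return ("reject", f"{name} to {recipient} is not on the recipient allowlist")
    return ("allow", f"{name}({', '.join(map(str, args))}) on {to_contract}")


def encode_transfer(recipient, amount):
    """Constructed helper: build ERC-20 transfer(address,uint256) calldata."""
    addr = bytes.fromhex(recipient[2:]).rjust(32, b"\0")
    return bytes.fromhex("a9059cbb") + addr + amount.to_bytes(32, "big")


if __name__ == "__main__":
    # Constructed sample values.
    token = "0x" + "aa" * 20
    treasury = "0x" + "11" * 20
    stranger = "0x" + "22" * 20

    print(review_transaction(token, encode_transfer(treasury, 10**18), [treasury]))
    print(review_transaction(token, encode_transfer(stranger, 10**18), [treasury]))
    print(review_transaction(token, bytes.fromhex("deadbeef") + b"\0" * 64, [treasury]))
```

The third call shows the important case: calldata with a selector the interface does not recognise is rejected outright rather than displayed as a hash for the user to approve on trust.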

Bybit’s Response and CEO’s Assurance

Bybit CEO Ben Zhou confirmed on X that the hacker managed to gain control of a specific Ethereum cold wallet and drained its assets. Despite the massive loss, Zhou reassured users that Bybit remains financially stable.

“The exchange remains solvent even if the stolen funds are not recovered,” Zhou stated.

The unprecedented nature of the attack has reignited concerns about security vulnerabilities in the crypto industry, as well as the persistent threat posed by North Korean cybercriminals.