
The cryptocurrency industry's largest hack has taken a new turn as security researchers identify North Korea's Lazarus Group as the perpetrators behind the $1.4 billion Bybit exchange exploit.
Blockchain security expert ZachXBT, who first spotted the incident, won Arkham Intelligence's bounty for identifying the organization behind the attack using on-chain data analysis.
BREAKING: BYBIT $1 BILLION HACK BOUNTY SOLVED BY ZACHXBT
At 19:09 UTC today, @zachxbt submitted definitive proof that this attack on Bybit was performed by the LAZARUS GROUP.
His submission included a detailed analysis of test transactions and connected wallets used ahead of… https://t.co/O43qD2CM2U
— Arkham (@arkham) February 21, 2025
Following the identification, the Lazarus Group has begun moving the stolen funds across multiple wallets.
According to on-chain analytics firm Lookonchain, the group transferred 10,000 Ether (approximately $27 million) to a wallet labeled "Bybit Exploiter 54" on February 22. The hackers currently control 489,395 ETH (valued at over $1.3 billion) and 15,000 Mantle Restaked ETH (cmETH) distributed across 53 additional wallets.

In response to the incident, Bybit has launched a Recovery Bounty Program, offering up to 10% of recovered funds as rewards. This could amount to $140 million if all stolen assets are retrieved.
The exchange's CEO, Ben Zhou, confirmed that Bybit remains solvent despite the hack and can cover potential losses, as all client assets are backed 1:1.

The crypto community has rallied to support Bybit, with several major players taking immediate action. Tether has frozen 181,000 USDT connected to the hack. At the same time, Polygon's chief information security officer, Mudit Gupta, reported that approximately $43 million in stolen funds has already been recovered with assistance from the Mantle, SEAL, and mETH teams.
The incident occurred when attackers exploited Bybit's ETH cold wallet through a masked transaction that contained malicious source code, altering the smart contract logic.
Despite the breach, the exchange has maintained normal withdrawal operations and received praise from industry executives for its transparent communication during the crisis.
The cryptocurrency exchange industry has demonstrated unprecedented solidarity in response to the incident. Multiple organizations, including OKX, KuCoin, and Tron blockchain, have deployed their security teams to assist in tracking and recovering the stolen funds. This collaborative effort highlights the growing maturity of the crypto sector in handling security breaches.
Coinbase executive Conor Grogan provided reassurance about Bybit's stability, noting that the exchange maintains over $20 billion in assets, with most cold wallets remaining untouched. The isolated nature of the signing hack and Bybit's strong capitalization suggest limited risk of broader market contagion.
Several crypto platforms have implemented protective measures, with Orbiter, deBridge, SynFutures, MYX, Thruster, and Owlto blacklisting exploit-related addresses to prevent unauthorized transfers. Zero Shadows has activated its 24/7/365 Global Response team to support the investigation and recovery efforts.
The impact on the broader crypto market was notable but contained, with Ether's price experiencing an 8% decline following the hack's confirmation. However, the market has shown resilience, supported by institutional clients maintaining their trading positions.
This attack marks another significant operation by the Lazarus Group, which has been increasingly active in crypto, allegedly stealing $1.34 billion worth of crypto in 2024 alone.