Lazarus Linked To Massive Bybit Crypto Theft
On February 21, 2025, Bybit reported that it had suffered a massive cryptocurrency theft, estimated at 1.46 billion USD using that day's exchange rate.
Ethereum (ETH) was stolen from one of its ETH cold wallets. A cold wallet stores cryptocurrency private keys offline: in practice, the private keys are moved from an internet-connected device to one that is kept offline so that the funds cannot be spent from a connected machine.
Soon after the theft was discovered, Bybit posted the following statement on X:
Bybit detected unauthorized activity involving one of our ETH cold wallets. The incident occurred when our ETH multisig cold wallet executed a transfer to our warm wallet. Unfortunately, this transaction was manipulated through a sophisticated attack that masked the signing interface, displaying the correct address while altering the underlying smart contract logic. As a result, the attacker was able to gain control of the affected ETH cold wallet and transfer its holdings to an unidentified address. Our security team, alongside leading blockchain forensic experts and partners, is actively investigating the incident. Any teams with expertise in blockchain analytics and fund recovery who can assist in tracing these assets are welcome to collaborate with us. We want to assure our users and partners that all other Bybit cold wallets remain fully secure. All client funds are safe, and our operations continue as usual without any disruption. Transparency and security remain our top priorities, and we will provide updates asap.
According to crypto fraud investigator ZachXBT, by the time the hack was discovered the exploiter had already split 10,000 ETH of the roughly 401,346 ETH stolen in the attack across 48 addresses. At 1.46 billion USD in ETH, this made the incident the most significant crypto theft to date.
Chainalysis research showed that in 47 attacks attributed to Lazarus, North Korea's primary state-sponsored advanced persistent threat, 1.34 billion USD was stolen in 2024. A single attack on Bybit, now attributed to Lazarus, surpassed all of 2024.
Bybit Crypto Theft Linked to Lazarus
Lazarus has been carrying out cyberattacks, cyber espionage campaigns, and financially motivated attacks usually considered outside the realm of traditional state-sponsored activity, including crypto theft and ransomware deployment, against North Korea's enemies and allies alike.
The group sets trends that others follow and in turn adopts trends set by others. It is widely believed that the group's financially motivated cyber crimes fund North Korea's weapons programs, including both the hermit kingdom's nuclear and long-range missile programs.
Regarding the Bybit attack, ZachXBT discovered that the attackers sent stolen Bybit funds to an Ethereum address previously used in the Phemex, BingX, and Poloniex hacks, which are also linked to Lazarus.
The crypto fraud researcher also said the threat actors launched and traded Pump Fun meme coins to launder the stolen cryptocurrency, and that funds from the Bybit hack reached more than 920 blockchain addresses. ZachXBT further claimed the Lazarus hackers are laundering ETH stolen from Bybit using eXch (a centralized mixer) and bridging funds to Bitcoin via Chainflip.
ZachXBT's findings were later confirmed by TRM Labs, stating,
TRM has determined - with high confidence - that the Bybit hack was perpetrated by North Korean hackers. This assessment is based on substantial overlaps observed between addresses controlled by the Bybit hackers and those linked to prior North Korean thefts…In a single day North Korea's hackers nearly doubled the amount they stole in 2024 (roughly $800 million).
This was then followed by a public service announcement issued by the US Federal Bureau of Investigation (FBI) that stated,
The Federal Bureau of Investigation (FBI) is releasing this PSA to advise the Democratic People's Republic of Korea (North Korea) was responsible for the theft of approximately $1.5 billion USD in virtual assets from cryptocurrency exchange, Bybit, on or about February 21, 2025. FBI refers to this specific North Korean malicious cyber activity as "TraderTraitor." [also previously linked to Lazarus]
TraderTraitor actors are proceeding rapidly and have converted some of the stolen assets to Bitcoin and other virtual assets dispersed across thousands of addresses on multiple blockchains. It is expected these assets will be further laundered and eventually converted to fiat currency.
Lazarus threat actors are believed to have gained access to Bybit's cold storage wallets after compromising a developer's device at the multisig wallet platform Safe{Wallet}. Bybit CEO Ben Zhou summarized the attack by acknowledging that it specifically targeted Bybit: malicious JavaScript was injected into app.safe.global, the Safe{Wallet} web interface used by Bybit's signers.
The payload was designed to activate only when certain conditions were met. This selective execution ensured that the backdoor remained undetected by regular users while allowing attackers to compromise high-value targets.
Since the incident, the Safe{Wallet} team has restored Safe{Wallet} on the Ethereum mainnet with a phased rollout that temporarily removed the native Ledger integration, which was the signing method used in the Bybit crypto heist.
The phased rollout to restore Safe{Wallet} services also added further security measures, including enhanced monitoring alerts and additional validations for transaction hash, data, and signatures. Safe{Wallet}'s team says it has fully rebuilt and reconfigured all infrastructure and rotated all credentials to ensure that the attack vector has been removed, preventing it from being used in future attacks.
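As an added illustration that is not from the article or from Safe{Wallet}'s or Bybit's own code, the check below shows what signer-side "validation of transaction data" can look like against a masked signing interface: the real recipient and amount are recomputed from the raw payload the wallet is asked to approve, rather than trusted from what the web UI displays. Field names follow Safe's transaction layout (operation 0 = CALL, 1 = DELEGATECALL); all addresses and amounts are constructed placeholders.

```python
from dataclasses import dataclass

# Real ERC-20 transfer(address,uint256) function selector
ERC20_TRANSFER_SELECTOR = "a9059cbb"

@dataclass
class RawSafeTx:
    """Subset of the raw Safe transaction fields a hardware wallet is asked to approve."""
    to: str          # target contract or recipient
    value: int       # wei of ETH sent
    data: str        # hex calldata without 0x ("" for a plain ETH transfer)
    operation: int   # Safe convention: 0 = CALL, 1 = DELEGATECALL

@dataclass
class UiSummary:
    """What the signing interface displays to the human signer."""
    recipient: str
    amount: int

def decode_erc20_transfer(data: str):
    """Return (recipient, amount) for ERC-20 transfer calldata, else None."""
    if len(data) != 8 + 64 + 64 or data[:8].lower() != ERC20_TRANSFER_SELECTOR:
        return None
    recipient = "0x" + data[8 + 24:8 + 64]   # address is right-aligned in a 32-byte word
    amount = int(data[8 + 64:], 16)
    return recipient.lower(), amount

def check_before_signing(raw: RawSafeTx, shown: UiSummary, allowed: set[str]) -> list[str]:
    """Derive where funds really go from the raw payload and compare with the UI.
    Returns a list of problems; an empty list means the payload matches what is shown."""
    problems = []
    if raw.operation != 0:
        problems.append("operation is not a plain CALL: the transaction could change contract logic")
    if raw.data == "":
        real_to, real_amount = raw.to.lower(), raw.value
    else:
        decoded = decode_erc20_transfer(raw.data)
        if decoded is None:
            problems.append("calldata is not a recognised ERC-20 transfer")
            return problems
        real_to, real_amount = decoded
    if real_to != shown.recipient.lower():
        problems.append(f"UI shows recipient {shown.recipient} but payload pays {real_to}")
    if real_amount != shown.amount:
        problems.append(f"UI shows amount {shown.amount} but payload moves {real_amount}")
    if real_to not in {a.lower() for a in allowed}:
        problems.append(f"recipient {real_to} is not on the signer's allow-list")
    return problems

# Constructed sample: an honest cold-to-warm ETH transfer passes with no findings
WARM_WALLET = "0x" + "11" * 20   # placeholder address
HONEST = RawSafeTx(to=WARM_WALLET, value=10**18, data="", operation=0)
assert check_before_signing(HONEST, UiSummary(WARM_WALLET, 10**18), {WARM_WALLET}) == []
```

The check is deliberately independent of the web page's JavaScript: it operates on the payload as presented to the signing device, so a compromised interface that shows the right address while changing the underlying call is caught by the operation and recipient comparisons.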
Karolis Liucveikis
Experienced software engineer, passionate about behavioral analysis of malicious apps