SecurityWeek

Cybercrime

$1.5 Billion Bybit Heist Linked to North Korean Hackers

Companies and experts have found evidence linking the $1.5 billion Bybit cryptocurrency heist to North Korean Lazarus hackers.


Multiple companies and experts have found evidence linking the massive Bybit cryptocurrency heist to North Korean hackers.

It came to light over the weekend that hackers targeted the cryptocurrency exchange Bybit and stole roughly 400,000 Ether (ETH and stETH), worth nearly $1.5 billion, in what is considered the biggest cryptocurrency heist to date.

The funds were taken from one of Bybit's cold (offline) wallets. The company said the attack took place while ETH was being transferred from that cold wallet to a warm wallet.

According to Bybit, the attackers manipulated the signing interface so that the transaction appeared to send the funds to the correct address, while the underlying smart contract logic was altered. That gave them control of the cold wallet, and they used it to move its assets to an address under their control.

Security firm Check Point believes the attackers identified the multisig signers responsible for approving the transaction and compromised their devices through malware, phishing, or a supply chain attack.
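The gap described above, between what a signing UI renders and what the device is actually asked to sign, is the one a signer-side check has to close. The following is an added example, not Bybit's, Check Point's or any wallet vendor's code: it decodes the raw payload presented for signature instead of trusting the rendered fields, and refuses anything that is not a plain call to an allowlisted destination. It assumes a simplified multisig payload shape (to, value, data, operation with 0 = CALL and 1 = DELEGATECALL) and uses sha256 over a canonical encoding as a stand-in for the wallet's real signing hash; the ERC-20 transfer selector is the real one, and all addresses and amounts are constructed for the demonstration.

```python
import hashlib
import json

# Real ERC-20 selector: first 4 bytes of keccak256("transfer(address,uint256)").
ERC20_TRANSFER_SELECTOR = "a9059cbb"
OP_CALL, OP_DELEGATECALL = 0, 1

# Constructed sample addresses (not real accounts).
WARM_WALLET = "0x" + "11" * 20
ATTACKER = "0x" + "ee" * 20
TOKEN = "0x" + "aa" * 20
ALLOWLIST = {WARM_WALLET}


def encode_erc20_transfer(recipient: str, amount: int) -> str:
    """ABI-encode transfer(address,uint256): selector + two 32-byte words."""
    addr_word = recipient[2:].lower().rjust(64, "0")   # address right-aligned in its word
    amount_word = format(amount, "064x")
    return "0x" + ERC20_TRANSFER_SELECTOR + addr_word + amount_word


def decode_erc20_transfer(data: str):
    """Return (recipient, amount) if `data` is a well-formed ERC-20 transfer, else None."""
    raw = data[2:] if data.startswith("0x") else data
    if len(raw) != 8 + 128 or raw[:8].lower() != ERC20_TRANSFER_SELECTOR:
        return None
    recipient = "0x" + raw[8 + 24 : 8 + 64]
    amount = int(raw[8 + 64 : 8 + 128], 16)
    return recipient.lower(), amount


def signing_digest(tx: dict) -> str:
    """Stand-in (assumption) for the wallet's real signing hash: sha256 over a
    canonical encoding of the fields that actually get signed."""
    fields = {k: tx[k] for k in ("to", "value", "data", "operation")}
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def intended_destination(tx: dict):
    """Where value really ends up: native ETH uses `to`, while an ERC-20
    transfer hides the recipient inside calldata and `to` is only the token."""
    if tx["data"] in ("", "0x"):
        return tx["to"].lower(), tx["value"]
    return decode_erc20_transfer(tx["data"])


def verify_before_signing(displayed: dict, payload: dict, allowlist: set) -> list:
    """Independent policy check a signer runs on the payload it is asked to sign.
    `displayed` is what the UI rendered; `payload` is what reaches the device."""
    problems = []
    if signing_digest(displayed) != signing_digest(payload):
        problems.append("fields shown in the UI differ from the payload being signed")
    if payload["operation"] != OP_CALL:
        problems.append("operation is DELEGATECALL, not a plain CALL")
    dest = intended_destination(payload)
    if dest is None:
        problems.append("calldata is neither empty nor an ERC-20 transfer; refuse unknown calls")
    elif dest[0] not in allowlist:
        problems.append(f"destination {dest[0]} is not on the allowlist")
    return problems


def demo():
    """Constructed scenario: the UI renders an honest transfer to the warm wallet,
    but the payload handed to the signer redirects funds and changes the operation."""
    honest = {"to": TOKEN, "value": 0,
              "data": encode_erc20_transfer(WARM_WALLET, 10**18), "operation": OP_CALL}
    tampered = {"to": TOKEN, "value": 0,
                "data": encode_erc20_transfer(ATTACKER, 10**18), "operation": OP_DELEGATECALL}
    return (verify_before_signing(honest, honest, ALLOWLIST),
            verify_before_signing(honest, tampered, ALLOWLIST))


if __name__ == "__main__":
    ok, bad = demo()
    print("honest payload problems:", ok)
    print("tampered payload problems:", bad)
```

The point of the check is that it never consults the rendered UI for policy decisions: the digest comparison only detects the mismatch, while the operation and destination rules are evaluated against the decoded bytes. On a hardware signer the same logic belongs on the device, where a compromised workstation cannot reach it.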

According to the latest update from Bybit, which has been working on recovering the stolen funds, nearly $43 million has been recovered after various cryptocurrency services started freezing the stolen funds.

The company has launched a ‘recovery bug bounty program’ that will reward those who help recover the stolen funds with up to 10% of the recovered amount. It has assured customers that their assets are backed and the company is solvent even if it fails to recover the funds. 

Multiple companies and experts linked the attack to North Korea, specifically the threat group known as Lazarus, which has been known for significant cryptocurrency heists. 


An investigator focusing on cryptocurrency attacks and scams, known as ZachXBT, was among the first to link the Bybit hack to North Korea, based on the use of addresses previously attributed to the state-sponsored threat actor. 

Blockchain intelligence platform TRM Labs determined “with high confidence” that the hack was conducted by North Korea “based on substantial overlaps observed between addresses controlled by the Bybit hackers and those linked to prior North Korean thefts”.

Blockchain analytics firm Elliptic also linked the attack to North Korea’s Lazarus, based on “various factors”, including the way the hackers have attempted to launder the stolen assets. 

According to Elliptic, the attackers — within two hours of the theft — transferred the stolen funds to 50 different wallets, which are being systematically emptied. The funds are laundered via centralized and decentralized exchanges, as well as cross-chain bridges.

“The stolen Ether is steadily being converted to bitcoin, using eXch [which is refusing to freeze funds] and other services. If previous laundering patterns are followed we might expect to see the use of mixers next, to further obfuscate the transaction trail. However this may prove challenging due to the sheer volume of stolen assets,” Elliptic said.

In late 2024, the FBI officially blamed North Korean hackers for a $308 million heist targeting Bitcoin.DMM.com. 

Another massive cryptocurrency hack that was officially blamed by the US government on North Korea’s Lazarus group targeted Ronin and involved the theft of $600 million worth of cryptocurrency. 

The US, Japan, and South Korea recently said that North Korean hackers stole approximately $660 million in cryptocurrency in 2024.

Related: Indiana Man Sentenced to 20 Years in Prison for Hacking, $37 Million Crypto Theft

Related: Hackers Drain Over $85 Million From Crypto Exchange Phemex

Related: US Charges 3 Russians for Operating Cryptocurrency Mixers Used by Cybercriminals

Related: Wallet Drainer Malware Used to Steal $500 Million in Cryptocurrency in 2024

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
