- Blockchain investigator ZachXBT has linked the $1.4 billion Bybit hack to North Korea’s Lazarus Group.
- Bybit assured users that all funds are backed 1:1 and operations remain unaffected.
The massive $1.4 billion Bybit crypto exchange hack has taken a significant turn. Blockchain intelligence firm Arkham Intelligence said independent researcher ZachXBT shared crucial information linking the attack with North Korean hacking collective Lazarus Group.
The breach occurred on February 21st and is the largest crypto breach in history. Arkham reported that ZachXBT submitted a thorough forensic investigation, with transactions, related wallets, and on-chain transactions in the weeks leading up to the breach. The Bybit team is working closely with blockchain security firms to recover the lost funds.
BREAKING: BYBIT $1 BILLION HACK BOUNTY SOLVED BY ZACHXBT
At 19:09 UTC today, @zachxbt submitted definitive proof that this attack on Bybit was performed by the LAZARUS GROUP.
His submission included a detailed analysis of test transactions and connected wallets used ahead of… https://t.co/O43qD2CM2U pic.twitter.com/jtQPtXl0C5
— Arkham (@arkham) February 21, 2025
Attack Exploited Human Error, Not Code
According to our previous report, Bybit’s initial investigation disclosed the complexity of the attack. The exchange explained how attackers manipulated Bybit’s Ethereum cold wallet’s signing UI and presented the correct transaction information while manipulating the smart contract’s underlying logic.
Bybit detected unauthorized activity involving one of our ETH cold wallets. The incident occurred when our ETH multisig cold wallet executed a transfer to our warm wallet. Unfortunately, this transaction was manipulated through a sophisticated attack that masked the signing…
— Bybit (@Bybit_Official) February 21, 2025
This deception was carried out without triggering internal alarm systems. The Lazarus Group was not reported to have cracked Bybit’s code but took advantage of human vulnerabilities.
The attackers targeted multi-sig signers, took over their devices with malware, and manipulated approval on transactions without triggering alarm. The revelation has stoked alarm in the crypto space over the sufficiency of multi-sig protection.
Despite the severity of the breach, Bybit assured users that their customer funds are secure and fully backed. The exchange is still permitting withdrawals and operating normally. Bybit’s CEO stated that even in a worst-case scenario, the exchange is in a position where a bank run is not something to worry about.
6/ The good news:
"Bybit is solvent even if this hack loss is not recovered. All client assets are 1-to-1 backed, we can cover the loss."
Their founder claims they can handle even a bank run scenario: "We have enough tokens to give to the clients." pic.twitter.com/LYrgKGVZDP
— f(gautham)💤 (@gauthamzzz) February 21, 2025
Crypto Industry Reacts Quickly to Bybit Hack
The crypto community and other exchanges have acted swiftly in response to the Bybit hack. Bybit’s supplier, Safe.eth, conducted a comprehensive internal investigation and was not able to find a breach in their system. However, as a precautionary measure, Safe temporarily deactivated several wallet features to safeguard users.
A number of exchanges and DeFi protocols are also reviewing their security protocols. Bybit’s CEO Gracy ensured investors that the loss, while massive, was within Bybit’s annual $1.5 billion margin. She clarified that Bitget lent assets to Bybit and not customer capital.
Meanwhile, Ethena Labs confirmed none of its backing reserves was on Bybit, keeping potential contagion risk low. They reported lowering their unrealized profit-and-loss exposure from $30 million down to $10 million and having no exposure in a matter of hours.
As an update: the $30m of unrealised PNL noted in the prior post has been reduced to $10m and we expect to have zero unrealised PNL exposure to Bybit within the next hour.
There are currently $2.0b of liquid stablecoins in USDe backing which can be redeemed immediately if users… https://t.co/ONbRIaewpw
— Ethena Labs (@ethena_labs) February 21, 2025
However, the next 48 hours are crucial. The key questions still remain: Will the exchange receive back the money? How were the multi-signature signers compromised? What security upgrades are going to be pushed down the entire market?
Since Lazarus Group’s involvement is confirmed, authorities and blockchain researchers will intensify efforts to track down the stolen money and prevent future exploitation.