- Investigators have linked the record-breaking $1.46 billion Bybit hack to North Korea’s Lazarus Group, using advanced cyber tactics to breach security.
- The stolen Ethereum, believed to help fund North Korea’s military, poses laundering challenges as crypto security firms track the movement of the assets.
New findings suggest that the record-breaking $1.46 billion hack of cryptocurrency exchange Bybit was orchestrated by North Korea’s notorious Lazarus Group. Security researchers and blockchain analysts have linked the attack to the state-sponsored cybercriminal unit, which has been responsible for some of the largest crypto heists in history.
On Friday, hackers gained access to one of Bybit’s cold wallets, where the exchange stored a substantial amount of Ethereum (ETH). The perpetrators then transferred over 401,346 ETH—worth approximately $1.46 billion—to an unidentified address.
Bybit’s CEO, Ben Zhou, confirmed the breach, stating that while the loss is significant, the exchange remains financially solvent and will continue to honor all customer withdrawals.
According to blockchain investigator ZachXBT and crypto security firm Halborn, the attack displayed hallmarks of Lazarus Group’s tactics, including test transactions, fraudulent signatures, and the eventual exploitation of a routine wallet transfer.
Arkham (@arkham) posted on February 21, 2025: “BREAKING: BYBIT $1 BILLION HACK BOUNTY SOLVED BY ZACHXBT. At 19:09 UTC today, @zachxbt submitted definitive proof that this attack on Bybit was performed by the LAZARUS GROUP. His submission included a detailed analysis of test transactions and connected wallets used ahead of… https://t.co/O43qD2CM2U”
These methods align with previous Lazarus-led breaches, such as the $600 million Ronin Network hack in 2022 and the $100 million Harmony Horizon Bridge attack in 2023.
Blockchain forensics firm TRM Labs and security researchers from MetaMask have expressed high confidence that the Bybit hack was carried out by Lazarus.
Ari Redbord, head of policy at TRM Labs, stated:
“TRM has determined—with high confidence—that the Bybit hack was perpetrated by North Korean hackers. This assessment is based on substantial overlaps observed between addresses controlled by the Bybit hackers and those linked to prior North Korean thefts.”
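The two forensic signals mentioned above, test transactions preceding the drain and overlap between the receiving addresses and a set of previously attributed ones, can be expressed as simple checks over a transfer list. The following is an added example written for this page; it is not tooling from TRM Labs, ZachXBT, Halborn or Bybit, and every address, amount and hop count in it is constructed sample data (the `0x...` labels are placeholders, not real addresses).

```python
"""Forensic triage of on-chain transfers: test-transaction detection and
known-address overlap. Added example, not Bybit/TRM/ZachXBT tooling.
All addresses and amounts below are constructed sample data."""
from collections import deque

# Constructed placeholder addresses standing in for a set previously
# attributed to DPRK-linked thefts.
KNOWN_DPRK_ADDRESSES = {"0xdprk_a", "0xdprk_b"}

# Constructed sample transfers in chronological order: (from, to, amount_eth).
SAMPLE_TRANSFERS = [
    ("0xcold_wallet", "0xthief", 0.01),       # small "test" transfer
    ("0xcold_wallet", "0xthief", 401_346.0),  # full drain shortly after
    ("0xthief", "0xhop_1", 20_000.0),
    ("0xthief", "0xhop_2", 20_000.0),
    ("0xhop_1", "0xdprk_a", 5_000.0),         # lands on a known address
    ("0xhop_2", "0xdex", 20_000.0),
    ("0xother", "0xmerchant", 3.5),           # unrelated traffic
]


def find_test_transactions(transfers, ratio=1000.0):
    """Flag (src, dst) pairs where a small transfer is followed by one at
    least `ratio` times larger to the same destination: the test-then-drain
    pattern. Returns a list of (src, dst, test_amount, drain_amount)."""
    first_seen = {}
    flagged = []
    for src, dst, amt in transfers:
        key = (src, dst)
        if key in first_seen:
            prev = first_seen[key]
            if prev > 0 and amt / prev >= ratio:
                flagged.append((src, dst, prev, amt))
        else:
            first_seen[key] = amt
    return flagged


def trace_forward(transfers, seed, max_hops=5):
    """Breadth-first walk downstream from `seed` over the transfer graph.
    Returns {address: hop_distance} for every address reached."""
    out = {}
    for src, dst, _ in transfers:
        out.setdefault(src, []).append(dst)
    dist = {seed: 0}
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        if dist[cur] >= max_hops:
            continue
        for nxt in out.get(cur, []):
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return dist


def attribution_overlap(transfers, seed, known, max_hops=5):
    """Known-set addresses reachable from `seed`, with the hop count at
    which each was first reached. An empty result means no overlap within
    `max_hops`, not a clean bill of health."""
    reached = trace_forward(transfers, seed, max_hops)
    return {addr: hops for addr, hops in reached.items() if addr in known}


if __name__ == "__main__":
    print(find_test_transactions(SAMPLE_TRANSFERS))
    print(attribution_overlap(SAMPLE_TRANSFERS, "0xthief", KNOWN_DPRK_ADDRESSES))
```

On the sample data the first check flags the cold-wallet-to-thief pair (0.01 ETH followed by the drain), and the second reports the known address reached two hops downstream of the thief address. In practice the known set would come from a curated attribution database and the hop limit keeps the walk from absorbing every exchange hot wallet on the chain.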
Crypto analyst ZachXBT further highlighted similarities between the Bybit hack and the January breach of Singapore-based exchange Phemex, where hackers stole at least $70 million.
The Lazarus Group has been repeatedly linked to attacks of this nature, using malware, phishing, and compromised private keys to infiltrate crypto platforms.
North Korea’s Crypto-Fueled Military Funding
Lazarus’ crypto heists are believed to be a critical funding source for North Korea’s nuclear weapons program. The regime has previously used illicit crypto gains to bypass international sanctions, with reports estimating that North Korea stole around $800 million in crypto in 2024 alone.
In 2022, its cyber thefts amounted to $1.7 billion—nearly half of the country’s military budget at the time.
The sheer scale of the Bybit attack places North Korea among the top holders of Ethereum worldwide, surpassing even Ethereum co-founder Vitalik Buterin and the Ethereum Foundation in ETH holdings, according to data from Arkham.
Challenges in Recovery and Laundering Stolen Funds
Given the size of the stolen assets, laundering the funds without detection presents a significant challenge. Experts believe that Lazarus may rely on cryptocurrency mixers, decentralized exchanges (DEXs), and a technique known as “chain-hopping” to obfuscate transaction trails.
Eric Wall | BIP-420 🐱 (@ercwl) posted on February 21, 2025: “If you want to understand what happens to funds after they’re stolen by North Korea/Lazarus Group, the Chainalysis 2022 report is great.
Step 1: Swap any ERC20s (like stETH) into ETH
Step 2: Swap any ETH into BTC
Step 3: Cash out BTC to cash (Chinese Renminbi) using Asian…”
While some recovery may be possible, ZachXBT estimated that “partial recovery is more common (15-30% in a good scenario).”
As law enforcement agencies and crypto security firms continue to track the stolen funds, the Bybit breach serves as a stark reminder of the ongoing battle between crypto platforms and increasingly sophisticated cybercriminals backed by nation-states.
Edited by Harshajit Sarmah