
Lazarus Group Pulled off Largest Digital Asset Heist in History



The largest digital asset heist in history has just occurred: hackers stole $1.5 billion from the Bybit exchange. Multiple blockchain security firms have linked the attack to Lazarus Group, the North Korean state-backed hacking team that targets digital asset platforms.

The massive breach happened on February 21 when hackers withdrew almost $1.5 billion worth of Ethereum (ETH) and other ERC-20 tokens from Bybit’s cold wallet.

Cold wallets are meant to be more secure because they are kept offline, but the hackers found a way to bypass Bybit’s defenses, transfer the funds to multiple wallets, and then distribute them further.

Arkham Intelligence offered a $30,000 bounty for information on the perpetrators. On-chain investigator ZachXBT was the first to provide proof that Lazarus Group was behind the attack.

[Image: Arkham Intelligence on X]

“His submission included a detailed analysis of test transactions and connected wallets used ahead of the exploit, as well as multiple forensics graphs and timing analyses,” Arkham said on X.

Elliptic and Nansen also confirmed the Lazarus Group’s involvement. Elliptic labeled the group’s wallets to prevent further liquidation of the stolen funds. Tom Robinson, co-founder of Elliptic, called it “the largest crypto theft of all time, by some margin”.

[Figure: Graph of the biggest digital asset thefts in history, from Tom Robinson on LinkedIn]

Experts believe the attack was carried out through “blind signing”: approving a smart contract transaction without fully understanding its contents.

In blind signing, the transaction presented to the wallet owner appears as very long sequences of hashes and numbers, something a human being cannot easily decipher.

Combined with the long lines of data that smart contract transactions carry, this produces a large, confusing block of data. If the owner does not pay close attention, malicious code can be hidden within it.
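One way a signing workflow can avoid the blind signing described above is to decode the calldata into readable intent and refuse anything it cannot fully decode. The sketch below is an added example, not code from the article or from Bybit: it handles only the three standard ERC-20 calls, its function names are hypothetical, and the sample calldata is constructed.

```python
# Added example: turn raw ERC-20 calldata into a readable summary before signing.
# Selectors are the standard ERC-20 ones; the sample calldata is constructed.
ERC20_CALLS = {
    "a9059cbb": ("transfer", ("address", "uint256")),
    "095ea7b3": ("approve", ("address", "uint256")),
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),
}
MAX_UINT256 = 2**256 - 1


def refuse(reason):
    return {"status": "REFUSE", "reason": reason}


def describe_calldata(data_hex):
    """Decode calldata or refuse; anything not fully understood is not signed."""
    try:
        raw = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    except ValueError:
        return refuse("calldata is not valid hex")
    if len(raw) < 4:
        return refuse("no 4-byte function selector")
    selector, body = raw[:4].hex(), raw[4:]
    if selector not in ERC20_CALLS:
        return refuse(f"unknown selector 0x{selector}: signing would be blind")
    name, types = ERC20_CALLS[selector]
    if len(body) != 32 * len(types):
        return refuse("argument data has unexpected length")
    args = []
    for i, kind in enumerate(types):
        word = body[32 * i:32 * (i + 1)]
        if kind == "address":
            if any(word[:12]):  # addresses are left-padded with 12 zero bytes
                return refuse("non-zero padding in address argument")
            args.append("0x" + word[12:].hex())
        else:
            args.append(int.from_bytes(word, "big"))
    warnings = []
    if name == "approve" and args[1] == MAX_UINT256:
        warnings.append("unlimited allowance")
    return {"status": "OK", "function": name, "args": args, "warnings": warnings}


# Constructed sample: transfer(0x1111...1111, 1000)
SAMPLE = "0xa9059cbb" + "00" * 12 + "11" * 20 + (1000).to_bytes(32, "big").hex()

if __name__ == "__main__":
    print(describe_calldata(SAMPLE))
    print(describe_calldata("0xdeadbeef" + "00" * 64))
```
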

According to Ido Ben Natan, CEO of Blockaid, “This attack vector is quickly becoming the favorite form of cyber attack used by advanced threat actors, including North Korea.”

Bybit CEO Ben Zhou acknowledged the breach on X, saying the hacker “took control of the specific ETH cold wallet and transferred all the ETH in the cold wallet to this unidentified address”.

Despite the loss, he assured customers the exchange was solvent and all withdrawals were being processed as normal.

Lazarus Group is well known for criminal activities that have stolen billions from the digital asset industry. Investigators say the group uses chain-hopping, converting stolen assets into bitcoin and then to cash, along with obfuscation methods to hide its tracks.

[Image: Eric Wall on X]

ZachXBT also linked the Bybit hack to a previous attack on Phemex in January where Lazarus stole $30 million.

These are just the latest in a long list of high-profile digital asset thefts perpetrated by the group, including the $625 million Ronin Network heist, the $100 million Atomic Wallet breach, and the $54 million CoinEx hack.


Several other companies are helping out Bybit. Tron’s founder Justin Sun announced his team is tracking the stolen funds. OKX and KuCoin also expressed support, with OKX deploying a team to assist with the investigation.

Bybit itself is taking measures to recover. CEO Ben Zhou said the exchange secured bridge loans to cover about 80% of the stolen funds so that withdrawals can continue as normal. He gave assurances that everything will continue to run and that all withdrawals will be honored.

The Bybit hack has raised concerns about the security of digital asset exchanges.

Some industry leaders like Coinbase’s Conor Grogan told users to stay calm, saying Bybit is still well funded. Others pointed out that strong revenue streams and backing will help Bybit recover.




