On-chain investigator ZachXBT has identified North Korea’s Lazarus Group as the team behind the billion-dollar Bybit hack, winning a 50k ARKM bounty for solving the case. The breakthrough came when ZachXBT submitted conclusive evidence linking the attack to the hacking group at 19:09 UTC. BREAKING: BYBIT $1 BILLION HACK BOUNTY SOLVED BY ZACHXBT At 19:09 UTC today, @zachxbt submitted definitive proof that this attack on Bybit was performed by the LAZARUS GROUP. His submission included a detailed analysis of test transactions and connected wallets used ahead of… https://t.co/O43qD2CM2U pic.twitter.com/jtQPtXl0C5 — Arkham (@arkham) February 21, 2025 The investigation shared the hackers exploited Bybit’s Ethereum ( ETH ) multisig cold wallet during a routine transfer to the exchange’s warm wallet. The attackers manipulated the signing interface, making it display the correct wallet address while altering the underlying smart contract logic. Bybit CEO Ben Zhao confirmed the security breach resulted in losses exceeding $1.5 billion in cryptocurrency assets. Despite the magnitude of the theft, Zhao assured users that all client withdrawals would be processed, even those under review. You might also like: VanEck research reveals if Strategic Bitcoin Reserve can pay off US debt by 2049 ZachXBT reveals connections between Bybit and Phemex hack ZachXBT’s investigation revealed direct on-chain connections between the Bybit incident and the recent Phemex exchange hack. The attackers also commingled funds from both thefts through the same initial theft addresses. This pattern matches the Lazarus Group’s known tactics of linking multiple exchange compromises. Lazarus Group just connected the Bybit hack to the Phemex hack directly on-chain commingling funds from the intial theft address for both incidents. Overlap address: 0x33d057af74779925c4b2e720a820387cb89f8f65 Bybit hack txns on Feb 22, 2025:… pic.twitter.com/dh2oHUBCvW — ZachXBT (@zachxbt) February 22, 2025 The bounty submission included detailed analyses of test transactions conducted before the main attack, connected wallet tracking, and timing analyses that pointed to the North Korean state-sponsored group. Arkham has shared this forensic evidence with Bybit’s team to support their ongoing investigation. The incident began when Bybit detected unauthorized transfers from one of their Ethereum ( ETH ) cold wallets. The exchange immediately launched an investigation, partnering with blockchain forensics experts to trace the stolen assets. The company issued an open call for assistance from teams with expertise in blockchain analytics and fund recovery. This hack represents one of the largest cryptocurrency exchange hacks in history. The Bybit team received aid from other exchanges to keep the withdrawals open for users. Read more: Coinbase set to win SEC dismissal in ‘major win,’ analyst says
