Bybit got ripped apart by hackers today, and now we know exactly who did it. The infamous Lazarus Group, North Korea’s state-backed cybercriminal syndicate, has been exposed as the masterminds behind the $1.5 billion Bybit exploit, which is the largest crypto theft in history.
The confirmation came from ZachXBT, one of the most respected on-chain sleuths in the space, who dropped indisputable evidence linking Lazarus to the attack.
Arkham Intelligence, which had offered a $50,000 ARKM bounty to identify the attackers, quickly confirmed the findings. The analysis reportedly included wallet connections, test transactions, and on-chain forensic data, all pointing directly to Lazarus Group.
ZachXBT, working with Josh from ChainFeeds (CF), connected the dots between the Bybit breach and a previous attack on Phemex, another crypto exchange. Their research showed that the same addresses, laundering patterns, and exploit methodologies were used in both cases. It was clear: Lazarus was behind it all.
BREAKING: BYBIT $1 BILLION HACK BOUNTY SOLVED BY ZACHXBT
At 19:09 UTC today, @zachxbt submitted definitive proof that this attack on Bybit was performed by the LAZARUS GROUP.
His submission included a detailed analysis of test transactions and connected wallets used ahead of… https://t.co/O43qD2CM2U pic.twitter.com/jtQPtXl0C5
— Arkham (@arkham) February 21, 2025
Arkham’s bounty, valued at $32,000, was a drop in the ocean compared to what Bybit just lost. But the speed at which the bounty worked is unbelievable. Within an hour, ZachXBT had solved the case.
The North Korean Lazarus has been systematically draining the crypto industry for years, funding Pyongyang’s ballistic missile program with stolen crypto.
Bybit CEO Ben Zhou confirmed that the exchange remains fully operational after the hack, assuring users that: “Bybit’s hot wallet, warm wallet, and all other cold wallets are fine. “The only cold wallet that was hacked was the ETH cold wallet. ALL withdrawals are NORMAL.”
In a later statement, Zhou reiterated that Bybit remains solvent regardless of the stolen funds. “All client assets are 1-to-1 backed. We can cover the loss.”
Before today’s Bybit hack, the largest exploit in crypto history was the $600 million Ronin Network attack on March 23, 2022.
Zhou explained that Bybit’s Ethereum (ETH) multisig cold wallet had made a transfer to the exchange’s warm wallet about an hour before the attack. The transaction appeared normal at first.
“It appears that this specific transaction was masked,” Zhou said. “All the signers saw a masked UI that showed the correct address, and the URL was from Safe.”
But the actual signing message changed the smart contract logic of Bybit’s ETH cold wallet. This allowed the hacker to take control of the wallet and transfer all ETH to an unidentified address.
Cryptopolitan Academy: Coming Soon - A New Way to Earn Passive Income with DeFi in 2025. Learn More
