North Korea’s Lazarus Group Identified in Bybit’s $1.46 Billion Hack
In a significant development, blockchain analytics firm Arkham Intelligence has attributed the monumental $1.46 billion hack of cryptocurrency exchange Bybit to North Korea’s notorious Lazarus Group. This conclusion was reached following an investigation led by on-chain sleuth ZachXBT, who previously highlighted the incident on the social media platform X. Arkham took to X to announce a bounty of 50,000 ARKM tokens as a reward for anyone who could assist in identifying the attackers involved in Friday’s breach.
Subsequently, Arkham confirmed that ZachXBT had submitted “definitive proof” linking the attackers to the North Korean hacking collective. His submission included a thorough analysis of test transactions and associated wallets that were utilized prior to the hack, alongside various forensic graphs and timing analyses to establish a clear connection.
The hack, which has sent shockwaves through the crypto market, has been described by Elliptic’s co-founder and chief scientist, Tom Robinson, as “the largest crypto theft of all time, by some margin.” To put this in perspective, he noted that the next largest theft was the $611 million pilfered from Poly Network in 2021, highlighting the unprecedented scale of this incident.
According to blockchain data provider Nansen, the attackers executed their plan by initially siphoning nearly $1.5 billion in assets from the exchange into a primary wallet before dispersing the funds across multiple wallets. Nansen reported, “Initially, the stolen funds were transferred to a primary wallet, which then distributed them across more than 40 wallets.” Furthermore, the attackers converted all stETH, cmETH, and mETH into ETH, systematically transferring it in increments of $27 million to over 10 additional wallets.
The breach appears to have been facilitated by a technique known as “blind signing,” in which a signer approves a smart contract transaction without being able to see or verify what it actually does. Ido Ben Natan, CEO of blockchain security firm Blockaid, noted, “This attack vector is rapidly becoming a preferred choice for cyber attacks executed by advanced threat actors, including North Korea. It mirrors the approach taken in the Radiant Capital breach and the WazirX incident.”
Ben Natan elaborated on the vulnerabilities inherent in the current signing processes, stating, “The issue lies in the fact that, even with the most robust key management solutions, the majority of the signing process is entrusted to software interfaces that interact with decentralized applications (dApps). This creates a critical vulnerability, as it opens the door for malicious manipulation of the signing process, which is precisely what transpired in this attack.”
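The defensive counterpart to blind signing is to decode the transaction payload independently of the dApp interface and refuse to sign unless it matches what the operator intends. The following is an added example written for this article (not Bybit's, Blockaid's or any wallet vendor's code); it decodes an ERC-20 `transfer`/`approve` call and flags a payload whose recipient differs from the one the interface claims. All addresses and transactions are constructed.

```python
# Pre-signing check: decode what a transaction will actually do and compare it with
# what the operator believes they are approving, instead of signing blind.
# Well-known ERC-20 selectors (first 4 bytes of keccak256 of the signature),
# hardcoded so the example runs without a keccak library.
SELECTORS = {"a9059cbb": "transfer(address,uint256)", "095ea7b3": "approve(address,uint256)"}

def decode_calldata(data: str) -> dict:
    """Decode selector + (address, uint256) arguments; reject anything else."""
    raw = bytes.fromhex(data[2:] if data.startswith("0x") else data)
    if len(raw) != 4 + 32 + 32:
        raise ValueError(f"unexpected calldata length {len(raw)}")
    sig = SELECTORS.get(raw[:4].hex())
    if sig is None:
        raise ValueError(f"unknown selector 0x{raw[:4].hex()}")
    addr_word, amount_word = raw[4:36], raw[36:68]
    if any(addr_word[:12]):  # an address is right-aligned in its 32-byte word
        raise ValueError("malformed address word")
    return {"function": sig, "recipient": "0x" + addr_word[12:].hex(),
            "amount": int.from_bytes(amount_word, "big")}

def verify_before_signing(tx: dict, intent: dict) -> list[str]:
    """Return the list of mismatches; an empty list means the tx matches the intent."""
    problems = []
    if tx["to"].lower() != intent["to"].lower():
        problems.append(f"target {tx['to']} is not the expected contract {intent['to']}")
    if int(tx.get("value", 0)) != 0:
        problems.append("unexpected native ETH value attached to a token call")
    try:
        decoded = decode_calldata(tx["data"])
    except ValueError as err:
        return problems + [f"calldata rejected: {err}"]
    for field in ("function", "recipient", "amount"):
        got, want = decoded[field], intent[field]
        if str(got).lower() != str(want).lower():
            problems.append(f"{field}: payload says {got}, operator expected {want}")
    return problems

# Constructed sample addresses and transactions (not real ones).
TOKEN, TREASURY, ATTACKER = ("0x" + b * 20 for b in ("11", "22", "33"))

def transfer_calldata(recipient: str, amount: int) -> str:
    return "0xa9059cbb" + recipient[2:].rjust(64, "0") + format(amount, "064x")

INTENT = {"to": TOKEN, "function": "transfer(address,uint256)",
          "recipient": TREASURY, "amount": 10**18}
GOOD_TX = {"to": TOKEN, "value": 0, "data": transfer_calldata(TREASURY, 10**18)}
# What the UI labels as the same transfer, but whose payload pays a different address.
SWAPPED_TX = {"to": TOKEN, "value": 0, "data": transfer_calldata(ATTACKER, 10**18)}
```

In practice this comparison is done on a device or process that the dApp front end cannot influence, since the point is to check the bytes that will be signed rather than the interface's description of them.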
In response to the incident, Bybit’s CEO, Ben Zhou, addressed concerns on X, revealing that a hacker had successfully taken control of a specific ETH cold wallet, subsequently transferring all ETH contained within it to an unidentified address. He reassured users that the exchange remains solvent, even if the losses incurred from this hack are not recovered.
Oliver Knight contributed to the reporting of this story.