
Key Takeaways
- Lazarus Group stole a record $1.5 billion from Bybit using sophisticated 'Blind Signing' exploits.
- Blockchain investigator ZachXBT first identified Lazarus, with confirmation from Arkham, Elliptic, and Nansen.
- Bybit secured bridge loans covering 80% of losses, maintaining customer withdrawals as normal.
North Korean hacking collective Lazarus Group has executed the largest digital asset theft ever recorded, stealing approximately $1.5 billion from the Bybit exchange on February 21.
Attack details
Hackers accessed Bybit’s Ethereum cold wallet—typically an offline and secure storage solution—and moved Ethereum and ERC-20 tokens to multiple wallets.
Blockchain security firm Arkham Intelligence offered a $30,000 bounty for identifying the hackers.
ZachXBT, a renowned blockchain investigator, was the first to link the theft directly to Lazarus Group.
Investigation findings
Arkham praised ZachXBT’s submission, noting:
His submission included a detailed analysis of test transactions and connected wallets used ahead of the exploit, as well as multiple forensics graphs and timing analyses.
Other blockchain security companies, including Elliptic and Nansen, confirmed the link to Lazarus.
Elliptic’s co-founder Tom Robinson called it “the largest crypto theft of all time, by some margin.”
Attack method
Security analysts identified the attack method as “Blind Signing,” in which users unknowingly authorize malicious transactions because the harmful instructions are buried inside complex smart contract data that the signer never sees in readable form.
According to Ido Ben Natan, CEO of Blockaid:
This attack vector is quickly becoming the favorite form of cyberattack used by advanced threat actors, including North Korea.
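The defensive counterpart to blind signing is to decode a transaction's calldata and check it against policy before any signature is produced. The following is an added illustration written for this article, not code from Bybit, Blockaid or any of the firms named above. It assumes a simple ERC-20 transfer/approve call and placeholder addresses; the two function selectors are the well-known first four bytes of the keccak256 hash of each function signature, and the allowlist is a constructed example.

```python
# Added illustration, not from the article: a minimal reviewer for ERC-20
# calldata. A signer that decodes the call and checks it against policy is
# the opposite of "blind signing", where the operator approves an opaque
# payload without seeing what the contract will do. Only two well-known
# selectors are handled; anything else is refused rather than guessed at.

# First 4 bytes of keccak256 of the canonical function signature.
SELECTORS = {
    "a9059cbb": "transfer",  # transfer(address,uint256)
    "095ea7b3": "approve",   # approve(address,uint256)
}


def encode_erc20_call(selector: str, to: str, amount: int) -> str:
    """Build calldata for a two-argument ERC-20 call. Used here only to
    construct sample inputs; a real tool receives calldata from the
    transaction under review."""
    addr = to.lower().removeprefix("0x").rjust(64, "0")
    value = format(amount, "x").rjust(64, "0")
    return "0x" + selector + addr + value


def decode_erc20_call(calldata_hex: str) -> dict:
    """Decode transfer/approve calldata into human-readable fields.
    Returns {"kind": "unknown", "reason": ...} for anything it cannot
    vouch for, so the caller never acts on a partially decoded result."""
    data = calldata_hex.lower().removeprefix("0x")
    if len(data) < 8:
        return {"kind": "unknown", "reason": "calldata shorter than a selector"}
    selector, args = data[:8], data[8:]
    if selector not in SELECTORS:
        return {"kind": "unknown", "reason": f"unrecognised selector 0x{selector}"}
    if len(args) != 128:  # two 32-byte ABI words, hex-encoded
        return {"kind": "unknown", "reason": "unexpected argument length"}
    addr_word, amount_word = args[:64], args[64:]
    # ABI encodes an address as a 32-byte word with 12 zero bytes of left padding.
    if addr_word[:24] != "0" * 24:
        return {"kind": "unknown", "reason": "address word has non-zero padding"}
    return {
        "kind": SELECTORS[selector],
        "to": "0x" + addr_word[24:],
        "amount": int(amount_word, 16),
    }


def review_transaction(calldata_hex: str, allowlist: set[str]) -> tuple[str, str]:
    """Policy check a signing device or approval workflow could apply before
    producing a signature: decode first, then compare the destination
    against the known-good list. Unknown calls are rejected outright."""
    decoded = decode_erc20_call(calldata_hex)
    if decoded["kind"] == "unknown":
        return "REJECT", decoded["reason"]
    allowed = {a.lower() for a in allowlist}
    if decoded["to"] not in allowed:
        return "REJECT", f"{decoded['kind']} to non-allowlisted address {decoded['to']}"
    return "OK", f"{decoded['kind']} of {decoded['amount']} base units to {decoded['to']}"


# Constructed sample data (placeholder addresses, not real accounts).
KNOWN_HOT_WALLET = "0x" + "11" * 20
UNKNOWN_ADDRESS = "0x" + "22" * 20
ALLOWLIST = {KNOWN_HOT_WALLET}

SAMPLE_TRANSFER = encode_erc20_call("a9059cbb", KNOWN_HOT_WALLET, 10**18)
SAMPLE_DIVERTED = encode_erc20_call("a9059cbb", UNKNOWN_ADDRESS, 10**18)
SAMPLE_OPAQUE = "0xdeadbeef" + "00" * 64  # selector the reviewer does not know

if __name__ == "__main__":
    for label, calldata in [
        ("transfer", SAMPLE_TRANSFER),
        ("diverted", SAMPLE_DIVERTED),
        ("opaque", SAMPLE_OPAQUE),
    ]:
        print(label, review_transaction(calldata, ALLOWLIST))
```

The point of the example is the failure mode the article describes: a signer shown only a hash or a raw hex blob has no way to tell the first sample from the second or third, whereas a reviewer that decodes the call refuses both the diverted transfer and the unrecognised selector before a signature exists.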
Exchange response
Bybit CEO Ben Zhou assured customers on X (formerly Twitter) that the exchange remains solvent, obtaining bridge loans to cover approximately 80% of the stolen assets.
Withdrawals continue normally.