[Update] Bybit Hack Update Timeline: North Korea's Lazarus Group Responsible for Largest Crypto Hack in History | BitPinas
Disclaimer: This article is for informational purposes only and does not constitute financial advice. BitPinas has no commercial relationship with any mentioned entity unless otherwise stated.
Updated on March 17, 2025.
Bybit has suffered what is now confirmed to be one of the largest crypto hacks in history, with over $1.46 billion stolen in an exploit linked to North Korea’s Lazarus Group.
Below is a timeline of how events unfolded.
Table of Contents
- Bybit Hack Timeline
- Initial Reports of Suspicious Outflows
- Confirmation of Security Incident
- Bybit Confirmation and Livestream Conference
  * Explanation
- Lazarus Group Identified as Attackers
- Bybit Hack Connected to Phemex Hack
- Recovery Efforts Begin
- Liquidity Support and Record Withdrawals
- North Korean Hackers Laundering Stolen Funds
- Cross-Chain Bridges Respond
- eXch Refuses Cooperation Amid Laundering Allegations
- Bybit Exploiter Laundering Funds Through Memecoins
- Coordinated Efforts Lead to Freezing of $42.89M
- Lazarus Bounty Hunt
- Laundered all Stolen Funds
- Bybit CEO: Funds are retrievable
- Fully Reimbursed Losses
- Timeline of Events as per Bybit
- $300M impossible to recover
Initial Reports of Suspicious Outflows
ZachXBT reports $1.46 billion in suspicious outflows from Bybit. BitPinas was first alerted by a post from Aleksander Larsen, founder of Sky Mavis, whose own blockchain Ronin experienced a similar attack in 2022.
- Transactions involving mETH and stETH are detected being swapped for ETH on decentralized exchanges (DEXs).
Confirmation of Security Incident
ZachXBT confirms the incident as a security breach, citing sources familiar with the situation.
Bybit Confirmation and Livestream Conference
Bybit CEO Ben Zhou was the first to confirm the hack within the organization.
“Bybit ETH multisig cold wallet just made a transfer to our warm wallet about 1 hour ago. It appears that this specific transaction was masked; all the signers saw a masked UI that displayed the correct address, and the URL appeared to be from Safe. However, the signing message actually changed the smart contract logic of our ETH cold wallet. This resulted in the hacker taking control of that specific ETH cold wallet, transferring all ETH to an unidentified address. Please rest assured that all other cold wallets are secure. All withdrawals remain normal.”
Explanation
Simplifying Zhou’s statement:
- Bybit’s security team was tricked by a fake user interface (UI) when approving a transaction.
- The hackers made it look like they were signing a normal transfer to a wallet, but in reality, they were unknowingly giving the hacker control over Bybit’s Ethereum cold wallet. Once the hacker gained control, they emptied the wallet by transferring all ETH to an unknown address.
- The key trick here was that the real transaction details were hidden (masked) from Bybit’s team.
- They saw a legitimate-looking transaction, but what they were actually signing was something different—a change to the wallet’s smart contract logic that handed control over to the attacker.
Zhou said that only this one ETH cold wallet was affected. Their other wallets—hot wallets, warm wallets, and other cold wallets—remain secure and withdrawals for users are still working normally.
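As an added illustration of the "don't trust the UI" point above (this is not code from Bybit or Safe): a pre-signing check that compares the Safe transaction fields a signer is actually about to approve with the plain ETH transfer the operator intended. Field names follow Safe's execTransaction parameters (to, value, data, operation); every address and payload below is a constructed placeholder.

```python
# Added example, not Bybit's or Safe's code: verify the fields being signed
# against the intended transfer instead of trusting the rendered UI.
CALL, DELEGATECALL = 0, 1  # Safe's Enum.Operation values

def check_safe_tx(intended, payload):
    """Compare a Safe transaction payload with the intended plain ETH
    transfer. Returns a list of findings; an empty list means it matches."""
    findings = []
    if payload["to"].lower() != intended["to"].lower():
        findings.append(f"recipient mismatch: {payload['to']} != {intended['to']}")
    if int(payload["value"]) != int(intended["value_wei"]):
        findings.append(f"value mismatch: {payload['value']} != {intended['value_wei']}")
    if int(payload.get("operation", CALL)) == DELEGATECALL:
        findings.append("operation is DELEGATECALL: it can replace the wallet's own logic")
    if payload.get("data", "0x") not in ("", "0x"):
        findings.append(f"unexpected calldata on a plain transfer: {payload['data'][:10]}...")
    return findings

# Constructed sample values (placeholders, not real addresses or hashes)
WARM_WALLET = "0x" + "11" * 20
INTENDED = {"to": WARM_WALLET, "value_wei": 30_000 * 10**18}  # a 30,000 ETH top-up

# What an honest Safe payload for that transfer looks like
HONEST_PAYLOAD = {"to": WARM_WALLET, "value": 30_000 * 10**18,
                  "data": "0x", "operation": CALL}

# A payload whose UI rendering could show the expected recipient while the
# signed fields point elsewhere and use delegatecall (constructed sample)
MASKED_PAYLOAD = {"to": "0x" + "ee" * 20, "value": 0,
                  "data": "0xdeadbeef" + "00" * 28, "operation": DELEGATECALL}

def verdict(intended, payload):
    """Human-readable decision for the signer: sign only on an empty finding list."""
    findings = check_safe_tx(intended, payload)
    return "OK to sign" if not findings else "REFUSE: " + "; ".join(findings)

if __name__ == "__main__":
    print(verdict(INTENDED, HONEST_PAYLOAD))
    print(verdict(INTENDED, MASKED_PAYLOAD))
```

The check must run on the payload taken from the signing device or the raw EIP-712 message, not on what the browser front end displays; otherwise it only re-verifies the masked view.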
Bybit is solvent even if this hack loss is not recovered. All of clients’ assets are 1-to-1 backed; we can cover the loss.
— Ben Zhou (@benbybit) February 21, 2025
Lazarus Group Identified as Attackers
Arkham Intelligence announces that ZachXBT has submitted definitive proof linking the attack to Lazarus Group, a North Korean cybercriminal organization notorious for targeting crypto firms.
- ZachXBT’s report includes test transactions, connected wallets, forensic graphs, and timing analyses used in the attack.
- Bybit confirms they are working with on-chain analytics providers to track and mitigate further movement of the stolen funds.
Bybit Hack Connected to Phemex Hack
- ZachXBT and Josh from Chainalysis Forensics (CF) reveal that on-chain evidence connects the Bybit exploit to the recent Phemex hack.
- Analysts speculate this could be part of a coordinated Lazarus Group operation targeting multiple crypto platforms.
Recovery Efforts Begin
- ZachXBT estimates that partial recovery (15-30%) could be possible, though laundering $1.46 billion remains difficult.
- Bybit officially reports the case to law enforcement authorities and is working to blacklist attacker addresses across EVM chains.
We have reported the case to the appropriate authorities and we will send an update as soon as we have any further information. We have fortunately worked quickly and extensively with on-chain analytics providers to identify and demix the implicated addresses. These actions will…
— Bybit (@Bybit_Official) February 21, 2025
Liquidity Support and Record Withdrawals
Since the attack, Bybit has processed a record number of withdrawals, with over 350,000 requests completed in just 10 hours. According to CEO Ben Zhou, 99.994% of withdrawals have been processed, with only 2,100 requests remaining.
To ensure platform stability, Bybit has received $4 billion in liquidity support over the past 12 hours. According to SoSoValue and TenArmor, Bybit’s inflows include:
- 63,168.08 ETH (~$170 million)
- $3.15 billion in USDT
- $173 million in USDC
- $525 million in CUSD
These funds come from bridge loans and institutional transfers, including 64,452 ETH from Bitget, MEXC, and Binance withdrawals.
Additionally, 11,800 ETH (~$31 million) was transferred from Binance to Bybit’s cold wallet to support customer withdrawals.
Bitget transferred 40,000 ETH ($106M) to Bybit as a loan.
North Korean Hackers Laundering Stolen Funds
According to Eric Wall’s analysis, Lazarus Group is expected to:
- Convert all ERC-20 tokens into ETH
- Swap ETH for BTC
- Gradually offload Bitcoin into CNY via Asian exchanges
These stolen funds are suspected to be used for North Korea’s nuclear weapons and ballistic missile programs.
Meanwhile, ZachXBT reports that Lazarus Group has already laundered 5,000 ETH, using the eXch mixer and bridging funds to Bitcoin through Chainflip. In response, Bybit CEO Ben Zhou has urged cross-chain bridge projects to help block further illicit transfers.
Cross-Chain Bridges Respond
Chainflip Labs stated that while they have taken temporary action, their decentralized nature limits their ability to fully block or freeze funds. They have, however, disabled certain frontend services to slow the movement of funds.
OKX President Hong Fang confirmed that OKX is in contact with Bybit to assist with IT security and liquidity support. DWF Labs partner Andrei Grachev also expressed willingness to provide ETH support if necessary, though no official withdrawal requests have been made from Bybit yet.
We're aware of the hacker's attempts to move the @Bybit_Official hack funds to BTC via Chainflip.
We have disabled some frontend services to stop the flow, but as a fully decentralised protocol with 150 nodes, we can't completely shut down the protocol.
As a more permanent…
— CHAINFLIP LABS (@Chainflip) February 22, 2025
eXch Refuses Cooperation Amid Laundering Allegations
The eXch coin mixer platform, used by North Korean hackers, has rejected Bybit’s request for cooperation in tracking stolen funds. Security firm SlowMist has previously identified eXch’s involvement in multiple security incidents, including exposing personal information of industry security personnel. Experts are now urging all crypto platforms to enhance risk controls for funds originating from eXch.
Bybit Exploiter Laundering Funds Through Memecoins
According to blockchain analysis, the Bybit exploiter is laundering stolen funds by issuing memecoins on Pump Fun, a popular token launchpad.
- The exploiter (5STkQy…95T7Cq) transferred 60 SOL to 9Gu8v6…aAdqWS
- The recipient wallet then launched a memecoin called QinShihuang (500,000), which has already recorded over $26 million in trades
Security researchers, including ZachXBT, noted that it is likely an entity laundering money for the Lazarus Group issued the token via Pump Fun.
In response, Pump Fun’s frontend has blocked the QinShihuang (500,000) token to prevent further trading.
Coordinated Efforts Lead to Freezing of $42.89M
Bybit has led a coordinated industry effort to freeze stolen funds, securing $42.89 million in just one day. The following platforms contributed to blocking and freezing illicit assets:
- Tether: Flagged address and froze 181K USDT
- THORChain: Blocked the blacklist
- ChangeNOW: Froze 34 ETH
- FixedFloat: Froze 120K USDC + USDT
- Avalanche (AVAX): Froze 0.38755 BTC
- CoinEx: Blocked the blacklist and provided key insights
- Bitget: Blocked the blacklist and froze 84 USDT
- Circle: Assisted in connecting investigators and provided crucial clues
A coordinated effort led to the freezing of $42.89M in just one day. Thanks to the following teams for their swift action: @Tether_to: Flagged address and froze 181K USDT @THORChain: Blocked the blacklist @ChangeNOW_io: Froze 34 ETH @FixedFloat: Froze 120K USDC + USDT…
— Bybit (@Bybit_Official) February 23, 2025
Lazarus Bounty Hunt
Zhou announced the launch of Lazarus Bounty (lazarusbounty.com), an industry-first bounty platform aimed at tracking and freezing funds laundered by North Korea’s Lazarus Group.
Key features include:
- Bounty System: Users can connect wallets, trace stolen funds, and receive instant payouts if their reports lead to asset freezing.
- 5% Freezer Reward: Exchanges, mixers, and individuals involved in freezing funds receive a 5% bounty.
- Live Transparency: A ranking system highlights actors’ responses to sanctioned transactions—bad actors risk being flagged for facilitating illicit activities.
- Real-Time API Updates: Wallet address tracking for exchanges and blockchain analytics firms like Chainalysis, Arkham, and Elliptic.
Bybit has dedicated a team to maintain the site and aims to expand it to other victims of Lazarus.
Laundered all Stolen Funds
In a March 4 report from blockchain security firm Lookonchain, it was revealed that the Bybit hacker laundered the entire $1.4 billion stolen in the biggest crypto hack in history within 10 days, primarily using THORChain.
Despite this, blockchain security firms believe some funds may still be recoverable.
Bybit CEO: Funds are retrievable
Bybit CEO Ben Zhou stated that 77% of the stolen funds remain traceable, though $280 million is unaccounted for, and 3% has been frozen.
3.4.25 Executive Summary on Hacked Funds:
Total hacked funds of USD 1.4bn around 500k ETH, 77% are still traceable, 20% has gone dark, 3% have been frozen.
Breakdown:
– 83% (417,348 ETH, ~$1B) have been converted into BTC with 6,954 wallets (Average 1.71 btc each). This and…
— Ben Zhou (@benbybit) March 4, 2025
Fully Reimbursed Losses
Bybit has fully closed the ETH gap and will soon release a new audited Proof-of-Reserves (POR) report using a Merkle tree to confirm that client assets are back to 100% 1:1 backing.
Latest Update: Bybit has already fully closed the ETH gap, new audited POR report will be published very soon to show that Bybit is again Back to 100% 1:1 on client assets through merkle tree, Stay tuned. https://t.co/QLa1vOujM6
— Ben Zhou (@benbybit) February 24, 2025
Timeline of Events as per Bybit
Weeks after hackers breached Bybit’s system by manipulating contract logic and using blind signature tactics to bypass security, the crypto platform released its timeline of the attack from their perspective.
February 21, 2025
- 13:30 – Bybit initiated a routine cold wallet transfer of 30,000 ETH to its warm wallet. Cold wallets, being offline, are considered more secure, but funds must be periodically transferred to warm wallets to facilitate withdrawals and trading.
- 14:13 – Hackers exploited vulnerabilities in the transfer process by manipulating contract logic and using blind signature tactics to bypass security protocols. This allowed them to drain a significant amount of funds from the platform.
- 15:44 – Bybit CEO Ben Zhou publicly confirmed the breach. He reassured users that the team was working to contain the damage, secure assets, and investigate the attack.
February 21-22, 2025
- 19:09 – On-chain investigator ZachXBT linked the attack to North Korea’s Lazarus Group, a well-known cybercrime syndicate responsible for multiple high-profile crypto heists. The group has previously targeted exchanges, DeFi platforms, and bridges.
- 00:54 – Despite the attack, Bybit successfully processed 99.99% of pending withdrawals, ensuring minimal disruption to user funds.
February 22, 2025
- 07:29 – Bybit received a $4 billion liquidity injection, likely from internal reserves or external funding, to cover the losses and maintain platform stability. This ensured continued operations and restored user confidence.
- 13:15 – Tether froze $181,000 worth of fraudulent USDT linked to the stolen funds. This move prevented the hackers from cashing out a portion of their illicit gains, though the majority of the stolen ETH remained in motion.
February 24, 2025
- 02:35 – Bybit successfully recovered $1.23 billion in ETH, significantly reducing the financial impact of the attack. While details of the recovery were not immediately disclosed, this could have involved negotiations, on-chain tracking, or cooperation with security firms and law enforcement.
February 26, 2025
- Bybit offered a $140 million bounty to help trace and freeze funds stolen in the $1.4 billion hack, the largest crypto heist in history. 5% of recovered funds go to the finder and 5% to the entity freezing them. So far, Bybit has awarded $4.23 million in bounties.
$300M impossible to recover
In a report, it was revealed that North Korea’s Lazarus Group already laundered $300 million from the $1.5 billion Bybit hack, making recovery difficult.
Analysts estimate that 20% of the stolen funds have “gone dark”, meaning they are likely unrecoverable. Moreover, with $1.2 billion still missing, the race to prevent further laundering continues.
This article is published by BitPinas: Bybit Hack Update Timeline: North Korea’s Lazarus Group Responsible for Largest Crypto Hack in History