North Korea's Lazarus Group Suspected in $1.4 Billion Bybit Crypto Hack
Harrison Brooks
Saturday, Feb 22, 2025 1:46 pm ET


Bybit, one of the world's largest cryptocurrency exchanges, has fallen victim to a massive hack, with over $1.4 billion worth of ETH stolen from its cold wallet. The incident, which occurred on February 21, 2025, has raised concerns about the security of crypto exchanges and the potential involvement of state-sponsored hacking groups.
The hack was carried out by exploiting a "masked" UI and URL, deceiving wallet signers into approving a malicious transaction. This allowed the attacker to alter the smart contract logic and gain control of the ETH cold wallet, draining its funds. While the investigation is ongoing, Bybit co-founder and CEO Ben Zhou has reassured users that other cold wallets are secure and withdrawals remain operational.
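An independent pre-signing check is one defence against a masked interface of the kind described above. The following is an added example, not code from Bybit or from the original article: it compares the transfer the interface displays with the raw transaction the signer is actually asked to approve. The field names, the allowlist and the sample addresses are assumptions constructed for illustration.

```python
# Added example: field names, allowlist and sample values are constructed,
# not taken from the article or from any exchange's tooling.
from dataclasses import dataclass

WARM = "0x" + "11" * 20   # constructed: the routine, expected destination
OTHER = "0x" + "22" * 20  # constructed: a destination the signers never intended

# Hypothetical allowlist of destinations a cold wallet may send to.
ALLOWED_DESTINATIONS = {WARM}


@dataclass(frozen=True)
class DisplayedIntent:
    """What the signing interface shows the human signer."""
    to: str
    value_wei: int


@dataclass(frozen=True)
class RawTransaction:
    """What the signing device is actually asked to approve."""
    to: str
    value_wei: int
    data: bytes


def review_before_signing(shown: DisplayedIntent, raw: RawTransaction) -> list[str]:
    """Return reasons to refuse; an empty list means the payload matches the display."""
    findings = []
    if raw.to.lower() != shown.to.lower():
        findings.append("destination differs from what the interface displays")
    if raw.value_wei != shown.value_wei:
        findings.append("amount differs from what the interface displays")
    if raw.to.lower() not in ALLOWED_DESTINATIONS:
        findings.append("destination is not on the allowlist")
    if raw.data:
        # A plain ETH transfer carries no call data; a payload means a contract call.
        findings.append(f"unexpected call data, selector 0x{raw.data[:4].hex()}")
    return findings


# Constructed samples: the interface shows the same routine transfer in both cases.
shown = DisplayedIntent(to=WARM, value_wei=10**18)
honest = RawTransaction(to=WARM, value_wei=10**18, data=b"")
masked = RawTransaction(to=OTHER, value_wei=0,
                        data=bytes.fromhex("deadbeef") + b"\x00" * 32)

if __name__ == "__main__":
    print("honest:", review_before_signing(shown, honest))
    print("masked:", review_before_signing(shown, masked))
```

The check only helps if it runs on a device and code path separate from the interface that renders the transaction for the signers.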
Market Reaction: Initial Speculation and Volatility
Following the announcement of the hack, the crypto market reacted with heightened volatility. Initially, speculation arose that Bybit would need to buy back ETH on a 1:1 basis to compensate affected users, potentially driving a significant price rally. This speculation briefly caused ETH to bounce back after an initial drop. CMC data shows ETH fell from $2,828 to $2,708 (a 4.2% decline) before rebounding 3.36% to $2,759 within 10 minutes.
However, Zhou later clarified in a live stream that Bybit had secured a bridge loan covering 80% of the lost ETH and had no immediate plans to buy large amounts of ETH in the spot market. This led to a swift shift in sentiment, turning the market bearish amid concerns over selling pressure from the hacker and broader risk aversion among investors.
Will the Hacker Sell?
The hacker now holds over 500,000 ETH—more than Ethereum co-founder Vitalik Buterin, who has 240,000 ETH. The stolen ETH has been distributed across 53 wallets, which are being actively monitored by blockchain security and smart contract auditing teams. Given the high-profile nature of the attack, selling such a large amount of ETH poses a challenge. The wallets are tracked in real time, making it difficult for the hacker to offload the funds without detection.
Additionally, the current market conditions are not favorable for liquidating such a large amount of ETH. If the hacker were to sell at scale, it would likely trigger a major market downturn—akin to Vitalik Buterin dumping his holdings at twice the magnitude. However, since the hacker acquired the ETH essentially at zero cost, achieving the highest selling price may not be a priority.
Broader Implications for ETH
The timing of the hack coincides with ETHDenver, one of the largest annual Ethereum ecosystem conferences where projects typically announce major updates and new releases. ETHDenver has historically been a bullish event for the market, with ecosystem projects unveiling their latest developments. However, sentiment in the Ethereum community has been weak over the past five weeks, exacerbated by internal controversies, criticism of Vitalik Buterin, and concerns over the Ethereum Foundation’s future. The hack further dampens enthusiasm, casting a bearish shadow over an event that would usually drive positive momentum for ETH.
North Korea's Lazarus Group Suspected
An on-chain investigation has proven that the Bybit hack was carried out by the infamous North Korean Lazarus Group. Arkham Intelligence offered a bounty for strong evidence, which ZachXBT was able to provide. Apparently, Lazarus hackers used the same wallets today as in last month's Phemex hack. Bybit becomes the biggest crypto target for Lazarus.
The involvement of North Korea's Lazarus Group in the Bybit hack significantly impacts the global perception of crypto exchange security and trust. This high-profile incident highlights the vulnerability of even the most prominent exchanges to sophisticated cyberattacks. The fact that a state-sponsored hacking group was behind the attack further exacerbates concerns about the security of crypto platforms and the trust that users place in them.
The hack serves as a stark reminder that crypto exchanges, despite their best efforts, can still fall victim to advanced and well-resourced cybercriminals. This realization may lead to a decrease in user confidence and trust in the security measures implemented by exchanges. Additionally, the incident could potentially discourage new users from entering the crypto market, as they may be hesitant to invest in an environment perceived as insecure.
In the aftermath of the Bybit hack, it is crucial for exchanges to be transparent about their security measures and to communicate effectively with users about the steps they are taking to prevent similar incidents in the future. By doing so, exchanges can help to rebuild trust and restore confidence in the security of crypto platforms.
Sources:
- "An on-chain investigation proved that the Bybit hack earlier today was carried out by the infamous North Korean Lazarus Group." (Arkham Intelligence)
- "The hack is the latest incident in which the crypto industry has been targeted." (The New York Times)
- "The Bybit hack, which involved the compromise of a multi-signature cold wallet, has resulted in significant financial losses." (Bybit Hack Update)