- Researchers said blockchain data suggest North Korea was the Bybit hacker.
- If confirmed, the pariah state would be one of the largest holders of Ether.
Hackers affiliated with North Korea likely carried out Friday’s record $1.5 billion hack of crypto exchange Bybit, according to security researchers.
Crypto analytics firm Arkham awarded pseudonymous blockchain investigator ZachXBT a $50,000 bounty for linking the hack to the Lazarus Group, based on, among other evidence, an analysis of the hacker’s test transactions and the wallets connected to them.
Lazarus is a hacking outfit sponsored by North Korea. US law enforcement say the pariah state is responsible for some of the largest crypto exploits, including the previous record-holder, the $600 million hack of the Ronin Network in March 2022.
ZachXBT said on X that he and a collaborator had tied Friday’s hack to the earlier hack of Phemex. He did not immediately respond to DL News’ request for comment on Friday.
In January, hackers stole at least $70 million in crypto from Phemex, a crypto exchange based in Singapore.
Crypto security firm Halborn said the method they used was “a specialty of the Lazarus Group.” Phemex did not identify the hacker in a statement released three days after the exploit.
On Friday, a hacker gained access to the so-called cold wallet in which Bybit stored its Ether, a wallet whose signing keys are meant to stay offline, and sent more than 401,000 Ether — worth about $1.5 billion at Friday’s prices — to an unidentified address.
CEO Ben Zhou said that accounted for about 70% of Bybit’s Ether. The exchange has $20 billion in assets under management and has pledged to honour all customer withdrawals.
Bybit has yet to comment on the identity of the hacker. The company said it has reported the hack to law enforcement.
Taylor Monahan, the lead security researcher at the crypto wallet MetaMask, is among those who believe Lazarus was responsible for the Bybit hack.
“We know they did the Phemex hack,” she told DL News. “Malware analysis, IP, tradecraft, MO, laundering, it all connects. DPRK doesn’t hide.”
Ari Redbord, head of policy at crypto forensics firm TRM Labs, agreed.
“TRM has determined — with high confidence — that the Bybit hack was perpetrated by North Korean hackers,” Redbord wrote on LinkedIn.
“This assessment is based on substantial overlaps observed between addresses controlled by the Bybit hackers and those linked to prior North Korean thefts.”
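The two signals the article cites, a small "test" send that precedes the real drain along the same path and overlap between the new theft's wallet cluster and addresses already tied to an earlier incident, can be illustrated with a toy version of the analysis. The code below is an added example for this page, not Arkham's, ZachXBT's or TRM's tooling, and it runs over a constructed transfer log with placeholder address names rather than real on-chain data; the thresholds and the "don't expand through services" rule are assumptions of the example.

```python
"""Toy on-chain attribution heuristics over a constructed transfer log.

Signal 1: a 'test transaction' is a small send that precedes a large send
between the same two addresses shortly afterwards.
Signal 2: walk the funding graph out from the attacker's addresses and
report which of them already appear in a prior-incident attribution set.
"""
from collections import deque

# Constructed sample data; the addresses are placeholders, not real wallets.
TRANSFERS = [
    # (sender, receiver, amount_eth, unix_time)
    ("exch_cold",  "atk_1",   0.01,   1_000_000),   # small probe first
    ("exch_cold",  "atk_1",   401000, 1_000_600),   # then the real drain
    ("atk_1",      "atk_2",   10000,  1_003_000),
    ("atk_1",      "atk_3",   10000,  1_003_100),
    ("atk_2",      "mixer_a", 5000,   1_010_000),
    ("gas_funder", "atk_1",   0.05,   999_000),     # someone paid gas for atk_1
    ("gas_funder", "old_1",   0.05,   500_000),     # ...and earlier for old_1
    ("old_1",      "mixer_a", 3000,   600_000),
    ("old_2",      "mixer_a", 200,    650_000),     # only linked via the mixer
    ("unrelated",  "shop",    1.0,    1_004_000),
]

# Addresses an analyst already attributes to a prior incident (constructed).
PRIOR_INCIDENT = {"old_1", "old_2"}

# Shared services (mixers, exchange deposit addresses) are touched by many
# unrelated users; expanding the walk through them would merge everyone into
# one cluster, so the walk records them but does not continue past them.
SERVICES = {"mixer_a"}


def find_test_transactions(transfers, small_max=0.1, big_min=1000, window=3600):
    """Return (probe, drain) pairs: same sender->receiver, small send first."""
    pairs = []
    for s, r, amt, t in transfers:
        if amt > small_max:
            continue
        for s2, r2, amt2, t2 in transfers:
            if (s2, r2) == (s, r) and amt2 >= big_min and 0 < t2 - t <= window:
                pairs.append(((s, r, amt, t), (s2, r2, amt2, t2)))
    return pairs


def build_graph(transfers):
    """Undirected adjacency: two addresses are linked if value moved between them."""
    adj = {}
    for s, r, _, _ in transfers:
        adj.setdefault(s, set()).add(r)
        adj.setdefault(r, set()).add(s)
    return adj


def cluster(seeds, adj, stop_at):
    """BFS over funding links from the seeds, not expanding through stop_at nodes."""
    seen = set(seeds)
    queue = deque(seeds)
    while queue:
        a = queue.popleft()
        if a in stop_at:
            continue  # reachable, but its other neighbours are not evidence
        for n in adj.get(a, ()):
            if n not in seen:
                seen.add(n)
                queue.append(n)
    return seen


def attribute(transfers, seeds, prior, victim, services=SERVICES):
    """Addresses from a prior incident that fall inside the new theft's cluster.

    The victim wallet is also a stop node: its other counterparties are
    ordinary customers, not the attacker's infrastructure.
    """
    stop = set(services) | {victim}
    c = cluster(seeds, build_graph(transfers), stop)
    return sorted(c & set(prior))


if __name__ == "__main__":
    for probe, drain in find_test_transactions(TRANSFERS):
        print("probe", probe, "-> drain", drain)
    print("overlap with prior incident:",
          attribute(TRANSFERS, {"atk_1"}, PRIOR_INCIDENT, "exch_cold"))
    print("overlap if mixers were expanded:",
          attribute(TRANSFERS, {"atk_1"}, PRIOR_INCIDENT, "exch_cold", services=set()))
```

In the constructed data the link to the prior incident comes through a shared gas funder, which is the kind of operational overlap that survives the stop rule; `old_2` is reachable only through the mixer and is therefore not reported unless the walk is allowed to expand through services, which is the point of the second call in the usage block. Real investigations add many more signals (timing, laundering routes, off-chain indicators), so a single overlap like this is a lead, not a conclusion.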
Cut off from most of the world due to US sanctions, North Korea uses the proceeds from crypto hacks to fund its nuclear weapons programme. Because blockchain transactions are irreversible, crypto has proven an especially attractive target for the regime.
A DL News investigation last year found that fake applicants are flooding job boards with doctored CVs. Mounting evidence suggested many were North Korean nationals trying to infiltrate crypto projects for nefarious purposes.
North Korea stole an estimated $800 million in crypto in 2024, according to Redbord. In 2022, it stole an estimated $1.7 billion in crypto, enough to fund almost half the country’s military budget at the time, according to threat intelligence platform Recorded Future.
If North Korea were responsible for Friday’s hack, it would be the world’s 14th-largest holder of Ether, surpassing the amounts held by Ethereum co-founder Vitalik Buterin and the Ethereum Foundation, according to data from Arkham.
Attribution to North Korea would also mean Bybit could struggle to recover the stolen crypto.
“Partial recovery is more common (15-30% in a good scenario?),” ZachXBT said on X, “but it’ll also be a bit harder to launder $1.46B I think depending on how patient they are.”
Aleks Gilbert is DL News’ New York-based DeFi correspondent. You can reach him at aleks@dlnews.com.