How Bybit’s lost Ethereum went through North Korea’s washing machine

The $1.4 billion hack against Bybit wasn’t just the largest exploit in crypto history — it was a major test of the industry’s crisis management capabilities, highlighting its maturation since the collapse of FTX.

On Feb. 21, North Korea’s Lazarus Group made off with $1.4 billion in Ether (ETH) and related tokens in a breach that initially sent chills throughout the entire crypto world but was quickly quelled as the industry rallied behind Bybit to manage the fallout.

Here’s a look at how the attack unfolded, how Bybit responded, and where the stolen funds are moving.

Source: Elliptic

Feb. 21: Bybit hacked 

The Bybit hack was first spotted by onchain sleuth ZachXBT, who warned platforms and exchanges to blacklist addresses associated with the hack.

Soon thereafter, Bybit co-founder and CEO Ben Zhou confirmed the exploit and began providing updates and information on the breach.

A post-mortem from Chainalysis initially stated that Lazarus executed phishing attacks to access the exchange’s funds, but the analysis was later updated to report that the hackers gained control of a Safe developer’s computer rather than compromising Bybit’s systems.

The attackers managed to “reroute” some 401,000 ETH, worth $1.14 billion at the time of the exploit, and move it through a network of intermediary wallets.

The complex network of wallets, swaps and crosschain transfers the hackers have used to obscure the funds. Source: Chainalysis

Feb. 21: Bybit assures users its wallets are safe, Ethena confirms solvency

The exchange was quick to assure users that its remaining wallets were safe, announcing just minutes after Zhou confirmed the exploit that “all other Bybit cold wallets remain fully secure. All client funds are safe, and our operations continue as usual without any disruption.”

A few hours after the hack, customer withdrawals remained open. Zhou stated in a Q&A session that the exchange had approved and processed 70% of withdrawal requests at that time. 

Decentralized finance platform Ethena told users that its yield-bearing stablecoin, USDe, was still solvent after the hack. The platform reportedly had $30 million of exposure to financial derivatives on Bybit but was able to offset losses via its reserve fund. 

Feb. 22: Crypto industry lends Bybit a helping hand, hackers blacklisted

A number of crypto exchanges reached out to help Bybit. Bitget CEO Gracy Chen announced that her exchange had lent Bybit some 40,000 ETH (around $95 million at the time).

Crypto.com CEO Kris Marszalek said he would direct his firm’s security team to offer assistance. 

Other exchanges and outfits began freezing funds connected with the hack. Tether CEO Paolo Ardoino posted on X that the firm had frozen 181,000 USDt (USDT) connected with the hack. Polygon’s chief information security officer, Mudit Gupta, said the Mantle team was able to recover some $43 million in funds from the hackers. 

Zhou posted a thank you note on X, tagging a number of prominent crypto firms he said helped Bybit, including Bitget, Galaxy Digital, the TON Foundation and Tether. 

Source: Ben Zhou

Bybit also announced a bounty program with a reward of up to 10% of recovered funds, placing up to $140 million up for grabs.

Feb. 22: Run on withdrawals, Lazarus moves funds

Following the incident, user withdrawals brought the exchange’s total asset value down by over $5.3 billion.

Despite the run on withdrawals, the exchange kept withdrawal requests open, albeit with delays, and Bybit’s independent proof-of-reserves auditor, Hacken, confirmed that reserves still exceeded liabilities.

Meanwhile, blockchain trails showed that Lazarus had continued splitting the funds into intermediary wallets, further obfuscating their movement.

In one example, blockchain analysis firm Lookonchain stated that Lazarus had transferred 10,000 ETH, worth nearly $30 million, to a wallet identified as “Bybit Exploiter 54” to begin laundering funds. 

Blockchain security firm Elliptic wrote that the funds were likely headed for a mixer — a service that conceals the links between blockchain transactions — although “this may prove challenging due to the sheer volume of stolen assets.”

Feb. 23: eXch accused of laundering, Bybit continues restoring funds, blacklists grow

Blockchain analysts ZachXBT and Nick Bax both alleged that hackers were able to launder funds on the non-Know Your Customer crypto exchange eXch. ZachXBT claimed that eXch laundered $35 million of the funds and then accidentally sent 34 ETH to a hot wallet of another exchange.

Source: Nick Bax

EXch denied that it laundered funds for North Korea but admitted to processing an “insignificant portion of funds from the ByBit hack.”

The funds “eventually entered our address 0xf1da173228fcf015f43f3ea15abbb51f0d8f1123 which was an isolated case and the only part processed by our exchange, fees from which will be donated for the public good,” eXch said.

To help identify wallets that were involved in the incident, Bybit released a blacklisted wallet application programming interface (API). The exchange said the tool would help white hat hackers in its aforementioned bounty program. 

Bybit also managed to restore its Ether reserves to nearly half of where they were before the hack, largely through spot buys in over-the-counter trades following the incident but also including the Ether lent from other exchanges.

Feb. 24: Lazarus spotted on DEXs, Bybit closes the ETH gap

Blockchain sleuths continued to monitor the flow of funds now associated with Lazarus. Arkham Intelligence observed addresses associated with the hackers on decentralized exchanges (DEXs) trying to trade the stolen crypto for Dai (DAI). 

A wallet receiving some of the stolen ETH from Bybit reportedly interacted with Sky Protocol, Uniswap and OKX DEX. According to trading platform LMK, the hacker managed to swap at least $3.64 million. 

Unlike other stablecoins such as USDT and USDC (USDC), Dai can’t be frozen.

Zhou announced that Bybit had “fully closed the ETH gap” — i.e., it had replenished the $1.4 billion in Ether lost in the hack. His announcement was followed by a third-party proof-of-reserves report.

Bybit got its Ether reserves back to pre-hack levels. Source: Darkfost

Feb. 25: War on Lazarus

Bybit launched a dedicated website for its recovery efforts, which Zhou promoted while calling on the cryptocurrency community to unite against Lazarus Group. The site distinguishes between those who helped and those who reportedly refused to cooperate.

Almost $95 million in reported funds were moved to eXch. Source: LazarusBounty

It highlights the individuals and entities who assisted in freezing stolen funds, awarding them a 10% bounty split evenly between the reporter and the entity that froze the funds. 

It also names eXch as the sole platform that refused to help, claiming it ignored 1,061 reports.

Feb. 26: FBI confirms reports about Lazarus and Safe compromise

The US Federal Bureau of Investigation (FBI) confirmed the widely reported suspicion that North Korean hackers perpetrated the Bybit exploit, naming the TraderTraitor actors, better known in cybersecurity circles as Lazarus Group.

In a public service announcement, the FBI urged the private sector — including node operators, exchanges and bridges — to block transactions coming from Lazarus-linked addresses.

Source: Pascal Caversaccio

The FBI identified 51 suspicious blockchain addresses linked with the hack, while cybersecurity firm Elliptic has identified over 11,000 intermediaries.
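The defensive counterpart to those address lists is screening: an exchange, bridge or node operator checks each transfer's counterparties against the flagged set, and the set itself has to grow as funds split into intermediary wallets. The following is an added illustration written for this article, not Bybit's blacklist API, the FBI's published list or any analytics vendor's code; every address in it is a constructed placeholder. It goes slightly beyond the text in two ways a practitioner would want: it normalizes addresses before comparing (EIP-55 checksummed addresses mix upper and lower case, so a naive string match misses a flagged address written in a different case), and it propagates flags over a configurable number of hops along the transfer graph, which is how one seed list becomes thousands of intermediaries.

```python
"""Screen Ethereum transfers against a denylist and expand the denylist hop by hop.

Added illustration only. The addresses and transfers below are constructed
placeholders, not addresses from the Bybit incident or from the FBI's list.
"""
import re
from collections import deque

# 0x prefix followed by exactly 20 bytes of hex.
HEX_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")


def normalize(addr: str) -> str:
    """Validate an address and return it lower-cased.

    EIP-55 checksummed addresses encode a checksum in letter case, so the same
    account can appear as two differently cased strings. Comparing lower-cased
    forms avoids missing a flagged address on a case mismatch.
    """
    addr = addr.strip()
    if not HEX_ADDR.match(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr.lower()


def load_denylist(entries) -> set:
    """Build a set of normalized addresses from any iterable of address strings."""
    return {normalize(a) for a in entries}


def screen_transfer(tx: dict, denylist: set) -> list:
    """Return the reasons a transfer should be held; an empty list means it is clean."""
    reasons = []
    if normalize(tx["from"]) in denylist:
        reasons.append("sender flagged")
    if normalize(tx["to"]) in denylist:
        reasons.append("recipient flagged")
    return reasons


def expand_denylist(seed, transfers, max_hops: int) -> dict:
    """Breadth-first propagation of flags along observed transfers.

    Starting from the seed addresses (hop 0), every address that received funds
    from a flagged address is flagged at hop+1, up to max_hops. Returns a mapping
    of normalized address -> hop distance, so a reviewer can weight hits by depth.
    """
    outgoing = {}
    for tx in transfers:
        outgoing.setdefault(normalize(tx["from"]), []).append(normalize(tx["to"]))

    dist = {normalize(a): 0 for a in seed}
    queue = deque(dist)
    while queue:
        src = queue.popleft()
        if dist[src] >= max_hops:
            continue
        for dst in outgoing.get(src, []):
            if dst not in dist:
                dist[dst] = dist[src] + 1
                queue.append(dst)
    return dist


# Constructed sample data: one seed address splitting funds through two
# intermediaries before reaching a fourth wallet. Not real addresses.
SEED = ["0x1111111111111111111111111111111111111111"]
INTERMEDIARY_LOWER = "0xabcdefabcdefabcdefabcdefabcdefabcdefabcd"
INTERMEDIARY_MIXED = "0xABCDEFabcdefABCDEFabcdefABCDEFabcdefABCD"  # same account, different case
SECOND_HOP = "0x3333333333333333333333333333333333333333"
THIRD_HOP = "0x4444444444444444444444444444444444444444"

SAMPLE_TRANSFERS = [
    {"from": SEED[0], "to": INTERMEDIARY_MIXED, "eth": 10_000},
    {"from": INTERMEDIARY_LOWER, "to": SECOND_HOP, "eth": 5_000},
    {"from": SECOND_HOP, "to": THIRD_HOP, "eth": 34},
]


def screen_all(transfers, denylist: set) -> list:
    """Screen every transfer and return (index, reasons) for the ones to hold."""
    held = []
    for i, tx in enumerate(transfers):
        reasons = screen_transfer(tx, denylist)
        if reasons:
            held.append((i, reasons))
    return held


if __name__ == "__main__":
    seed_only = load_denylist(SEED)
    print("seed only:", screen_all(SAMPLE_TRANSFERS, seed_only))
    two_hops = set(expand_denylist(SEED, SAMPLE_TRANSFERS, max_hops=2))
    print("two hops: ", screen_all(SAMPLE_TRANSFERS, two_hops))
```

With only the seed address loaded, just the first transfer is held; after two hops of expansion the second transfer is held on both counterparties, while the final wallet is still clean because it sits three hops out. The hop distance is worth keeping in the result rather than flattening to a boolean: a direct counterparty of a flagged address and a wallet five hops downstream warrant different handling.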

Meanwhile, post-hack investigations found that the exploit stemmed from compromised SafeWallet credentials rather than from Bybit’s own infrastructure, as had previously been reported.

Feb. 27: THORChain volume explosion

Security firm TRM Labs flagged the speed of the Bybit hackers’ laundering efforts as “particularly alarming,” with the hackers reportedly moving over $400 million by Feb. 26 through intermediary wallets, crypto conversions, crosschain bridges and DEXs. TRM also noted that most of the stolen proceeds were being converted into Bitcoin (BTC), a tactic commonly linked to Lazarus. Most converted Bitcoin remains parked.

Meanwhile, Arkham Intelligence found that Lazarus had moved at least $240 million in ETH through embattled crosschain protocol THORChain by swapping it into Bitcoin. Cointelegraph found that THORChain’s total swap volume exploded past $1 billion in 48 hours.

THORChain developer “Pluto” announced their immediate departure from the project after a vote to block transactions linked to the North Korean hackers was overturned. Meanwhile, Lookonchain reported that the hackers had laundered 54% of stolen funds.

What the Bybit hack means for crypto

Bybit may have been able to fully restore its lost reserves, but the incident has raised larger questions about the blockchain industry and how hacks can be addressed.

Ethereum developer Tim Beiko swiftly dismissed a call to roll back the Ethereum network to refund Bybit. He said the hack was fundamentally different from previous incidents, adding that “the interconnected nature of Ethereum and settlement of onchain <> offchain economic transactions, make this intractable today.”

The fallout from the Bybit exploit suggests Lazarus Group is becoming more efficient at moving blockchain-based funds. Investigators at TRM Labs suspect this may indicate an improvement in North Korea’s crypto infrastructure or enhancements in the underground financial network’s ability to absorb illicit funds.

As the value locked in blockchain platforms grows, so does the sophistication of attacks. The industry remains a prime target for North Korean state hackers, who reportedly funnel their proceeds into the regime’s weapons program.

Source: https://cointelegraph.com/news/timeline-bybit-lost-ethereum-north-korea-money-launder?utm_source=rss_feed&utm_medium=editors_pick_rss%3Ft%3D1741027880826&utm_campaign=rss_partner_inbound