Bybit Hack Draining Over $1.4B in Cryptocurrency Linked to the Lazarus Group

Written by: Vishwa Pandagle, Cybersecurity Staff Editor

Bybit, the global cryptocurrency exchange and Web3 platform, suffered a cyber attack that originated in one of its ETH cold wallets. The presently unidentified hackers executed the attack by masking the signing interface, displaying a legitimate address while manipulating the underlying smart contract logic.

After gaining access to the compromised ETH cold wallet through the malicious transaction, the hackers transferred its holdings to their address, Bybit posted on its X account.

This security incident at Bybit was closely investigated by the independent researcher ‘ZachXBT’. He posted on his X account, proving that the malicious Bybit transactions were perpetrated by the Lazarus Group.

He backed his findings with forensic graphs, test transactions, timing analysis and connected wallet analysis. After proving Lazarus’s involvement in this heist, he notified the company to help with its investigation.

Graphic Analysis of the Bybit and the Phemex Transactions | Source: ZachXBT on X

The Bybit hack, which caused $1.4 billion in damage, has been connected to the Phemex hack. After establishing the connection, ZachXBT posted, “Lazarus Group just connected the Bybit hack to the Phemex hack directly on-chain commingling funds from the initial theft address for both incidents.”

He shared the following information about the Bybit analysis with the readers:

Graphics Showing Linked Addresses in the Hacking of BingX, Bybit and Phemex | Source: ZachXBT on X

Ben Zhou, co-founder and CEO of Bybit, addressed the ETH incident and published a statement on X. He wrote, “Bybit is Solvent even if this hack loss is not recovered, all of the clients assets are 1 to 1 backed, we can cover the loss.”

Bybit's updates for users clarified that withdrawals were restricted until the systems were cleared of the threat. Bybit borrowed ETH to help with withdrawals and increased liquidity for USDT and USDC.

Crypto scams enable hackers and threat actors to make huge profits. Scammers use infostealers and malware that steal user data and cryptocurrency via fake apps and emails with malicious links.


