In February this year, the North Korean hacker group Lazarus stole a large amount of Ethereum from the crypto exchange Bybit through a sophisticated attack. What seemed like a movie plot turned out to be an attack larger than initially imagined. Now, months after the incident, the latest investigation findings and response measures are gradually being revealed, and the development and impact of one of the largest crypto thefts in history deserve renewed attention.
Attack Background: 1.46 Billion USD ETH Vanishes
On February 21, 2025, the globally renowned crypto exchange Bybit was hacked, losing approximately 500,000 ETH, with a market value of 1.46 billion USD. The technical sophistication of the operation was astonishing: the hackers did not directly infiltrate Bybit's main system, but instead compromised the third-party wallet service provider Safe{Wallet} by infiltrating developers' computers and implanting a malicious signing module.
This attack method is called a "supply chain attack": a seemingly harmless process is poisoned so that, during a routine fund transfer, users' ETH is ultimately redirected to the hacker's address.
North Korean Lazarus Strikes Again
This attack is similar to multiple high-value theft cases in recent years, ultimately pointing to the same organization: North Korea's Lazarus Group. The group has previously been accused of infiltrating platforms like Axie Infinity, Harmony, and Coincheck, specializing in crypto asset infiltration and money laundering.
According to cross-referencing by the FBI and blockchain analysis companies like Elliptic, the attack method, highly dispersed money laundering pattern, and mixing tools used are consistent with Lazarus's historical actions, almost certainly confirming their involvement.
How Did Hackers Launder Money? Fund Flow Exposed
The hackers did not hold the ETH for long; approximately 84% of the funds were quickly converted to BTC and dispersed across over 35,000 different wallet addresses. The amount held per address was kept extremely low, averaging around 0.28 BTC, in an attempt to evade tracking by on-chain analysis tools.
Furthermore, they utilized various anonymization tools, such as:
- Tornado Cash (mixer)
- THORChain (cross-chain bridge)
- Wasabi Wallet (privacy wallet)
- Railgun (decentralized privacy protocol)
These tools not only obscure the source of funds but also enable cross-chain asset conversion, laundering the proceeds further.
Current estimates:
- Approximately 28% of funds are untraceable
- Approximately 4% have been successfully frozen
- The remaining nearly 70% are traceable but currently in rapid transfer
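To make the "untraceable / frozen / traceable" split above concrete, here is an added example (written for this article, not code from Bybit, Elliptic or any analysis firm) that follows funds forward from an origin address over a constructed ledger and classifies where they end up: amounts sent into known mixers are counted as untraceable, amounts sent into frozen accounts as frozen, and everything still sitting in reachable addresses as traceable. Address names and the transfer list are constructed; amounts are in satoshis so the arithmetic is exact.

```python
"""Forward fund tracing over a transfer ledger (constructed example data)."""
from collections import defaultdict, deque

BTC = 100_000_000  # satoshis per BTC

# Constructed sample ledger: (sender, receiver, amount_sat). Not real on-chain data.
TRANSFERS = [
    ("thief_hot_1", "hop_a", int(0.9 * BTC)),
    ("thief_hot_1", "hop_b", int(0.6 * BTC)),
    ("hop_a", "mixer_x", int(0.5 * BTC)),
    ("hop_a", "w_1", int(0.28 * BTC)),
    ("hop_b", "frozen_exchange_acct", int(0.3 * BTC)),
    ("hop_b", "w_2", int(0.28 * BTC)),
    ("unrelated", "w_3", 1 * BTC),  # never touched by the origin; must be ignored
]
KNOWN_MIXERS = {"mixer_x"}          # hypothetical labels for mixing services
FROZEN = {"frozen_exchange_acct"}   # hypothetical labels for frozen accounts


def trace_funds(transfers, origin, mixers, frozen):
    """Return satoshi totals by outcome plus simple fan-out statistics."""
    outgoing = defaultdict(list)
    for sender, receiver, amount in transfers:
        outgoing[sender].append((receiver, amount))

    # Breadth-first walk; mixers and frozen accounts are sinks, not expanded.
    reachable = {origin}
    queue = deque([origin])
    while queue:
        addr = queue.popleft()
        for receiver, _ in outgoing[addr]:
            if receiver in mixers or receiver in frozen or receiver in reachable:
                continue
            reachable.add(receiver)
            queue.append(receiver)

    totals = {"untraceable": 0, "frozen": 0, "traceable": 0}
    inflow = defaultdict(int)   # only inflow originating from reachable addresses
    outflow = defaultdict(int)
    for sender, receiver, amount in transfers:
        if sender not in reachable:
            continue
        outflow[sender] += amount
        if receiver in mixers:
            totals["untraceable"] += amount
        elif receiver in frozen:
            totals["frozen"] += amount
        else:
            inflow[receiver] += amount

    # What each reachable hop still holds is what an investigator can still follow.
    for addr in reachable - {origin}:
        totals["traceable"] += inflow[addr] - outflow[addr]

    receivers = {r for r, _ in outgoing[origin]}
    totals["direct_receivers"] = len(receivers)
    totals["avg_direct_amount"] = (
        sum(a for _, a in outgoing[origin]) // len(receivers) if receivers else 0)
    return totals


def shares(totals):
    """Percentage of the moved amount in each outcome bucket."""
    moved = totals["untraceable"] + totals["frozen"] + totals["traceable"]
    return {k: round(100 * totals[k] / moved, 1)
            for k in ("untraceable", "frozen", "traceable")}


if __name__ == "__main__":
    t = trace_funds(TRANSFERS, "thief_hot_1", KNOWN_MIXERS, FROZEN)
    print({k: (v / BTC if k in ("untraceable", "frozen", "traceable") else v)
           for k, v in t.items()})
    print(shares(t))
```

Balances are computed as inflow from reachable addresses minus all outflow, so funds that an intermediate hop has already pushed on to a mixer or a frozen account are not double-counted as still traceable.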
Bybit's Response and "Bounty Hunt"
After the incident, Bybit quickly launched the "Lazarus Bounty Program", issuing a bounty to global white hat hackers and cybersecurity personnel. Those who help track and stop fund transfers can receive substantial rewards. To date, 22 experts have received total compensation exceeding 4.3 million USD.
Additionally, Bybit stated that their financial system is robust enough to absorb this loss, and user assets remain unaffected. They have strengthened cold wallet management processes and hired external cybersecurity consultants to review the overall architecture, preventing similar vulnerabilities.
Market Response: Short-term Volatility and Emotional Anxiety
During the week Bybit's hack was announced, the crypto market experienced significant volatility. ETH price briefly dropped by about 4.8%, triggering a chain reaction across the market, with BTC, Solana, and other DeFi tokens falling over 3% within 24 hours.
Although the incident was a single platform's cybersecurity issue, the hackers' sophisticated methods, the massive amount involved, and the sensitivity of a potential North Korean government connection created a "trust stress test effect" in the market.
Investors worried about:
- Whether other exchanges have similar vulnerabilities
- Whether international regulation might tighten, prompting capital withdrawal
- Whether North Korean hackers still hold large amounts of unprocessed stolen coins that could trigger future market dumps
However, with Bybit's proactive handling and community communication, and with BTC still in a bull market cycle, prices gradually recovered within two weeks and the market stabilized. Yet this hack remains a warning for investors and regulators, putting long-term pressure on the trust that trading platforms depend on.
International Response: FBI Formally Indicts, International Cooperation Upgrades
The FBI formally indicted Lazarus in March 2025 and launched the "TraderTraitor" counteraction, tracking the stolen assets' subsequent flow. The US Treasury will also collaborate with multiple financial institutions to block and sanction anonymous wallets receiving or assisting in processing related funds.
This incident again highlighted crypto asset security issues, prompting the tech community to re-examine wallet module development processes, and global regulators to urge exchanges more strongly to strengthen KYC, AML, and supply chain reviews.
Future Impact and Insights
This Bybit incident left several key warnings:
- Supply chain attack risks are higher than expected; they are no longer just a technical issue but a comprehensive security challenge.
- Mixers and cross-chain tools will become a regulatory focus, potentially subject to reporting and review requirements.
- Exchange transparency and responsiveness are key to trust; although Bybit responded quickly, overall market confidence was still shaken.
For general users, this is a reminder that security risks cannot be completely eliminated even on mainstream platforms. Choosing reliable platforms and using cold wallets to store assets might be a more stable approach.
"Is the Strongest Crypto Hacker Actually North Korean? Latest Follow-up on the Bybit Theft Incident" was first published on NONE LAND Wave Chain.