Blockchain investigator ZachXBT has linked the recent $1.46 billion Bybit hack to North Korea’s Lazarus Group, according to a submission made to Arkham Intelligence at 19:09 UTC.
Notably, the finding, which includes an extensive forensic analysis of wallet movements and test transactions, has been shared with Bybit’s security team to support its ongoing investigation.
Bybit, one of the world’s largest cryptocurrency exchanges, suffered a major security breach when hackers exploited its cold wallet infrastructure.
The attackers drained approximately $1.46 billion worth of Ethereum (ETH) in what has been described as a sophisticated blind-signing exploit, a technique that deceives signers into approving unauthorized transactions.
Arkham Bounty Played Key Role
Arkham Intelligence had previously launched a bounty worth 50,000 ARKM (about 31,000 USD) to incentivize blockchain researchers to uncover the identity of the attackers. The bounty led to ZachXBT’s discovery, revealing that Lazarus Group had conducted test transactions ahead of the exploit and used multiple wallets to obfuscate the stolen funds.
The Lazarus Group, a state-backed hacking collective tied to North Korea, has been responsible for multiple high-profile cryptocurrency thefts in recent years, including the $620 million Ronin Network exploit in 2022 and several attacks on decentralized finance (DeFi) platforms.
Bybit CEO Ben Zhou has reassured users that the exchange remains solvent and all client funds are secure. While some industry figures, including former Binance CEO Changpeng Zhao, have advised Bybit to temporarily halt withdrawals as a precautionary measure, the exchange has not announced any suspension of services.
Blockchain security firm Cyvers Alerts previously confirmed that the hack involved a malicious contract modification, which granted the attackers control over the exchange’s cold wallet without requiring further authentication.
Implications for Crypto Security
The Bybit breach marks one of the largest exchange hacks in history, surpassing previous attacks on platforms such as WazirX and Radiant Capital. It also highlights the persistent threat of state-sponsored hacking groups targeting digital assets.
Identifying Lazarus Group as the perpetrator of the attack provides investigators with key insights into the movement of the stolen funds.
Blockchain analysts and law enforcement agencies can now track the flow of assets through known laundering channels used by the group, potentially freezing funds before they are fully liquidated.