## Arkham Intelligence Links North Korea’s Lazarus Group to Bybit Hack
With some details still under wraps, Arkham Intelligence, a blockchain analysis firm, has determined that North Korea’s Lazarus group was behind the staggering $1.46 billion hack of the Bybit exchange. On X, Arkham announced a reward of 50,000 ARKM tokens, valued at approximately $30,000, for anyone who could help identify the attackers involved in Friday’s breach. Shortly thereafter, Arkham revealed that freelancer ZachXBT had provided “definite proof” linking the North Korean hacking group to the incident.
Current reports indicate that Lazarus, North Korea’s elite state-sponsored hacking unit, executed the largest hack ever recorded on a centralized crypto exchange, resulting in the withdrawal of Ethereum tokens totaling around $1.5 billion. Ethereum security researchers are working diligently to analyze the event, aiming to uncover the methods used in the attack and assess the potential for similar breaches on other exchanges. Within days, crypto enthusiast ZachXBT pinpointed the Lazarus group as the likely perpetrator. This group has been implicated in numerous high-profile attacks on digital assets.
Blockchain firm Nansen disclosed that the hackers initially funneled the stolen funds into a single wallet before dispersing them across multiple wallets. “Initially, the stolen funds were transferred to a primary wallet, which then distributed them across more than 40 wallets,” Nansen reported. “The attackers converted all stETH, cmETH, and mETH to ETH before systematically transferring ETH in $27 million increments to over 10 additional wallets.”
Ben Zhou, CEO of Bybit, urged customers to stay calm, stating that 80% of the funds had been recovered through bridge loans to compensate for the stolen assets. Despite the ongoing bank run on Bybit, Zhou confirmed that withdrawals would remain open and that customers would have access to their funds. The bridge loans enable Zhou to fulfill withdrawal requests, although the chances of recovering the stolen tokens appear slim at this point.
ZachXBT has yet to disclose all evidence linking the Lazarus group to the hack. He explained that his investigation involved tracing online connections between wallet addresses, ultimately narrowing down the suspects to the North Korean hacking group with the help of a colleague. ZachXBT also discovered a connection between the wallets used in the Bybit hack and those involved in the $85 million breach of Singapore-based exchange Phemex.
At this stage, the attack seems to have been facilitated by blind signing, in which a signer approves a smart contract transaction without full awareness of its contents. “This attack vector is quickly becoming the preferred method of cyber attack among advanced threat actors, including North Korea,” noted Blockaid’s CEO Ido Ben Natan. “It’s the same type of attack that was employed in the Radiant Capital breach and the WazirX incident.” “The challenge is that even with the best key management solutions, most of the signing process is currently delegated to software.”
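
A signer-side check against blind signing, as an added example that is not from the article or from any wallet vendor: it decodes raw calldata for three standard ERC-20 calls and refuses anything it cannot fully explain. The function names `decode_calldata` and `review`, the recipient allowlist, and the sample address are assumptions constructed for illustration.

```python
# Added example: decode calldata before signing. Addresses below are constructed.
UNLIMITED = 2**256 - 1

# Standard ERC-20 selectors: first 4 bytes of keccak256 of the function signature.
KNOWN = {
    "a9059cbb": ("transfer", ("address", "uint256")),
    "095ea7b3": ("approve", ("address", "uint256")),
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),
}

def decode_calldata(calldata_hex):
    """Return (function_name, args) or raise ValueError if not fully understood."""
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(raw)  # ValueError on malformed hex
    selector, body = data[:4].hex(), data[4:]
    if selector not in KNOWN:
        raise ValueError(f"unknown selector 0x{selector}")
    name, types = KNOWN[selector]
    if len(body) != 32 * len(types):
        raise ValueError("argument length does not match signature")
    args = []
    for i, kind in enumerate(types):
        word = body[32 * i:32 * (i + 1)]
        if kind == "address":
            if any(word[:12]):  # addresses are left-padded with 12 zero bytes
                raise ValueError("non-zero padding in address word")
            args.append("0x" + word[12:].hex())
        else:
            args.append(int.from_bytes(word, "big"))
    return name, args

def review(calldata_hex, allowed_recipients):
    """Return (ok, message); ok is False whenever the signer should stop."""
    try:
        name, args = decode_calldata(calldata_hex)
    except ValueError as err:
        return False, f"refuse to sign: {err}"
    # transfer/approve: beneficiary is arg 0; transferFrom: arg 1 (the 'to').
    beneficiary = args[1] if name == "transferFrom" else args[0]
    if beneficiary not in allowed_recipients:
        return False, f"refuse to sign: {name} to unlisted address {beneficiary}"
    if name == "approve" and args[-1] == UNLIMITED:
        return False, "refuse to sign: unlimited approval"
    return True, f"{name}({', '.join(map(str, args))})"

TREASURY = "0x" + "11" * 20  # constructed sample address
SAMPLE = "0xa9059cbb" + "00" * 12 + "11" * 20 + (1000).to_bytes(32, "big").hex()
```

The point of the design is the default: any payload the decoder does not recognise is rejected rather than shown to the signer as an opaque hash.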