Just after 2pm last Friday, a notorious group of hackers – responsible for some of the worst cyber crimes of the 21st century – pulled off what may well be their magnum opus.
In the space of just a few minutes, approximately $1.46 billion worth of digital currency was stolen from Bybit, one of the world’s most popular crypto exchanges, and funnelled across the internet to anonymous wallets. It marked the biggest heist in history.
For comparison, the amount stolen is nearly 30 times greater than the £53 million taken during the 2006 Securitas depot robbery in Tonbridge, the UK’s largest-ever cash heist. It is also nearly 500 million dollars greater than the amount Saddam Hussein stole from the Iraqi Central Bank on the eve of the 2003 Iraq War, which is commonly listed as the largest theft of all time.
Details of the operation are still emerging, but what is unique to crypto exchange breaches is that funds can be tracked in real-time over the blockchain. Serving as an online ledger, blockchain technology provides transparency of every transaction and movement of funds between wallet addresses, even if the owner of each individual wallet is unknown.
This has allowed investigators to follow the stolen assets in real-time as the hackers attempt to launder them through various wallets and exchanges, with the pattern closely mirroring a technique used by one of the world’s most sophisticated hacking operations: The Lazarus Group.
Allegedly backed by North Korea since its inception in 2009, the group has previously caused worldwide chaos through the 2017 WannaCry ransomware attacks, which infected 200,000 computers across 150 countries, including those of the NHS.
The Lazarus Group has also carried out numerous cryptocurrency attacks in the past, though Friday’s haul represents the largest strike to date, with the hackers making away with the equivalent to North Korea’s annual defence budget ($1.47bn in 2023).
Crypto investigation firm Chainalysis noted that the Bybit hack followed a common playbook used by Lazarus, which involves a social engineering attack to initially compromise the funds. It occurred during a routine transfer from Bybit’s Ethereum cold wallet – an offline crypto storage device – to its online hot wallet.
By targeting those responsible for verifying the wallet addresses with personalised phishing attacks, the hackers tricked them into signing-off the transactions to wallets owned by Lazarus.
“A security system is only as strong as its weakest link. In Bybit’s case, there was a security loophole when Ledger [a hardware wallet] and Safe{Wallet} [a digital wallet app] were used together,” Shahar Madar, vice president of security and trust at blockchain platform Fireblocks, told The Independent.
“Hackers likely used malware to secretly modify what users saw on the Safe{Wallet} interface. Users thought they were approving a normal transaction, when in reality, they were approving a different, manipulated one. Ledger required users to approve transactions without showing full details (known as “blind signing”). This meant users couldn’t see what they were actually approving, making it easy for hackers to trick them.”
Within two hours of the Bybit theft, researchers from blockchain analytics firm Elliptic observed stolen funds being sent to 50 different wallets, each holding approximately 10,000 ETH (ethereum).
These wallets were then systematically emptied through decentralised exchanges in a laundering process known as “layering”, which attempts to conceal the transaction trail.
“North Korea’s Lazarus Group is the most sophisticated and well-resourced launderer of cryptoassets in existence, continually adapting its techniques to evade identification and seizure of stolen assets,” Elliptic noted in a blog post. “The transparency of blockchains means that this transaction trail can be followed, but these layering tactics can complicate the tracing process, buying the launderers valuable time to cash-out the assets.“
Working alongside Bybit, Elliptic claims to have already seized some of the funds stolen from the Dubai-based exchange, but says the biggest challenge is the sheer volume of stolen assets.
Crypto intelligence platform Arkham noted that the Bybit hackers were making multiple transactions every minute for 45 minutes, before pausing for 15 minutes. The pattern seems to suggest that the process was not automated, as whoever is doing it needs to take periodic breaks.
“Did Lazarus get an intern to wash their funds manually,” the firm questioned in a post to X.
.png)
The massive heist caused crypto markets to tumble, but it also served as an inadvertent demonstration of the industry’s resilience. Within 72 hours of the attack, Bybit had restored its reserve to a 1:1 ratio, meaning no customer funds were lost.
“Through it all, the crypto community, our partners, and our users have shown unwavering support,” the exchange said in a statement. “We know where our funds have gone, and we’re committed to turning this experience into an opportunity to strengthen the ecosystem… Today marks a new week and a new chapter.”
The scale of the attack could ultimately fuel broader efforts to take down Lazarus. In response to the hack, Bybit CEO Ben Zhou, which is the world’s second largest crypto exchange by trading volume, called for a “war against Lazarus”, issuing a $140 million bounty to recover the funds and provide information about the group.
The move, which is an industry first, could mark the beginning of coordinated global action to finally neutralise the Lazarus Group’s cyber-terror campaigns.
“We have shared in a dark moment of crypto history, and we’ve proven we are better than the malicious actors”, said Mr Zhou. “We will not stop until Lazarus or bad actors in the industry are eliminated.”
