On-chain investigator ZachXBT has identified North Korea’s Lazarus Group as the team behind the billion-dollar Bybit hack, winning a 50k ARKM bounty for solving the case.
The breakthrough came when ZachXBT submitted conclusive evidence linking the attack to the hacking group at 19:09 UTC.
The investigation shared the hackers exploited Bybit’s Ethereum (ETH) multisig cold wallet during a routine transfer to the exchange’s warm wallet.
The attackers manipulated the signing interface, making it display the correct wallet address while altering the underlying smart contract logic.
Bybit CEO Ben Zhao confirmed the security breach resulted in losses exceeding $1.5 billion in cryptocurrency assets.
Despite the magnitude of the theft, Zhao assured users that all client withdrawals would be processed, even those under review.
ZachXBT reveals connections between Bybit and Phemex hack
ZachXBT’s investigation revealed direct on-chain connections between the Bybit incident and the recent Phemex exchange hack. The attackers also commingled funds from both thefts through the same initial theft addresses. This pattern matches the Lazarus Group’s known tactics of linking multiple exchange compromises.
The bounty submission included detailed analyses of test transactions conducted before the main attack, connected wallet tracking, and timing analyses that pointed to the North Korean state-sponsored group. Arkham has shared this forensic evidence with Bybit’s team to support their ongoing investigation.
The incident began when Bybit detected unauthorized transfers from one of their Ethereum (ETH) cold wallets. The exchange immediately launched an investigation, partnering with blockchain forensics experts to trace the stolen assets.
The company issued an open call for assistance from teams with expertise in blockchain analytics and fund recovery.
This hack represents one of the largest cryptocurrency exchange hacks in history.
The Bybit team received aid from other exchanges to keep the withdrawals open for users.
