Bybit, the world’s second-largest cryptocurrency exchange, suffered a devastating $1.4 billion Ethereum (ETH) hack from a cold wallet breach on February 21, 2025. In the days following the attack, independent blockchain investigator ZachXBT traced the stolen funds directly to North Korea’s Lazarus Group, a notorious state-backed hacking organization. His findings were confirmed by Arkham Intelligence, a blockchain analysis firm, and shared with the Bybit team for further investigation.
ZachXBT Uncovers Lazarus Group’s Crypto Trail
On February 21 at 19:09 UTC, Arkham tweeted that ZachXBT had submitted definitive proof linking the attack to the Lazarus Group. His submission included detailed test transactions, connected wallet addresses, forensic graphs, and timing analyses, all of which suggested the hack was premeditated.
The next day, February 22, ZachXBT posted further evidence revealing that Lazarus had not only executed the Bybit hack but had also directly connected the stolen funds on-chain to the recent Phemex hack, which occurred on February 20. He identified a key overlapping address (0x33d057af74779925c4b2e720a820387cb89f8f65) where funds from both hacks had been commingled, effectively proving the same entity was responsible.
On-Chain Evidence of Lazarus Group’s Activity
Bybit Hack Transactions (Feb 22, 2025):
0xc963e65b9ec39b11076f78990c31f29aaa80705c75312dafd1748479e3e94ed0
0x411374feedcfa560335f00c0fcfa0a3906fdcc33687e6f924dd78ebecc45cd00
Phemex Hack Transactions (Feb 20, 2025):
0x6262a3339842240aeebae4ebfe338dbc771aa0e2df8f5a1ebcd7f9b090bedfe3
ZachXBT later tweeted that, before these transactions surfaced, he and another blockchain investigator, Josh from CF (Cryptoforensic Investigators), had already traced Bybit-related testing addresses that were involved in laundering funds from the Phemex hack via Tron. Their findings helped them secure a bounty from Arkham, which had launched a reward for anyone who could identify the Bybit hackers.
Lazarus Group just connected the Bybit hack to the Phemex hack directly on-chain commingling funds from the initial theft address for both incidents.
— ZachXBT (@zachxbt) February 22, 2025
Overlap address:
0x33d057af74779925c4b2e720a820387cb89f8f65
Bybit hack txns on Feb 22, 2025:… pic.twitter.com/dh2oHUBCvW
New Findings Connect Bybit Hack to BingX Hack
Later on February 22, ZachXBT made another major revelation: Lazarus Group had also linked an address used in the September 2024 BingX hack to the same cluster of addresses responsible for the Bybit and Phemex hacks. This means that the three hacks (Bybit, BingX, and Phemex) are all connected through on-chain transactions.
Overlap Address:
0xd555789b146256253cd4540da28dcff6e44f6e50
Bybit Hack Transaction:
0x4a366130118d750715c2d35fdc07509cf943fcc988fa5e6d02211e3d5472796e
BingX Hack Transaction:
0x93424aa87731bb9b1d8cc1f708d2ac9f3faf914f368a00494d87cba3e7719e8c
Lazarus Group just linked an address tied to the BingX hack to this same cluster a few minutes ago which now connects the Bybit, BingX, & Phemex hacks on-chain.
— ZachXBT (@zachxbt) February 22, 2025
Overlap
0xd555789b146256253cd4540da28dcff6e44f6e50
Bybit hack txn:… pic.twitter.com/CGh7pB31Xa
Investigators Publish 920+ Addresses Linked to the Hack
On February 22 at 9:05 PM UTC, ZachXBT tweeted that he had spent the entire day graphing the laundering movements of the stolen Bybit funds. He also made 920+ theft-linked wallet addresses publicly available to help exchanges and security teams block illicit transactions.
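To make the two investigative steps described above concrete (finding an overlap address where funds from separate incidents commingle, and screening withdrawals against a published theft-linked address list), here is an added Python example; it is not code from the article, ZachXBT, Arkham or Bybit. It forward-traces a constructed set of transfers from each incident's theft address, reports addresses reached from more than one incident, and screens a destination against the combined set. All addresses and amounts are constructed placeholders, not the real transactions.

```python
from collections import defaultdict, deque

# Constructed sample transfers (sender, receiver, amount). Addresses are
# placeholders, NOT the real Bybit, Phemex or BingX theft addresses.
TRANSFERS = [
    ("0xBYBIT_THEFT", "0xHOP_A1", 1000.0),
    ("0xHOP_A1", "0xOVERLAP", 400.0),
    ("0xHOP_A1", "0xHOP_A2", 600.0),
    ("0xPHEMEX_THEFT", "0xHOP_B1", 50.0),
    ("0xHOP_B1", "0xOVERLAP", 50.0),          # second incident lands on the same address
    ("0xOVERLAP", "0xEXCHANGE_DEPOSIT", 450.0),
    ("0xUNRELATED", "0xHOP_C1", 3.0),         # legitimate traffic, never linked
]

def build_graph(transfers):
    """Directed graph of outgoing transfers; addresses normalised to lowercase."""
    graph = defaultdict(set)
    for src, dst, _amount in transfers:
        graph[src.lower()].add(dst.lower())
    return graph

def forward_trace(graph, seed, max_hops=10):
    """Every address reachable from `seed` by following outgoing transfers (BFS)."""
    seed = seed.lower()
    seen, queue = {seed}, deque([(seed, 0)])
    while queue:
        addr, depth = queue.popleft()
        if depth >= max_hops:
            continue
        for nxt in graph.get(addr, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    return seen

def overlap_addresses(graph, seeds_by_incident):
    """Addresses downstream of more than one incident's theft address.
    The first such address is the commingling point; everything below it also overlaps."""
    hits = defaultdict(set)
    for name, seed in seeds_by_incident.items():
        for addr in forward_trace(graph, seed) - {seed.lower()}:
            hits[addr].add(name)
    return {addr: sorted(names) for addr, names in hits.items() if len(names) > 1}

def theft_linked_set(graph, seeds_by_incident):
    """Union of every address downstream of any incident: a screening list for exchanges."""
    linked = set()
    for seed in seeds_by_incident.values():
        linked |= forward_trace(graph, seed)
    return linked

def screen_destination(destination, linked):
    """True when a withdrawal destination appears on the theft-linked list."""
    return destination.lower() in linked
```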
Bybit responded to his findings with a tweet on February 23 at 9:17 AM, thanking ZachXBT for his work, stating: “Big shoutout to @ZachXBT for always keeping the space sharp. 👀🔍 Your work didn’t go unnoticed—much respect.”
Bybit Resumes Operations and Warns of Scammers
Despite the massive theft, Bybit announced that deposits and withdrawals on the platform had returned to normal. However, the exchange warned users of scammers impersonating Bybit employees, urging them to verify all communications and avoid sharing personal information.
“Scammers are out there pretending to be Bybit employees. Stay sharp! Bybit will never ask for your personal info, deposits, or passwords,” Bybit tweeted.
Coordinated Effort Freezes $42.89M in Stolen Funds
A coordinated global effort among crypto security teams led to the freezing of $42.89 million in stolen assets within a single day. According to Bybit’s tweet, several key players in the industry, including stablecoin issuers and exchanges, helped track and block the movement of the hacked funds.
Funds Frozen by Various Entities:
- ChangeNOW: Froze 34 ETH
- Circle: Assisted with crucial clues
- THORChain: Blocked the blacklist
- FixedFloat: Froze 120K USDC + USDT
- Avalanche (AVAX): Froze 0.38755 BTC
- Bitget: Blocked the blacklist and froze 84 USDT
- Tether: Flagged an address and froze 181K USDT
- CoinEx: Blocked the blacklist and provided key insights
Bybit acknowledged and praised these companies for their swift response, stating that their efforts were essential in tracking and freezing the hacked funds.
Who is the Lazarus Group?
The Lazarus Group is a state-sponsored North Korean hacking organization responsible for some of the biggest cyber heists in history. First identified in the early 2010s, the group has been linked to multiple high-profile financial and cyber attacks, including the 2014 Sony Pictures hack, the 2017 WannaCry ransomware attack, and a long list of crypto exchange breaches.
Their primary objective is stealing funds to support North Korea’s heavily sanctioned economy, which struggles under international financial restrictions. According to intelligence agencies and blockchain analytics firms, Lazarus has stolen over $3 billion in cryptocurrency since 2018, with much of the funds being funnelled into North Korea’s nuclear weapons program and military operations.
The group typically executes attacks through social engineering, phishing, and exploiting security vulnerabilities in crypto platforms. Their laundering methods often involve mixing services, decentralized exchanges, and cross-chain swaps to cover transaction trails before cashing out.
The Bybit incident is one of the largest crypto hacks in history, reinforcing concerns about security vulnerabilities in centralized exchanges. The rapid response from blockchain investigators like ZachXBT, exchanges, and security teams has helped mitigate the impact, but the attack further highlights the sophisticated tactics of hacking groups like Lazarus.
With Bybit now operational again, the industry remains on high alert as investigations continue into the laundering of the stolen funds.