$1.4 Billion Bybit Hack: North Korea’s Lazarus Group Identified as the Culprit Behind Stolen Funds

The notorious North Korean hacking group Lazarus Group has been identified as the mastermind behind the theft of more than $1.4 billion in ETH from a Bybit crypto wallet on February 21, 2025, just hours after the launch of Pi Coin.

The hack, one of the largest in crypto history, caused panic among Bybit users, leading to a spiral of withdrawals from the exchange.

Lazarus Group’s long history of hacking

Lazarus Group, also known by other names such as Guardians of Peace and Whois Team, is allegedly sponsored by North Korea. The group has been accused multiple times of executing finance-related hacks and cyberattacks, resulting in billions of dollars in losses for its victims.

The group has a long history of cyberattacks. In 2019, it was alleged to have stolen $49 million from UpBit, followed by $275 million from KuCoin in 2020. Harmony Bridge lost $100 million to the group in 2022, while Horizon Bridge and WazirX suffered losses of $100 million and $235 million in 2023 and 2024, respectively.

The Bybit hack marks the group’s most audacious “achievement” yet, with the theft of $1.4 billion in ETH in 2025.

Unraveling the Bybit Hack

To track down the group or individuals behind the attack, which sent shockwaves through the crypto community, intelligence trading platform Arkham placed a bounty of 50K ARKM for anyone who could identify the culprit.

In a post on its X account, Arkham stated:

“We’ve created & funded a bounty to help identify the person or organization behind today’s >$1B Bybit hack. Submissions to this bounty will be shared with the Bybit team to support their investigation. Reward: 50K ARKM.”

Ethical hackers quickly responded with their findings.

Within minutes, Arkham provided an update, announcing that ZachXBT had submitted sufficient proof linking the attack to Lazarus Group. He further analyzed how the hackers moved 10,000 ETH across 39 addresses and urged crypto exchanges to blacklist these addresses on all EVM chains.

“@zachxbt submitted definitive proof that this attack on Bybit was performed by the Lazarus Group. His submission included a detailed analysis of test transactions, connected wallets used before the exploit, multiple forensic graphs, and timing analyses,” Arkham revealed. “The submission has been shared with the Bybit team to support their investigation.”

How Lazarus Group Hacked Bybit’s Multisig Cold Wallet

The attackers executed what analysts described as a social engineering campaign, targeting Bybit’s transaction authorization process.

Although Bybit’s multisig cold wallet required multiple signers to approve any transfer, the attackers presented those signers with a fraudulent interface that mimicked Safe Wallet’s legitimate UI.

During signing, the signers saw what appeared to be the correct destination addresses and URLs, while the hidden payload they were actually approving modified the wallet’s smart contract logic. The approvals were genuine but applied to a transaction the signers had never seen, which let Lazarus Group sidestep the multisig’s cryptographic safeguards and gain full control over the cold wallet.
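As an added, defender-side example that is not from this article, Bybit or Safe: a signer can recompute the Safe transaction hash offline from the parameters they actually intend to approve and compare it with the hash shown on their hardware wallet, so a UI that displays the "right" address cannot hide a different payload. It implements Keccak-256 in pure Python (hashlib has no Keccak), uses the EIP-712 type strings from the Safe contract (Safe 1.3.0 and later), and the addresses, nonce and chain id in the sample are constructed placeholders.

```python
_MASK = (1 << 64) - 1
_RC = [0x1, 0x8082, 0x800000000000808A, 0x8000000080008000, 0x808B, 0x80000001,
       0x8000000080008081, 0x8000000000008009, 0x8A, 0x88, 0x80008009, 0x8000000A,
       0x8000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
       0x8000000000008002, 0x8000000000000080, 0x800A, 0x800000008000000A,
       0x8000000080008081, 0x8000000000008080, 0x80000001, 0x8000000080008008]
_ROT = [0, 1, 62, 28, 27, 36, 44, 6, 55, 20, 3, 10, 43, 25, 39, 41, 45, 15, 21, 8, 18, 2, 61, 56, 14]
_rol = lambda v, n: ((v << n) | (v >> (64 - n))) & _MASK
def _keccak_f(s):  # Keccak-f[1600]; s holds 25 little-endian 64-bit lanes, lane index = x + 5*y
    for rc in _RC:
        c = [s[x] ^ s[x + 5] ^ s[x + 10] ^ s[x + 15] ^ s[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        s = [s[i] ^ d[i % 5] for i in range(25)]                                      # theta
        b = {y + 5 * ((2 * x + 3 * y) % 5): _rol(s[x + 5 * y], _ROT[x + 5 * y])
             for x in range(5) for y in range(5)}                                    # rho + pi
        s = [b[i] ^ (~b[(i + 1) % 5 + 5 * (i // 5)] & b[(i + 2) % 5 + 5 * (i // 5)]) for i in range(25)]  # chi
        s[0] ^= rc                                                                     # iota
    return s
def keccak256(msg: bytes) -> bytes:  # Ethereum's Keccak-256: pad byte 0x01, not SHA3-256's 0x06; rate 136
    buf = bytearray(msg) + b"\x01" + b"\x00" * ((136 - (len(msg) + 1) % 136) % 136)
    buf[-1] |= 0x80
    s = [0] * 25
    for off in range(0, len(buf), 136):
        for i in range(17):
            s[i] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        s = _keccak_f(s)
    return b"".join(lane.to_bytes(8, "little") for lane in s)[:32]
# EIP-712 type hashes, computed from the type strings in the Safe contract.
SAFE_TX_TYPEHASH = keccak256(b"SafeTx(address to,uint256 value,bytes data,uint8 operation,uint256 safeTxGas,"
                             b"uint256 baseGas,uint256 gasPrice,address gasToken,address refundReceiver,uint256 nonce)")
DOMAIN_TYPEHASH = keccak256(b"EIP712Domain(uint256 chainId,address verifyingContract)")
def _word(v):  # ABI-encode one field: ints and hex addresses as 32-byte words, dynamic bytes as their keccak
    return keccak256(v) if isinstance(v, bytes) else (int(v, 16) if isinstance(v, str) else v).to_bytes(32, "big")
def safe_tx_hash(chain_id, safe, to, value, data, operation, nonce, safe_tx_gas=0, base_gas=0,
                 gas_price=0, gas_token="0x0", refund_receiver="0x0"):
    domain = keccak256(DOMAIN_TYPEHASH + _word(chain_id) + _word(safe))
    fields = (to, value, data, operation, safe_tx_gas, base_gas, gas_price, gas_token, refund_receiver, nonce)
    return keccak256(b"\x19\x01" + domain + keccak256(SAFE_TX_TYPEHASH + b"".join(map(_word, fields))))
def review_request(intended: dict, device_hash: bytes) -> list:
    """Reasons to refuse: device hash differs from the intended tx, or it is a delegatecall (operation 1)."""
    findings = []
    if safe_tx_hash(**intended) != device_hash:
        findings.append("hash mismatch: the device would sign something other than the intended transaction")
    if intended["operation"] == 1:
        findings.append("delegatecall requested: a plain transfer never needs it, and data could rewrite the Safe's logic")
    return findings
# Constructed sample: the transfer the signer means to approve (placeholder addresses, chain id 1).
INTENDED = dict(chain_id=1, safe="0x" + "11" * 20, to="0x" + "22" * 20, value=10**18, data=b"", operation=0, nonce=7)
if __name__ == "__main__":  # simulate a device showing the hash of a swapped-in delegatecall instead
    print(review_request(INTENDED, safe_tx_hash(**dict(INTENDED, operation=1, to="0x" + "33" * 20, data=b"\xde\xad"))))
```

Compare against the hash the hardware wallet itself displays, never a value copied from the web UI; any mismatch for the transfer you meant to approve means do not sign.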
