Saturday, February 22, 2025

Bybit Hack Update Timeline: North Korea’s Lazarus Group Responsible for Largest Crypto Hack in History


Bybit has suffered what is now confirmed to be one of the largest crypto hacks in history, with over $1.46 billion stolen in an exploit linked to North Korea’s Lazarus Group.

Below is a timeline of how events unfolded.

Bybit Hack Timeline

Initial Reports of Suspicious Outflows

ZachXBT reports $1.46 billion in suspicious outflows from Bybit. BitPinas was first alerted by a post from Aleksander Larsen, founder of Sky Mavis, whose own blockchain Ronin experienced a similar attack in 2022.

  • Transactions involving mETH and stETH are detected being swapped for ETH on decentralized exchanges (DEXs).

Confirmation of Security Incident

ZachXBT confirms the incident as a security breach, citing sources familiar with the situation.

Bybit Confirmation and Livestream Conference

Bybit CEO Ben Zhou was the first to confirm the hack within the organization.

“Bybit ETH multisig cold wallet just made a transfer to our warm wallet about 1 hour ago. It appears that this specific transaction was masked; all the signers saw a masked UI that displayed the correct address, and the URL appeared to be from Safe. However, the signing message actually changed the smart contract logic of our ETH cold wallet. This resulted in the hacker taking control of that specific ETH cold wallet, transferring all ETH to an unidentified address. Please rest assured that all other cold wallets are secure. All withdrawals remain normal.”

Explanation

Simplifying Zhou’s statement:

  • Bybit’s security team was tricked by a fake user interface (UI) when approving a transaction.
  • The hackers made it look like the signers were approving a normal transfer to a wallet, but in reality the signers were unknowingly giving the hacker control over Bybit’s Ethereum cold wallet. Once the hacker gained control, they emptied the wallet by transferring all ETH to an unknown address.
  • The key trick here was that the real transaction details were hidden (masked) from Bybit’s team.
    • They saw a legitimate-looking transaction, but what they were actually signing was something different—a change to the wallet’s smart contract logic that handed control over to the attacker.

Zhou said that only this one ETH cold wallet was affected. Their other wallets—hot wallets, warm wallets, and other cold wallets—remain secure and withdrawals for users are still working normally.
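The gap described above, between what the UI showed and what was signed, is the kind of thing a pre-signing check on the raw payload can catch. The sketch below is an added example, not code from Bybit, Safe or BitPinas. It assumes the signer obtains the raw transaction fields from a source independent of the web UI; the `Intent` structure, the function name and all sample addresses are hypothetical and constructed, while the `to`, `value`, `data` and `operation` fields follow the Safe transaction layout.

```python
from __future__ import annotations
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1  # values of the Safe transaction "operation" field

@dataclass(frozen=True)
class SafeTx:  # raw fields of the payload the signer's key will approve
    to: str
    value: int
    data: bytes
    operation: int

@dataclass(frozen=True)
class Intent:  # what the signer read on screen (hypothetical structure)
    recipient: str
    amount_wei: int

def review_before_signing(tx: SafeTx, intent: Intent, wallet: str) -> list[str]:
    """Return reasons to refuse; an empty list means a plain ETH transfer as shown."""
    findings = []
    if tx.operation == DELEGATECALL:
        findings.append("DELEGATECALL: target code runs against the wallet's own storage")
    elif tx.operation != CALL:
        findings.append(f"unknown operation value {tx.operation}")
    if tx.to.lower() == wallet.lower():
        findings.append("transaction targets the wallet contract itself")
    if tx.to.lower() != intent.recipient.lower():
        findings.append("recipient differs from the address shown on screen")
    if tx.value != intent.amount_wei:
        findings.append("amount differs from the amount shown on screen")
    if tx.data:
        findings.append("calldata present on what was shown as a plain ETH transfer")
    return findings

# Constructed sample values, not addresses or data from the incident.
COLD = "0x" + "c0" * 20
WARM = "0x" + "aa" * 20
OTHER = "0x" + "bb" * 20
SHOWN = Intent(recipient=WARM, amount_wei=10**18)
HONEST = SafeTx(to=WARM, value=10**18, data=b"", operation=CALL)
MASKED = SafeTx(to=OTHER, value=0, data=bytes.fromhex("deadbeef"), operation=DELEGATECALL)

if __name__ == "__main__":
    for name, tx in (("honest", HONEST), ("masked", MASKED)):
        print(name, review_before_signing(tx, SHOWN, COLD) or "ok")
```

The check only helps if the payload it inspects comes from a path the compromised interface cannot rewrite, such as the signing device's own decoding of the message.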

Lazarus Group Identified as Attackers

Arkham Intelligence announces that ZachXBT has submitted definitive proof linking the attack to Lazarus Group, a North Korean cybercriminal organization notorious for targeting crypto firms.

  • ZachXBT’s report includes test transactions, connected wallets, forensic graphs, and timing analyses used in the attack.
  • Bybit confirms they are working with on-chain analytics providers to track and mitigate further movement of the stolen funds.

Bybit Hack Connected to Phemex Hack

  • ZachXBT and Josh from Chainalysis Forensics (CF) reveal that on-chain evidence connects the Bybit exploit to the recent Phemex hack.
  • Analysts speculate this could be part of a coordinated Lazarus Group operation targeting multiple crypto platforms.

Recovery Efforts Begin

  • ZachXBT estimates that partial recovery (15-30%) could be possible, though laundering $1.46 billion remains difficult.
  • Bybit officially reports the case to law enforcement authorities and is working to blacklist attacker addresses across EVM chains.

This article is published by BitPinas: Bybit Hack Update Timeline: North Korea’s Lazarus Group Responsible for Largest Crypto Hack in History
