OVERVIEW OF THE LATEST BYBIT SCAM ATTRIBUTED TO LAZARUS GROUP
In February 2025, the cryptocurrency exchange Bybit suffered a record-breaking hack, resulting in a loss of approximately $1.4–$1.5 billion in digital assets, primarily Ethereum and related tokens. This incident is widely recognized as the largest crypto heist to date and has been officially attributed to the North Korea-backed Lazarus Group, also known as TraderTraitor, APT38, and Blue Noroff.
HOW THE HEIST WAS EXECUTED
ATTACK VECTOR: The hackers exploited a vulnerability in Bybit's cold wallet infrastructure. Specifically, they used a "signing interface masking technique" during an Ethereum transfer, which allowed them to gain unauthorized control over a cold wallet and move its contents to addresses they controlled.
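The attack vector above comes down to a mismatch between what the signing interface displays and what is actually offered for signature. The following is an added example, not code from Bybit or from any wallet or signing-interface vendor, of the kind of independent check a signing workstation can run before a key touches the payload: it decodes the raw transaction and compares it field by field against the intent the operator approved. All addresses, amounts and payloads are constructed, and the `Intent` type, `verify_payload` and the other names are this example's own assumptions.

```python
"""Independent pre-signing check for an Ethereum transaction payload.

Added example; not Bybit's code and not the code of any wallet or
signing-interface vendor. It models the failure class the article calls
"signing interface masking": the screen shows the signer one transaction
while the payload actually offered for signature says something else.
The defence shown here is to decode the raw payload independently and
compare it field by field with the intent the operator approved.
All addresses, amounts and payloads below are constructed sample values.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Real constant: first 4 bytes of keccak256("transfer(address,uint256)")
ERC20_TRANSFER_SELECTOR = "a9059cbb"


@dataclass(frozen=True)
class Intent:
    """What the operator believes they are approving (hypothetical type)."""
    to: str                          # address the tx is sent to (token contract or recipient)
    value_wei: int                   # native ETH attached to the tx
    recipient: Optional[str] = None  # ERC-20 recipient, None for a plain ETH transfer
    amount: Optional[int] = None     # ERC-20 amount in the token's smallest unit


def strip0x(h: str) -> str:
    h = h.lower()
    return h[2:] if h.startswith("0x") else h


def encode_erc20_transfer(recipient: str, amount: int) -> str:
    """ABI-encode transfer(address,uint256); used here only to build sample payloads."""
    return "0x" + ERC20_TRANSFER_SELECTOR + strip0x(recipient).rjust(64, "0") + format(amount, "064x")


def decode_erc20_transfer(data_hex: str) -> Optional[tuple[str, int]]:
    """Return (recipient, amount) if the calldata is a well-formed ERC-20 transfer, else None."""
    data = strip0x(data_hex)
    if len(data) != 8 + 64 + 64 or data[:8] != ERC20_TRANSFER_SELECTOR:
        return None
    recipient_word, amount_word = data[8:72], data[72:136]
    if recipient_word[:24] != "0" * 24:      # an address must be left-padded with zero bytes
        return None
    return "0x" + recipient_word[24:], int(amount_word, 16)


def verify_payload(intent: Intent, payload: dict) -> list[str]:
    """Compare the raw payload with the approved intent.

    Returns a list of human-readable mismatches; an empty list means the
    payload says exactly what the operator approved and may be signed.
    """
    problems: list[str] = []
    to = strip0x(payload.get("to", ""))
    if to != strip0x(intent.to):
        problems.append(f"destination 0x{to} differs from approved 0x{strip0x(intent.to)}")
    value = int(payload.get("value", "0x0"), 16)
    if value != intent.value_wei:
        problems.append(f"value {value} wei differs from approved {intent.value_wei} wei")
    data = payload.get("data", "0x")
    if intent.recipient is None:
        if strip0x(data):
            problems.append("calldata present on what was approved as a plain ETH transfer")
        return problems
    decoded = decode_erc20_transfer(data)
    if decoded is None:
        problems.append("calldata is not a well-formed ERC-20 transfer(address,uint256)")
        return problems
    recipient, amount = decoded
    if strip0x(recipient) != strip0x(intent.recipient):
        problems.append(f"token recipient {recipient} differs from approved {intent.recipient.lower()}")
    if amount != intent.amount:
        problems.append(f"token amount {amount} differs from approved {intent.amount}")
    return problems


# --- constructed sample data ---------------------------------------------
TOKEN_CONTRACT = "0x" + "c" * 40
APPROVED_RECIPIENT = "0x" + "a" * 40
ROGUE_RECIPIENT = "0x" + "b" * 40
AMOUNT = 1_000 * 10**18

INTENT = Intent(to=TOKEN_CONTRACT, value_wei=0, recipient=APPROVED_RECIPIENT, amount=AMOUNT)

# The payload that matches what the screen showed the signer.
HONEST_PAYLOAD = {"to": TOKEN_CONTRACT, "value": "0x0",
                  "data": encode_erc20_transfer(APPROVED_RECIPIENT, AMOUNT)}
# A payload whose calldata sends the tokens elsewhere while the UI still
# displays the approved recipient.
MASKED_PAYLOAD = {"to": TOKEN_CONTRACT, "value": "0x0",
                  "data": encode_erc20_transfer(ROGUE_RECIPIENT, AMOUNT)}

if __name__ == "__main__":
    print("honest:", verify_payload(INTENT, HONEST_PAYLOAD) or "OK to sign")
    print("masked:", verify_payload(INTENT, MASKED_PAYLOAD))
```

The point of the design is that the comparison runs on the bytes the signer will actually sign, on a machine or device separate from the one rendering the interface, so a compromised or manipulated display cannot also alter the check. A real deployment would extend the decoder to every call type the wallet is permitted to make and reject anything it cannot decode.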
FUNDS MOVEMENT: Once the assets were stolen, the attackers quickly began laundering the proceeds. They dispersed the stolen crypto across thousands of addresses on multiple blockchains, converting some assets to Bitcoin and other cryptocurrencies to obscure the trail and facilitate eventual cash-out.
LAUNDERING TACTICS: The Lazarus Group utilized decentralized exchanges, instant swap bridges lacking KYC requirements, and cross-chain bridges to convert and move the stolen funds. According to reports, nearly 69% of the stolen Ethereum was laundered within days of the attack.
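Blocking implicated addresses, as the article later notes Bybit and analytics firms did, requires deciding which of the thousands of addresses downstream of the cold wallet count as implicated. The following is an added example, not code from Bybit, Elliptic, Arkham Intelligence or any other analytics vendor, of a minimal taint-propagation heuristic over constructed transfer records: it follows funds forward from a known compromised address, through an address that swaps one asset for another, and turns the result into a screening decision for inbound deposits. The transfers, addresses, hop limit and function names are all this example's own assumptions.

```python
"""Deriving a deposit-screening list by following stolen funds across hops.

Added example; not code from Bybit, Elliptic, Arkham Intelligence or
any other analytics vendor. It applies a simple taint-propagation
heuristic to a constructed list of transfers: starting from a known
compromised address, every address that receives funds from a tainted
address within a hop limit is flagged, and the resulting list is used
to screen incoming deposits. Addresses and amounts are constructed
sample values; the real event involved thousands of addresses.
"""
from collections import defaultdict, deque
from typing import Iterable

# Constructed sample transfers: (sender, receiver, asset, amount).
# A swap or bridge appears as an address that receives one asset and
# sends another; taint follows the address, not the asset.
SAMPLE_TRANSFERS = [
    ("0xcold", "0xhop1", "ETH", 100.0),
    ("0xcold", "0xhop2", "ETH", 50.0),
    ("0xhop1", "0xswap", "ETH", 100.0),
    ("0xswap", "0xhop3", "BTC", 2.5),      # proceeds converted to another asset
    ("0xhop2", "0xfresh", "ETH", 50.0),
    ("0xuser", "0xhop2", "ETH", 1.0),      # honest sender paying a tainted address is not tainted
    ("0xfresh", "0xexchange", "ETH", 49.9),
]


def build_graph(transfers):
    """Adjacency list: sender -> [(receiver, asset, amount), ...]."""
    graph = defaultdict(list)
    for sender, receiver, asset, amount in transfers:
        graph[sender].append((receiver, asset, amount))
    return graph


def propagate_taint(transfers, seeds: Iterable[str], max_hops: int = 3) -> dict:
    """Breadth-first taint propagation.

    Returns {address: hops_from_nearest_seed}. Funds only flow forward, so
    an address that merely sends to a tainted address is never flagged.
    """
    graph = build_graph(transfers)
    tainted = {seed: 0 for seed in seeds}
    queue = deque(tainted)
    while queue:
        addr = queue.popleft()
        hops = tainted[addr]
        if hops >= max_hops:
            continue
        for receiver, _asset, _amount in graph.get(addr, []):
            if receiver not in tainted:        # first visit is the shortest path
                tainted[receiver] = hops + 1
                queue.append(receiver)
    return tainted


def fan_out(transfers, address: str) -> int:
    """Number of distinct receivers an address sent to: a dispersal indicator."""
    return len({receiver for sender, receiver, _, _ in transfers if sender == address})


def screen_deposit(tainted: dict, sender: str) -> str:
    """Decision a deposit pipeline could apply to an inbound transfer (hypothetical policy)."""
    if sender not in tainted:
        return "allow"
    return "block" if tainted[sender] <= 1 else "hold-for-review"


if __name__ == "__main__":
    flagged = propagate_taint(SAMPLE_TRANSFERS, ["0xcold"], max_hops=3)
    for addr, hops in sorted(flagged.items(), key=lambda kv: kv[1]):
        print(f"{addr:<12} hops={hops} decision={screen_deposit(flagged, addr)}")
```

The all-or-nothing rule here (any inflow from a tainted address taints the receiver) is the simplest form of the heuristic; production tracing weights taint by the proportion of tainted funds an address holds, so that a large exchange deposit address receiving one small tainted transfer is not treated the same as a freshly created address funded entirely from the theft.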
ATTRIBUTION AND INVESTIGATION
ATTRIBUTION: Blockchain analysis firms such as Elliptic and Arkham Intelligence, as well as independent investigators like ZachXBT, were among the first to link the hack to Lazarus Group based on on-chain activity, wallet movements, and known tactics. The FBI later officially confirmed Lazarus Group's involvement in a public statement.
INFRASTRUCTURE CLUES: Security researchers discovered that Lazarus registered the domain "bybit-assessment[.]com" just hours before the attack, using an email address previously linked to other Lazarus operations. Logs also revealed the use of Astrill VPN IPs and the reuse of known Lazarus personas and infrastructure.
RELATED SCAMS: The same wallets and laundering methods used in the Bybit hack were also linked to other scams, including Solana memecoin rug pulls and the earlier $29 million Phemex hack, indicating a broader campaign by the group targeting the crypto sector.
LAZARUS GROUP’S BROADER TACTICS
SOCIAL ENGINEERING: Lazarus continues to use fake job interviews on platforms like LinkedIn to lure victims into downloading malware.
BRAND IMPERSONATION: The group impersonates major crypto brands (e.g., Coinbase, Binance, Ripple, Kraken) to enhance the credibility of their phishing and social engineering campaigns.
CONTINUOUS ADAPTATION: The group is known for rapidly changing infrastructure and tactics to evade detection and maximize the impact of its attacks.
IMPACT AND RESPONSE
BYBIT’S RESPONSE: Bybit assured users that all affected funds would be refunded and that the exchange remained solvent. The company worked with authorities and blockchain analytics firms to identify and block the implicated addresses, aiming to mitigate further losses.
INDUSTRY REACTION: The incident prompted renewed calls for increased security, especially around large transactions and cold wallet management, and highlighted the persistent threat posed by state-sponsored cybercriminals in the crypto space.
CONCLUSION
The Bybit hack orchestrated by Lazarus Group stands as the largest crypto theft to date, showcasing the group's evolving technical sophistication and persistent targeting of the digital asset sector. The incident underscores the urgent need for enhanced security measures and vigilance across the crypto industry.