Investigators link the $1.4B Bybit hack to North Korea’s Lazarus Group, exposing a major crypto heist tied to state-backed cybercrime and money laundering.
Analysis Summary
# Threat Actor: Lazarus Group
## Attribution & Identity
**Attribution:** State-sponsored hacking organization linked to North Korea.
**Aliases/Associations:** Frequently discussed alongside other North Korean threat groups; the group has a long history of cyber attacks.
## Activity Summary
The Lazarus Group is directly implicated in a devastating **$1.4 billion Ethereum (ETH) hack against the Bybit cryptocurrency exchange on February 21, 2025**.
This activity was highly coordinated, as evidence showed the stolen funds were immediately commingled on-chain with funds stolen from two prior related hacks:
1. **Phemex Hack** (February 20, 2025).
2. **BingX Hack** (September 2024).
Investigators successfully linked the three exchange breaches via overlapping wallet addresses, proving the same entity was responsible for all three thefts.
## Tactics, Techniques & Procedures
- Investigators traced the stolen funds using **on-chain analysis**, **forensic graphs**, and **timing analyses** to demonstrate premeditation and the linkage between the separate thefts.
- The group utilizes **money laundering techniques** involving mixing services, decentralized exchanges, and cross-chain swaps to obscure trails.
- General TTPs include **social engineering**, **phishing**, and **exploiting security vulnerabilities** in crypto platforms.
- Specific actions included executing **test transactions** before the main hack.
## Targeting
- **Sectors:** Cryptocurrency exchanges and financial platforms.
- **Geography:** Global, demonstrated by targeting international crypto entities like Bybit, BingX, and Phemex.
- **Victims:** Bybit, Phemex, and BingX exchanges.
## Tools & Infrastructure
- **Malware Families Used:** Historically associated with various malware, though this report focuses on the exploitation/theft phase and subsequent laundering.
- **Infrastructure (C2, domains, IPs):** The report focuses on transaction hashes and wallet addresses used for commingling and laundering:
  - Overlap Address (Bybit/Phemex): `0x33d057af74779925c4b2e720a820387cb89f8f65`
  - Overlap Address (Bybit/BingX): `0xd555789b146256253cd4540da28dcff6e44f6e50`
  - **Bybit Hack Transactions (Examples):**
    - `0xc963e65b9ec39b11076f78990c31f29aaa80705c75312dafd1748479e3e94ed0`
    - `0x411374feedcfa560335f00c0fcfa0a3906fdcc33687e6f924dd78ebecc45cd00`
- **Laundering Paths Mentioned:** Use of **Tornado Cash** (implied via context of crypto laundering) and laundering funds via **Tron**.
- **Stolen Address List:** Over 920 theft-linked wallet addresses were made public.
## Implications
Lazarus Group remains a primary financial threat with extensive resources. The sophistication of this attack, combining multiple high-value exchange hacks (Bybit, Phemex, BingX) into a single traceable cluster, highlights their operational continuity and dedication to financial theft. The estimated cumulative theft of over $3 billion since 2018 shows their critical role in supporting North Korea's sanctioned economy and military/nuclear programs. Exchanges must assume sophisticated, persistent state-sponsored attacks targeting core transactional security.
## Mitigations
- Enhanced, real-time **on-chain monitoring and tracing** capabilities are essential to identify and react to funds commingling across breaches quickly.
- Financial institutions and exchanges should **block or monitor addresses identified** by security researchers (like the 920+ addresses publicly released).
- Ensure robust internal security measures against the group’s preferred ingress vectors, including **social engineering** and **phishing**.
- Implement controls to mitigate risks associated with **mixing services** and **decentralized exchanges** used for laundering.
- Implement strong internal communication verification protocols to guard against scammers impersonating internal staff following a breach.
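The overlap-address linkage described in the Activity Summary and the address-screening mitigation above, as an added Python illustration that is not part of the original report: it works over constructed transfer records with placeholder addresses (no real chain data), finds addresses where funds from more than one incident were commingled, clusters incidents that share such an address, and screens an exchange's outgoing transfers against the theft-linked address set.

```python
from collections import defaultdict

# Constructed sample transfers (placeholder addresses, not real chain data):
# each record is (incident, from_address, to_address).
TRANSFERS = [
    ("bybit",  "0xbybit_hot_wallet",  "0xa1"),
    ("bybit",  "0xa1",                "0xoverlap_bybit_phemex"),
    ("phemex", "0xphemex_hot_wallet", "0xp1"),
    ("phemex", "0xp1",                "0xoverlap_bybit_phemex"),
    ("bybit",  "0xa1",                "0xa2"),
    ("bybit",  "0xa2",                "0xoverlap_bybit_bingx"),
    ("bingx",  "0xbingx_hot_wallet",  "0xb1"),
    ("bingx",  "0xb1",                "0xoverlap_bybit_bingx"),
    ("other",  "0xunrelated_wallet",  "0xs1"),   # unrelated theft, no shared address
]

def incidents_by_address(transfers):
    """Map every receiving address to the set of incidents whose funds reached it."""
    seen = defaultdict(set)
    for incident, _src, dst in transfers:
        seen[dst].add(incident)
    return seen

def overlap_addresses(transfers):
    """Addresses where funds from two or more incidents were commingled."""
    return {a: i for a, i in incidents_by_address(transfers).items() if len(i) > 1}

def cluster_incidents(transfers):
    """Union-find: incidents that share a commingling address form one cluster."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path compression
            x = parent[x]
        return x
    for incs in incidents_by_address(transfers).values():
        incs = sorted(incs)
        for other in incs[1:]:
            parent[find(other)] = find(incs[0])
    clusters = defaultdict(set)
    for incident, _, _ in transfers:
        clusters[find(incident)].add(incident)
    return sorted(sorted(c) for c in clusters.values())

def flagged_counterparties(transfers, outgoing):
    """Screen outgoing destinations against every address that received stolen funds."""
    tainted = {dst for _, _, dst in transfers}
    return [dst for dst in outgoing if dst in tainted]
```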