After suffering a massive hack estimated at $1.4 billion, Bybit, a leading cryptocurrency exchange, has declared open war on the Lazarus Group, hackers linked to North Korea, who have been identified as the main suspects. Bybit, in collaboration with blockchain analytics firms, has stepped up its efforts to track and recover the stolen funds, and has already identified over 11,000 wallets linked to the North Korean hackers.
Bybit Brings Out the Big Guns: API Blacklist and Bounty
On February 25, four days after the exploit, Ben Zhou, Bybit’s co-founder and CEO, declared “war” on the Lazarus Group. As part of this effort to recover the stolen assets, Bybit introduced a wallet blacklist application programming interface (API) and offered a bounty for tracing the funds. The goal is to allow community members to report and block wallets linked to the hack.
In parallel, blockchain analytics firm Elliptic has published an open-source data feed containing a list of wallet addresses attributed to the North Korean hackers. The move is intended to help community members minimize sanctions exposure and prevent money laundering of stolen assets. Elliptic said addresses associated with the Bybit exploit were identified and made available for screening within 30 minutes of the announcement, protecting customers without the need for repetitive manual checks. Elliptic’s intelligence API identified 11,084 crypto wallet addresses suspected of having links to the Bybit exploit, and this list is expected to grow as the investigation progresses.
Phishing and Crypto Conversion: Hackers’ Tactics
According to blockchain analytics firm Chainalysis, the Bybit attack began with a phishing campaign targeting Bybit cold wallet signers, and then intercepted a routine transfer from Bybit’s Ethereum cold wallet to a hot wallet. Portions of the stolen Ether (ETH) were converted into Bitcoin (BTC), Dai (DAI), and other cryptocurrencies, and moved across different networks.
Despite the massive breach, Bybit took steps to ensure the stability of the platform. The exchange kept withdrawals open, securing external liquidity through loans to maintain operations. Bybit also began repaying the loans on February 25, starting with a transfer of 40,000 ETH to Bidget. These measures demonstrate Bybit’s determination to weather this crisis and protect its users.
