Hackers successfully siphoned approximately $1.4 billion in Ethereum from the cryptocurrency exchange Bybit this past Friday, marking the largest digital asset heist in history. Blockchain security experts and investigative firms have identified the North Korean state-sponsored hacking collective, known as the Lazarus Group, as the primary suspect behind the breach.
Tracing the Digital Footprints
Renowned crypto investigator ZachXBT was the first to sound the alarm, tracking the stolen assets from Bybit to specific digital wallets previously utilized in high-profile attacks against platforms such as Phemex, BingX, and Poloniex. When pressed on the level of certainty regarding North Korean involvement, ZachXBT expressed total confidence, noting that law enforcement agencies are currently operating under the same assumption.
Blockchain intelligence firm Elliptic has corroborated these findings. In a formal update, the firm stated its team has been working around the clock to trace the illicit funds, citing the Lazarus Group’s “characteristic pattern” in laundering stolen crypto assets as a key indicator of their involvement.
A Pattern of State-Sponsored Cybercrime
Tom Robinson, co-founder and chief scientist at Elliptic, confirmed that the stolen Bybit funds are being commingled with assets from other hacks attributed to the Democratic People’s Republic of Korea (DPRK). The laundering techniques observed in this incident mirror those previously deployed by North Korean actors.
Adding further weight to these claims, TRM Labs reported in a blog post released on Friday that they have reached the same conclusion with “high confidence.”
The Scale of North Korean Crypto Theft
The regime in Pyongyang has become a prolific actor in the digital theft space. According to a United Nations panel, North Korean hackers have been linked to at least 58 separate crypto heists. Government officials from the United States, Japan, and South Korea estimate that Kim Jong-Un’s administration successfully laundered over $650 million from various crypto attacks throughout 2024 alone.
Bybit spokesperson Tony Au declined to comment on the specific links to North Korea, stating that the company’s internal investigation remains ongoing. The North Korean Permanent Mission to the United Nations did not respond to requests for comment regarding the allegations.