Lazarus Group consolidates Bybit funds into Phemex hacker wallet

The Lazarus Group’s transfers have confirmed a connection between the $1.4 billion Bybit hack and the $29 million Phemex exploit.

The North Korean cybercrime organization Lazarus Group is suspected to be behind both the $1.4 billion Bybit hack and the $29 million Phemex hack, according to the latest onchain evidence.

The Feb. 21 Bybit exchange hack resulted in the largest crypto theft in history, with attackers stealing more than $1.4 billion in liquid-staked Ether (stETH), Mantle Staked ETH (mETH) and other ERC-20 tokens.

Blockchain security analysts, including Arkham Intelligence and onchain sleuth ZachXBT, have traced the attack to the Lazarus Group.

New onchain findings have revealed that the same Lazarus Group-affiliated wallets were behind January’s $29 million Phemex hack.

“Lazarus Group just connected the Bybit hack to the Phemex hack directly on-chain commingling funds from the initial theft address for both incidents,” ZachXBT wrote in a Feb. 22 X post.

Source: ZachXBT

According to onchain data, Phemex’s hot wallets were drained for $29 million worth of digital assets through over 125 individual transactions recorded across 11 blockchain networks before the attackers started converting the funds into Ether (ETH) via crypto mixing protocols like Tornado Cash, making them difficult to trace.

The Bybit hack alone accounts for more than half of the $2.3 billion stolen in crypto-related hacks in 2024, marking a significant setback for the industry.

According to Meir Dolev, co-founder and chief technical officer at Cyvers, the attack shares similarities with the $230 million WazirX hack and the $58 million Radiant Capital hack. Dolev said the Ethereum multisig cold wallet was compromised through a deceptive transaction, tricking signers into unknowingly approving a malicious smart contract logic change.

“It seems that Bybit’s ETH multisig cold wallet was compromised through a deceptive transaction that tricked signers into unknowingly approving a malicious smart contract logic change. This allowed the hacker to gain control of the cold wallet and transfer all ETH to an unknown address,” Dolev told Cointelegraph.

Lazarus Group linked to some of the biggest crypto heists

The North Korean Lazarus Group is the primary suspect in some of the most notorious hacking incidents, including the $600 million Ronin network hack and the $230 million hack on the WazirX exchange.

Throughout 2024, North Korean hackers stole over $1.34 billion worth of digital assets across 47 incidents, a 102% increase from the $660 million stolen in 2023, according to Chainalysis data.

North Korea hacking activity. Source: Chainalysis

This accounted for 61% of the total crypto stolen in 2024.

The United States, Japan and South Korea issued a joint warning on Jan. 14, cautioning about the growing threat of North Korean hackers targeting the crypto industry.

Over the past year, North Korean hackers were also responsible for the $305 million DMM Bitcoin hack, the $50 million Upbit hack, the $50 million Radiant Capital hack and the $16 million Rain Management hack, according to the joint statement.

The statement came nearly three weeks after South Korean authorities sanctioned 15 North Koreans for allegedly generating funds for North Korea’s nuclear weapons development program through cryptocurrency heists and cyber theft.