Bybit $1.4B hack investigators tie over 11K wallets to North Korean hackers

Bybit, Elliptic and ZeroShadow uncovered over 11,000 crypto wallets tied to North Korean hackers as part of a massive fund-tracing effort after the Bybit hack.

North Korean hackers behind the $1.4 billion Bybit hack control more than 11,000 cryptocurrency wallets used to launder stolen funds, according to blockchain analytics firm Elliptic.

On Feb. 25, four days after the Bybit exploit, Bybit co-founder and CEO Ben Zhou declared “war” on the Lazarus Group, the North Korea-linked hacking collective identified as the primary suspect. As part of the effort to recover the stolen assets, Bybit introduced a blacklist wallet application programming interface (API) and offered a bounty for tracing the funds.

At the same time, blockchain analytics firm Elliptic released a freely accessible data feed containing a list of wallet addresses attributed to North Korean hackers. The initiative aims to help community members minimize exposure to sanctions and prevent money laundering of stolen assets.

“Addresses associated with the Bybit exploit were identified and available to screen within just 30 minutes of the announcement, protecting customers without the need for them to conduct repetitive manual checks,” Elliptic said.

Source: Ben Zhou

Elliptic’s intelligence API flagged 11,084 crypto wallet addresses suspected of having links to the Bybit exploit. The list is expected to grow amid ongoing investigations.
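The screening that Elliptic describes, a feed of flagged addresses checked against every transfer before it is processed, is straightforward to reproduce. The following is an added example written for this article; it is not Elliptic's or Bybit's code, and the feed's JSON shape, the field names, and every address and transaction hash in it are constructed for illustration. It normalizes Ethereum addresses so that EIP-55 mixed-case and all-lowercase spellings of the same address compare equal, flags transfers that touch a listed address directly, and also flags onward hops from addresses that received from a listed one, which is how laundering chains are usually spotted.

```python
import json
import re

# Constructed sample feed. The JSON shape (an "addresses" list with
# address/chain/label fields) is an assumption for this example and is
# NOT Elliptic's real feed format. None of the addresses are real.
SAMPLE_FEED_JSON = json.dumps({
    "addresses": [
        {"address": "0x1111111111111111111111111111111111111111", "chain": "ethereum", "label": "bybit-exploit"},
        {"address": "0xAbCdEfAbCdEfAbCdEfAbCdEfAbCdEfAbCdEfAbCd", "chain": "ethereum", "label": "bybit-exploit"},
        {"address": "bc1qexampleexampleexampleexampleexampleexam", "chain": "bitcoin", "label": "bybit-exploit"},
    ]
})

# Constructed transfers in chronological order (hashes and addresses are placeholders).
SAMPLE_TRANSFERS = [
    {"hash": "0xaa", "from": "0x3333333333333333333333333333333333333333", "to": "0x1111111111111111111111111111111111111111"},
    {"hash": "0xbb", "from": "0x1111111111111111111111111111111111111111", "to": "0x4444444444444444444444444444444444444444"},
    {"hash": "0xcc", "from": "0x4444444444444444444444444444444444444444", "to": "0x5555555555555555555555555555555555555555"},
    {"hash": "0xdd", "from": "0x6666666666666666666666666666666666666666", "to": "0x7777777777777777777777777777777777777777"},
    {"hash": "0xee", "from": "0x6666666666666666666666666666666666666666", "to": "0xabcdefabcdefabcdefabcdefabcdefabcdefabcd"},
]

ETH_ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def normalize_eth_address(addr: str) -> str:
    """Validate a 20-byte hex address and lower-case it so that EIP-55 checksum
    casing and all-lowercase spellings of one address compare equal."""
    addr = addr.strip()
    if not ETH_ADDRESS_RE.fullmatch(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr.lower()


def load_blocklist(feed_json: str, chain: str = "ethereum") -> dict:
    """Parse the feed into {normalized_address: label} for a single chain.
    Other chains use different address formats and must be screened separately."""
    blocklist = {}
    for entry in json.loads(feed_json)["addresses"]:
        if entry.get("chain") != chain:
            continue
        blocklist[normalize_eth_address(entry["address"])] = entry.get("label", "flagged")
    return blocklist


def screen_transfers(transfers: list, blocklist: dict, max_hops: int = 2) -> list:
    """Flag transfers that send to a listed address (hop 0) or that move funds
    onward from an address that is within max_hops of a listed one.
    Transfers are processed in order, so taint only flows forward in time."""
    hops = {addr: 0 for addr in blocklist}  # address -> distance from a listed address
    findings = []
    for tx in transfers:
        src = normalize_eth_address(tx["from"])
        dst = normalize_eth_address(tx["to"])
        if dst in blocklist:
            findings.append({"hash": tx["hash"], "hop": 0,
                             "reason": f"sends to address labelled {blocklist[dst]}"})
        if src in hops:
            hop = hops[src] + 1
            if hop <= max_hops:
                findings.append({"hash": tx["hash"], "hop": hop,
                                 "reason": f"receives from address {hops[src]} hop(s) from a listed one"})
                hops[dst] = min(hops.get(dst, hop), hop)
    return findings


if __name__ == "__main__":
    for finding in screen_transfers(SAMPLE_TRANSFERS, load_blocklist(SAMPLE_FEED_JSON)):
        print(finding)
```

On the constructed data the screen flags the deposit into a listed address, the two onward hops out of it, and the lowercase-spelled transfer to the mixed-case listed address, while the unrelated transfer passes clean. In production the hop depth is a policy choice: too shallow misses layering, too deep floods reviewers with false positives as funds pass through exchanges and bridges.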

Largest crypto heists of all time. Source: Elliptic

Zhou acknowledged Elliptic’s support, saying in an X post:

“Thx to the Elliptic team for putting up a real-time Bybit exploit data, really appreciate the effort and work put into helping us.”

Bybit engaged Web3 security firm ZeroShadow for blockchain forensics on Feb. 25. The security firm is tasked with tracing and freezing the stolen Bybit funds and maximizing the recovery.


According to blockchain analysis firm Chainalysis, the Bybit attack began with a phishing campaign targeting Bybit’s cold wallet signers; the attackers then intercepted a routine transfer from Bybit’s Ethereum cold wallet to a hot wallet.

Portions of stolen Ether (ETH) were converted to Bitcoin (BTC), Dai (DAI) and other cryptocurrencies and moved across different networks.

As the investigation continues, Bybit has taken steps to ensure platform stability. Despite the massive breach, the exchange kept withdrawals open, securing external liquidity through loans to maintain operations.

Bybit also began repaying the loans on Feb. 25, starting by transferring 40,000 ETH back to Bitget.
