The largest cryptocurrency theft in history was carried out by Lazarus Group, a hacker group believed to be of North Korean origin. This was stated by the blockchain intelligence company Arkham Intelligence, citing the respected anonymous crypto investigator ZachXBT. The day before, unknown individuals stole digital assets worth almost $1.5 billion from the Bybit cryptocurrency exchange.

Arkham offered a reward of 50,000 of its ARKM tokens to anyone who could identify the perpetrators of the theft; the platform’s administration later said that ZachXBT had provided “comprehensive evidence” that the North Korean hacker group had committed the crime. “His documentation included a detailed analysis of test transactions and associated wallets used before the exploit was implemented, as well as multiple forensic graphs and timing summaries,” Arkham said.

“The stolen funds were initially transferred to a main wallet, which then distributed them to more than forty [other] wallets. The attackers transferred all stETH, cmETH, and mETH to ETH before systematically transferring ETH in $27 million increments to more than ten additional wallets,” the administration of the Nansen platform, which analyzes the blockchain, told CoinDesk about the incident.

The hackers carried out the theft of funds using a technique called “blind signing,” in which a smart contract transaction is approved without full knowledge of its contents. “This attack vector is quickly becoming a favorite form of cyberattack by sophisticated criminals, including North Korea. It’s the same type of attack used in the Radiant Capital hack [on October 16, 2024, in which $50 million was stolen in a protocol attack] and the WazirX incident [on July 18, 2024, in which approximately $239.4 million was stolen from the Indian crypto exchange],” said Ido Ben Natan, CEO of blockchain security firm Blockaid. “The problem is that even with the best key management solutions today, much of the signing process is delegated to the APIs that interface with dApps. This creates a critical vulnerability – it opens the door to malicious manipulation of the signing process, which is what happened in this attack.”

The hacker managed to “take control of a specific ETH cold wallet and transferred all the ETH to this unidentified address,” Bybit CEO Ben Zhou admitted. The exchange will remain “solvent even if this loss from the hack is not recouped,” he assured.
