Hackers carried out the largest heist in crypto history Friday when they broke into a multisig wallet owned by crypto exchange Bybit.

KEY POINTS

  • Bybit's CEO said the hackers breached a multisig cold wallet and moved all the $ETH it held
  • Ethereum was the hardest-hit crypto asset in the exploit as per Nansen data
  • Bybit has launched a recovery campaign in hopes of getting back the stolen funds
  • Tether has frozen 181,000 $USDT linked to the Bybit exploit
  • ZachXBT submitted evidence for the Arkham bounty proving that Lazarus Group carried out the hack

Cryptocurrency exchange Bybit suffered a massive $1.4 billion exploit Friday, marking the largest single heist in the history of crypto and blockchain.

Crypto sleuths and blockchain analytics firms have since dug deep into the massive exploit and uncovered how the North Korea-linked hacking group Lazarus Group was responsible for the breach.

How did the exploiters carry out the attack?

Prominent crypto researcher ZachXBT initially said over $1.44 billion worth of "suspicious outflows" took place on Bybit on Friday.

Bybit CEO Ben Zhou later revealed that the exploiter breached the exchange's multisig cold wallet and "transferred all ETH (Ethereum) in the cold wallet" to an unidentified address. He noted that "all other cold wallets are secure" and withdrawals were working normally following the hack.

Which digital assets were stolen?

Rising onchain analytics firm Nansen has also looked into the incident. In data shared with International Business Times, Nansen revealed that the following cryptocurrencies were stolen in the hack:

  • 401,347 ETH ($1.12 billion)
  • 90,376 stETH ($253.16 million)
  • 15,000 cmETH ($44.13 million)
  • 8,000 mETH ($23 million)

Nansen noted that the pilfered funds were initially transferred to a primary wallet, which then distributed the assets across over 40 other wallets.

The hackers converted all of the stETH, cmETH, and mETH into ETH before the Ethereum coins were transferred in $27 million increments to over 10 additional wallets.

Nansen is also tracking the wallet that showed a large number of outgoing ETH transactions, as well as the wallet that received the proceeds from converting the other Ethereum-based tokens.

Additionally, ZachXBT has made over 920 digital wallet addresses connected to the Bybit hack publicly available.

Were any funds recovered?

As Bybit continued to recover from the exploit, the exchange launched a recovery campaign for the stolen funds, pledging 10% of recovered funds for "ethical cyber and network security experts who play an active role in retrieving the stolen cryptocurrencies in the incident."

While Bybit has yet to confirm whether any of the stolen funds have been recovered since Friday, Zhou said the exchange has "already fully closed the ETH gap," citing data from blockchain analytics firm Lookonchain.

Onchain data showed that Bybit has replenished nearly the full amount taken by the hackers through "loans, whale deposits, and ETH purchases."

Tether freezes a portion of the funds

Stablecoin giant Tether has frozen 181,000 USDT "connected to the Bybit hack," Tether CEO Paolo Ardoino revealed Saturday.

"Might not be much but it's honest work," Ardoino added.

Tether is known to have cooperated with authorities in the past to freeze assets found to have been converted into USDT by exploiters.

Who carried out the exploit?

Onchain analytics and intelligence platform Arkham Intelligence on Saturday launched a bounty for identifying the perpetrators of the Bybit hack.

Later in the day, the platform announced that ZachXBT solved the bounty after he submitted "definitive proof that this attack on Bybit was performed by the Lazarus Group."

The information uncovered has been shared with the Bybit team.

On Sunday, ZachXBT published his research on the exploit, revealing an "overlap" between the hackers behind the Bybit, BingX, and Phemex exploits.

"Lazarus Group just connected the Bybit hack to the Phemex hack directly on-chain commingling funds from the initial theft address for both incidents," he wrote in a series of posts on X.

The notorious North Korea-linked hacking group has been a thorn in the side of the crypto industry for years. In July, ZachXBT provided evidence that the $230 million exploit of Indian crypto exchange giant WazirX "has the potential markings of a Lazarus Group attack (yet again)."

Meanwhile, Zhou said Bybit will soon release an audited report on the exchange's asset status to corroborate Lookonchain's data on its Proof-of-Reserves (PoR) since the exploit.