
On-chain analytics platform Arkham Intelligence reported that North Korean hacker group Lazarus Group was behind the $1.5 billion hack of Bybit.
BREAKING: BYBIT $1 BILLION HACK BOUNTY SOLVED BY ZACHXBT
At 19:09 UTC today, @zachxbt submitted definitive proof that this attack on Bybit was performed by the LAZARUS GROUP.
His submission included a detailed analysis of test transactions and connected wallets used ahead of… https://t.co/O43qD2CM2U
— Arkham (@arkham) February 21, 2025
“Today [February 21] at 19:09 UTC, on-chain analyst ZachXBT provided undeniable evidence linking Lazarus Group to the Bybit hack. His analysis includes a detailed breakdown of test transactions, associated wallets used prior to the attack, and various charts and timestamps. This information has been shared with the exchange’s team to assist in the investigation,” Arkham representatives stated.
Dmitry Machikhin, founder of AML service BitOK and a crypto investor, told Cryptol that the stolen cryptocurrency is actively being moved out of Ethereum into other blockchains.
Stay Calm
During a special livestream, Bybit CEO Ben Zhou announced that the exchange is in discussions with partners about securing an ETH loan. The platform remains solvent, and the funds are needed to maintain Ethereum liquidity during the crisis.
Binance founder Changpeng Zhao offered assistance to Bybit in dealing with the aftermath of the incident and advised suspending withdrawals as a precautionary measure.
Coinbase Head of Product Conor Grogan revealed that Binance and Bitget have deposited over 50,000 ETH into Bybit’s cold wallets.
Binance and Bitget just deposited 50k+ ETH directly into Bybit's cold wallets. Bitget's deposits are especially interesting; it's 1/4 of all of the exchange's ETH! (that I can see)
Since they skipped a deposit address, these funds were coordinated directly by Bybit themselves
— Conor (@jconorgrogan) February 21, 2025
According to journalist Colin Wu, MEXC sent 12,652 stETH (approximately $33.75 million) to Bybit’s cold wallet.
Chinese crypto entrepreneurs are supporting Bybit’s liquidity by actively transferring ETH to the affected platform. Huobi co-founder Du Jun deposited 10,000 ETH and promised not to withdraw it for a month. Founders of Conflux and Mask Network also stated they had deposited ETH into Bybit’s cold wallets.
Bybit representatives confirmed that information about the incident has been shared with relevant authorities. Additionally, cooperation with on-chain analytics providers helped identify and isolate related addresses, limiting the hackers’ ability to cash out ETH through legitimate markets.
Bitget CEO Gracy Chen stated that the losses, though significant, are equivalent to Bybit’s annual profit of $1.5 billion. She emphasized that customer funds remain fully secure and that there is no reason to panic.
Chen also clarified that the deposited assets belong to Bitget itself, not its users.
Zhou revealed that within about 10 hours after the hack, Bybit received a record number of withdrawal requests, over 350,000. About 2,100 requests are still pending, but 99.994% of transactions have already been processed.
“The Biggest Heist”
Grogan called the Bybit hack “the biggest heist in history.”
The NK hack of Bybit is the largest heist of all time, of any medium (Central Bank of Iraq Heist (was ~$1B)
It's ~10x in $ terms of the 2016 DAO hack (That was a much higher % of supply though, 15% versus <0.5%)
Expect we see some calls for an Ethereum fork here
— Conor (@jconorgrogan) February 21, 2025
He believes the incident could reignite discussions about Ethereum hard forks.
Former BitMEX CEO Arthur Hayes stated that, as an investor holding significant ETH reserves, he would support the community’s decision if it chose to roll back the blockchain to an earlier state, similar to the response to the 2016 hack of The DAO.
.@VitalikButerin will you advocate to roll back the chain to help @Bybit_Official ?
— Arthur Hayes (@CryptoHayes) February 21, 2025
What’s Next?
According to Taproot Wizards co-founder Eric Wall, North Korean hackers are likely converting all ERC-20 tokens into ETH, then exchanging ETH for BTC, and eventually moving the Bitcoin into yuan via Asian exchanges. These funds may be used to finance North Korea’s nuclear and missile programs.
If you want to understand what happens to funds after they’re stolen by North Korea/Lazarus Group, the Chainalysis 2022 report is great
Step 1: Swap any ERC20s (like stETH) into ETH
Step 2: Swap any ETH into BTC
Step 3: Cash out BTC to cash (Chinese Renminbi) using Asian…
— Eric Wall | BIP-420 🐱 (@ercwl) February 21, 2025
Similar laundering patterns were described in a 2022 Chainalysis report.
“This process could take years. They’re in no hurry,” Wall noted. He also emphasized that “it’s unlikely the stolen funds will ever be recovered, given that Lazarus Group is behind this.”
ZachXBT reported that Lazarus transferred 5,000 ETH to a new address and started laundering the funds through the centralized mixer eXch before converting them to Bitcoin via Chainflip.
Bybit CEO Ben Zhou expressed hope that the cross-chain service could help block and prevent further transfers of stolen assets to other networks.
We are starting to see some funds being moved to https://t.co/O4AqIJo81z as bridge to convert to BTC: bc1qlu4a33zjspefa3tnq566xszcr0fvwz05ewhqfq
with below transactions:
0x4f5f7ba657bf518d383828183087978b452b99da6cde0c9b94739b8d72a8c5ef…
— Ben Zhou (@benbybit) February 22, 2025
Chainflip stated that they detected attempts by the hackers to withdraw stolen Bybit funds in Bitcoin through their platform.
To counteract this, the developers disabled some frontend services, though the protocol itself cannot be halted completely because it is decentralized and runs on 150 nodes.
Researchers from Lookonchain hypothesized that the same person or group responsible for the Bybit hack may have also attacked Phemex:
“When they laundered the funds, they transferred ETH to wallet 0x33d0…8F65.”