
Who Are the Lazarus Group Hackers? Unveiling the Mystery Behind Bybit’s $1.4B Breach

Bybit's $1.4B crypto heist, attributed to North Korea's Lazarus Group, exposes critical vulnerabilities in exchange security protocols.

Highlights

  • The $1.4 billion theft from Bybit stands as one of the largest in cryptocurrency history, surpassing previous high-profile breaches.
  • The notorious Lazarus Group, linked to North Korea, has been identified as the mastermind behind the Bybit hack, continuing its history of significant cybercrimes.
  • This incident underscores the pressing need for enhanced security measures across cryptocurrency exchanges to protect against sophisticated cyber threats.

On February 21, 2025, a $1.4 billion breach struck Bybit, a major cryptocurrency exchange, alarming the entire industry. Blockchain investigator ZachXBT quickly identified the Lazarus Group, the infamous state-sponsored hacking team from North Korea, as the culprits behind the scheme. Regarded as the biggest cryptocurrency heist in history, this breach has brought the elusive Lazarus Group back into the spotlight. So, who are these cyber criminals, and how did they capture such a huge bounty? Let’s unravel the puzzle of Bybit’s hack and peek behind the curtain at this mysterious.


The Bybit Lazarus Group Incident: A Masterclass in Cybercrime

The Bybit hack was carried out with unsettling precision. Bybit’s Ethereum (ETH) cold wallet—supposedly an extremely secure offline storage solution—was breached during a routine transfer to a warm wallet. Hackers deceived Bybit’s team by disguising a malicious transaction as legitimate, modifying the smart contract rules to gain control.

In an instant, 401,347 ETH (valued at over $1.4 billion) disappeared into a network of wallets. Ben Zhou, CEO of Bybit, quickly assured users that the exchange is solvent, with all customer funds supported 1:1, but the harm was done—both financially and to the sector’s credibility.

ZachXBT, a well-known blockchain investigator, laid out the case thoroughly. His proof—test transactions, wallet associations, and forensic timestamps—tied the theft to the Lazarus Group, a name associated with crypto chaos.

Source: @zachxbt

Arkham Intelligence, which had posted a $50,000 reward for information on the attackers, validated ZachXBT’s discoveries within hours, confirming the Lazarus Group as responsible for this extraordinary hack.


Who Are the Lazarus Group?

The Lazarus Group is not just another band of hackers—it’s a powerhouse backed by North Korea’s Reconnaissance General Bureau. Since emerging around 2007, they’ve sharpened their skills over nearly 20 years, mixing spying, cash grabs, and global chaos. Nicknames like APT38 and TraderTraitor only hint at their operation.

Their resume reads like a thriller—think the 2014 Sony Pictures takedown and the 2016 Bangladesh Bank attack, which pocketed $81 million.

In crypto, they’re infamous heavyweights. They’ve raked in billions, including:

  • Ronin network heist (March 2022): Snagged $620 million from Axie Infinity’s blockchain backbone.
  • Horizon bridge raid (June 2022): Lifted $100 million from Harmony’s cross-chain bridge.
  • Phemex exchange breach (January 2025): Nabbed over $70 million from Singapore’s Phemex exchange, echoing their signature moves.

The Bybit deal, securing 500,000 ETH, elevates them beyond Ethereum’s Vitalik Buterin, making them the 14th largest Ether holder globally. These scores emphasize their smooth, constantly changing strategies and ability to target crypto’s vulnerabilities.

How the Lazarus Group Operates

The Lazarus Group’s playbook is as sophisticated as it is ruthless. They utilize custom malware—think Manuscrypt, AppleJeus, and FALLCHILL—to infiltrate systems. Phishing is their specialty, often through fake LinkedIn profiles or spear-phishing emails that dupe employees into handing over credentials.

The Bybit hack showcased their latest trick: “blind signing,” where a legit-looking user interface hides a malicious payload. They’ve also mastered social engineering—like luring victims with fake job offers, as seen in the 2023 CoinsPaid breach.
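A defensive counterpart to the blind signing described above, as an added example that is not part of the original article or any Bybit tooling: a pre-signing check that decodes the raw payload independently of the interface and compares it with what the interface displays. The addresses, the allowlist and the function names are constructed for illustration, and only plain ETH transfers and ERC-20 `transfer` calls are treated as verifiable.

```python
from dataclasses import dataclass

ERC20_TRANSFER = bytes.fromhex("a9059cbb")  # selector of transfer(address,uint256)
WARM_WALLET = "0x" + "11" * 20   # constructed sample address (approved destination)
OTHER_ADDR = "0x" + "22" * 20    # constructed sample address (not approved)

@dataclass
class DisplayedIntent:
    """What the signing interface claims the transaction will do."""
    recipient: str
    amount: int

def erc20_transfer_data(recipient: str, amount: int) -> bytes:
    """Build transfer(address,uint256) calldata for the constructed samples."""
    return ERC20_TRANSFER + bytes(12) + bytes.fromhex(recipient[2:]) + amount.to_bytes(32, "big")

def decode_payload(to: str, value: int, data: bytes):
    """Return (recipient, amount) encoded in the raw transaction, or None if unverifiable."""
    if not data:                                  # plain ETH transfer
        return to.lower(), value
    if data[:4] == ERC20_TRANSFER and len(data) == 68 and value == 0 and not any(data[4:16]):
        return "0x" + data[16:36].hex(), int.from_bytes(data[36:68], "big")
    return None                                   # any other contract call

def check_before_signing(intent, to, value, data, allowlist):
    """Compare the raw payload with the displayed intent; an empty list means consistent."""
    decoded = decode_payload(to, value, data)
    if decoded is None:
        return ["payload is not a recognised transfer; do not sign blind"]
    recipient, amount = decoded
    findings = []
    if recipient != intent.recipient.lower():
        findings.append("recipient in payload differs from recipient displayed")
    if amount != intent.amount:
        findings.append("amount in payload differs from amount displayed")
    if recipient not in allowlist:
        findings.append("recipient is not an approved destination")
    return findings

if __name__ == "__main__":
    shown = DisplayedIntent(WARM_WALLET, 1000)
    token = "0x" + "33" * 20                      # constructed token contract address
    print(check_before_signing(shown, WARM_WALLET, 1000, b"", {WARM_WALLET}))
    print(check_before_signing(shown, token, 0, erc20_transfer_data(OTHER_ADDR, 1000), {WARM_WALLET}))
    print(check_before_signing(shown, token, 0, bytes.fromhex("deadbeef") + bytes(32), {WARM_WALLET}))
```

The check is only meaningful when it runs on a device or process separate from the interface that produced the displayed intent.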

Once inside, they move fast. Funds get split across dozens of wallets, laundered through DeFi platforms like Uniswap (no KYC required), and obscured with mixers. The Bybit loot, now tracked across 53 wallets, exemplifies their knack for disappearing into the blockchain’s shadows—though dumping 500,000 ETH in a bearish market could prove tricky even for them.

Why It Matters

The Bybit breach isn’t just a headline—it’s a wake-up call. The Lazarus Group’s relentless attacks expose gaping vulnerabilities in even the most fortified crypto platforms. For Singapore-based Bybit users (and beyond), it’s a stark reminder: not your keys, not your coins.

Yet, CEO Zhou’s pledge to cover losses offers some relief, backed by the exchange’s $20 billion in assets. Still, Ethereum’s price was impacted, crashing 8% after the Bybit hack.

This isn’t random crime—it’s statecraft. The U.S. estimates North Korea’s crypto thefts bankroll 30% of its missile program, turning digital wallets into geopolitical weapons. ZachXBT’s swift unmasking, paired with efforts from firms like Elliptic and Chainalysis, shows the industry’s fighting back—but recovery remains a long shot against a nation-state foe.

What’s Next?

The Lazarus Group isn’t slowing down. Discussions in the crypto space assert that they were also behind January’s $30 million Phemex hack, hinting at a spree targeting exchanges.

For Bybit, it’s about rebuilding trust with beefed-up security. For the crypto world, it’s a race to outpace hackers who evolve as fast as the tech they exploit. Self-custody, multisig wallets, and sharper vigilance are trending as users rethink centralized platforms.


Conclusion

The Lazarus Group’s $1.4 billion Bybit heist is more than a record-breaking theft—it’s a glimpse into a shadowy war where code meets geopolitics. Revealed through ZachXBT’s investigation, these North Korean hackers continue to be a significant threat, combining technological skill with state-backed boldness. As crypto grows, so does their shadow. The question isn’t just “Who are they?”—it’s “Who’s next?”


Frequently Asked Questions

What happened in the Bybit $1.4 billion hack?

On February 21, 2025, Bybit experienced a security breach where hackers stole approximately $1.4 billion in Ethereum from the exchange's cold wallet.

Who is responsible for the Bybit hack?

Investigations have identified the Lazarus Group, a North Korean state-sponsored hacking organization, as the perpetrators behind the Bybit breach.

How did the hackers execute the Bybit breach?

The attackers compromised Bybit's cold wallet during a routine transfer, manipulating the process to redirect funds to unauthorized addresses.
Jane Lubale

Jane Lubale is a crypto journalist and content writer at CoinGape, with a strong focus on blockchain, cryptocurrency, FinTech, and Web3 narratives. Jane holds a Master’s in Business Administration, and a degree in Marketing, and blends this background with her passion for market research and digital marketing to deliver engaging price analysis, thought leadership, and educational content. Her work has also been published in leading crypto media such as Insidebitcoin, where she has contributed to the growing conversation around decentralized technologies. With 5+ years of experience in Decentralized Finance (DeFi), Jane's writing is driven by a mission to educate and empower readers with insights that cut through hype and deliver true value. She achieves this in the form of trading strategies, regulatory updates, or blockchain adoption trends. Away from the keyboard, Jane is a proud mother of three boys and is often found mentoring young people on career paths, personal development, and life choices, as well supporting needy teens complete school. She holds modest investments in cryptocurrency, reflecting her belief in the future of digital finance.
