Bybit’s $1.5B hack is bullish - Lazarus has diamond hands.
Led by Park Jin Hyok, now wanted by the FBI.
They’ve just drained $1.46B in staked ETH & ERC-20 tokens from Bybit, making it the biggest crypto hack ever, twice the size of the second-largest breach.
How did they pull it off? Let’s break it down. 🧵👇
Lazarus have been behind some of the largest crypto hacks ever, including:
Axie Infinity (Ronin Bridge) - $625M
Harmony Bridge - $100M
Atomic Wallet - $100M
Stake - $41M
Alphapo Hot Wallet - $60M+
WazirX - $230M
Their latest Bybit attack is now the biggest hack in history.
The hacker is now the largest $ETH bull, holding 0.42% of all $ETH.
The Bybit attackers (Lazarus Group) orchestrated a social engineering campaign that exploited Bybit’s transaction authorization process.
Bybit’s multisig cold wallet required multiple signers to approve transfers, but the hackers deployed a fake interface resembling Safe Wallet’s legitimate UI.
Signers saw the correct destination addresses and URLs, but the payload they actually signed was different: it altered the wallet’s smart contract logic, granting Lazarus full control.
The cryptographic safeguards never tripped because the signatures were genuine, just over a payload the signers never saw, and that let them drain $1.46B undetected.
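A defender-side check for exactly this gap, added here as an illustration (not Bybit’s or Safe’s code): before signing, decode the raw SafeTx fields that will actually be hashed and compare them with what the UI displayed. The Safe operation values (0 = CALL, 1 = DELEGATECALL) and the ERC-20 transfer selector are standard; every address and amount below is a constructed sample.

```python
# Pre-signing review of a Safe multisig transaction: compare the raw SafeTx
# fields that get hashed and signed against what the signing UI displayed.
# Assumed from the Safe contracts: operation 0 = CALL, 1 = DELEGATECALL; all addresses/amounts are constructed.
CALL, DELEGATECALL = 0, 1
TRANSFER_SELECTOR = "a9059cbb"  # 4-byte selector of ERC-20 transfer(address,uint256)

SAFE = "0x" + "aa" * 20       # constructed: the multisig wallet itself
TOKEN = "0x" + "bb" * 20      # constructed: an ERC-20 token contract
RECIPIENT = "0x" + "cc" * 20  # constructed: where the signer intends to send
ATTACKER = "0x" + "dd" * 20   # constructed: where a tampered payload points

def encode_erc20_transfer(to: str, amount: int) -> str:
    """ABI-encode transfer(to, amount): selector + 32-byte address + 32-byte uint."""
    return "0x" + TRANSFER_SELECTOR + to[2:].lower().rjust(64, "0") + f"{amount:064x}"

def decode_erc20_transfer(data: str):
    """Return (to, amount) if data is exactly one ERC-20 transfer() call, else None."""
    d = data.lower().removeprefix("0x")
    if len(d) != 8 + 64 + 64 or d[:8] != TRANSFER_SELECTOR:
        return None
    return "0x" + d[32:72], int(d[72:], 16)

def review_safe_tx(tx: dict, intent: dict) -> list[str]:
    """tx: SafeTx fields (to, value, data, operation) as they will be signed.
    intent: what the UI showed (safe, token or None for ETH, to, amount).
    Returns mismatches; an empty list means the payload matches the display."""
    findings = []
    if tx["operation"] != CALL:
        findings.append("DELEGATECALL: runs foreign code inside the Safe and can rewrite its logic")
    if tx["to"].lower() == intent["safe"].lower():
        findings.append("target is the Safe itself: a config change, not a transfer")
    if intent["token"] is None:  # native ETH transfer
        if tx["to"].lower() != intent["to"].lower():
            findings.append("signed recipient differs from displayed recipient")
        if tx["value"] != intent["amount"]:
            findings.append("signed value differs from displayed amount")
        if tx["data"] not in ("", "0x"):
            findings.append("an ETH transfer should carry no calldata")
    else:  # ERC-20 transfer
        if tx["to"].lower() != intent["token"].lower():
            findings.append("signed target is not the displayed token contract")
        decoded = decode_erc20_transfer(tx["data"])
        if decoded is None:
            findings.append("calldata is not a plain ERC-20 transfer()")
        elif decoded != (intent["to"].lower(), intent["amount"]):
            findings.append("decoded transfer(to, amount) differs from display")
        if tx["value"] != 0:
            findings.append("an ERC-20 transfer should not carry ETH value")
    return findings
```

Run the review against the fields read off the hardware wallet screen or the raw EIP-712 payload, never against what the web UI renders, since the UI is the thing being spoofed.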
One of their top operatives, Park Jin Hyok, is suspected to be the mastermind, using the same attack methods as the $230M WazirX hack just months ago.
Park Jin Hyok—the hacker behind WannaCry, the Sony Pictures hack, and Bangladesh’s central bank theft—is also linked to Chosun Expo Joint Venture.
How North Korean Hackers Operate
Lazarus works differently from typical cybercriminals.
• State-sponsored: Their hacks fund North Korea’s military & nuclear programs. In total, they are linked to over $3B in hacks worldwide.
• Long-term planning: They infiltrate companies by impersonating recruiters or business partners.
• Advanced techniques: They use malware, phishing, and DeFi loopholes to cover their tracks.
Why Crypto Exchanges Are Prime Targets
Early on, Lazarus focused on South Korean exchanges, where Bitcoin hot wallets were exposed.
They planted malware in employees’ computers and extracted private keys.
• Bithumb was hacked 4 times.
• Other exchanges faced similar attacks.
How They Launder Stolen Crypto
Once the funds are stolen, moving them is the next challenge.
Criminals leverage DeFi platforms to swap tokens without KYC/AML, making it hard to trace.
Example: After KuCoin’s $275M hack, Lazarus used Uniswap to clean the funds.
Diamond Handing
Hackers don’t always cash out immediately. Instead, they sit on stolen crypto for years, waiting for the right moment.
• Funds from past hacks are still untouched.
• When they do move, they use crypto mixers to cover their tracks.
Bitfinex Hack
In 2018, Lazarus hacked Bitfinex for $250M in Bitcoin & Ethereum.
• The funds were laundered through fake KYC accounts.
• Two Chinese citizens, Tian & Li, moved millions via bank accounts.
• They remain fugitives today.
The Axie Infinity Hack
In 2022, Lazarus hacked Ronin ($625M) using LinkedIn phishing.
• They posed as recruiters.
• A senior engineer downloaded a fake job offer PDF.
• That single mistake let hackers take over 4 of 9 network validators.
Anne Neuberger, U.S. cybersecurity official, estimates 30% of North Korea’s missile program is funded by cybercrime.
• Hackers are trained in Shenyang, China.
• In 2022 alone, North Korea stole $1.7B in crypto.
The Bigger Picture
• Lazarus started with South Korea but expanded globally.
• Hacks are systematic, state-backed cyber warfare.
• Crypto exchanges remain high-risk targets.
TLDR on the state of ETH
• Bybit won’t recover the stolen ETH.
• Their bridge loan covers withdrawals, but they must buy back ETH later.
• Lazarus can’t liquidate all the ETH fast enough.
• This creates buying pressure, but ETH will still dump.