Research indicates that North Korea’s Lazarus Group was behind two linked cyberattacks against the exchanges Bybit and Phemex. On February 21, hackers stole $1.4 billion worth of cryptocurrency assets held by the Bybit exchange, including liquid-staked ETH and Mantle Staked ETH.
Security experts from Arkham Intelligence, together with ZachXBT, concluded from detailed blockchain analysis that the hacking team behind these thefts comes from North Korea. The data shows that a team linked with Lazarus Group carried out both the Phemex theft in January and the Bybit theft on February 21.
Bybit And Phemex Attacks
ZachXBT stated in an X post on February 22 that the Lazarus Group had tied the two hacks together, since the attackers put funds from both incidents into a single wallet. During the Phemex theft, the attackers moved the stolen funds through 125 swaps across 11 blockchain platforms.
The hackers converted the stolen digital assets into Ether through Tornado Cash and related mixing tools, which made the funds difficult to trace. The Bybit cyberattack accounted for $1.16 billion of the $2.3 billion total stolen from cryptocurrency businesses during 2024, causing severe industry setbacks.
Cyvers co-founder and CTO Meir Dolev noted that Bybit’s attack shares security weaknesses with well-known hacks such as WazirX’s $230 million loss and Radiant Capital’s $58 million discrepancy. He found that the Ethereum multisig cold wallet was exploited through a deceptive transaction that fooled signers into changing the smart contract logic without noticing.
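One way a signer can check a proposal independently of the signing interface, shown as an added example that is not from this article or from any exchange's tooling. It assumes a Safe-style multisig whose proposals carry `to`, `data` and an `operation` flag (0 = call, 1 = delegatecall); the function names, addresses and amounts are constructed for illustration.

```python
# Added example: pre-signing review of a multisig proposal (field names are assumptions).
TRANSFER_SELECTOR = "a9059cbb"   # ERC-20 transfer(address,uint256)
CALL, DELEGATECALL = 0, 1        # Safe-style operation flag

def encode_transfer(recipient, amount):
    """Build transfer(address,uint256) calldata; used here only to construct sample input."""
    return "0x" + TRANSFER_SELECTOR + recipient[2:].lower().rjust(64, "0") + format(amount, "064x")

def decode_transfer(data_hex):
    """Return (recipient, amount) if the calldata is exactly an ERC-20 transfer, else None."""
    data = data_hex.lower()
    data = data[2:] if data.startswith("0x") else data
    if len(data) != 136 or not data.startswith(TRANSFER_SELECTOR):
        return None
    if data[8:32] != "0" * 24:   # the address word must be left-padded with zeros
        return None
    return "0x" + data[32:72], int(data[72:136], 16)

def review_proposal(proposal, displayed, allowed_targets):
    """Check the raw payload against what the signer was shown; return a list of findings."""
    findings = []
    if proposal["operation"] != CALL:
        # A delegatecall runs the target's code against the wallet's own storage,
        # which is how a single signature can change the wallet's logic.
        findings.append("not-a-plain-call")
    if proposal["to"].lower() not in allowed_targets:
        findings.append("unknown-target")
    decoded = decode_transfer(proposal["data"])
    if decoded is None:
        findings.append("undecodable-calldata")
    elif decoded != (displayed["recipient"].lower(), displayed["amount"]):
        findings.append("display-mismatch")
    return findings

# Constructed sample values, not taken from any real incident.
TOKEN, PAYEE, UNKNOWN = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
SHOWN = {"recipient": PAYEE, "amount": 1000}   # what the signing screen displayed
ALLOWED = {TOKEN}                               # contracts this wallet is expected to call
ROUTINE = {"to": TOKEN, "operation": CALL, "data": encode_transfer(PAYEE, 1000)}
DISGUISED = {"to": UNKNOWN, "operation": DELEGATECALL, "data": encode_transfer(PAYEE, 1000)}
ALTERED = {"to": TOKEN, "operation": CALL, "data": encode_transfer(PAYEE, 999999)}

if __name__ == "__main__":
    for name, p in [("routine", ROUTINE), ("disguised", DISGUISED), ("altered", ALTERED)]:
        print(name, review_proposal(p, SHOWN, ALLOWED) or "ok to sign")
```

The check is only useful when it runs on a device separate from the one that rendered the signing screen, so that both cannot be tampered with together.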
Lazarus Group is responsible for major digital thefts, including its $600 million attack on Ronin Network and its theft of $230 million from WazirX. According to Chainalysis data, North Korean hackers took $1.34 billion in 47 attacks in 2024, 102% more than the $660 million they stole last year. Crypto theft this year has totalled 61 percent of all thefts on the market.

On January 14, Japan, South Korea and the United States issued a joint warning. Law enforcement confirmed Lazarus Group’s change in strategy toward cryptocurrency companies, listing three major incidents: DMM Bitcoin, Upbit, and Rain Management. In December, South Korea sanctioned 15 North Koreans to stop them from funding nuclear weapons through cyber theft operations.