ZyCrypto 2025-02-23 10:31:32

North Korean Lazarus Group Likely Behind $1.46 Billion Bybit Exchange Hack

Although not all information is public, Arkham Intelligence, a blockchain analysis firm, has concluded that North Korea’s Lazarus group was responsible for the $1.46 billion hack on the Bybit exchange. On X, Arkham offered a bounty of 50,000 ARKM tokens, worth around $30,000, for anyone who could identify the attackers responsible for Friday’s hack. Not long after, Arkham announced that freelancer ZachXBT had provided “definite proof” that the North Korean hacking group was behind the hack.

According to current information, Lazarus, North Korea’s elite state-sponsored hacking group, pulled off the largest hack in history on a centralized crypto exchange. The hack resulted in the withdrawal of Ethereum tokens amounting to around $1.5 billion. Ethereum security researchers are scrambling to investigate the incident to understand how the attack happened and whether the hack may spread to other exchanges. Within days, crypto enthusiast ZachXBT identified the Lazarus group as the likely culprit. Lazarus has been responsible for many of the top attacks on digital assets.

Blockchain firm Nansen revealed that the attackers first withdrew the funds into a single wallet and then distributed them to multiple wallets. “Initially, the stolen funds were transferred to a primary wallet, which then distributed them across more than 40 wallets,” Nansen said. “The attackers converted all stETH, cmETH, and mETH to ETH before systematically transferring ETH in $27 million increments to over 10 additional wallets.”

Ben Zhou, Bybit CEO, urged customers to remain calm and assured them that 80% of funds were recovered by using bridge loans to replace the stolen money. Despite the current bank run on Bybit, Zhou assured users that withdrawals would not be blocked and that customers would have access to their funds. Leveraging bridge loans allows Zhou to honour withdrawal requests. At this stage, the return of stolen tokens is highly unlikely.

ZachXBT has yet to release all data pointing to the Lazarus group. He says his analysis involved tracking online connections between wallet addresses until, with the assistance of a colleague, he was able to narrow down the suspects to the North Korean hacking group. ZachXBT found a connection between the wallets used in the Bybit hack and the wallets used in the $85 million hack of Singapore-based exchange Phemex.

At this stage, at least, the attack appears to have been caused by blind signing, in which a smart contract is approved without complete knowledge of its contents. “This attack vector is quickly becoming the favorite form of cyber attack used by advanced threat actors, including North Korea,” said Blockaid’s CEO Ido Ben Natan. “It’s the same type of attack that was used in the Radiant Capital breach and the WazirX incident.” “The problem is that even with the best key management solutions, today most of the signing process is delegated to software interfaces that interact with dApps.” “This creates a critical vulnerability - it opens the door for malicious manipulation of the signing process, which is exactly what happened in this attack,” he said.

The stolen funds are unlikely to be returned because North Korea does not have an extradition agreement with the United States. The North Korean hacking group was able to obtain more money in this single hack than in all of its hacks last year. This hack contrasts with previous large-scale attacks, such as the 2016 Bitfinex hack, in that the people behind this attack will likely get away with it and will most likely keep the stolen money. This shows that the reach of the American justice system is limited to countries with extradition agreements. Although America focuses on retrieving lost funds through tax, there is not much it can do about large-scale hacks.

Tom Robinson, Elliptic’s chief scientist, described the attack as the “largest crypto theft of all time.” “The next largest crypto theft would be the $611 million stolen from Poly Network in 2021. In fact it may even be the largest single theft of all time.”

“Bybit appears to be processing withdrawals just fine after their hack,” wrote Coinbase executive Conor Grogan. They have $20B+ in assets on the platform, and their cold wallets are untouched. “Given the isolated nature of the signing hack and how well capitalized Bybit is, I don’t expect there to be contagion.” “A minute into the FTX bankrun it was clear they had no funds to withdraw. I know everyone has PTSD but Bybit is not an FTX situation, if it was I would be screaming it out. They will be fine.”

The Lazarus group’s history can be traced back to 2017, when they hacked South Korean exchanges and stole over $200 million in Bitcoin. Crypto bank robberies seem to be here to stay and will need to be a major focus within the crypto industry.
