Bybit vs. North Korean Hackers: 11K Wallets Exposed in Ongoing Cyber Battle

In the aftermath of the staggering $1.4 billion Bybit hack, the exchange has launched an aggressive counteroffensive against the North Korean-linked Lazarus Group, the suspected masterminds behind the breach. Bybit’s co-founder and CEO, Ben Zhou, made a bold statement on Feb. 25, vowing to track down the stolen funds and prevent further illicit activity.

Bybit Declares War on Lazarus Group

As part of its response, Bybit introduced a wallet application programming interface (API) to help trace funds linked to the exploit. It has also put out a bounty, incentivizing blockchain sleuths and security firms to assist in recovering the stolen assets.

Blockchain analytics firm Elliptic has stepped up in support, revealing that Lazarus Group controls at least 11,084 cryptocurrency wallets used to launder stolen digital assets. The firm has made this data publicly accessible, enabling exchanges and financial institutions to screen addresses and prevent further illicit transactions. Elliptic stated:

“Addresses associated with the Bybit exploit were identified and available to screen within just 30 minutes of the announcement, protecting customers without the need for them to conduct repetitive manual checks.”

The Battle for Recovery

Bybit has also enlisted the help of Web3 security firm ZeroShadow, which specializes in blockchain forensics. The firm’s mandate is to trace, freeze, and recover as much of the stolen cryptocurrency as possible.

Meanwhile, blockchain intelligence firm Chainalysis has been investigating how the hackers orchestrated the attack. Preliminary findings indicate that the breach began with a sophisticated phishing campaign, targeting Bybit’s cold wallet signers. Once the attackers infiltrated the system, they intercepted a routine Ethereum transfer from a cold wallet to a hot wallet, siphoning off significant sums.

The hackers converted portions of the stolen Ether into Bitcoin, Dai, and other cryptocurrencies, moving them across multiple blockchain networks.

Bybit’s Resilience Amid Crisis

Despite the massive heist, Bybit has remained operational, keeping withdrawals open and securing external liquidity through emergency loans. The company has now begun repaying these loans, starting with a 40,000 ETH repayment to Bitget on Feb. 25.

Zhou publicly acknowledged Elliptic’s efforts, posting on X:

“Thx to the Elliptic team for putting up a real-time Bybit exploit data, really appreciate the effort and work put into helping us.”

With investigations ongoing and new wallet addresses being identified daily, Bybit’s fight against Lazarus Group is far from over.
