
A few reports offer an early glimpse into the largest-ever crypto hack, even though the exact details remain unclear.
Last week’s hack of cryptocurrency exchange Bybit raised concerns in the cybersecurity community, highlighting that no one is immune to attacks.
In the largest-ever crypto hack, criminals stole around $1.4 billion worth of Ethereum by using social engineering to bypass the safeguards deployed by the Dubai-based crypto exchange Bybit.
Blockchain investigator ZachXBT claimed the attack was linked to the North Korean Lazarus group.
While many unanswered questions about the breach remain, a few recent reports provide an initial glimpse into how the hackers executed it.
What is known about the hack
The attack started with social engineering targeting Bybit employees. Blockchain analysis firm Chainalysis claims that the hackers used phishing against cold wallet signers, leading them to sign malicious transactions.
These transactions swapped the multi-signature wallet contract supplied by the company Safe for a malicious one. Multi-signature wallets require approvals from several independent parties before a transaction can execute, which makes them one of the safest ways to hold crypto assets. The caveat this incident illustrates is that a multisig protects against a single compromised key, not against signers who approve a transaction whose contents they have not independently verified.
Next, the attackers intercepted a routine transfer from Bybit’s cold wallet to a hot wallet and rerouted the funds, approximately 401,000 ETH, to an address they controlled.
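The attack described above succeeded because the signers approved a transaction that did not match the routine transfer they believed they were authorising. The following is an added illustration, not Bybit's or Safe's code, of the check a signer can run before producing a signature: the payload about to be signed is compared against the transfer the operator intended (taken from an internal record, not the web UI) and against a policy for routine cold-to-hot sweeps. The SafeTx fields (to, value, data, operation, nonce) and the meaning of operation 0 (CALL) and 1 (DELEGATECALL) are Safe's; the hot-wallet address, the amount cap and the policy rules are constructed assumptions.

```python
"""Independent verification of a Safe multisig transaction before signing.

Added example; not Bybit's or Safe's code. The field names follow Safe's
SafeTx structure; the policy, addresses and cap below are constructed.
"""
from dataclasses import dataclass

# Safe's `operation` field: 0 = CALL, 1 = DELEGATECALL.
CALL, DELEGATECALL = 0, 1


@dataclass(frozen=True)
class SafeTx:
    to: str           # destination address as 0x-prefixed hex
    value: int        # amount in wei
    data: bytes       # calldata; a plain ETH transfer carries none
    operation: int    # CALL or DELEGATECALL
    nonce: int


# Constructed policy for a routine cold-to-hot sweep (assumed values).
HOT_WALLETS = {"0x" + "11" * 20}          # placeholder hot-wallet address
MAX_SWEEP_WEI = 10_000 * 10**18           # cap per signed transfer


def policy_violations(tx: SafeTx, expected_nonce: int) -> list[str]:
    """Reasons a transaction must not be signed; an empty list means allowed."""
    reasons = []
    if tx.operation != CALL:
        # A routine transfer never needs delegatecall, which lets the
        # called code act as the Safe itself and alter its logic.
        reasons.append("delegatecall requested on a plain transfer")
    if tx.to.lower() not in {a.lower() for a in HOT_WALLETS}:
        reasons.append(f"destination {tx.to} is not an approved hot wallet")
    if tx.data:
        reasons.append("calldata present on what should be a plain transfer")
    if tx.value > MAX_SWEEP_WEI:
        reasons.append("value exceeds the per-transfer cap")
    if tx.nonce != expected_nonce:
        reasons.append(f"nonce {tx.nonce} != expected {expected_nonce}")
    return reasons


def display_mismatches(payload: SafeTx, intended: SafeTx) -> list[str]:
    """Fields where the payload to be signed differs from the intended transfer."""
    return [f for f in ("to", "value", "data", "operation", "nonce")
            if getattr(payload, f) != getattr(intended, f)]


def safe_to_sign(payload: SafeTx, intended: SafeTx, expected_nonce: int):
    """Return (ok, reasons); the signer refuses unless reasons is empty."""
    reasons = [f"payload differs from intended transfer in field '{f}'"
               for f in display_mismatches(payload, intended)]
    reasons += policy_violations(payload, expected_nonce)
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed: the intended sweep versus a tampered payload.
    intended = SafeTx("0x" + "11" * 20, 5 * 10**18, b"", CALL, 7)
    tampered = SafeTx("0x" + "22" * 20, 0, b"\xde\xad\xbe\xef", DELEGATECALL, 7)
    print(safe_to_sign(intended, intended, 7))
    print(safe_to_sign(tampered, intended, 7))
```

The point of the comparison is that the intended transfer comes from a channel the signing workstation cannot rewrite; if the only source of truth is the screen that asks for the signature, the check is circular.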
After that, the assets were moved through a complex web of intermediary addresses, a typical move to hide traces after hackers steal crypto.
London-based blockchain analysis company Elliptic notes that Lazarus Group has developed sophisticated schemes to launder assets through thousands of blockchain transactions.
Typically, the first step is to swap all of the stolen secondary tokens for native ones such as ETH, because the issuers of some tokens can “freeze” wallets holding stolen assets.
In Bybit’s case, the hackers stole various staked Ethereum assets, such as stETH, cmETH, and mETH, and converted them to ETH on decentralized exchanges.
The second step of the laundering process is to “layer” the stolen funds in an attempt to conceal the transaction trail. This involves many transactions, cross-chain bridges, and instant swap services such as eXch that do not require KYC, before the funds settle in multiple wallets.
Around $75 million of the $1.4 billion was reportedly moved through eXch, which declined to block the transactions despite Bybit’s request.
Lazarus has started laundering the $1.4B stolen ETH.
vxdb (@vxdb), February 22, 2025
Exch[.]cx, a no-KYC exchange, has recorded an abnormal spike in ETH volume—20K ETH in the past 24 hours versus its usual 800 ETH.
Their Bitcoin reserves are also empty, but their ETH reserves have increased by 900%. pic.twitter.com/WBcbBrqPjR
According to Chainalysis, a significant portion of the stolen funds has remained idle across various addresses. By waiting, North Korea-affiliated hackers typically aim to outlast the heightened scrutiny that immediately follows such high-profile breaches.
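The layering described above (funds split across intermediary addresses, mixed with other money, and partly pushed through no-KYC swap services) and the idle balances noted here are what an investigator follows with taint propagation. The block below is an added example, not Chainalysis's, Elliptic's or Bybit's tooling; the ledger, addresses, amounts and the "swap_deposit" service label are constructed. It replays transfers in order, moves the stolen share of each sender's balance proportionally (the "haircut" method), counts deposits to a known no-KYC service as laundered, and reports which addresses still hold stolen funds at the end of the ledger.

```python
"""Taint-following over a constructed transfer ledger.

Added example; not the tooling of any firm named in the article. Addresses,
amounts and the no-KYC service label are constructed.
"""
from collections import defaultdict, deque

# Constructed ledger: (step, sender, receiver, amount_eth), in time order.
TRANSFERS = [
    (1, "thief", "A", 600.0),
    (2, "thief", "B", 400.0),
    (3, "A", "C", 300.0),
    (4, "A", "swap_deposit", 300.0),   # deposit to a no-KYC swap service
    (5, "clean_funder", "C", 100.0),   # unrelated clean inflow mixes with taint
    (6, "C", "swap_deposit", 200.0),   # 3/4 of this is stolen under the haircut rule
    (7, "B", "D", 400.0),
]
NO_KYC_SERVICES = {"swap_deposit"}     # constructed label for a service deposit address


def propagate(transfers, origin, stolen_amount):
    """Replay the ledger; return (balance, taint) per address."""
    balance = defaultdict(float)
    taint = defaultdict(float)
    balance[origin] = taint[origin] = float(stolen_amount)
    for _step, src, dst, amount in sorted(transfers):
        # Stolen share of the sender's holdings. Senders never credited in
        # the ledger (external funders) have no tracked balance and count as clean.
        frac = taint[src] / balance[src] if balance[src] > 0 else 0.0
        moved = amount * frac
        balance[src] -= amount
        taint[src] -= moved
        balance[dst] += amount
        taint[dst] += moved
    return balance, taint


def hop_distance(transfers, origin):
    """Minimum number of transfers between the origin and each address reached."""
    adjacent = defaultdict(set)
    for _step, src, dst, _amount in transfers:
        adjacent[src].add(dst)
    dist = {origin: 0}
    queue = deque([origin])
    while queue:
        node = queue.popleft()
        for nxt in adjacent[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def summarize(transfers, origin, stolen_amount, services):
    """Split stolen funds into laundered (sent to a no-KYC service) and idle."""
    _balance, taint = propagate(transfers, origin, stolen_amount)
    laundered = sum(taint[a] for a in services)
    # Idle: addresses still holding a stolen share at the end of the ledger.
    idle = {a: t for a, t in taint.items() if a not in services and t > 0}
    return {"laundered": laundered, "idle": idle, "hops": hop_distance(transfers, origin)}


if __name__ == "__main__":
    print(summarize(TRANSFERS, "thief", 1000.0, NO_KYC_SERVICES))
```

On the constructed ledger, 450 of the 1,000 stolen units end up at the swap service and 550 sit idle in C and D two hops from the origin; on a real chain the same replay runs over hundreds of thousands of transfers, and the idle set is the list of addresses worth asking exchanges and token issuers to watch.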
For now, Bybit has managed to freeze around $40 million worth of crypto assets. Following the theft, the exchange offered a 10% reward for those who help to trace the stolen funds.