Cryptocurrency exchange Bybit is scrambling to recover approximately $2.4 billion worth of digital assets pilfered by suspected North Korean cybercriminals.

Marking the “biggest cryptocurrency heist ever recorded”, the Dubai-based company reported Saturday morning that an attacker had manipulated a routine transaction between two crypto wallets (one offline and one online) to effectively gain control over billions in Ethereum cryptocurrency.

After the hacker sent some $2.4 billion ($US1.5 billion) of the currency to an unidentified address, co-founder and chief executive Ben Zhou described the incident as “the worst hack in history”.

“We have been hit by the worst hack possibly in the history of any medians, [including] banks, crypto and finance,” Zhou said on social media platform X.

While Zhou assured clients their assets were backed “one-to-one” and the company could “cover the loss,” Bybit customers submitted some 350,000 requests to withdraw their funds within only 10 hours of the incident.

By Saturday afternoon, Zhou said the company had processed all withdrawal requests and would allow users to withdraw any amount with “no delays”.

“Most of the team [hasn’t slept],” he said.

Bybit confirmed it is investigating the incident, while multiple blockchain bridges and analysts have cooperated in efforts to prevent unauthorised transfers.

The price of Ethereum plunged nearly 4 per cent following news of the hack, though it regained some value Monday morning.

Bounty points to North Korean hacker

Bybit promptly launched a “recovery bounty program” which promised to reward up to 10 per cent of stolen funds to those who “play an active role in retrieving the stolen cryptocurrencies”.

Blockchain analytics firm Arkham Intelligence backed the effort with a comparatively modest bounty of its own, which crypto investigator ‘ZachXBT’ solved within four hours by uncovering a North Korean connection to the attack.

Arkham said ZachXBT gave “definitive proof” the attack was performed by Lazarus Group, a North Korean hacking group that has long plagued blockchain providers with repeated, record-breaking attacks.

While Bybit has not confirmed the perpetrators in a statement, Lazarus is also believed responsible for stealing $US600 million from the Ronin Network in April 2022 – which until now marked the largest crypto-heist in history.

Threat researcher ‘vxdb’ further observed Lazarus has already “started laundering” the Ethereum stolen from Bybit.

North Korean hackers stole some $2.1 billion ($US1.34 billion) from crypto platforms in 2024, according to blockchain analysis firm Chainalysis.

Simple human error

Bybit emphasised “all client funds are safe” and that its operations would continue as usual “without any disruption”, though respondents on X were quick to accuse the company of having lax security measures or an unknown insider threat in its ranks.

Paul Quickenden, chief commercial officer of New Zealand-based cryptocurrency exchange Easy Crypto, meanwhile suggested human error was to blame.

“This was a case of 'hack the humans',” said Quickenden.

“Cold [or offline] wallets like this require multi sign-offs, and in this case, the humans assumed they were signing off on a routine transfer.

“In a hi-tech world, this underlines the importance of not relying on assumptions when it comes to underlying tech's ability to keep us safe.”

On X, Zhou emphasised the hacker altered the user interface of the crypto-wallet software used by Bybit staff, effectively deceiving them into believing the compromised transaction was secure.

Zhou quick to take blame

In a livestream conducted only one hour after the attack, Zhou boldly admitted he was the last person to approve or “sign” the hacked transaction.

“I signed it, and thirty minutes later we got the emergency call that our cold Ethereum wallet was drained,” said Zhou.

He explained that while both the URL and destination address for the funds appeared correct and secure, it was later found some underlying code had been tampered with.
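The two accounts above (Quickenden's point that the approvers assumed they were signing a routine transfer, and Zhou's that the destination looked right while underlying code had been tampered with) come down to one defensive check: never let the signing UI be the only source of truth about what is being signed. The script below is an added illustration, not Bybit's code or anything described in the article. It assumes a hypothetical multisig transfer request with `to`, `value`, `data` and `nonce` fields, a made-up JSON canonical form hashed with SHA-256 (real wallets use their own signing scheme), and constructed addresses; it compares the fields the UI displays against the raw payload the signer would actually approve, and against a digest a second approver computed out of band.

```python
import hashlib
import json
from typing import Optional

# Constructed sample values (hypothetical, not Bybit's addresses or transaction).
KNOWN_GOOD_DESTINATION = "0x1111111111111111111111111111111111111111"
UNEXPECTED_DESTINATION = "0x2222222222222222222222222222222222222222"

# What the (possibly tampered) UI renders for the approver: a routine transfer.
SAMPLE_UI_VIEW = {"to": KNOWN_GOOD_DESTINATION, "value": 10**18, "data": "0x", "nonce": 7}

# Raw payload when the UI is honest: identical to what is displayed.
SAMPLE_RAW_HONEST = dict(SAMPLE_UI_VIEW)

# Raw payload when the UI has been altered: the display still says "routine
# transfer" but the bytes to be signed carry a different destination and calldata.
SAMPLE_RAW_TAMPERED = {"to": UNEXPECTED_DESTINATION, "value": 10**18,
                       "data": "0xdeadbeef", "nonce": 7}

SIGNED_FIELDS = ("to", "value", "data", "nonce")


def canonical_payload(payload: dict) -> bytes:
    """Serialize the signed fields in one deterministic form (hypothetical scheme)
    so every approver hashing the same raw payload gets the same digest."""
    fields = {
        "to": payload["to"].lower(),
        "value": int(payload["value"]),
        "data": payload["data"].lower(),
        "nonce": int(payload["nonce"]),
    }
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def payload_digest(payload: dict) -> str:
    """SHA-256 of the canonical payload, computed locally and never read off the UI."""
    return hashlib.sha256(canonical_payload(payload)).hexdigest()


def verify_before_signing(ui_view: dict, raw_payload: dict,
                          expected_digest: Optional[str] = None):
    """Return (ok, problems). ok is True only when every displayed field matches
    the raw payload and, if given, the out-of-band digest also matches."""
    problems = []
    for field in SIGNED_FIELDS:
        ui_val, raw_val = ui_view.get(field), raw_payload.get(field)
        if isinstance(ui_val, str):
            ui_val = ui_val.lower()
        if isinstance(raw_val, str):
            raw_val = raw_val.lower()
        if ui_val != raw_val:
            problems.append(f"{field}: UI shows {ui_val!r} but payload carries {raw_val!r}")
    if expected_digest is not None and payload_digest(raw_payload) != expected_digest:
        problems.append("digest of raw payload does not match the out-of-band reference")
    return (not problems, problems)


if __name__ == "__main__":
    # A second approver independently hashes the transfer they believe is pending.
    reference = payload_digest(SAMPLE_RAW_HONEST)
    for label, raw in (("honest UI", SAMPLE_RAW_HONEST), ("tampered UI", SAMPLE_RAW_TAMPERED)):
        ok, problems = verify_before_signing(SAMPLE_UI_VIEW, raw, reference)
        print(label, "->", "SAFE TO SIGN" if ok else "DO NOT SIGN")
        for p in problems:
            print("  ", p)
```

The point of the two-approver digest is that a compromised front end can only lie to the people who look at it; an approver who hashes the raw payload on a separate machine and reads the digest back over a different channel catches the substitution even when every field on screen looks correct.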

Bybit said its “prompt and open communication effectively prevented panic”, before affirming it had worked closely with regulators and law enforcement to address the hack.

On Sunday, the company warned of scammers “pretending to be Bybit employees” in the wake of the attack.

“Stay sharp – Bybit will never ask for your personal info, deposits, or passwords,” Bybit said.