Following what is speculated to be the biggest hack in the cryptocurrency world, Bybit announced on February 26, 2025, in a post on X (formerly Twitter): “We are close to 100% on our ETH reserves, and deposits & withdrawals are back to normal”.
A CNBC article states that “Bybit replenished its reserves by securing nearly 447,000 ether tokens through emergency funding from Galaxy Digital, FalconX and Wintermute. This was done through a mix of emergency loans and large deposits”. Whilst the stolen ether has not been fully recovered, this step taken by Bybit helped keep the exchange balance open.
On February 21, 2025, Bybit suffered a $1.5 billion hack whilst in the process of transferring funds from an ETH multisignature cold wallet (a cryptocurrency wallet not connected to the internet) to a warm wallet. In a public service announcement released by the FBI on the 26th of February, it was confirmed that a group from North Korea was behind the hack.
In further reports by CNBC, blockchain analytics firm Elliptic identified the North Korean group responsible for the hack as the Lazarus Group. Reports by Elliptic show that the North Korean group has stolen over $6 billion in crypto assets since 2017.
In 2022, the Lazarus Group was responsible for the $600 million heist from Axie Infinity. Despite all efforts and cooperation with law enforcement groups, only $30 million was recovered from the heist.
Bybit has offered a 10% bounty on any successfully frozen or recovered assets, with 5% awarded to the entity that successfully froze the funds and 5% to the first reporters who helped trace the funds, leading to their freezing. However, the chances of a full recovery of the assets are quite slim, given the track record of the Lazarus Group.
The recent hack repeated the “pattern” commonly employed by this group. The group exchanges stolen tokens for a “native” blockchain asset such as Ether because, unlike other tokens whose issuers can “freeze” wallets containing stolen crypto assets, Ethereum and Bitcoin have none.
After the theft, the group then “layers” the stolen cryptoassets to conceal the transaction trail by sending the assets through numerous crypto wallets, moving the assets to other exchanges using exchanges or cross-chain bridges, or using “mixers” like Tornado Cash or Cryptomixer.
The group carried out this process shortly after the $1.5 billion Bybit hack. The stolen tokens were exchanged for Ethereum using decentralised exchanges (DEXs) to prevent the assets from being frozen when the laundering commenced.
Within two hours of the theft, the stolen assets were transferred to over 50 different wallets, with each holding 10,000 ETH. According to analysis conducted by Elliptic, the wallets are being systematically emptied, and as of March 2nd, 2025, almost $906 million of the stolen crypto assets have been moved from the said wallets.
In a post by Bybit on X, the company stated, “we know where our funds have gone, and we are committed to turning this experience into an opportunity to strengthen the ecosystem”. Bybit was able to freeze $42.89 million within 24 hours of the attack. However, the hunt tagged “LazarusBounty” is still ongoing and 90.15% of the stolen assets are being tracked.