Record-Setting $1.5 Billion Crypto Theft Keeps Lazarus Hackers At The Top of the Threat List

Feb 28, 2025

North Korea’s Lazarus hackers appear to have pulled off another record-setting crypto theft as security researchers are attributing the $1.5 billion Bybit hack to them. The exact cause of the breach is not yet known to the public, but Bybit insists that it has not found any breach of its own computers and that the incident must have something to do with the Safe smart wallet.

The crypto theft apparently took place during a regular transfer from Bybit’s offline cold wallets to their online trading wallets, with the Lazarus hackers able to somehow manipulate a smart contract. In spite of a $4 billion “bank run” on top of the theft, Bybit says that it obtained enough emergency funding to fully back all investments and remain solvent.

Lazarus Hackers Poised for Another Record Year

Though the Bybit incident is not their only caper thus far in 2025, the Lazarus hackers have already topped their prior annual record for crypto theft. The group’s best previous year was 2022, in which it racked up a total of $1.43 billion with almost half of that coming from the attack on Ronin Bridge and its companion game Axie Infinity.

Bybit has suggested that their Safe smart wallet was involved, but not necessarily at fault. What exactly that means is still not clear, but CEO Ben Zhou said that his company’s laptops were not at fault. More information is obviously needed to determine exactly how the Lazarus hackers got in.

The prior crypto thefts demonstrate that the group uses a mix of approaches, ranging from extremely sophisticated social engineering to scanning for vulnerabilities in wallet infrastructure. They also show a preference for decentralized platforms, and North Korea is willing to put major money behind these groups (reportedly numbering over 6,000 hackers between Lazarus and other teams) as the thefts prop up its heavily sanctioned government and its weapons programs.

Crypto Theft Mostly Involved ETH

The $1.5 billion in value stolen by the Lazarus hackers was in the form of over 400,000 ETH and stETH. That cascaded into another $4 billion flowing off of the platform as about 580,000 withdrawal requests were made when news of the theft broke. Bybit says that there were some delays in processing these requests due to volume but that they were not halted at any time, and despite the massive outflow the exchange secured enough emergency funding to cover everything and remains in good shape.

Security firms have fingered Lazarus by tracing the movement of funds, with the stolen tokens eventually winding up in wallets known to have been used previously by the group. One of its wallets was also shared with the January breach of Phemex, a theft of about $85 million USD in assets. Bybit is offering a 10% reward for return of the stolen funds, and security firm Elliptic says that it has recovered a small portion of the assets thus far.
