Bybit sics entire crypto sector on North Korean hackers with Lazarus Bounty platform

Following the recent theft of $1.4B from Bybit’s reserves, the exchange has launched “Lazarus Bounty.” The bounty tracking platform aims to recruit the global crypto community to aid in the recovery of the stolen funds. 

The Bybit hack is said to have been perpetuated by the same group of North Korean-backed hackers responsible for the $620 million Ronin Network exploit in 2022. Now, the crypto exchange has gone on the offensive to deal with the group as best as it can, at least until law enforcement comes up with a more permanent solution. 

Bybit introduces the Lazarus Bounty platform

Bybit’s Lazarus Bounty platform, named after the infamous North Korean hacking group believed to be responsible for the breach, is its latest effort to retrieve the cryptocurrency it lost. 

The North Korean hacking group was linked to the crime by popular blockchain investigator, ZachXBT. Arkham made a post on its X account stating that ZachXBT had “submitted definitive proof” linking the Lazarus group to the attack. The submission was shared with the Bybit team to aid their investigation into the matter. 

The Lazarus Group has a documented history of targeting cryptocurrency platforms and pulling off large scale heists. The group has been involved in other high profile incidents including the $620 million theft from the Ronin Network in March 2022 and a $41 million theft from Stake.com in September 2023. 

The methods and scale of these attacks have similar patterns with that of the Bybit incident, giving even more validity to ZachXBT’s accusation. 

Arkham continued to monitor the activity of the hacker’s account across the cryptocurrency network. “The Bybit Hacker is making 2-3 transactions per minute, and stops every 45 minutes for a 15 minute break. They move ETH from one address at a time, before moving onto the next one,” the blockchain data tracking platform said. 

Bybit built the Lazarus bounty platform in two days due to the urgency of the situation. Ben Zhou, Bybit’s CEO, mentioned on X that a newer version of the site will be released soon as it makes more improvements to make the site look and function better. He also stated his openness to suggestions and feedback.

We only pre entered some of your findings , which might not be full, if you have more, please help to submit a bounty on the site, or send to me through dm, really appreciate your help all the way. We want to give you the full credits for your hard work. The site was built in 2…

— Ben Zhou (@benbybit) February 25, 2025

The Lazarus bounty platform serves as a centralized hub for cybersecurity experts, blockchain analysts, and ethical hackers to collaborate on a global scale. Each of these individuals can come together through the platform to track and recover the stolen assets. 

There’s also the attractive 10% incentive that would make anyone willing to help. 10% of the stolen $1.4B would amount to a whopping $140M, the largest bounty in the history of cryptocurrency.

The 10% is split 50:50 between individuals that successfully freeze the stolen funds and those who contribute by helping trace the funds. 

Individuals can become bounty hunters by connecting their wallets on the site and helping to trace the fund. When a submitted trace leads to some of the funds being frozen the 5% bounty is paid upfront. 

Bybit also introduced a blacklisted wallet API that provides a continuously updated list of wallet addresses identified as suspicious or associated with the hack, enabling security pros and other cryptocurrency platforms to monitor and or prevent transactions involving these addresses. 

The aftermath of the Bybit heist 

On February 21, 2025, Bybit experienced a security breach during a routine transfer from its cold wallet to a warm wallet. Hackers exploited this process, seizing control of the cold wallet and siphoning 401K ETH, valued at around $1.5B, to an unknown address. This incident is now recognized as the largest cryptocurrency heist in history. 

Despite the significant loss, Bybit’s CEO, Ben Zhou, reassured the platform’s users of the company’s solvency. He stated that all client assets remained backed 1:1 and that wallets unaffected by the security breach and withdrawals from the platform would continue to operate normally. 

Bybit is actively collaborating with blockchain forensic analysts to trace the stolen funds, and so far, the exchange has been successful in recovering some of the lost funds. 

The mETH, Mantle, and SEAL teams successfully recovered 15K cmETH tokens worth around $43M.

First recovery in the ByBit hack.

~$43m (15,000 cmETH) has been clawed back from the hacker.

I saw the recovery possibility soon after the hack and SEAL connected me with Mantle/mETH team who made it happen.

Huge shoutout to SEAL, Mantle, and mETH teams for their quick action.

— Mudit Gupta (@Mudit__Gupta) February 22, 2025

Tether CEO Paolo Ardoino announced that his company froze 181K USDT connected to the hack as well. 

Bybit has also introduced a bounty program to aid the recovery of the stolen funds. The exchange is offering up to 10% of the recovered amount to ethical hackers who assist in the retrieval of the stolen cryptocurrency.

Security professionals monitoring the situation have received thousands of tips about the hack and the hacker’s efforts to split up the loot. Bybit is also working with law enforcement agencies in Singapore and is in discussions with the Ethereum Foundation about potential solutions.

Several cybersecurity firms and blockchain security teams such as  Mandiant, Verichain ZeroShadow, and Chainalysis, to name a few, joined in the effort to trace bad actors and prevent the hackers from laundering the funds. Crypto exchanges such as Binance, Coinbase, and Bitget, along with blockchain networks including Polygon, Arbitrum, Optimism, and AVAX, are working to restrict the movement of the stolen assets.

To prevent future security vulnerabilities and incidents, Bybit has committed to a comprehensive review and enhancement of its security infrastructure. This review entails implementing advanced authentication measures, conducting regular security audits, and educating its users on best practices to safeguard their assets.

Cryptopolitan Academy: Want to grow your money in 2025? Learn how to do it with DeFi in our upcoming webclass. Save Your Spot