Dubai-based crypto exchange Bybit has traced nearly 89% of the $1.4 billion stolen in a February cyberattack, with much of the funds still recoverable, according to CEO Ben Zhou.
The attack, attributed to North Korea’s Lazarus Group, targeted liquid-staked Ether (stETH), Mantle Staked ETH (mETH), and other digital assets, making it the largest crypto hack on record.
The breach, which occurred on Feb. 21, stemmed from a security lapse within the infrastructure of Safe, a multi-signature wallet provider. Investigators, including cybersecurity firms Arkham Intelligence and Verichains, determined that Lazarus operatives exploited a compromised developer laptop to plant malicious code. The attackers then bypassed Safe’s multi-factor authentication, hijacking active session tokens on its Amazon Web Services (AWS) account.
Bybit’s security team and blockchain analysts have tracked the stolen assets, with Zhou revealing that 88.87% of the hacked funds remain traceable. He detailed the movement of the funds, stating that 86.29%—approximately 440,091 ETH, valued at $1.23 billion—were converted into 12,836 BTC and spread across 9,117 wallets.
Most of the funds were funneled through Bitcoin mixers, including Wasabi, CryptoMixer, Railgun, and Tornado Cash, in an attempt to obfuscate their origin.
Despite these laundering efforts, only 7.59% of the stolen assets have gone completely dark, while investigators have successfully frozen 3.54%. Zhou emphasized the importance of continued tracking efforts to recover additional funds before they are fully laundered.
Bounty Hunters and Law Enforcement Collaboration
Bybit has offered a 10% bounty on any recovered funds to incentivize blockchain security experts and ethical hackers. The exchange has paid out over $2.2 million to 12 bounty hunters who provided key insights into Lazarus Group’s transaction patterns.
In the past month, Bybit received 5,012 bounty reports, with 63 deemed valid. Zhou acknowledged the ongoing difficulty of decoding transactions that pass through cryptocurrency mixers and urged more blockchain investigators to join the effort.
“This incident is another stark reminder that even the strongest security measures can be undone by human error,” said Lucien Bourdon, an analyst at Trezor. He noted that the attackers used advanced social engineering tactics to deceive Safe’s signers into approving a malicious transaction, which led to the theft of Bybit’s cold wallet funds.
The Bybit hack surpassed the infamous $600 million Poly Network exploit in August 2021, making it the biggest breach in crypto exchange history.