How the world's largest heist happened
In February 2025 Bybit, the Dubai-based exchange that ranks second worldwide by trading volume, lost roughly $1.5 billion in Ether (401,346.769 ETH) to Lazarus Group, the North Korean state-sponsored hacking collective. It is the largest theft of cryptocurrency on record, surpassing every previous exchange breach.
Lazarus Group is a hacking organization of unknown size that is widely attributed to the North Korean government. Although its operations are financially motivated, it is tracked as an advanced persistent threat (APT) because of its intent, persistence, and broad range of attack methods. Unlike ordinary criminal groups, Lazarus fields specialized teams with expertise in social engineering, malware development, and blockchain analysis. Its operations blend technical precision with psychological manipulation, and it often targets developers and third-party service providers as a way into high-value systems.
The hack targeted the movement of ETH from a cold wallet to a warm wallet: a routine transaction that moves funds from secure, offline storage into an online wallet from which client withdrawals are serviced. It is akin to moving cash from a locked vault to a cashier's till.
Stage 1: Initial Compromise via Supply Chain Attack
According to a post by Ben Zhou, CEO of Bybit, Lazarus gained access to Safe{Wallet}'s infrastructure by compromising a Safe{Wallet} developer's workstation through social engineering. The exact lure has not been disclosed; fake job interviews and phishing e-mails tailored to developers are both standard Lazarus tradecraft and are considered the likeliest route.
Once inside, they injected malicious JavaScript into the Safe{Wallet} web frontend that Bybit's signers used. The code was written to activate only for Bybit's Ethereum cold-wallet Safe (it checked the connected wallet address) and to alter the transaction payload during a routine transfer from the cold wallet to the warm wallet.
Stage 2: Installation of Malicious Code
On February 19, Lazarus replaced a JavaScript file in Safe{Wallet}'s web app with a version designed to fire during Bybit's next transaction. When Bybit initiated a routine transfer on February 21, the code swapped the transaction the signers were about to sign: instead of a plain transfer to the warm wallet, the payload was a delegatecall to an attacker-controlled contract, which overwrote the cold wallet's Safe implementation (its mastercopy) with attacker code and so handed Lazarus control of the wallet's balance. The Safe interface still displayed the legitimate transfer to the three signers, who approved it on their hardware wallets without realizing that the data they signed differed from what they saw.
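The defensive point of this stage is that the signing device is only as trustworthy as the payload the browser hands it. The following is an added example, not code from the original post or from Safe{Wallet} or Bybit: a signer-side policy check that re-derives the four fields of a Safe transaction (to, value, data, operation) from the operator's stated intent and compares them with what is actually presented for signature. The addresses are constructed placeholders, and the policy itself (destination allowlist, no DELEGATECALL, decoded ERC-20 recipient must be allowlisted) is an assumed operator policy, not a Safe feature.

```python
"""Signer-side sanity check for a Safe (Gnosis Safe) multisig transaction.

Added example; not code from the original post or from Safe{Wallet}/Bybit.
Addresses are constructed placeholders and the policy is an assumption.
"""
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1
# keccak256("transfer(address,uint256)")[:4], the standard ERC-20 selector.
ERC20_TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")


@dataclass(frozen=True)
class SafeTx:
    to: str          # destination address, 0x-prefixed hex
    value: int       # ETH to send, in wei
    data: bytes      # calldata executed at `to`
    operation: int   # 0 = CALL, 1 = DELEGATECALL

    def normalised(self) -> tuple:
        """Fields as they enter the signed payload, with case-insensitive address."""
        return (self.to.lower(), self.value, self.data, self.operation)


def pad_address(addr: str) -> bytes:
    """ABI-encode an address as one 32-byte word (12 zero bytes + 20 address bytes)."""
    return bytes(12) + bytes.fromhex(addr[2:])


def decode_erc20_transfer(data: bytes):
    """Return (recipient, amount) if `data` is an ERC-20 transfer(address,uint256) call, else None."""
    if len(data) != 68 or data[:4] != ERC20_TRANSFER_SELECTOR:
        return None
    recipient = "0x" + data[16:36].hex()          # low 20 bytes of the first word
    amount = int.from_bytes(data[36:68], "big")   # second word
    return recipient, amount


def policy_violations(presented: SafeTx, intended: SafeTx, allowlist: set) -> list:
    """Compare the payload about to be signed with the operator's intent and policy."""
    allowed = {a.lower() for a in allowlist}
    problems = []
    if presented.operation == DELEGATECALL:
        problems.append("operation is DELEGATECALL: code at `to` would run inside the Safe's own storage")
    if presented.to.lower() not in allowed:
        problems.append(f"destination {presented.to} is not an approved address")
    transfer = decode_erc20_transfer(presented.data)
    if transfer is not None and transfer[0] not in allowed:
        problems.append(f"calldata is an ERC-20 transfer to non-approved address {transfer[0]}")
    if presented.normalised() != intended.normalised():
        problems.append("payload handed to the signer differs from the transfer the operator entered")
    return problems


# Constructed sample (placeholder addresses, not the real ones).
WARM_WALLET = "0x1111111111111111111111111111111111111111"
ATTACKER_CONTRACT = "0x2222222222222222222222222222222222222222"
BACKDOOR_IMPL = "0x3333333333333333333333333333333333333333"
ALLOWLIST = {WARM_WALLET}

# What the operator meant to sign: a plain ETH transfer to the warm wallet.
INTENDED = SafeTx(to=WARM_WALLET, value=30_000 * 10**18, data=b"", operation=CALL)

# What a tampered frontend might present instead: a delegatecall into a
# hypothetical attacker contract whose transfer() writes its first argument
# into storage slot 0, the slot where a Safe keeps its implementation address.
PRESENTED = SafeTx(
    to=ATTACKER_CONTRACT,
    value=0,
    data=ERC20_TRANSFER_SELECTOR + pad_address(BACKDOOR_IMPL) + (0).to_bytes(32, "big"),
    operation=DELEGATECALL,
)

if __name__ == "__main__":
    for p in policy_violations(PRESENTED, INTENDED, ALLOWLIST):
        print("REFUSE:", p)
    print("benign payload problems:", policy_violations(INTENDED, INTENDED, ALLOWLIST))
```

The check has to run somewhere the compromised web page cannot reach: a separate machine, a CLI tool that reads the parameters from the hardware wallet's own display, or a second, independently hosted interface. A check that takes its inputs from the same browser tab that was tampered with proves nothing.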
Stage 3: Covering Tracks
Shortly after the fraudulent transaction executed, the malicious file was swapped back for the original, removing the evidence from the live site. The substitution went unnoticed because the signers had no way to verify the transaction independently of the compromised interface: the hardware wallets showed only an opaque hash of the Safe transaction (blind signing), so the additional signatures and the hardware devices simply confirmed whatever the browser fed them.
Stage 4: Laundering and Evasion
Immediately after the breach, Lazarus began swapping the stolen liquid-staking tokens for plain Ether on decentralized exchanges (DEXs), since ETH, unlike tokens controlled by an issuer, cannot be frozen. They then spread the ETH across roughly 50 wallets and used bridging and further chain-hopping (much of it ending up as Bitcoin) to obscure the money trail and stay ahead of freeze requests.
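The fan-out to many fresh addresses in similar-sized batches is one of the few laundering steps that is visible on-chain within minutes and can be alerted on automatically. The following is an added example, not analysis code from the original post or from any blockchain-analytics vendor: a heuristic that flags a sender which, inside a short window, sprays near-equal amounts to many distinct addresses. The transfer log is constructed, and the window, minimum output count and allowed spread are assumed thresholds.

```python
"""Fan-out detection over a constructed transfer log.

Added example; not code from the original post or from any analytics vendor.
Records and thresholds are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ts: int        # unix seconds
    src: str
    dst: str
    amount: float  # ETH


def fan_out_alerts(transfers, window_s=3600, min_outputs=10, max_spread=0.05):
    """Return [(sender, distinct_outputs, total_eth)] for senders matching the heuristic.

    A sender is flagged when some window of `window_s` seconds contains transfers
    to at least `min_outputs` distinct addresses whose amounts all lie within
    `max_spread` (relative) of the window mean.
    """
    by_src = defaultdict(list)
    for t in transfers:
        by_src[t.src].append(t)

    alerts = []
    for src, outs in by_src.items():
        outs.sort(key=lambda t: t.ts)
        for i, first in enumerate(outs):
            window = [t for t in outs[i:] if t.ts < first.ts + window_s]
            dsts = {t.dst for t in window}
            if len(dsts) < min_outputs:
                continue
            amounts = [t.amount for t in window]
            mean = sum(amounts) / len(amounts)
            spread = max(abs(a - mean) for a in amounts) / mean
            if spread <= max_spread:
                alerts.append((src, len(dsts), sum(amounts)))
                break  # one alert per sender is enough
    return alerts


def make_sample():
    """Constructed log: one launderer spraying 10 x 10,000 ETH, one ordinary hot wallet."""
    launderer = "0xbad0000000000000000000000000000000000001"
    hot_wallet = "0xe0c0000000000000000000000000000000000001"
    t0 = 1_740_000_000
    records = []
    # Launderer: equal 10,000 ETH batches to ten fresh addresses, 90 s apart.
    for i in range(10):
        records.append(Transfer(t0 + i * 90, launderer, f"0x{i:040x}", 10_000.0))
    # Hot wallet: many recipients too, but wildly different withdrawal sizes.
    for i in range(12):
        records.append(Transfer(t0 + i * 60, hot_wallet, f"0x{0xffff + i:040x}", 0.5 * (i + 1) ** 2))
    return records


if __name__ == "__main__":
    for src, n, total in fan_out_alerts(make_sample()):
        print(f"ALERT {src}: {n} distinct outputs, {total:,.0f} ETH in one window")
```

In production the alert would feed a freeze request to exchanges and stablecoin issuers that receive the fan-out outputs; the heuristic itself is cheap enough to run on every block. Tune `max_spread` upward if the launderer varies the batch size, and pair it with a freshness check on the destination addresses.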