On Thursday, February 27, 2025, Merkle Science and Halborn hosted a livestream called Crypto’s Biggest Hack: Inside the Bybit Attack & How to Prevent the Next One.
The event featured Halborn co-founder and CTO Steven Walbroehl, along with
Merkle Science's Director of Law Enforcement Affairs Robert Whitaker and Senior Manager of Blockchain Investigations Guru Rajam Ravi.
The full seminar can be watched on-demand here.
The speakers discussed how the Lazarus Group breached Bybit to steal $1.4 billion, how the funds were laundered and, more importantly, what measures can stop similar attacks in the future.
According to Walbroehl, the root cause of the attack was blind signing. Bybit used an on-chain multi-sig wallet, and each signatory signed from their hardware device. The Lazarus Group used a malicious code update in the JavaScript of the front-end interface of the multi-sig wallet, which led to what Walbroehl said was “blind reliance.”
“They’re using this front-end that they trust and what they see is what they expect to happen,” he said. The Lazarus Group, however, was able to redirect the signing transaction to execute an implementation contract that granted the hackers access to sweep the $1.4 billion assets from the multi-sig wallet.
In this way, the multi-sig wallet contract itself was technically not hacked. The wallet's implementation contract sat behind a proxy pattern, which redirected the signed transaction to another, malicious contract that the Lazarus Group had prepared in advance.
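The defensive counterpart to the blind-signing problem described above is a check that decodes what the signer is actually about to approve, independently of the front-end. This is an added example, not code from the livestream, Bybit or either company; it assumes a Safe-style `execTransaction(to, value, data, operation, ...)` calldata layout and selector, and the addresses it uses are constructed.

```python
# Assumption: Safe-style execTransaction ABI layout; the selector below is the one
# published for that function and is not taken from the livestream.
SELECTOR = bytes.fromhex("6a761202")
CALL, DELEGATECALL = 0, 1
HEAD_WORDS = 10  # to, value, data*, operation, safeTxGas, baseGas, gasPrice, gasToken, refundReceiver, signatures*
# Constructed sample addresses (not real contracts).
TOKEN = "0x" + "11" * 20      # an approved token contract on the allowlist
ATTACKER = "0x" + "bad0" * 10  # a contract the front-end never showed the signer

def _word(n: int) -> bytes:
    return n.to_bytes(32, "big")

def _padded(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % 32)

def encode_exec_transaction(to: str, value: int, data: bytes, operation: int) -> bytes:
    """Constructed encoder (gas params zeroed, empty signatures) used to build sample calldata."""
    data_off = HEAD_WORDS * 32
    sig_off = data_off + 32 + len(_padded(data))
    head = [_word(int(to, 16)), _word(value), _word(data_off), _word(operation)]
    head += [_word(0)] * 5 + [_word(sig_off)]
    return SELECTOR + b"".join(head) + _word(len(data)) + _padded(data) + _word(0)

def decode_exec_transaction(calldata: bytes) -> dict:
    """Decode the fields a signer must verify, following ABI offsets rather than trusting a UI."""
    if calldata[:4] != SELECTOR:
        raise ValueError("not an execTransaction call")
    body = calldata[4:]
    w = lambda i: body[32 * i:32 * (i + 1)]
    data_off = int.from_bytes(w(2), "big")
    data_len = int.from_bytes(body[data_off:data_off + 32], "big")
    return {"to": "0x" + w(0)[12:].hex(), "value": int.from_bytes(w(1), "big"),
            "data": body[data_off + 32:data_off + 32 + data_len],
            "operation": int.from_bytes(w(3), "big")}

def presign_findings(calldata: bytes, allowed_to: set[str]) -> list[str]:
    """Policy: a treasury transfer must be a plain CALL to a known contract."""
    tx = decode_exec_transaction(calldata)
    findings = []
    if tx["operation"] == DELEGATECALL:
        # delegatecall runs the callee's code in the wallet's own storage context,
        # so it can overwrite the proxy's implementation slot.
        findings.append("delegatecall: callee code runs in the wallet's storage and can replace its implementation")
    if tx["to"].lower() not in {a.lower() for a in allowed_to}:
        findings.append(f"destination {tx['to']} is not an approved contract")
    return findings
```

A hardware-wallet display that shows only "contract interaction" cannot surface these two findings; they have to be computed from the raw calldata on a machine the signer trusts.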
Although Walbroehl described the attack as “sophisticated,” the initial attack vector was likely an employee, as in previous Lazarus Group attacks. He speculated that an API key or GitHub code credentials could have been accidentally leaked, giving the hackers initial access to Bybit’s systems.
“So I guess at the end of the day, the contracts, the crypto side of it was safe, but it came back down to a human somewhere in a loop,” he said.
This initial attack vector may have occurred months prior, which Whitaker said is consistent with the “advanced persistent threat” that the Lazarus Group typically maintains.
“The Lazarus Group is very, very patient. If you are running a company who is doing anything in this space of value, then you might want to look at your code now because it's not unusual for them to set and wait for months before they strike. This is a great time to take a look at not only the front end, but the back end, and every part of your structure to see if you might be compromised by something,” said Whitaker.
The Lazarus Group’s laundering processes are as sophisticated as its means of attack. Ravi said that the illicit trail from Bybit is characteristic of the criminal organization’s typical methodology for laundering and obfuscation.
Using DeFi solutions, the Lazarus Group first converts stolen funds into native assets like BTC and ETH, which have higher liquidity. Then they break up the funds into increasingly smaller increments in what is known as a peel chain, with the output often going to an instant exchange with no KYC. In the Bybit hack, the Lazarus Group specifically tried to output funds through eXch, a fact eXch’s representatives have since denied, saying only a negligible portion of the funds was sent to its platform.
Although the Lazarus Group has complex obfuscation methods, Ravi was able to follow the on-chain movement of funds through Merkle Science’s Tracker tool. He said that they have started to auto-trace the movement of the stolen Bybit funds and tag them automatically because of the Lazarus Group’s status as a sanctioned entity. To date, Tracker has already auto-tagged over 10,000 addresses.
Through this exercise, Ravi identified links to four previous Lazarus Group hacks: WazirX, BingX, Phemex, and Poloniex.
Though the Lazarus Group has a regular playbook for crypto money laundering, there is added pressure on them to experiment with other tactics because the crypto community is closely monitoring their activity on-chain.
“So every time they're going to try something innovative. This time, they even tried creating their own meme coin on Solana and then they laundered close to a few million there using the pump.fun platform,” said Ravi.
Despite these new tactics, Whitaker said that the crypto community is tightening its control over the channels that the Lazarus Group uses for laundering. For example, he said that any exchange culpable in laundering funds may soon face prosecution from law enforcement groups like the FBI.
“I think the crypto community learns from its mistakes. And we have very highly technical people like Steven and Ravi who understand this stuff really well. And they start plugging those holes: a little gum here, little gum there, and then pretty soon you have a really good system that's working like it should,” he said.
To get a demo of Tracker, the tool that Ravi used to track the stolen Bybit funds and connect them to past Lazarus Group attacks, contact us for a free demo.