On February 21, Bybit's Ethereum cold wallet was hacked, resulting in the theft of $1.46 billion. The attack ranks among the largest crypto heists in history.
A state-sponsored North Korean hacking group, known as Lazarus Group, has reportedly stolen $1.46 billion from cryptocurrency exchange Bybit.
The heist, which was carried out in February and later confirmed by the FBI, ranks among the largest crypto heists in history.
To infiltrate Bybit’s defenses, hackers used a “masked” transaction method and created a fake Safe wallet interface to deceive exchange security personnel into approving malicious transactions.
The incident began when a Bybit executive noticed an unusual transaction on Monday morning, an outgoing transfer from one of the exchange’s main hot wallets.
Upon closer inspection, the executive discovered that the transaction had been approved by a member of the exchange’s security team, despite the transaction details being visibly different from the original application submitted by the treasury department.
In a statement to Blockworks, Ben Zhou, co-founder and CEO of Bybit, said the hackers used a new variant of an old trick to carry out the heist.
“They applied for one transaction but, using a masked transaction method, made the outgoing transaction details look different from the applied transaction details. Finally, they got approval for a transaction that was not applied for,” Zhou said.
To complete the heist, hackers reportedly used a sophisticated phishing technique to create a fake version of the Safe wallet interface, which is used by exchange executives to approve large transactions.
After gaining access to one executive’s device, they displayed the fake interface, making it appear as though the exchange was receiving a large incoming transaction that needed approval. In reality, however, they were transferring funds out of the exchange.
“The difference in the transaction applied for and the transaction approved was clear, and our internal investigation is ongoing. But we are confident that our security team was tricked by the sophisticated phishing techniques used by the hackers,” Zhou said.
After several hours of transferring funds, hackers attempted to withdraw a final tranche of ETH to a UnionPay bank account in China. However, Bybit’s security team managed to identify and cancel the transaction in time.
In total, around $1.46 billion in crypto was stolen from Bybit’s Ethereum cold wallet over the course of several hours on Monday, February 20.
The stolen funds included ETH, BTC, USDC and several other tokens.
After the heist, the FBI confirmed that the hackers were part of the Lazarus Group, a group of North Korean state-sponsored hackers who have previously been linked to several high-profile cyberattacks.
In response to the heist, Zhou said that Bybit has declared “war” on the North Korean hackers.
“We will use all of our resources to bring these hackers to justice and recover the stolen funds,” he said.
The statement comes after the U.S. government last month placed sanctions on two North Korean officials for their role in cybercrime activities, including crypto theft.
According to the Treasury Department, the two officials, Park Jin Hyok and Kim Il, are members of the Reconnaissance Bureau 121, the main intelligence agency of the North Korean government.
The statement said that Park, who is also known as “Ha Dae Sung,” previously worked in software development in China before returning to North Korea in 2011 to contribute his technical expertise to the government.
He is described by the FBI as part of a conspiracy responsible for some of the most damaging cyber intrusions in the world.
“Park Jin Hyok is allegedly a state-sponsored North Korean computer programmer who is part of an alleged criminal conspiracy responsible for some of the costliest computer intrusions in history. These intrusions caused damage to computer systems of, and stole currency and virtual currency from, numerous victims,” the FBI said.
The agency said that the intrusions caused widespread disruption to businesses and institutions, and personally affected countless individuals.
The statement added that Park is part of a group of North Korean hackers who have been indicted by a federal grand jury in the United States for their role in a hacking spree that targeted U.S. banks and institutions.
The indictment alleges that the hackers stole nearly $1 billion in bitcoin from an exchange in 2014, and attempted to steal $1 billion more.
The indictment also said that the hackers used ransomware to encrypt the data of several U.S. hospitals, and threatened to delete the data unless they were paid a ransom.
The Treasury Department said that Kim, who is also known as “Maru,” is a subordinate of Park and has been involved in cybercrime activities since at least 2016.
He is said to have played a key role in developing and deploying malware that was used to steal cryptocurrencies from exchanges and individuals.
The statement said that Kim oversaw a group of hackers who used a variety of phishing techniques to compromise user credentials and gain access to exchange accounts.
He is also said to have been involved in laundering the stolen cryptocurrencies through a network of cryptocurrency mixers and exchanges.
“North Korean cyber actors are part of a state-