Lazarus Group Linked to Bybit Hack and Solana Memecoin Scams, Investigation Reveals

On February 23, 2025, on-chain investigator ZachXBT published findings connecting North Korea's Lazarus Group to the massive $1.4 billion Bybit hack on February 21, 2025.

North Korea’s Lazarus Group has been linked to the massive $1.4 billion Bybit hack and recent memecoin scams on Solana’s Pump.fun platform, according to an investigation.

On February 23, on-chain investigator ZachXBT published his findings, shedding light on a complex laundering operation involving stolen funds from the Bybit hack.

The investigation revealed that on February 22, the attacker received $1.08 million from the Bybit hack, which was then bridged as USDC to Solana at a wallet address (0x363908df2b0890e7e5c1e403935133094287d7d1).

After being split between several wallets, several of the addresses were linked to memecoin scams. Through his analysis, ZachXBT identified over 920 cryptocurrency addresses involved in the hack, with Lazarus Group’s footprints being observed in Pump.fun memecoin launches.

Bybit Hack Funds Laundered Through Solana Memecoin Platforms

According to ZachXBT’s analysis, Lazarus Group laundered the stolen Bybit funds through multiple transactions. The $1.08 million USDC, which was bridged from Solana to Binance Smart Chain (BSC), was split across more than 30 addresses through a programmed mechanism.

The address (0x0beb8b5f899a15ed5e6be5c597f88b2c7d5b3a) collected the funds before returning them to Solana. Several wallets then distributed the funds, with one sending $106,000 USDC to ten Solana addresses belonging to coin scammers.

The investigator highlighted that Lazarus Group launched meme coins on Pump.fun, and 15 hours later, the activities showed that the cybercriminals used the platform to conceal the origins of their stolen funds. The exchanged funds were then moved to different exchanges, making it difficult to track and detect.

While ZachXBT’s findings were shared with several parties, including執法部门, the specific details of these parties were not disclosed to prevent interference. However, ZachXBT confirmed that the wallets were cleared from analytics tools.

Broader Crypto Attack Patterns by Lazarus Group

ZachXBT’s findings also extended beyond the Bybit hack. The same Lazarus Group wallets linked to the Bybit hack were also connected to the $29 million Phemex hack in January.

This pattern suggests a consistent strategy employed by the group, targeting cryptocurrency platforms and laundering funds across different blockchains, including Solana and BSC.

The report also highlighted the group’s role in Solana’s recent memecoin scams, including rug pulls on Pump.fun. These scams have impacted investor trust in Solana, with high-profile cases such as the LIbra token rug pull, where insiders allegedly drained over $107 million.

Such incidents have contributed to a decline in Solana’s user activity, with the number of active addresses dropping to 9.5 million in February 2025, compared to 15.6 million in November 2024.

The investigation underscores the challenges faced by blockchain networks in combating sophisticated cyber threats. Lazarus Group’s actions showcase a growing trend of exploiting decentralized platforms for money laundering, which ultimately affects the security and stability of the broader crypto industry.