Timeline: How Bybit's lost Ethereum went through North Korea's washing machine


The $1.4 billion hack against Bybit wasn’t just the largest exploit in crypto history — it was a major test of the industry’s crisis management capabilities, highlighting how much it has matured since the collapse of FTX.

On Feb. 21, North Korea’s Lazarus Group made off with $1.4 billion in Ether (ETH) and related tokens in a breach that initially sent chills throughout the entire crypto world but was quickly quelled as the industry rallied behind Bybit to manage the fallout.

Here’s a look at how the attack unfolded, how Bybit responded, and where the stolen funds are moving.

Hackers, Cybercrime, North Korea, Features, Bybit, Lazarus Group

Source: Elliptic

Feb. 21: Bybit hacked 

The Bybit hack was first spotted by onchain sleuth ZachXBT, who warned platforms and exchanges to blacklist addresses associated with the hack.

Soon thereafter, Bybit co-founder and CEO Ben Zhou confirmed the exploit and began providing updates and information on the breach.

A post-mortem from Chainalysis initially stated that Lazarus executed phishing attacks to access the exchange’s funds, but the investigation was later updated to report that the hackers gained control of a Safe developer’s machine rather than compromising Bybit’s systems.

The attackers managed to “reroute” some 401,000 ETH, worth $1.14 billion at the time of the exploit, and move it through a network of intermediary wallets.

The complex network of wallets, swaps and crosschain transfers the hackers have used to obscure the funds. Source: Chainalysis

Feb. 21: Bybit assures wallets are safe, Ethena solvency

The exchange was quick to assure users that its remaining wallets were safe, announcing just minutes after Zhou confirmed the exploit that “all other Bybit cold wallets remain fully secure. All client funds are safe, and our operations continue as usual without any disruption.”

A few hours after the hack, client withdrawals remained open. Zhou stated in a Q&A session that the exchange had approved and processed 70% of withdrawal requests at that time.

Decentralized finance platform Ethena told users that its yield-bearing stablecoin, USDe, was still solvent after the hack. The platform reportedly had $30 million of exposure to financial derivatives on Bybit but was able to offset losses via its reserve fund.

Feb. 22: Crypto industry lends Bybit a helping hand, hackers blacklisted

A number of crypto exchanges reached out to help Bybit. Bitget CEO Gracy Chen announced that her exchange had lent Bybit some 40,000 ETH (around $95 million at the time).

Crypto.com CEO Kris Marszalek said he would send his firm’s security team to offer assistance.

Other exchanges and outfits began freezing funds connected with the hack. Tether CEO Paolo Ardoino posted on X that the firm had frozen 181,000 USDt (USDT) connected with the hack. Polygon’s chief information security officer, Mudit Gupta, said the Mantle team was able to recover some $43 million in funds from the hackers.

Zhou posted a thank-you note on X, tagging a number of prominent crypto firms he said had helped Bybit, including Bitget, Galaxy Digital, the TON Foundation and Tether.


Source: Ben Zhou

Bybit also announced a bounty program with a reward of up to 10% of recovered funds, placing up to $140 million up for grabs.

Feb. 22: Run on withdrawals, Lazarus moves funds

Following the incident, user withdrawals brought the exchange’s total asset value down by over $5.3 billion.

Despite the run on withdrawals, the exchange kept withdrawal requests open, albeit with delays, and Bybit’s independent proof-of-reserves auditor, Hacken, confirmed that reserves still exceeded liabilities.

Meanwhile, blockchain trails showed that Lazarus had continued splitting the funds into intermediary wallets, further obfuscating their movement.

In one example, blockchain analysis firm Lookonchain stated that Lazarus had transferred 10,000 ETH, worth about $30 million, to a wallet identified as “Bybit Exploiter 54” to begin laundering funds.

Blockchain security firm Elliptic wrote that the funds were likely headed for a mixer — a service that conceals the links between blockchain transactions — though “this may be challenging due to the sheer volume of stolen assets.”

Feb. 23: eXch, Bybit continues restoring funds, blacklists grow

Blockchain analysts ZachXBT and Nick Bax both alleged that the hackers were able to launder funds on the non-Know Your Customer crypto exchange eXch. ZachXBT claimed that eXch laundered $35 million of the funds and then accidentally sent 34 ETH to a hot wallet of another exchange.


Source: Nick Bax

EXch denied that it laundered funds for North Korea but admitted to processing an “insignificant portion of funds from the ByBit hack.”

The funds “eventually entered our address 0xf1da173228fcf015f43f3ea15abbb51f0d8f1123 which was an isolated case and the only portion processed by our exchange, fees from which will be donated for the public good,” eXch said.

To help identify wallets that were involved in the incident, Bybit released a blacklisted wallet application programming interface (API). The exchange said the tool would help white hat hackers taking part in its aforementioned bounty program.

Bybit also managed to restore its Ether reserves to about half of where they were before the hack, mostly through spot buys in over-the-counter trades following the incident but also including the Ether lent by other exchanges.

Feb. 24: Lazarus spotted on DEXs, Bybit closes the ETH gap

Blockchain sleuths continued to monitor the flow of funds now associated with Lazarus. Arkham Intelligence observed addresses associated with the hackers on decentralized exchanges (DEXs) trying to trade the stolen crypto for Dai (DAI).

A wallet receiving some of the stolen ETH from Bybit reportedly interacted with Sky Protocol, Uniswap and OKX DEX. According to trading platform LMK, the hacker managed to swap at least $3.64 million.

Unlike other stablecoins such as USDT and USDC (USDC), Dai can’t be frozen.

Zhou announced that Bybit had “fully closed the ETH gap” — i.e., replenished the $1.4 billion in Ether lost in the hack. His announcement was followed by a third-party proof-of-reserves report.

Bybit got its Ether reserves back to pre-hack levels. Source: Darkfost

Feb. 25: War on Lazarus

Bybit launched a dedicated website for its recovery efforts, which Zhou promoted while calling on the cryptocurrency community to unite against Lazarus Group. The site distinguishes between those who helped and those who reportedly refused to cooperate.

Almost $95 million in reported funds were moved to eXch. Source: LazarusBounty

It highlights the individuals and entities who assisted in freezing stolen funds, awarding them a 10% bounty split evenly between the reporter and the entity that froze the funds.

It also names eXch as the sole platform that refused to help, claiming it ignored 1,061 reports.

Feb. 26: FBI confirms reports about Lazarus and Safe compromise

The US Federal Bureau of Investigation (FBI) confirmed the widely reported suspicion that North Korean hackers perpetrated the Bybit exploit, naming TraderTraitor actors, better known in cybersecurity circles as Lazarus Group.

In a public service announcement, the FBI urged the private sector — including node operators, exchanges and bridges — to block transactions coming from Lazarus-linked addresses.

Source: Pascal Caversaccio

The FBI identified 51 suspicious blockchain addresses linked with the hack, while cybersecurity firm Elliptic has identified over 11,000 intermediaries.

Meanwhile, post-hack investigations found that the exploit stemmed from compromised SafeWallet credentials, not from Bybit’s infrastructure as previously reported.

Feb. 27: THORChain volume explosion

Security firm TRM Labs flagged the speed of the Bybit hackers’ laundering efforts as “particularly alarming,” with the hackers reportedly moving over $400 million by Feb. 26 through intermediary wallets, crypto conversions, crosschain bridges and DEXs. TRM also noted that most of the stolen proceeds were being converted into Bitcoin (BTC), a tactic commonly linked to Lazarus. Most of the converted Bitcoin remains parked.

Meanwhile, Arkham Intelligence found that Lazarus had moved at least $240 million in ETH through embattled crosschain protocol THORChain by swapping it into Bitcoin. Cointelegraph found that THORChain’s total swap volume exploded past $1 billion in 48 hours.

THORChain developer “Pluto” announced their immediate departure from the project after a vote to block transactions linked to the North Korean hackers was overturned. Meanwhile, Lookonchain reported that the hackers had laundered 54% of the stolen funds.

What the Bybit hack means for crypto

Bybit may have been able to fully restore its lost reserves, but the incident has raised larger questions about the blockchain industry and how hacks can be addressed.

Ethereum developer Tim Beiko swiftly dismissed a call to roll back the Ethereum network to refund Bybit. He said the hack was fundamentally different from previous incidents, adding that “the interconnected nature of Ethereum and settlement of onchain offchain economic transactions, make this intractable today.”

The fallout from the Bybit exploit suggests Lazarus Group is becoming more efficient at moving blockchain-based funds. Investigators at TRM Labs suspect this may reflect an improvement in North Korea’s crypto infrastructure or enhancements in the underground financial network’s ability to absorb illicit funds.

As the value locked in blockchain platforms grows, so does the sophistication of attacks. The industry remains a prime target for North Korean state hackers, who reportedly funnel their earnings to fund the country’s weapons program.
