North Korean Hackers Behind Bybit’s $1.4B Hack Control 11,000 Wallets

North Korean hackers linked to the Lazarus Group are suspected of using over 11,000 cryptocurrency wallets to launder the stolen funds.


Bybit responded quickly by blacklisting wallet addresses and collaborating with security firms like Elliptic and ZeroShadow to recover assets. Chainalysis revealed that the attackers used a phishing campaign to replace Bybit’s multisignature wallet implementation, which allowed unauthorized fund transfers. Meanwhile, Jack Dorsey’s Block Inc. is also dealing with crypto crime, and is facing regulatory scrutiny over AML and tax compliance issues. It is currently negotiating settlements with US authorities.

Experts Uncover North Korean Network

North Korean hackers linked to the notorious Lazarus Group are suspected of being behind the massive $1.4 billion exploit of crypto exchange Bybit, according to blockchain analytics firm Elliptic. In fact, the firm recently revealed that the hackers control more than 11,000 cryptocurrency wallets that are actively being used to launder the stolen funds.

Just days after the attack, Bybit’s co-founder and CEO Ben Zhou publicly declared “war” on the Lazarus Group after launching an initiative to recover the stolen assets. As part of its response, Bybit introduced a blacklist wallet API and offered a bounty for tracing the stolen funds. Elliptic stepped in to support the effort by publishing a freely accessible data feed that contains wallet addresses attributed to the North Korean hackers. The main goal of the initiative is to help the broader cryptocurrency community mitigate exposure to illicit funds and comply with sanctions.

Elliptic stated that within 30 minutes of Bybit announcing the exploit, it had already flagged and published a list of wallet addresses linked to the attack. This real-time response helped protect users by reducing the need for them to manually screen suspicious addresses. So far, Elliptic’s intelligence API has identified 11,084 addresses associated with the exploit, and the number is expected to rise as more links are uncovered.

After acknowledging Elliptic’s assistance, Zhou shared his gratitude in a post on X, thanking the team for its efforts in providing real-time data on the exploit. In addition to Elliptic’s involvement, Bybit also engaged Web3 security firm ZeroShadow to help with blockchain forensics. ZeroShadow’s role includes tracing and freezing the stolen funds to maximize potential recovery.

Despite the scale of the attack, Bybit maintained platform stability and continued to allow withdrawals. To keep operations running smoothly, the exchange secured external liquidity through loans and started repaying them on Feb. 25. These repayments started with a 40,000 ETH transfer to Bitget. Bybit remains focused on asset recovery and on reinforcing its security measures to prevent further breaches.

Chainalysis Reveals How Bybit Lost $1.46 Billion

Blockchain analysis firm Chainalysis shared more of the details about how hackers were able to steal the $1.46 billion from Bybit, and specifically shed light on the very sophisticated laundering tactics employed by North Korea’s Lazarus Group. The exploit took place on Feb. 21, and resulted in the loss of a huge amount of Ethereum and other tokens. Security platform Blockaid labeled it the largest exchange hack in history.

Largest crypto hacks (Source: Elliptic)

On Feb. 24, Chainalysis released a report outlining just how the attack unfolded, which revealed that the hackers followed a well-established playbook that is commonly used by North Korea-affiliated cybercriminals. According to the analysis, the attackers started their scheme with a phishing campaign targeting Bybit’s cold wallet signers. Once access was gained, they manipulated the exchange’s user interface, replacing a multisignature wallet implementation contract with a malicious version. This allowed them to process unauthorized fund transfers and execute the attack successfully.

The hackers intercepted a routine transfer from Bybit’s Ethereum cold wallet to a hot wallet, rerouting approximately 401,000 ETH, worth $1.46 billion, to their addresses. The funds were then divided among multiple intermediary wallets. This is a tactic frequently used to obscure transaction trails and complicate tracking efforts by blockchain analysts.

Chainalysis mentioned that portions of the stolen ETH were converted into Bitcoin, Dai, and other assets. The attackers took advantage of decentralized exchanges, cross-chain bridges, and instant swap services that lack Know Your Customer protocols to move the funds across different blockchain networks.

After the theft, the funds remained mostly dormant across various addresses. Chainalysis believes that this is a deliberate strategy employed by North Korean hackers, who often delay laundering to avoid immediate scrutiny. By waiting out the initial surge of investigations, the hackers hope to make their transactions less detectable over time.

How the Bybit hack unfolded (Source: Chainalysis)

Despite these tactics, the transparency of blockchain networks allowed cybersecurity firms to track and monitor the movement of the stolen funds. Chainalysis has already collaborated with industry partners to freeze more than $40 million in assets linked to the exploit. The firm also stated that it will work with both the public and private sectors to seize as much of the stolen money as possible.
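The tracking described above, splitting funds across intermediary wallets and then following them on a transparent ledger, comes down to walking the transfer graph outward from the known exploit addresses. The following is an added illustration, not code from Elliptic, Chainalysis or Bybit: it flags every address reached downstream of a seed address (with an optional hop limit) and scores each recipient by the share of its inflow that came from a flagged source. The transfers and address labels are constructed sample data, not real transactions.

```python
from collections import deque
from decimal import Decimal

# Constructed sample ledger (from, to, amount in ETH). The address strings are
# placeholders for illustration only, not real on-chain addresses.
TRANSFERS = [
    ("0xcold", "0xattacker1", Decimal("401000")),    # rerouted cold-wallet transfer
    ("0xattacker1", "0xhop_a", Decimal("200000")),   # split across intermediaries
    ("0xattacker1", "0xhop_b", Decimal("201000")),
    ("0xhop_a", "0xhop_c", Decimal("50000")),
    ("0xunrelated", "0xhop_c", Decimal("5")),        # clean funds landing in the same wallet
    ("0xhop_c", "0xswap_service", Decimal("50005")),  # moved on to a swap service
    ("0xmerchant", "0xcustomer", Decimal("1")),      # unrelated activity, never flagged
]

def trace_taint(transfers, seeds, max_hops=None):
    """Breadth-first walk along outgoing transfers from the seed (exploit)
    addresses. Returns {address: hop_count}; every address that received
    funds downstream of a seed is flagged at the first hop it is reached."""
    out_edges = {}
    for src, dst, _ in transfers:
        out_edges.setdefault(src, []).append(dst)
    flagged = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        addr = queue.popleft()
        hop = flagged[addr]
        if max_hops is not None and hop >= max_hops:
            continue  # stop expanding once the hop budget is spent
        for nxt in out_edges.get(addr, []):
            if nxt not in flagged:
                flagged[nxt] = hop + 1
                queue.append(nxt)
    return flagged

def tainted_exposure(transfers, flagged):
    """For each receiving address, the fraction of its total inflow that came
    directly from a flagged address. A wallet that is 99.99% exploit funds
    deserves different handling from one that touched them once."""
    inflow, tainted = {}, {}
    for src, dst, amt in transfers:
        inflow[dst] = inflow.get(dst, Decimal(0)) + amt
        if src in flagged:
            tainted[dst] = tainted.get(dst, Decimal(0)) + amt
    return {a: tainted.get(a, Decimal(0)) / inflow[a] for a in inflow}

if __name__ == "__main__":
    flagged = trace_taint(TRANSFERS, ["0xattacker1"])
    for addr, share in tainted_exposure(TRANSFERS, flagged).items():
        print(f"{addr:16} hop={flagged.get(addr, '-')} exposure={share:.4f}")
```

The address list grows as more links are uncovered, which is exactly the behaviour Elliptic describes: each newly observed transfer out of a flagged wallet extends the graph by one more node.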

Chainalysis stressed the importance of proactive threat prevention and of transparency in how user funds are protected. The firm pointed out that crypto exchanges have to clearly communicate to regulators and users how they ensure the security of customer assets.

Block Under Pressure Amid AML and Tax Disputes

Bybit is not the only company dealing with crypto crime. Jack Dorsey’s payments firm Block Inc. is in negotiations with the New York State Department of Financial Services (NYDFS) to settle allegations related to its Anti-Money Laundering (AML) and Bitcoin programs. 

In a Feb. 24 filing with the Securities and Exchange Commission (SEC), Block stated that discussions with NYDFS were ongoing about aspects of its Bank Secrecy Act compliance and AML measures. The company is exploring the possibility of reaching a settlement on mutually acceptable terms.

Block has been facing multiple legal, regulatory, and tax-related challenges, including investigations and settlements. In January, NYDFS proposed settlement terms, but details were not disclosed in the filing. While Block acknowledged that it accrued a liability for this matter, it maintained that the amount is not large enough to impact its 2024 financials. The company was previously under scrutiny from multiple US state money transmission regulators between January of 2021 and March of 2023, with an investigation finding deficiencies in its AML program, particularly regarding compliance with the Bank Secrecy Act.

In January, Block reached a settlement agreement with various state money transmission regulators but New York was not included. The firm neither admitted nor denied any wrongdoing but agreed to pay $80 million in penalties as part of the settlement, with payments expected to be completed by February of 2025. Additionally, Block committed to appointing an independent consultant to evaluate and enhance its AML program, while a Compliance Management Committee was established to oversee the implementation of corrective measures.

Part of Block’s settlement agreement

Even more regulatory scrutiny came from the Consumer Financial Protection Bureau, which investigated Cash App in January over how it handled customer complaints and disputes. As a result, Block agreed to pay a $55 million civil penalty and set aside between $75 million and $120 million for customer restitution.

Beyond regulatory matters, Block is also dealing with tax disputes. The San Francisco Treasurer and Tax Collector audited the firm’s tax receipts from 2020 to 2022, claiming that additional taxes were owed on Bitcoin-related revenue. Block remains under serious regulatory pressure while working to resolve its outstanding compliance and tax-related issues.