02-28-2025

The frantic hours following Bybit’s announcement of a billion-dollar hack felt more like days. Word spread like wildfire across social media: Lazarus Group, the infamous North Korean state-sponsored hacking collective, was suspected of orchestrating the audacious theft.

Overnight, Bybit became the epicenter of the largest known crypto heist in history, and the industry watched its every move.

For outsiders, the hack was both a technological marvel and a sobering lesson in security vulnerabilities. Even revered protections like multi-signature wallets had proven fallible. The attackers exploited trust rather than cryptography: they manipulated what a signer's device displayed, so that the prompt showed a routine transfer while the payload actually handed to the signing routine carried the malicious instructions. This seamless illusion let the hackers reroute over 400,000 ETH, including staked derivatives, into their own addresses.
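The pattern described above, as an added illustration (this is not Bybit's, a wallet vendor's or the attackers' code): a signing front end shows one transaction while handing a different payload to the signing routine, a signer who trusts the screen approves whatever it is given, and a signer who recomputes the digest of the exact payload and compares it with a digest obtained out of band refuses. The addresses, amounts and the digest scheme (sha256 over canonical JSON in place of the chain's real transaction digest) are constructed placeholders, and the multisig approval routine shows why a threshold of signers does not help when every signer sees the same faked screen.

```python
"""Simulation of a signing-device compromise: the screen shows one transaction
while the signing routine is handed another. Added illustration, not code from
any party involved; addresses, amounts and the digest scheme are placeholders."""
import hashlib
import json


def tx_digest(tx: dict) -> str:
    """Digest of a canonical serialisation of the payload (placeholder scheme,
    standing in for the chain's real transaction digest)."""
    canonical = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


# Constructed: the transfer the signers believe they are approving.
DISPLAYED_TX = {"to": "0xWARM_WALLET", "value_eth": 1000, "data": "0x"}
# Constructed: what a compromised front end actually passes to the signer.
INJECTED_TX = {"to": "0xATTACKER", "value_eth": 1000, "data": "0x"}


class HonestUI:
    """Displays and signs the same payload."""

    def show(self) -> dict:
        return DISPLAYED_TX

    def payload_to_sign(self) -> dict:
        return DISPLAYED_TX


class CompromisedUI(HonestUI):
    """Displays the expected transfer but hands the signer something else."""

    def payload_to_sign(self) -> dict:
        return INJECTED_TX


def blind_sign(ui) -> str:
    """A signer who trusts the screen: returns the digest it actually signed."""
    return tx_digest(ui.payload_to_sign())


def verified_sign(ui, expected_digest: str):
    """A signer who recomputes the digest of the exact payload handed to the
    signing routine and compares it with a digest obtained out of band (from
    the proposer over a separate channel, or on a second device). Returns None,
    i.e. refuses to sign, on mismatch."""
    actual = tx_digest(ui.payload_to_sign())
    if actual != expected_digest:
        return None
    return actual


def collect_signatures(ui, signers, threshold: int) -> bool:
    """Multisig approval: each signer is a callable(ui) returning a digest or
    None. The transaction executes only if `threshold` signers approve the same
    digest, so the out-of-band check has to hold for every signer individually."""
    approvals = [signer(ui) for signer in signers]
    approved = [d for d in approvals if d is not None]
    return len(approved) >= threshold and len(set(approved)) == 1


if __name__ == "__main__":
    expected = tx_digest(DISPLAYED_TX)
    print("blind signer on compromised UI signed injected tx:",
          blind_sign(CompromisedUI()) == tx_digest(INJECTED_TX))
    print("verifying signer on compromised UI refused:",
          verified_sign(CompromisedUI(), expected) is None)
    print("2-of-3 blind signers approve on compromised UI:",
          collect_signatures(CompromisedUI(), [blind_sign] * 3, 2))
```

The point of `verified_sign` is that the comparison happens against bytes the signing routine will actually consume, not against anything the same device rendered; if the expected digest comes from the compromised screen, the check proves nothing.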

After initially identifying the breach and confirming that the compromised wallet was confined to Bybit’s Ethereum cold storage, the exchange’s security team scrambled to understand the scale of damage. While Bybit CEO Ben Zhou was projecting a picture of calm publicly on social media, the real challenge was only beginning behind the scenes. The stolen funds were on the move.

Crypto analytics firms, including Arkham Intelligence, Chainalysis, and Nansen, sprang into action, mapping the labyrinth of addresses connected to the hack. It was like watching a colony of ants scatter: huge transfers landed in newly created Ethereum wallets, split into smaller amounts, then bridged across different blockchains, from Polygon to Tron to BNB Chain. Every time one cluster of funds was identified, Lazarus adapted, consolidating and dispersing tokens elsewhere.

Using sophisticated mixing services and chain-hopping techniques, the hackers systematically laundered their loot. Derivatives were converted into liquid ETH before off-ramping into BTC or fiat. Tainted addresses surfaced across decentralized exchanges, where the absence of an operator able to enforce a blacklist offered a shield. For Bybit's pursuers, it was a high-stakes chase with no guarantee of a finish line.

In a display of cooperation that transcended typical competitive boundaries, exchanges worldwide began blacklisting wallets flagged by ZachXBT and other blockchain sleuths as belonging to the Bybit hacker.

“We just froze 181k USDT connected to the ByBit hack,” Tether CEO Paolo Ardoino wrote on X. “Might not be much, but it’s honest work.”

Likewise, bridging protocols attempted to prevent illicit flows from crossing their networks, some even suspending front-end services to frustrate the hackers’ progress. Yet decentralized finance (DeFi) protocols, by their very nature, typically lack enforcement mechanisms that can halt transactions mid-flow. As soon as the hacker’s addresses were blocked on one platform, they would pop up somewhere else, metamorphosing in the blink of an eye.
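The address mapping and blacklisting described above, as an added illustration of how forward taint tracing works across chain hops; this is not the tooling of Arkham, Chainalysis, Nansen or ZachXBT, and every address, chain name and amount is made up. The trace follows funds outward from a seed address, ignores dust-sized transfers so that attackers cannot smear taint onto bystanders, stops at known services that commingle funds (those become the contacts to ask for a freeze), and follows a bridge deposit only to the release transfer of matching amount on the destination chain.

```python
"""Forward taint tracing over a constructed cross-chain transfer graph.
Added illustration; not any analytics firm's tooling. All data is made up."""
from collections import defaultdict, deque

# Constructed transfers: (chain, sender, recipient, amount in ETH-equivalent).
TRANSFERS = [
    ("ethereum", "0xVICTIM_COLD", "0xHACK1", 400_000),
    ("ethereum", "0xHACK1", "0xHACK2", 150_000),
    ("ethereum", "0xHACK1", "0xHACK3", 150_000),
    ("ethereum", "0xHACK1", "0xHACK4", 100_000),
    ("ethereum", "0xHACK2", "0xDEX_POOL", 150_000),       # swap venue, commingled
    ("ethereum", "0xHACK3", "0xBRIDGE_DEPOSIT", 150_000),  # bridge out of Ethereum
    ("ethereum", "0xINNOCENT", "0xBRIDGE_DEPOSIT", 7),     # unrelated bridge user
    ("tron", "TBRIDGE_RELEASE", "THACK5", 150_000),        # bridge release, matches
    ("tron", "TBRIDGE_RELEASE", "TINNOCENT", 7),           # the other user's release
    ("tron", "THACK5", "TEXCHANGE_HOT", 150_000),          # deposit at an exchange
    ("ethereum", "0xHACK4", "0xRANDOM_USER", 0.001),       # dusting a bystander
]

# Constructed bridge: deposits on one chain are released from this address on another.
BRIDGE_LINKS = {("ethereum", "0xBRIDGE_DEPOSIT"): ("tron", "TBRIDGE_RELEASE")}

# Addresses that commingle funds; the trace stops there and reports them as contacts.
KNOWN_SERVICES = {("ethereum", "0xDEX_POOL"), ("tron", "TEXCHANGE_HOT")}


def build_graph(transfers):
    """Adjacency list keyed by (chain, address) -> [((chain, address), amount)]."""
    graph = defaultdict(list)
    for chain, src, dst, amount in transfers:
        graph[(chain, src)].append(((chain, dst), amount))
    return graph


def trace(seeds, transfers=TRANSFERS, bridge_links=BRIDGE_LINKS,
          known_services=KNOWN_SERVICES, dust=1.0):
    """Return (tainted, contacts): addresses reached by the seeds' funds, and the
    services at which tracing stopped. `dust` is the minimum amount a transfer
    must carry to propagate taint (a heuristic threshold, not a standard)."""
    graph = build_graph(transfers)
    tainted = set(seeds)
    contacts = set()
    queue = deque(seeds)
    while queue:
        node = queue.popleft()
        for nxt, amount in graph.get(node, []):
            if amount < dust:
                continue                      # dusting does not taint the recipient
            if nxt in known_services:
                contacts.add(nxt)             # commingled: stop, request a freeze
                continue
            if nxt in bridge_links:
                release = bridge_links[nxt]
                # The bridge pools deposits; follow only the release of equal amount.
                for out, amt in graph.get(release, []):
                    if amt == amount and out not in tainted:
                        tainted.add(out)
                        queue.append(out)
                continue
            if nxt not in tainted:
                tainted.add(nxt)
                queue.append(nxt)
    return tainted, contacts


def blacklist_by_chain(tainted):
    """Group tainted addresses per chain, the shape an exchange's blocklist takes."""
    by_chain = defaultdict(list)
    for chain, addr in sorted(tainted):
        by_chain[chain].append(addr)
    return dict(by_chain)


if __name__ == "__main__":
    tainted, contacts = trace({("ethereum", "0xHACK1")})
    print("blacklist:", blacklist_by_chain(tainted))
    print("freeze requests to:", sorted(contacts))
```

Matching bridge releases by exact amount is the simplification here; real tracing also uses timing and bridge event logs, and a launderer who splits amounts before bridging defeats the naive match, which is one reason the chase in the article had no guaranteed finish line.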

Meanwhile, Zhou walked a fine line between transparency and damage control. With the entire industry watching, each message he posted online was parsed for hidden meanings or signs of deeper trouble.

“I’m not going to pretend this isn’t a catastrophic event,” he stated during an online Q+A. “But we are solvent, even if this loss isn’t recovered. The exchange is profitable and well-capitalized. Our clients’ funds remain our top priority.”

Critics and supporters alike noted that while Bybit’s internal user data and operational systems were intact, it was precisely the cold storage—the vault of the vaults—that had been tricked open.

Although no direct evidence suggested collusion by staff, rumors persisted that a hack of this magnitude required inside help. A multi-signature wallet needs more than one private key, each held by a different signer, before funds can move; how could every signer's device have been fed the same falsified prompt without an insider helping the attackers along?

Security analysts pointed to Lazarus Group’s established playbook of targeted phishing and Trojan horse infiltration. Members of the group have allegedly infiltrated crypto and fintech companies under false identities, occasionally worming their way into positions of trust. Others argued that remote compromise, though challenging, was still within the realm of possibility for a state-sponsored group as well-funded and experienced as Lazarus.

For investigators, the hunt to reclaim lost digital assets is a perpetual game of cat and mouse. With each passing hour, the network of addresses storing the stolen Ether becomes more fragmented. Even if investigators identify them, that might happen after the coins have traversed multiple mixing protocols, re-emerged as different tokens, or been withdrawn as cash by intermediaries halfway around the world.

Adding to the complexity, the Lazarus Group was known to perform dry runs—testing infiltration methods on smaller or mid-tier exchanges before a large-scale strike. On-chain sleuth ZachXBT noted that addresses tied to the Bybit hack overlapped with previous Lazarus activity at Phemex and BingX, strongly reinforcing the group’s involvement.

Determined to at least slow the hackers, Bybit offered a recovery bounty: any entity that managed to freeze or recover stolen funds would receive 10% of the amount, up to $140 million in total. But the prospects of recovery in such cases are typically bleak; ZachXBT put a good outcome at getting back 15-30% of the funds.

As the dust settles, the Bybit hack stands as a stark reminder that even the most fortified digital vaults are susceptible to sophisticated attack vectors. As investigators continue tracking the scattered funds, the crypto world is learning a painful lesson—trust in technology is fragile, especially when human error is involved.

The billion-dollar hunt is about more than just recovering funds. It’s about safeguarding an industry that remains a prime target for those willing to exploit its weakest links.

And if Lazarus can dismantle a fortress like Bybit, what exchange is truly safe?
