The $1.4 billion hack against Bybit wasn’t just the largest exploit in crypto history — it was a major test of the industry’s crisis management capabilities, highlighting its maturation since the collapse of FTX.
On Feb. 21, North Korea’s Lazarus Group made off with $1.4 billion in Ether (ETH) and related tokens in a breach that initially sent chills throughout the entire crypto world but was quickly quelled as the industry rallied behind Bybit to manage the fallout.
Here’s a look at how the attack unfolded, how Bybit responded, and where the stolen funds are moving.
Source: Elliptic
Feb. 21: Bybit hacked
The Bybit hack was first spotted by onchain sleuth ZachXBT, who warned platforms and exchanges to blacklist addresses associated with the hack.
Soon thereafter, Bybit co-founder and CEO Ben Zhou confirmed the exploit and began providing updates and information on the breach.
A post-mortem from Chainalysis initially stated that Lazarus executed phishing attacks to access the exchange’s funds, but the analysis was later updated to report that the hackers gained control of a Safe developer’s computer rather than compromising Bybit’s systems.
The attackers managed to “reroute” some 401,000 ETH, worth $1.14 billion at the time of the exploit, and move it through a network of intermediary wallets.
The complex network of wallets, swaps and crosschain transfers the hackers have used to obscure the funds. Source: Chainalysis
Feb. 21: Bybit assures wallets are safe, Ethena solvency
The exchange was quick to assure users that its remaining wallets were safe, announcing just minutes after Zhou confirmed the exploit that “all other Bybit cold wallets remain fully secure. All client funds are safe, and our operations continue as usual without any disruption.”
A few hours after the hack, customer withdrawals remained open. Zhou stated in a Q&A session that the exchange had approved and processed 70% of withdrawal requests at that time.
Decentralized finance platform Ethena told users that its yield-bearing stablecoin, USDe, was still solvent after the hack. The platform reportedly had $30 million of exposure to financial derivatives on Bybit but was able to offset losses via its reserve fund.
Feb. 22: Crypto industry lends Bybit a helping hand, hackers blacklisted
A number of crypto exchanges reached out to help Bybit. Bitget CEO Gracy Chen announced that her exchange had lent Bybit some 40,000 ETH (around $95 million at the time).
Crypto.com CEO Kris Marszalek said he would direct his firm’s security team to offer assistance.
Other exchanges and outfits began freezing funds connected with the hack. Tether CEO Paolo Ardoino posted on X that the firm had frozen 181,000 USDt (USDT) connected with the hack. Polygon’s chief information security officer, Mudit Gupta, said the Mantle team was able to recover some $43 million in funds from the hackers.
Zhou posted a thank you note on X, tagging a number of prominent crypto firms he said helped Bybit, including Bitget, Galaxy Digital, the TON Foundation and Tether.
Source: Ben Zhou
Bybit also announced a bounty program with a reward of up to 10% of recovered funds, placing up to $140 million up for grabs.
Feb. 22: Run on withdrawals, Lazarus moves funds
Following the incident, user withdrawals brought the exchange’s total asset value down by over $5.3 billion.
Despite the run on withdrawals, the exchange kept withdrawal requests open, albeit with delays, and Bybit’s independent proof-of-reserves auditor, Hacken, confirmed that reserves still exceeded liabilities.
Meanwhile, blockchain trails showed that Lazarus had continued splitting the funds into intermediary wallets, further obfuscating their movement.
In one example, blockchain analysis firm Lookonchain stated that Lazarus had transferred 10,000 ETH, worth nearly $30 million, to a wallet identified as “Bybit Exploiter 54” to begin laundering funds.
Blockchain security firm Elliptic wrote that the funds were likely headed for a mixer — a service that conceals the links between blockchain transactions — although “this may prove challenging due to the sheer volume of stolen assets.”
Feb. 23: eXch, Bybit continues restoring funds, blacklists grow
Blockchain analysts ZachXBT and Nick Bax both alleged that the hackers were able to launder funds through eXch, a crypto exchange that does not perform Know Your Customer (KYC) checks. ZachXBT claimed that eXch laundered $35 million of the funds and then accidentally sent 34 ETH to a hot wallet of another exchange.
Source: Nick Bax
eXch denied that it laundered funds for North Korea but admitted to processing an “insignificant portion of funds from the ByBit hack.”
The funds “eventually entered our address 0xf1da173228fcf015f43f3ea15abbb51f0d8f1123 which was an isolated case and the only part processed by our exchange, fees from which we will be donated for…