Lazarus Group’s Strategic Pause: The $1.4 Billion Bybit Heist

The cryptocurrency world was stunned by the February 21st, 2025, Bybit hack, resulting in losses exceeding $1.4 billion. Evidence suggests the North Korea-linked Lazarus Group was behind this unprecedented cybercrime, and their actions in the latter half of 2024 point to meticulous planning.

Blockchain analytics firm Chainalysis revealed a significant drop in illicit activities tied to North Korean cyber actors after July 1st, 2024. This lull, following a period of heightened attacks, sparked concerns and fueled speculation.

Eric Jardine, Chainalysis’ lead cybercrimes researcher, highlighted the suspicious quiet period. He noted a possible correlation with a Russia-DPRK summit and subsequent resource reallocation, including sending military personnel to the Ukraine conflict. This shift, he suggested, could have freed up resources for the ambitious Bybit attack.

North Korean hacking activity before and after July 1. Source: Chainalysis

Jardine further elaborated on the possibility that the pause represented a strategic regrouping, allowing the Lazarus Group to identify new targets, test infrastructure vulnerabilities, or simply consolidate resources for a larger operation.

The Lazarus Group efficiently laundered the stolen funds, employing THORChain to move 100% of the $1.4 billion within ten days. Despite this swift action, blockchain investigators remain optimistic, with a significant portion of the funds still traceable as of March 20, 2025, leaving open the possibility of recovery.

The Bybit hack underscores the persistent vulnerability of even heavily secured centralized exchanges to sophisticated cyberattacks. The attack bears resemblance to previous incidents, including the WazirX and Radiant Capital hacks, highlighting a concerning pattern in attack methods.

According to Meir Dolev, co-founder and CTO at Cyvers, the Bybit attack involved compromising an Ethereum multisig cold wallet via a deceptive transaction. This tactic tricked signers into unknowingly approving malicious code, granting the attackers control of the wallet and facilitating the theft.

North Korea hacking activity. Source: Chainalysis

Chainalysis data reveals a stark increase in North Korean-attributed cryptocurrency theft in 2024, totaling over $1.34 billion across 47 incidents—a 102% rise from 2023. This alarming figure represents 61% of all cryptocurrency stolen that year.