On , blockchain analytics firm Arkham Intelligence attributed an exploit of Bybit’s Ethereum cold wallet to the Lazarus Group, a North Korean state-sponsored hacking entity. This attack led to the unauthorized transfer of approximately 401,000 Ethereum (ETH) and stETH, valued at over $1.5 billion, marking it as potentially the largest single cryptocurrency theft in history. Bybit confirmed unauthorized activity and stated it possessed sufficient assets to cover the losses, processing 70% of withdrawal requests. The U.S. Federal Bureau of Investigation (FBI) officially confirmed the Lazarus Group’s involvement on .
Separately, Coinbase disclosed that a cyberattack, which came to light following a $20 million Bitcoin ransom demand on , could cost the company between $180 million and $400 million for remediation and customer reimbursements. The incident involved criminals bribing overseas subcontractors to access sensitive customer data, including names, addresses, phone numbers, emails, government IDs, and partial Social Security numbers. While Coinbase asserted no funds, passwords, or private keys were directly compromised in the initial breach, some affected users were subsequently targeted by phishing and social engineering schemes. Coinbase co-founder Brian Armstrong offered a $20 million bounty for information leading to the perpetrators.
Other incidents attributed to the Lazarus Group include a , attack on Iranian crypto exchange Nobitex, draining $90 million in crypto. On , Turkish exchange BtcTurk suspended withdrawals after approximately $48 million in assets were siphoned from its hot wallets, primarily Ethereum. This marked BtcTurk’s second major breach in 14 months. Furthermore, South Korean authorities suspect the Lazarus Group was behind an exploit on , where approximately $36 million in various tokens were stolen from Upbit’s Solana hot wallets.
The cumulative financial impact of these security breaches is substantial. The Bybit hack alone represents a loss exceeding $1.5 billion. For Coinbase, the estimated $180 million to $400 million cost includes investigation, cleanup, and potential customer reimbursements for funds lost through social engineering, though the company declined to pay the initial $20 million ransom demand. The Lazarus Group’s laundering techniques have also evolved, with Ari Redbord, global head of policy at TRM Labs, noting the “extraordinary pace of post-hack laundering,” where $160 million was funneled illicitly within two days of the Bybit attack. The group reportedly bridged 500,000 ETH (approximately $1.3 billion) from Ethereum to native Bitcoin, primarily using THORChain.
The Lazarus Group, believed to be operated by the North Korean government, is known for its sophisticated cybercrime activities aimed at generating revenue, often to circumvent international sanctions and support its regime. Their tactics frequently involve exploiting vulnerabilities in cryptocurrency platforms, including hot wallets, and employing social engineering to compromise personnel or systems. For instance, the Coinbase incident highlights insider threats where subcontractors were bribed to gain access to customer data. In the Nobitex attack, the group allegedly targeted the exchange due to perceived links with the Islamic Revolutionary Guard Corps.
The precise number of Coinbase users directly affected by subsequent social engineering scams, beyond the initial data breach impacting less than 1% of its users, remains unspecified. The full timeline for all ongoing investigations and potential recovery of stolen funds from the various hacks is also not yet publicly detailed.
Ongoing investigations by law enforcement agencies, including the FBI and South Korean authorities, are expected to continue tracking the stolen funds and identifying perpetrators. Cryptocurrency exchanges are likely to face increased pressure to bolster internal security protocols, particularly concerning third-party vendors and employee access to sensitive data. The industry may also see further collaboration among blockchain analytics firms and exchanges to improve tracing and recovery efforts for stolen assets. Users of affected platforms will likely await further updates on reimbursements and enhanced security measures.
Users of cryptocurrency exchanges are advised to enable multi-factor authentication (MFA) on all accounts and use unique, strong passwords. Remain vigilant against phishing attempts and social engineering scams, especially those impersonating exchange support staff. Regularly monitor transaction histories for any suspicious activity and report unauthorized transactions immediately to the respective platform. Consider using hardware wallets for storing significant amounts of cryptocurrency to reduce exposure to hot wallet vulnerabilities.