Lazarus Group Moves Stolen Bybit Funds Into Phemex Hacker Wallet
North Korea’s Lazarus Group tied to Bybit and Phemex hacks

North Korea’s notorious cybercrime syndicate, Lazarus Group, is believed to be behind the historic $1.4 billion Bybit hack, as well as the $29 million attack on Phemex, according to fresh onchain data. The connection further cements Lazarus as one of the most dangerous threats in the crypto space.
The February 21 Bybit breach now stands as the largest crypto theft in history, targeting liquid-staked Ether, Mantle Staked ETH (mETH), and other ERC-20 tokens. Blockchain security experts, including Arkham Intelligence and ZachXBT, have linked the stolen funds to wallets associated with Lazarus Group. Further investigations revealed that the same wallets were behind January’s Phemex attack.
In a February 22 post, ZachXBT highlighted that Lazarus had directly linked the two incidents by moving funds from both hacks into a single wallet. Blockchain data shows that the Phemex exploit drained $29 million across 125 transactions spanning 11 blockchain networks. The attackers quickly converted the stolen assets into Ether using Tornado Cash, a crypto mixer designed to obfuscate transactions.
The Bybit attack alone amounts to more than half of the $2.3 billion lost to crypto hacks in 2024. Experts believe it shares similarities with previous high-profile breaches, such as the $230 million WazirX hack and the $58 million Radiant Capital hack. Security analysts suggest the attackers gained control of Bybit’s Ethereum multisig cold wallet by tricking signers into approving a malicious smart contract.
Lazarus Group has been linked to some of the largest crypto heists, including the infamous $600 million Ronin network hack. Chainalysis data reveals that North Korean hackers stole $1.34 billion across 47 attacks in 2024, a staggering 102% increase from the previous year.
In response, the U.S., Japan, and South Korea issued a joint warning in January about the growing cyber threat posed by North Korea. The warning followed sanctions against 15 North Korean individuals accused of using stolen crypto to fund the country’s nuclear weapons program.