Bybit Declares War on “Notorious” Lazarus Group After $1.4B Hack, Offers $140m Reward

Bybit, a leading crypto exchange, has declared war on the “notorious” Lazarus Group, a hacker group made up of an unknown number of individuals and alleged to be run by the government of North Korea.

This comes after the crypto exchange experienced a security breach resulting in the unauthorized transfer of over $1.4 billion in liquid-staked Ether (ETH) and MegaETH (mETH). The exchange reported unauthorized access to one of its Ethereum cold wallets on February 21, 2025.

Following the hack, blockchain security firms, including Arkham Intelligence, identified North Korea’s Lazarus Group as the likely culprit. This has spurred Bybit to declare war on the group, offering a $140M bounty reward.

Bybit CEO Ben Zhou announced the move on X, launching Lazarusbounty.com, the first bounty site that shows full transparency on the money laundering activities of the sanctioned Lazarus Group.

He wrote,

“Join us on war against Lazarus. Industry-first bounty site that shows aggregated full transparency on the sanctioned Lazarus money laundering activities. V1 includes:

– Becoming a bounty hunter by connecting your wallet and helping trace the funds; when your submitted bounty leads to a freeze, the bounty is paid upfront, instantly upon freezing.

– All freezers get 5% of the bounty, exchange, mixers, and all.

– Live ranking of good and bad actors and their response time to deal with the sanctioned Lazarus group transactions. You don’t want to end up on the bad actor list, it’s a record of you helping to facilitate sanctioned transactions.

– Live API wallet address update for exchange, Chainalysis.”

Zhou added that the exchange has assigned a team dedicated to maintaining and updating the website, stating that the hunt will not stop until the Lazarus Group or bad actors in the industry are eliminated.

Several users on X commended the initiative, with others expressing the desire to provide necessary information to ensure that the perpetrators of the hack are exposed.

Here are some reactions:

@tallmetommy wrote,

“This is a game-changer for the industry. Transparency, accountability, and real-time action finally, a bounty system that incentivizes cleaning up the space while putting pressure on bad actors.”

@henlomeme wrote,

“Unity wins! The whole Web3 fam stands strong with ByBit to take down Lazarus and all da bad actors. Let’s keep our space clean, decentralized, and fair for ALL.”

@dcryptodragons wrote,

“Now this has become interesting. We will witness the first ever live hunt of thieves where the people from the whole world will take part to catch them.”

@HIVFOREVER wrote,

“Just when you thought cyber warfare couldn’t get any wilder. A ‘war’ on Lazarus, huh? I love how this industry’s first bounty site is all about transparency and accountability. It’s like the crypto community finally saying, ‘Hey, we’re not just a bunch of rebels – we’re team players!’ And that 5% cut for freezers? That’s some creative incentivization right there. But seriously, can’t help but wonder what kind of resources will be needed to take down these bad actors. Anyone have any ideas or expertise they’d like to share?”

@Derichio wrote,

“Good to see the transparency on your end @benbybit And by involving the crypto community you have for sure a higher chance at succeeding! It is time to send a clear message: Even if you succeed in stealing tokens, you will not be able to use them. This should be rolled out!”

Bybit $1.4 Billion Hack

Bybit announced Friday that a hack related to a cold wallet caused a loss of 401,346 Ethereum ($1.4 billion). Chief Executive and co-founder Ben Zhou said on X that the theft was limited to the Ethereum cold wallet and that “warm wallet and all other cold wallets are fine.”

Bybit immediately sought to reassure its customers that their cryptocurrency holdings were safe, while its chief executive said on social media that Bybit would refund all those affected, even if the hacked currency was not returned.

“Bybit is solvent even if this hack loss is not recovered, all of clients assets are 1 to 1 backed, we can cover the loss,” Ben Zhou, Bybit’s co-founder and chief executive, said.

He added that the company held $20bn in customer assets and would be able to cover any unrecovered funds itself or through loans from partners. Bybit, which has more than 60 million users worldwide and is the world’s second-largest cryptocurrency exchange by trading volume, said news of the hack had led to a surge in withdrawal requests.

In a positive development, the exchange disclosed that it had recovered the stolen $1.46 billion through a combination of loans, whale deposits, and Ethereum (ETH) purchases, according to Lookonchain data.

On Monday 24, 2025, Bybit CEO Ben Zhou announced on X that Bybit had already fully closed the ETH gap, noting that a new audited proof-of-reserves (POR) report will be published very soon to show that the crypto exchange is again back to 100% 1:1 on client assets through Merkle Tree.

Notorious Lazarus Group

The Lazarus Group is a notorious cybercrime organization widely believed to be backed by the North Korean government. Active since at least 2009, they are known for carrying out sophisticated cyberattacks targeting a variety of sectors, including financial institutions, cryptocurrency platforms, and critical infrastructure worldwide. Experts link them to North Korea’s Reconnaissance General Bureau, a key intelligence agency, suggesting their operations serve both financial and geopolitical goals, such as funding the regime and gathering intelligence.

They first gained attention with attacks like “Operation Troy” (2009-2012), a cyber-espionage campaign using basic denial-of-service tactics against South Korea. Over time, their methods evolved significantly. High-profile incidents include the 2014 Sony Pictures hack, which exposed sensitive data in retaliation for a film mocking North Korea’s leader, and the 2016 Bangladesh Bank heist, where they stole $81 million through fraudulent SWIFT transactions. They’re also tied to the 2017 WannaCry ransomware attack, which disrupted systems globally using an NSA exploit.

The group’s focus has shifted in recent years toward cryptocurrency theft, reflecting North Korea’s need for foreign currency under sanctions. Notable crypto heists include the $625 million Axie Infinity hack in 2022 and a staggering $1.46 billion Ethereum theft from Bybit in 2025, showcasing their growing expertise in exploiting digital finance. They often use social engineering—like fake job offers or phishing emails—and custom malware to infiltrate systems, adapting tactics to evade detection.

While their exact membership is unknown, estimates suggest subgroups like Bluenoroff, with around 1,700 members, specialize in financial crimes, and their total network could involve thousands of operatives. Despite their sophistication, occasional operational slip-ups, like exposing infrastructure in 2023, reveal they’re not infallible. Their persistence and adaptability make them one of the most significant cyber threats today, with losses attributed to them exceeding $2 billion by some accounts.

Moving Forward

The crypto space, with its billions in custodial assets, has become a prime target for increasingly creative and well-resourced attackers. The Bybit hack, which occurred on February 21, 2025, stands as a stark reminder of the vulnerabilities that persist in the cryptocurrency space, even among major exchanges.

The sophistication of recent attacks, such as leveraging advanced phishing, social engineering, and user interface manipulation, highlights the urgent need for equally sophisticated security measures to protect digital assets.
