Background Introduction
Funds were stolen from a Bybit hot wallet; the assets involved are ETH.
Although this is a multi-signature wallet, $15 billion worth of ETH has been withdrawn to a new address and is currently being sold.
Official response:
Bybit discovered an unauthorized operation involving one of our ETH cold wallets. The incident occurred while we were transferring from the ETH multi-signature cold wallet to the warm wallet. The attacker used a complex attack method to mask the signature interface—displaying the correct address on the surface, but actually tampering with the underlying smart contract logic, thereby illegally controlling the affected ETH cold wallet and transferring its assets to an unknown address.
Currently, our security team is working with top blockchain forensic experts and partners to fully investigate this matter. Teams with blockchain on-chain analysis and fund recovery capabilities are welcome to contact us for collaboration.
Immediately after the incident, SlowMist speculated that the attackers were North Korean hackers, based on the techniques used to obtain the Safe multi-signature and on the money laundering methods.
ZachXBT also confirmed that this attack is related to the North Korean hacker organization Lazarus Group, which has been mainly engaged in transnational cyber attacks and stealing cryptocurrencies. The evidence provided by ZachXBT, including test transactions, associated wallets, forensic charts, and time analysis, all shows that the attacker used common techniques of the Lazarus Group in multiple operations. Meanwhile, Arkham stated that all relevant data has been shared with Bybit to help further the investigation.
North Korean Hackers
On February 21, the cryptocurrency exchange Bybit suffered a $1.5 billion hacker attack, once again spotlighting the North Korean hacker organization Lazarus Group.
In recent years, this organization has succeeded repeatedly: the theft at the KuCoin exchange, the theft at the Ronin cross-chain bridge, and even the hack of the personal wallet of the founder of DeFiance Capital were all orchestrated by this mysterious hacker organization.
You might wonder, how does one of the most closed countries in the world cultivate such astonishing power in the digital battlefield?
In the traditional military field, North Korea struggles to compete with the US-South Korea alliance, but cyber warfare gives it the strategic leverage of "using a lever to move a heavy object."
Thus, since the 1980s, the North Korean government has spent a great deal of effort on hacker training, internally designated as "Secret War."
Jang Se-yul, a North Korean who defected to South Korea in 2007, previously studied at North Korea's top engineering school, Mirim University (now renamed University of Automation). During his university years, Jang took courses offered by Bureau 121.
After graduation, Jang joined the North Korean Reconnaissance General Bureau, of which Bureau 121 is an elite spy agency. It was then that he began to interact with top hackers in Bureau 121.
Jang Se-yul later told Business Insider in an interview that compared to North Korea's nuclear threats, its cyber warfare threats are more real and dangerous. He said, "This is a silent war. The war has started without a single shot being fired."
The question is, how can such a poor and resource-scarce country put so much effort into cyber warfare?
Jang Se-yul's answer is: because training a hacker is very cheap.
Typically, North Korean society is divided into basic masses (core class), complex masses (ordinary middle class), and remnants of hostile classes (landlords, rich peasants' descendants, and other hostile classes), further divided into 56 subclasses. These class classifications are recorded in the residents' ledger and used in the cadre recruitment process.
An Zanri, chairman of the World North Korea Research Center, stated that in the past, North Korean hackers also had to consider their background because if their loyalty to the party decreased, it would pose a threat to the regime.
Only later, when the international community imposed comprehensive sanctions on North Korea and blocked its avenues for earning foreign exchange, was North Korea left with cyber attacks as its only way to earn foreign exchange.
This also opened a special channel for cyber warfare talent, allowing for exceptional recruitment.
Jang's alma mater, the University of Automation, is the core base for training North Korean hackers. He mentioned, "Each class only recruits 100 students, but there are as many as 5000 applicants."
This is essentially an advanced version of the college entrance examination. Once admitted, becoming a hacker means joining the top 1% of North Korea, although the process is also extremely arduous.
Before these young hackers graduate, they undergo nearly nine years of rigorous training, starting from the age of 17.
At school, they attend six classes a day, each lasting 90 minutes, learning various programming languages and operating systems. They spend a lot of time analyzing programs like Microsoft's Windows operating system to study how to break into the computer information systems of hostile countries like the US and South Korea.
Moreover, their core task is to develop their own hacker programs and computer viruses, without relying on existing hacker programs from outside.
In Jang's view, North Korean hackers are technically no less skilled than top programmers at Google or the CIA, and possibly even better.
From the first day of their education, these "young black generals" are given missions and targets, divided into different groups focusing on attacking different countries and regions, such as the US, North Korea, and Japan. Once hackers are assigned to a specific "country group," they spend nearly two years undercover in that country, learning the local language and cultural knowledge to avoid exposing flaws beyond their technical skills.
Jang mentioned that one of his friends works for an overseas department of Bureau 121, but he outwardly appears as an employee of a North Korean trading company. No one knows his real identity, and his company is operating normally.
Due to the special nature of cyber warfare, these young hackers have free access to the internet, keeping up with the latest international trends, and they are well aware of their country's "closed and conservative" nature, but this does not shake their patriotism or loyalty to their leader.
"Even if others try to persuade them forcefully, even offering them jobs at the South Korean Presidential Office, they would not betray their country," Jang stated.
Of course, becoming a hacker also means money and privileges.
Young hackers can earn a monthly salary of $2,000, twice that of an ambassador stationed abroad. In addition, they can obtain luxury apartments over 185 square meters in the center of Pyongyang and can move their families to the capital, which are undoubtedly very tempting conditions.
In the new era where keyboards replace missiles, the keyboards of young hackers will become the Sword of Damocles for cryptocurrencies.