North Korean Hacking Group Lazarus Involved in Significant Attack on Cryptocurrency Exchange ByBit
David Sehyeon Baek
Silent Push analysts have uncovered critical infrastructure connected to the Lazarus Group, the notorious North Korean Advanced Persistent Threat (APT), involved in a high-profile cyberattack on the cryptocurrency exchange ByBit. This sophisticated attack, initially identified by crypto analyst ZachXBT, marks a significant escalation, highlighting the substantial financial risks posed by Lazarus's continued cyber operations.
Initial Detection and Attribution
On February 21, 2025, ZachXBT publicly disclosed a massive crypto theft at ByBit, linking the incident directly to the Lazarus Group—an APT known for its connection to North Korea's Reconnaissance General Bureau. Arkham Crypto Intelligence subsequently issued a bounty for additional information, accelerating investigative efforts. Silent Push analysts promptly joined the investigation, leveraging previous intelligence that confirmed Lazarus's involvement.
Early Warning Signs and Ongoing Threat Activity
The ByBit hack was part of a broader and persistent cyber campaign. In December 2024, researcher Tayvano highlighted employment phishing schemes targeting the crypto industry, involving deceptive domains such as "api.nvidia-release[.]org." These domains, typically associated with Lazarus’s BlueNoroff subgroup, were actively distributing malware targeting macOS users through fraudulent job interviews.
Infrastructure and Indicators of Compromise
During their investigation, Silent Push analysts uncovered the domain “bybit-assessment[.]com,” registered just hours before the ByBit attack. The domain's registration email, "[email protected]," was previously linked to Lazarus activities. Additionally, analysts discovered internal Lazarus test records explicitly using the term "Lazaro," further indicating the group's direct involvement.
Notably, Lazarus operatives employed at least 27 unique IP addresses from Astrill VPN services to conceal their true locations. These VPN IP addresses appeared consistently in Lazarus’s internal infrastructure logs, reflecting their meticulous operational security measures.
Connection Between Bybit and Phemex Crypto Hacks
Blockchain analysis by ZachXBT revealed a direct financial link between the Bybit and Phemex crypto hacks. On-chain data demonstrated stolen funds from both exchanges converging at the Ethereum wallet address 0x33d057af74779925c4b2e720a820387cb89f8f65. This convergence provides compelling evidence of Lazarus’s coordinated management and laundering of stolen crypto assets.
Lazarus Group Tactics and Infrastructure
Recent intelligence further highlights Lazarus’s sophisticated methods, specifically their use of targeted social engineering. Lazarus deceived victims through fabricated technical error messages prompting users, especially on macOS, to run malicious scripts (e.g., ffmpeg.sh) purportedly to resolve camera or microphone issues, resulting in device compromise.
Silent Push’s ongoing investigation confirmed the registration of the "bybit-assessment[.]com" domain under Lazarus’s persona "Trevor Greer." Trevor Greer has been extensively documented in prior research related to Lazarus’s BlueNoroff subgroup, known for financial cyber theft.
Internal logs demonstrated Lazarus’s thorough testing using disposable emails such as [email protected] and confirmed consistent use of Astrill VPN IP addresses (e.g., 104.223.97.2, 91.239.130.102), underscoring their disciplined preparation and operational security.
Employment Scam Techniques
The Lazarus subgroup known as "Contagious Interview" or "Famous Chollima" orchestrated these employment scams. They operated fraudulent domains like "Blockchainjobhub[.]com," tricking victims into downloading malware disguised as necessary camera driver updates. By infiltrating and examining this infrastructure, Silent Push analysts revealed further insights into Lazarus’s deceptive operational methods.
Impersonation of Reputable Brands
Silent Push also identified numerous Lazarus-controlled domains impersonating prominent financial and crypto entities such as Binance, Tether, Kraken, KuCoin, Bitstamp, Coinbase, and Robinhood, among others. These fake domains aimed to trick victims into sharing credentials or downloading malware, leading directly to financial loss and compromised systems.
Collaborative Intelligence Sharing
Recognizing Lazarus’s adaptability, Silent Push emphasizes proactive threat intelligence sharing. They have publicly shared Indicators of Future Attack (IOFAs) and continue to encourage organizations to enhance threat detection proactively. Comprehensive details remain accessible to enterprise subscribers and law enforcement to optimize defensive measures and response strategies.
Recommended Mitigation Strategies
Organizations should remain vigilant by monitoring identified Lazarus-associated IP addresses and domains, especially those linked to employment phishing campaigns. Regular cybersecurity training for employees and continuous enhancement of security infrastructure are essential to mitigating potential impacts from sophisticated threats posed by Lazarus and similar adversaries.
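As an added example (not code from Silent Push or from the article's author), here is the kind of watchlist check the recommendation above describes, run over constructed resolver log lines: it matches the domains and Astrill VPN IP addresses quoted in the report, flags domains registered within days of the query (as bybit-assessment[.]com was), and flags unvetted domains that embed one of the impersonated brand names. The allowlist, the registration dates and the log lines are assumptions constructed for the demonstration.

```python
from datetime import date

# Indicators quoted in the report above (defanged with [.] there), refanged here for matching.
WATCHLIST_DOMAINS = {"bybit-assessment.com", "api.nvidia-release.org", "blockchainjobhub.com"}
WATCHLIST_IPS = {"104.223.97.2", "91.239.130.102"}
# Brands the report says Lazarus domains impersonated, plus the victim exchange itself.
BRANDS = ("binance", "tether", "kraken", "kucoin", "bitstamp", "coinbase", "robinhood", "bybit")
# Hypothetical allowlist of the brands' genuine domains; maintain it from your own vetting.
KNOWN_GOOD = {"binance.com", "kraken.com", "coinbase.com", "bybit.com"}
# Constructed stand-in for a WHOIS/RDAP lookup (domain -> registration date).
REGISTRATION = {"bybit-assessment.com": date(2025, 2, 21),
                "kucoin-careers-portal.com": date(2025, 2, 20), "kraken.com": date(2000, 1, 1)}
NEW_DOMAIN_DAYS = 7  # registered within a week of the query counts as newly registered
# Constructed resolver log lines: timestamp, host, queried domain, resolved IP.
SAMPLE_LOG = """\
2025-02-21T09:58:00Z ws-17 bybit-assessment.com 104.223.97.2
2025-02-21T10:02:00Z ws-04 kraken.com 203.0.113.10
2025-02-21T10:05:00Z ws-09 kucoin-careers-portal.com 198.51.100.7
2025-02-21T10:07:00Z ws-17 example.org 203.0.113.99
"""

def refang(indicator):
    # Turn a defanged indicator such as "bybit-assessment[.]com" back into matchable form.
    return indicator.replace("[.]", ".").lower()

def assess(domain, dst_ip, today):
    """Return the sorted list of reasons one query is suspicious (empty if none)."""
    domain = refang(domain)
    reasons = []
    if domain in WATCHLIST_DOMAINS:
        reasons.append("watchlist-domain")
    if dst_ip in WATCHLIST_IPS:
        reasons.append("watchlist-ip")
    registered = REGISTRATION.get(domain)
    if registered is not None and (today - registered).days < NEW_DOMAIN_DAYS:
        reasons.append("newly-registered")
    if domain not in KNOWN_GOOD:  # a brand name inside an unvetted domain is a lookalike
        reasons.extend(f"brand-lookalike:{b}" for b in BRANDS if b in domain)
    return sorted(reasons)

def scan(log_text, today):
    """Return [(domain, reasons)] for every log line that triggers at least one reason."""
    hits = []
    for line in log_text.splitlines():
        _ts, _host, domain, dst_ip = line.split()
        reasons = assess(domain, dst_ip, today)
        if reasons:
            hits.append((domain, reasons))
    return hits
```

The newly-registered and brand-lookalike checks are heuristics that need the allowlist kept current; the indicator matches are the only exact signals.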