Bybit declares war on North Korea's Lazarus crime-ring to regain $1.5B stolen from wallet

Up to $140M in bounty rewards for return of Ethereum allegedly pilfered by hermit nation


Cryptocurrency exchange Bybit, just days after suspected North Korean operatives stole $1.5 billion in Ethereum from it, has launched a bounty program to help recover its funds.

In announcing the initiative, CEO and co-founder Ben Zhou claimed Kim Jong Un's crack cyber-crime ring Lazarus pilfered the digital dosh, which would be a record for the Norks.

The lazarusbounty.com program claims to have already paid out more than $4 million in rewards to those who have helped Bybit in its quest to claw back its stolen coins.

"We will not stop until Lazarus or bad actors in the industry are eliminated," Zhou said. "In the future we will open it up to other victims of Lazarus as well."

Here's how the program works: If someone spots and reports a blockchain transaction or transfer involving currency that can be traced back to the theft from Bybit's wallet, they'll get five percent of the crypto-cash upon its recovery, and the exchange or mixer that facilitated the retrieval will get a five percent cut, too. That means about $140 million is up for grabs total (Ethereum has dropped more than 10 percent in US dollar value in the past few days).

Zhou also said his biz is setting up a "HackBounty platform," for the whole industry to get involved with and hunt down criminals profiting from such thefts.

“I am energized by the incredible camaraderie on-chain and in real life. This can be a transformative moment for our industry if we get it right. Together, we can build a stronger defense system against cyber threats,” said Zhou.

Dubai-based Bybit insists it is still liquid, its customer accounts are unaffected, and that it has enough funds on hand to cover transactions despite the theft.

The exchange's problems began on February 21 at approximately 1230 UTC when funds that were supposed to be transferred from an offline Ethereum (ETH) cold wallet to an online hot one were diverted, its postmortem explains.

"The transaction was manipulated by a sophisticated attack that altered the smart contract logic and masked the signing interface, enabling the attacker to gain control of the ETH cold wallet. As a result, over 400,000 ETH and stETH worth more than $1.5 billion were transferred to an unidentified address."

According to an analysis of the incident by forensic security outfit Sygnia Labs and financial investigators Verichains, the heist was pulled off by miscreants who were able to alter the JavaScript code of SafeWallet, which is used by Bybit to manage its funds, so that the Ethereum in transit ultimately ended up in North Koreans' pockets. Allegedly.

It's believed the code was changed by compromising an AWS S3 or CloudFront account used by SafeWallet to host its software. This analysis has since been confirmed by the wallet maker itself, which said one of its developer machines was compromised – likely leading to the cloud storage tampering.

"The forensic review into the targeted attack by the Lazarus Group on Bybit concluded that this attack targeted to the Bybit Safe was achieved through a compromised machine of a SafeWallet developer resulting in the proposal of a disguised malicious transaction," SafeWallet said.

"Lazarus is a state-sponsored North Korean hacker group that is well known for sophisticated social engineering attacks on developer credentials, sometimes combined with zero-day exploits. Important! The forensic review of external security researchers did NOT indicate any vulnerabilities in the Safe smart contracts or source code of the frontend and services."

Nevertheless the wallet site urged caution and said it was taking steps to hopefully avoid further attacks such as these. ®
