Lazarus Group

Safe: Developer machine compromise led to the Bybit theft; no vulnerabilities in the contract or frontend code

ChainCatcher news, Safe responded on platform X to Bybit's hacking forensic report, stating that the forensic review of the Lazarus Group's targeted attack on Bybit concluded that the attack on Bybit's Safe was executed through compromised Safe{Wallet} developer machines, leading to a disguised malicious transaction. Lazarus is a government-backed North Korean hacking organization known for complex social engineering attacks on developer credentials, sometimes combined with zero-day vulnerabilities. The forensic review by external security researchers did not indicate any vulnerabilities in the Safe smart contracts or in the source code of the front end and services.

Following the recent incident, the Safe{Wallet} team conducted a thorough investigation and has now begun a phased restoration of Safe{Wallet} on the Ethereum mainnet. The Safe{Wallet} team has completely rebuilt and reconfigured all infrastructure and rotated all credentials to ensure the attack vector is fully eliminated. After the final results of the investigation are released, the Safe{Wallet} team will publish a complete post-mortem analysis. The Safe{Wallet} front end remains operational and has implemented additional security measures. However, users need to be extra cautious and vigilant when signing transactions.

SlowMist's Yu Xian (Cosine): Attacker in the CEX theft incident confirmed as the North Korean hacker group Lazarus Group; attack methods disclosed

ChainCatcher news, SlowMist founder Yu Xian posted on social media, "Through forensic analysis and correlation tracking, we confirm that the attackers of the CEX theft incident are the North Korean hacker group Lazarus Group. This is a nation-state APT attack targeting cryptocurrency trading platforms. We have decided to share the relevant IOCs (Indicators of Compromise), which include some IPs of cloud service providers, proxies, etc. It is important to note that this disclosure does not specify which platform or platforms were involved, nor does it mention Bybit; if there are similarities, it is indeed not impossible."

The attackers utilized pyyaml for RCE (Remote Code Execution), enabling the delivery of malicious code to control target computers and servers. This method bypassed most antivirus software. After synchronizing intelligence with partners, multiple similar malicious samples were obtained. The main goal of the attackers is to gain control over wallets by infiltrating the infrastructure of cryptocurrency trading platforms, thereby illegally transferring a large amount of cryptocurrency assets from the wallets.

SlowMist published a summary article revealing the attack methods of the Lazarus Group, and also analyzed their use of social engineering, vulnerability exploitation, privilege escalation, internal network penetration, and fund transfer tactics. At the same time, based on actual cases, they summarized defense recommendations against APT attacks, hoping to provide references for the industry and help more institutions enhance their security capabilities and reduce the impact of potential threats.

Zhao Changpeng: Suggesting a withdrawal pause was a prudent move; Bybit CEO made the best decision given the situation

ChainCatcher news, Binance founder Zhao Changpeng expressed detailed views on the recent hacking incident, "We have observed a pattern where hackers are able to steal large amounts of cryptocurrency from multi-signature 'cold storage' solutions. Exchanges like Bybit, Phemex, and WazirX have all encountered similar situations. In the recent Bybit case, hackers were able to make the front-end user interface display legitimate transactions, while the actual signatures pointed to another transaction. For other cases, based on limited information, it seems that similar methods were employed.

What is even more concerning is that the affected exchanges used different multi-signature solution providers. The hacker organization Lazarus Group has demonstrated extremely advanced and widespread infiltration capabilities. It is still unclear whether the hackers successfully infiltrated multiple signing devices, the server side, or both were compromised.

Some have questioned my previous suggestion to pause withdrawals as a standard security precaution (a tweet I posted while on the shuttle bus to the airport). My intention was to share a practical approach based on experience and observation, but there is no absolute right or wrong in this practice. My guiding principle has always been to lean towards the safer side. After any security incident, all operations should be paused to ensure we fully understand what happened, how the hackers infiltrated the system, which devices were compromised, and only after triple-checking for safety should we resume operations.

Of course, pausing withdrawals may trigger more panic. In 2019, after a significant hacking incident of $40 million, we paused withdrawals for a week. When we resumed withdrawals (and deposits), the deposit volume actually exceeded the withdrawal volume. This does not mean that this method is better; each situation is different and requires judgment.

I tweeted to share potentially effective practices, intending to express support in a timely manner. I believe Ben made the best decision based on the information available. Ben maintained transparent communication and a calm demeanor while handling this challenging situation. This stands in stark contrast to other CEOs lacking transparency, such as those from WazirX, FTX, etc. The cases mentioned here are all different. FTX is a case of fraud, and as for WazirX, I will refrain from commenting due to ongoing litigation.

Most importantly, we should never take security for granted. It is essential to understand security knowledge so that you can choose the right tools for your needs. To this end, I will share an article I wrote a few years ago. Although some parts may be outdated, the basic concepts still apply. Stay safe (SAFU)!"

Analysis: The Bybit hackers' fund flow path is ETH to BTC to fiat; the process may take several years, gradually turning into selling pressure

ChainCatcher news, according to an analysis by Eric Wall, co-founder of Taproot Wizards, the Bybit theft incident has been largely confirmed to be the work of the North Korean hacker group Lazarus Group. According to Chainalysis's 2022 report, this organization typically follows a fixed pattern in handling stolen funds, a process that may take years. Data from 2022 shows that the organization still held $55 million from the 2016 attack, indicating that they are not in a hurry to cash out quickly.

The process for handling stolen funds is as follows:

Step one: Convert all ERC20 tokens (including liquidity derivatives like stETH) into ETH;
Step two: Exchange all obtained ETH for BTC;
Step three: Gradually exchange BTC for RMB through Asian exchanges;
Final use: It is claimed that these funds will be used to support North Korea's nuclear weapons and ballistic missile programs.

The analysis indicates that Bybit is currently covering a gap of about $1.5 billion in ETH through borrowing, a strategy that may be based on the hope of recovering the stolen funds. However, given the confirmation that it is the work of the Lazarus Group, the likelihood of recovery is extremely low, and Bybit will have to purchase ETH to repay the loans. In the long term, Bybit's purchases of ETH may offset the Lazarus Group's selling of ETH for BTC, while the BTC acquired by the Lazarus Group will gradually turn into selling pressure over the next few years.