Researchers Uncover $1.4B in Sensitive Data Tied to ByBit Hack by Lazarus Group

In a significant breakthrough, cybersecurity firm Silent Push has uncovered sensitive infrastructure tied to the Lazarus Group, a North Korean state-sponsored Advanced Persistent Threat (APT).

This discovery sheds light on the group’s involvement in the historic $1.4 billion cryptocurrency heist targeting ByBit, one of the largest thefts in crypto history.

The investigation revealed that the Lazarus Group registered the domain “bybit-assessment[.]com” mere hours before the attack on February 20, 2025.

Analysis of WHOIS records linked this domain to an email address, “trevorgreer9312@gmail[.]com,” previously associated with Lazarus operations.

The group also utilized Astrill VPN services extensively, with 27 unique IP addresses identified in their testing logs.

Silent Push analysts confirmed that these findings align with Lazarus’s established tactics, techniques, and procedures (TTPs).

A Coordinated Attack with Historical Parallels

The Lazarus Group, active since at least 2009 and linked to the Reconnaissance General Bureau of North Korea, has been implicated in numerous cyberattacks targeting financial institutions and cryptocurrency platforms.

The ByBit attack was initially flagged by blockchain investigator ZachXBT on February 21, 2025.

Details from the BlueNoroff Research folder

His analysis of on-chain transactions and wallet movements provided early indicators of Lazarus’s involvement, which were later corroborated by Arkham crypto intelligence.

Silent Push’s follow-up investigation uncovered additional infrastructure linked to Lazarus, including domains used for phishing campaigns and fake job interviews.

These domains, such as “blockchainjobhub[.]com” and “nvidia-release[.]org,” were part of elaborate schemes to lure victims via LinkedIn into downloading malware under the guise of employment opportunities.
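The domains in this article are published defanged (with "[.]" in place of the dot), which is the form defenders usually receive them in. The following script is an added example, not code from the original article or from Silent Push: it refangs the article's three domain indicators and scans DNS query log lines for exact or subdomain matches, so that a query for a host under one of these domains surfaces as a hit while look-alike names that merely contain the string do not. The log lines and the log format are constructed for illustration and are not real telemetry.

```python
"""Match defanged domain indicators against DNS query log lines.

Added example, not code from the original article or from Silent Push.
The indicator list is taken from the article; the log lines below are
constructed for illustration and are not real telemetry.
"""
import re
from typing import Dict, Iterable, List, Optional

# Indicators exactly as the article reports them (defanged with "[.]").
ARTICLE_INDICATORS = [
    "bybit-assessment[.]com",
    "blockchainjobhub[.]com",
    "nvidia-release[.]org",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator into a plain lower-case domain name.

    Handles the common "[.]", "(.)", "{.}" and "hxxp://" conventions and
    strips any trailing path so only the host name remains.
    """
    value = indicator.strip().lower()
    value = re.sub(r"^hxxps?://", "", value)
    value = value.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
    value = value.split("/", 1)[0]
    return value


def matches_indicator(hostname: str, indicators: Iterable[str]) -> Optional[str]:
    """Return the indicator domain that `hostname` equals or is a subdomain of.

    Subdomain matching matters: a query for "login.bybit-assessment.com"
    should still hit the "bybit-assessment.com" indicator, while a
    look-alike such as "notbybit-assessment.com" must not.
    """
    host = hostname.strip().lower().rstrip(".")
    for ioc in indicators:
        domain = refang(ioc)
        if host == domain or host.endswith("." + domain):
            return domain
    return None


# Constructed sample log in a simplified "timestamp client query" shape
# (assumed format for the example). Only lines 1 and 4 should match.
SAMPLE_DNS_LOG = """\
2025-02-20T14:02:11Z 10.0.5.21 login.bybit-assessment.com
2025-02-20T14:02:15Z 10.0.5.21 bybit.com
2025-02-20T14:03:40Z 10.0.7.9 nvidia.com
2025-02-20T14:05:02Z 10.0.7.9 nvidia-release.org
2025-02-20T14:06:30Z 10.0.7.9 notbybit-assessment.com
"""

DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<query>\S+)$")


def scan_dns_log(log_text: str,
                 indicators: Iterable[str] = ARTICLE_INDICATORS) -> List[Dict[str, str]]:
    """Return one hit record per log line whose queried name matches an indicator."""
    indicators = list(indicators)
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = DNS_LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than failing the scan
        hit = matches_indicator(m.group("query"), indicators)
        if hit:
            hits.append({"ts": m.group("ts"), "client": m.group("client"),
                         "query": m.group("query"), "indicator": hit})
    return hits


if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{h['ts']} {h['client']} queried {h['query']} -> matches {h['indicator']}")
```

The suffix check uses "." + domain rather than a bare substring test; that is what keeps "notbybit-assessment.com" out of the results while still catching any host under the listed domains.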

Technical Insights into Lazarus Operations

Silent Push analysts infiltrated Lazarus’s infrastructure, uncovering logs that detailed their meticulous testing processes.

The group frequently tested phishing configurations and credential-stealing mechanisms before deploying them in live attacks.

Notably, test entries included references to “Lazaro,” a name closely resembling “Lazarus,” further confirming attribution.

The investigation also highlighted Lazarus’s use of fake job interviews as an entry point for malware deployment.

Victims were often tricked into executing malicious scripts disguised as camera driver updates during these interviews.

A false message about the camera not working appears

One such malware strain, analyzed by cybersecurity researcher Tayvano, was a Golang-based backdoor used for data exfiltration.

While Silent Push has not yet identified direct ByBit victims in the exposed logs, their findings have provided critical intelligence for mitigating future threats.

The firm has shared Indicators of Future Attacks (IOFAs) with enterprise clients to enable proactive defense measures.

Additionally, Silent Push continues to collaborate with law enforcement agencies to disrupt Lazarus’s operations.

This investigation underscores the evolving sophistication of state-sponsored cybercrime and the importance of collective efforts in combating such threats.

Silent Push plans to release a detailed report on its findings later this week, offering further insights into the methodologies employed by the Lazarus Group.

Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
