- Lazarus Group laundered $1.08M from Bybit hack via Solana, linked to memecoin scams.
- ZachXBT traces $1.4B Bybit hack funds to Solana, connecting Lazarus Group to scams.
- Lazarus Group’s involvement in Bybit hack also extends to $29M Phemex breach and scams.
Lazarus Group Linked to Bybit Hack and Solana Memecoin Scams, Investigation Reveals. On February 23, 2025, on-chain investigator ZachXBT published findings connecting North Korea’s Lazarus Group to the massive $1.4 billion Bybit hack on February 21, 2025. The report also ties the group to recent memecoin scams on Solana’s Pump.fun platform. ZachXBT’s analysis highlights a complex laundering operation involving stolen funds from the Bybit exploit.
The investigation shows that on February 22, 2025, the attacker received $1.08 million from the Bybit hack. This amount moved to a wallet address, 0x363908df2b0890e7e5c1e403935133094287d7d1, which bridged the funds as USDC to Solana.
After splitting between numerous wallets, several of the addresses had previously been associated with memecoin scams. Through its analysis, ZachXBT identified more than 920 cryptocurrency addresses involved in the hack, with Lazarus Group identifying involvement with Pump.fun memecoin launches.
Bybit Hack Funds Laundered Through Solana Memecoin Platforms
The analysis from ZachXBT shows Lazarus Group used the stolen Bybit funds through multiple laundering transactions. The $1.08 million USDC bridged from Solana to Binance Smart Chain (BSC) divided across more than 30 addresses through a programmed mechanism. The address 0x0beb8b5f899a15ed5e6be5c597f88b2c7d5b3a collected funds before it returned the assets to Solana. The funds were distributed by a few wallets that sent $106,000 USDC to ten Solana addresses which belonged to coin scammers.
The investigator noted that Lazarus Group launched meme coins through Pump.fun only 15 hours before public disclosure. The observed activities show that the cybercriminals utilized the platform to cover up the source of their stolen money. The exchanged funds were moved to different exchanges, which complicated tracking and detection efforts. ZachXBT retained undisclosed to prevent interference, however, ZachXBT validated the release of wallets from analytics tools.
Lazarus Group’s Broader Crypto Attack Patterns
ZachXBT’s findings extend beyond the Bybit hack. The same Lazarus Group wallets linked to this exploit also connect to the $29 million Phemex hack in January 2025. This pattern indicates a consistent strategy of targeting cryptocurrency platforms and laundering funds across blockchains like Solana and BSC.
The report underscores the group’s role in Solana’s recent memecoin scams, including rug pulls on Pump.fun. These scams have damaged investor trust in Solana, with high-profile cases like the Libra token rug pull, where insiders allegedly drained over $107 million. Such incidents have contributed to a decline in Solana’s user activity, with active addresses dropping to 9.5 million in February 2025, down from 15.6 million in November 2024.
The investigation highlights the challenges blockchain networks face in combating sophisticated cyber threats. Lazarus Group’s actions reveal a growing trend of exploiting decentralized platforms for money laundering, impacting the broader crypto industry’s security and stability.