
Bybit Launches Cross-Chain Bounty Platform to Hunt $1.5 Billion Hack Proceeds

One week after suffering the largest cryptocurrency heist in history, Bybit took a bold step toward recovery on February 28, 2025. The exchange announced the V1.1 update to its LazarusBounty platform, introducing cross-chain hacker tracking capabilities and an expanded reward structure designed to incentivize the global cybersecurity community. The update came just as the FBI officially attributed the $1.5 billion theft to North Korea’s Lazarus Group, confirming what blockchain analysts had suspected since the February 21 attack on Bybit’s Ethereum cold wallets.

The Threat Landscape

The Bybit hack of February 21, 2025 represented a new level of sophistication in cryptocurrency theft. Attackers believed to be affiliated with North Korea’s state-sponsored Lazarus Group used a combination of spear-phishing, UI manipulation, and zero-day exploits to bypass Bybit’s multi-signature cold wallet security. They manipulated transaction data displayed on the screens of authorized signers, making a massive withdrawal to attacker-controlled addresses appear as a routine transfer to a warm wallet. The total loss exceeded $1.5 billion in Ethereum, dwarfing all previous crypto heists and surpassing North Korea’s total cryptocurrency theft figures for the entirety of 2024.

The attack exposed a sobering reality: even exchanges with substantial security budgets and multi-signature protections remain vulnerable to determined, well-resourced adversaries. The Lazarus Group’s tactics have evolved far beyond simple private key theft, now incorporating supply chain compromises, social engineering at scale, and exploitation of the human elements in security workflows. On February 28, the FBI issued a formal attribution, confirming North Korean involvement and urging exchanges and decentralized platforms to block known Lazarus Group wallet addresses.

Core Principles

Bybit’s bounty program is built on several key principles that distinguish it from previous post-hack responses. First, the program leverages the transparency of public blockchains, enabling anyone with analytical skills to trace stolen funds across chains. Second, it creates direct financial incentives for white-hat hackers and blockchain analysts to contribute to recovery efforts, offering up to 10% of recovered funds as rewards. Third, the updated V1.1 platform introduces cross-chain tracking capabilities, recognizing that sophisticated laundering operations quickly move assets across multiple blockchains.

The bounty platform now supports tracking across Ethereum, Bitcoin, and several layer-2 networks where the stolen Ethereum has been converted and dispersed. Bybit CEO Ben Zhou emphasized that the fight against Lazarus Group is not just about recovering one exchange’s losses — it is about establishing a precedent that state-sponsored crypto theft carries meaningful consequences and that the decentralized security community can mount an effective response.

Tooling and Setup

Security researchers and blockchain analysts participating in the bounty program have access to several advanced tools and datasets. Bybit has partnered with leading blockchain analytics firms including Chainalysis, Elliptic, and TRM Labs to provide participants with real-time intelligence on fund movements. The V1.1 update added a cross-chain address tracker that monitors stolen assets as they move through decentralized exchanges, bridges, and mixing services.
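An added illustration (not code from Bybit, the LazarusBounty platform, or the analytics firms named above) of the bookkeeping a cross-chain tracker performs: replay transfers in time order, carry the traced balance across a bridge hop, and report where it lands. All addresses, amounts, bridge records and labels are constructed, and amounts are assumed to be normalised to one unit of value.

```python
from collections import defaultdict

# Constructed sample data in chronological order: (chain, sender, receiver, amount).
TRANSFERS = [
    ("eth", "theft_wallet", "hop_a", 100),
    ("eth", "theft_wallet", "hop_b", 50),
    ("eth", "hop_a", "bridge_in_1", 60),    # leaves Ethereum through a bridge
    ("eth", "hop_a", "cex_deposit_1", 40),
    ("eth", "hop_b", "dex_router", 50),
    ("btc", "bridge_out_1", "btc_hop", 60), # same funds, now on another chain
    ("btc", "btc_hop", "cex_deposit_2", 30),
    ("btc", "unrelated", "btc_hop", 500),   # untraced sender: must not add taint
]
# Constructed bridge records: deposit address on one chain -> payout address on another.
BRIDGE_LINKS = {("eth", "bridge_in_1"): ("btc", "bridge_out_1")}
# Constructed service labels (in practice supplied by an attribution dataset).
LABELS = {
    ("eth", "cex_deposit_1"): "exchange",
    ("btc", "cex_deposit_2"): "exchange",
    ("eth", "dex_router"): "dex",
}

def trace(transfers, source, stolen, bridge_links):
    """Replay transfers and return {(chain, address): traced balance}."""
    taint = defaultdict(int)
    taint[source] = stolen
    for chain, sender, receiver, amount in transfers:
        # Only the part of a transfer covered by traced funds is followed.
        moved = min(amount, taint[(chain, sender)])
        if moved <= 0:
            continue
        taint[(chain, sender)] -= moved
        # A bridge deposit re-homes the traced balance on the destination chain.
        dest = bridge_links.get((chain, receiver), (chain, receiver))
        taint[dest] += moved
    return {addr: bal for addr, bal in taint.items() if bal > 0}

def freeze_candidates(balances, labels):
    """Traced balances sitting at addresses labelled as centralized exchanges."""
    return sorted((c, a, bal) for (c, a), bal in balances.items()
                  if labels.get((c, a)) == "exchange")

if __name__ == "__main__":
    result = trace(TRANSFERS, ("eth", "theft_wallet"), 150, BRIDGE_LINKS)
    for chain, addr, bal in freeze_candidates(result, LABELS):
        print(f"flag for freeze: {chain}:{addr} holds {bal} traced units")
```

The traced total is conserved at every step, so any shortfall between the stolen amount and the sum of the reported balances points to a missing transfer or bridge record rather than to funds that vanished.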

Participants can register on the LazarusBounty platform and submit evidence of fund tracing or recovery. The platform evaluates submissions based on the quality and actionability of intelligence provided. Rewards are structured proportionally — higher payouts for intelligence that directly leads to fund recovery, and smaller bounties for tracking data that contributes to the broader investigation. The program also coordinates with law enforcement agencies across multiple jurisdictions, as the stolen funds have already been dispersed across a complex web of wallets and platforms.

Ongoing Vigilance

The Bybit bounty program represents a shift in how the crypto industry responds to major security incidents. Rather than relying solely on internal security teams and law enforcement, the program crowdsources the investigation to a global community of analysts and researchers. Early results have been promising — within the first week, community participants helped identify and flag several wallet clusters associated with the laundering operation, leading to freezes on multiple centralized exchanges.

However, the challenge remains formidable. North Korea’s Lazarus Group has years of experience in laundering stolen cryptocurrency, typically converting assets through decentralized exchanges, routing them through privacy tools, and eventually cashing out through over-the-counter desks in jurisdictions with limited regulatory cooperation. The bounty program’s long-term success will depend on sustained community engagement and the ability to stay ahead of increasingly sophisticated laundering techniques.

Final Takeaway

The Bybit bounty platform update on February 28, 2025, signals an important evolution in crypto security culture. By combining the transparency of blockchain data with the collective intelligence of the global security community, Bybit is creating a model for post-incident response that could become standard practice across the industry. For individual users, the lesson is clear: diversify storage solutions, use hardware wallets for the majority of holdings, and maintain heightened awareness during periods of elevated threat activity. The $1.5 billion Bybit hack and the subsequent Kelp DAO exploit on the same day underscore that February 2025 was a turning point for crypto security awareness.


7 thoughts on “Bybit Launches Cross-Chain Bounty Platform to Hunt $1.5 Billion Hack Proceeds”

  1. cross-chain tracking on the bounty platform is smart. lazarus moves funds across networks fast, you need tools that keep up

    1. the ui manipulation angle is what gets me. signers saw a legit-looking transaction on screen. that's social engineering at scale

    2. wei zhang cross-chain tracking is step one but lazarus uses mixers and bridge hops within minutes. bounty or not that money is gone

      1. laundered through tornado and across 6 chains in under 48 hours last time i checked. bounty platforms are reactive by nature

  2. Elena Vasquez

    UI manipulation of multi-sig screens is terrifying. if the signers can't trust what they see on screen, the whole cold wallet model breaks

    1. exactly. if you can spoof what signers see on screen then multisig is theater. hardware security needs to extend to the display layer
