On Friday, hackers stole around $1.4 billion in Ethereum cryptocurrency from crypto exchange Bybit, in what is the largest crypto heist of all time.

After the hack, several blockchain monitoring firms, as well as the well-known crypto investigator ZachXBT, have all pointed to the North Korean government hacking group known as Lazarus Group as the culprit. 

ZachXBT was the first to point the finger of blame, just a few hours after he himself noticed the first signs of the hack. The researcher said he was able to track the stolen cryptocurrency from Bybit to wallets used in previous hacks against Phemex, BingX, and Poloniex, which have all been linked to North Korea. 

When TechCrunch asked how confident he was of North Korea being behind the Bybit hack ZachXBT said: “100%,” and pointed to those previous hacks. “Law enforcement is also treating it that way,” said ZachXBT.

Blockchain monitoring firm Elliptic also reached the same conclusion. “Beginning minutes after the theft from Bybit, the Elliptic team have been working around the clock with Bybit, our customers and fellow investigators, to trace these funds and prevent the North Korean regime from benefitting from them,” Elliptic wrote in a blog post.

Elliptic said it believes North Korean hackers were responsible, “based on various factors, including our analysis of the laundering of the stolen cryptoassets.” The company added that Lazarus Group follows a “characteristic pattern” to launder the crypto it steals.

North Korea is a prolific crypto stealer. The regime’s hackers have been linked to at least 58 crypto heists, according to a United Nations panel. The United States, Japan, and South Korean governments say Kim Jong-Un’s government stole more than $650 million in multiple crypto hacks and heists during 2024. 

Tom Robinson, Elliptic’s co-Founder and chief scientist, told TechCrunch that the company is basing the attribution on the fact that “funds stolen from Bybit are being commingled with funds from multiple DPRK-attributed thefts,” referring to the North Korean regime.

“Also, the laundering methods being used are very similar to those previously seen with DPRK,” said Robinson. “Plus a couple of other factors that I can’t share.”

Blockchain intelligence firm TRM Labs also concluded “with high confidence” that North Korea was behind the Bybit hack, the company said in a blog post on Friday. 

Bybit’s spokesperson Tony Au declined to comment on the North Korea link, saying “our team is still investigating at this moment.” 

North Korea’s Permanent Mission to the United Nations did not respond to TechCrunch’s request for comment.