BlockBeats News, February 23rd: pump.fun has now removed from its front end the meme coin associated with the Bybit attacker, the North Korean hacker group Lazarus Group.
BlockBeats previously reported that on-chain detective ZachXBT disclosed in his personal channel that he had discovered an entity using pump.fun to issue and trade meme coins to launder money for the Bybit hack.
BlockBeats News, February 23rd, on-chain sleuth ZachXBT revealed in a post on his personal channel that a certain entity was laundering money from the Bybit hack through issuing and trading meme coins on pump.fun.
On February 22nd, the attacker received $1.08 million in funds from the Bybit hack at address "0x363908...d7d1" and then transferred the USDC to the Solana network. Subsequently, all the USDC on the Solana network was cross-chain transferred to two addresses on the BSC network. These two BSC addresses programmatically dispersed the USDC to over 30 addresses before consolidating it. Following this, 106,000 USDC was split among 10 BSC addresses and then cross-chain transferred back to 10 Solana addresses. The money launderer then exchanged the received SOL for meme coins.
15 hours ago, on-chain sleuth ZachXBT publicly disclosed over 920 addresses that received funds from the Bybit hack and found that a money launderer had previously issued meme coins for the North Korean hacker group Lazarus Group through the pump.fun platform. For security reasons, the specific wallet addresses are not being disclosed for now, and multiple analysis tool providers have been asked to take down the related interfaces.
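The dispersal-then-consolidation pattern described in the laundering flow above (a hub splitting USDC across 30+ fresh addresses that then forward it to one collector) can be flagged with a simple graph heuristic. The following is an added example, not code from BlockBeats or ZachXBT; the addresses, amounts and thresholds are constructed.

```python
from collections import defaultdict

# Constructed sample transfers (not real on-chain data): (sender, receiver, amount).
# Mirrors the reported pattern: a hub fans funds out to 30+ addresses, which fan
# back in to one consolidation address; a benign exchange payout batch is included
# so the heuristic has something it must NOT flag.
def build_sample_transfers():
    transfers = []
    for i in range(32):
        mule = f"mule_{i:02d}"
        transfers.append(("bsc_hub_1", mule, 3_300.0))      # fan-out
        transfers.append((mule, "bsc_collect", 3_290.0))    # fan-in
    for i in range(40):                                     # benign payout batch
        transfers.append(("cex_hot", f"user_{i:02d}", 150.0))
    transfers.append(("user_03", "merchant", 150.0))        # one user spends normally
    return transfers


def find_fan_out_fan_in(transfers, min_fan=30, min_consolidated=0.8):
    """Return {hub: (n_recipients, sink, share)} for senders with at least
    min_fan distinct recipients whose onward transfers concentrate at least
    min_consolidated of the hub's outflow on a single sink address."""
    out_edges = defaultdict(lambda: defaultdict(float))     # sender -> receiver -> amount
    for sender, receiver, amount in transfers:
        out_edges[sender][receiver] += amount

    hits = {}
    for hub, recipients in out_edges.items():
        if len(recipients) < min_fan:
            continue
        sent = sum(recipients.values())
        onward = defaultdict(float)                         # candidate sink -> amount
        for r in recipients:
            for sink, amt in out_edges.get(r, {}).items():
                if sink != hub:                             # ignore refunds to the hub
                    onward[sink] += amt
        if not onward:
            continue
        sink, amt = max(onward.items(), key=lambda kv: kv[1])
        share = amt / sent
        if share >= min_consolidated:
            hits[hub] = (len(recipients), sink, round(share, 3))
    return hits


if __name__ == "__main__":
    for hub, info in find_fan_out_fan_in(build_sample_transfers()).items():
        print(f"suspicious fan-out/fan-in: {hub} -> {info[0]} addresses -> {info[1]} ({info[2]:.1%})")
```

Only the hub is reported; the exchange payout batch has the same fan-out but no consolidation, so it passes.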
BlockBeats News, February 23, according to Spotonchain's latest data update, Bybit raised 254,830 ETH (693 million USD) within 48 hours after the hack, including:
132,178 ETH (367 million USD), possibly acquired through OTC trades with Galaxy Digital, FalconX, and Wintermute;
122,652 ETH (326 million USD), sourced from loans from exchanges/platforms/institutions such as Bitget, MEXC, Binance, and DWF Labs (some of which could also be personal lending by whales).
Meanwhile, the hacker has cross-chain swapped 40,944 ETH (115 million USD) into BTC and other assets through Chainflip, THORChain, LiFi, DLN, and eXch. Currently, the hacker still holds 458,451 ETH (1.29 billion USD), approximately 91.7% of the stolen 499,395 ETH (1.4 billion USD).
BlockBeats News, February 23, Strategy (formerly MicroStrategy) founder Michael Saylor once again released an investment tracking chart, implying that he will continue to accumulate Bitcoin. Today, he stated, "I don't think this can reflect what I did last week."
BlockBeats Note: The MicroStrategy investment portfolio tracking chart uses a blue line to mark the Bitcoin price trend and uses yellow dots on the chart to mark accumulation behavior. Previously, Michael Saylor has released information about the MicroStrategy investment portfolio tracking chart for over ten consecutive weeks. According to the pattern, MicroStrategy always accumulates Bitcoin on the day after the related news is released.
BlockBeats News, February 23rd, according to EmberCN monitoring, the Bybit hacker has used numerous addresses to cross-chain swap 37,900 ETH (106 million USD) into other assets (BTC, etc.) through Chainflip, THORChain, LiFi, DLN, eXch, and other cross-chain exchange platforms. Their money laundering activity, running from yesterday into today, has now been going on for 30 hours.
The Bybit hacker address currently holds 461,491 ETH (1.29 billion USD), with a total of 499,395 ETH (1.4 billion USD) stolen from Bybit.
BlockBeats News, February 23, SlowMist founder Cosmos released a post stating, "Through forensic analysis and correlation tracking, we have confirmed that the attacker is indeed the North Korean hacker group Lazarus Group. This is a nation-state level APT attack targeting cryptocurrency exchanges. We have decided to share the related IOCs (Indicators of Compromise), including some exploited IP addresses of cloud service providers and proxies. It is worth noting that this disclosure does not specify which platform or platforms are involved, and it is not mentioned that it is Bybit. However, if there are similarities, it is not impossible."
"The attacker used pyyaml to perform RCE (Remote Code Execution), enabling the delivery of malicious code to take control of the target's computers and servers. This method bypasses the detection of most antivirus software. After synchronizing intelligence with partners, multiple similar malicious samples were obtained. The main goal of the attacker is to compromise the infrastructure of cryptocurrency exchanges to gain control of wallets and illegally transfer a large amount of cryptocurrency assets from the wallets."
"SlowMist's summary article revealed Lazarus Group's attack methods, analyzed its tactics using social engineering, vulnerability exploitation, privilege escalation, internal network penetration, and fund transfers. Based on actual cases, defense recommendations against APT attacks were summarized, hoping to provide industry references to help more organizations enhance their security defenses and reduce the impact of potential threats."
BlockBeats News, February 23rd, following the attack on the 21st, Bybit saw its ETH reserves plummet to 61,000 coins at one point. As of the time of writing, according to CryptoQuant data, Bybit holds about 308,100 ETH, recovering about 70% from the 439,000 ETH held on February 20th.
Earlier, on the 21st, Bybit was hacked and lost over $1.4 billion worth of stETH, mETH, and other Ethereum ecosystem tokens, making it the largest crypto theft in history.
BlockBeats News, February 23rd, according to LookIntoChain monitoring, Bybit purchased another batch of 34,743 ETH ($97.7 million) via OTC about 40 minutes ago.
Bybit may have already purchased a total of 106,498 ETH ($295 million) via OTC in the past 24 hours.
BlockBeats News, February 23rd, according to on-chain data, an address suspected to be associated with Bybit (0x2E4...b77) received another 34,743 ETH from Wintermute 20 minutes ago.
Bybit has likely accumulated a total of 106,498 ETH in just over a day, facilitated through Galaxy Digital, FalconX, and Wintermute.
This address initially received 100 million USDT from Bybit's cold wallet, which was then transferred to FalconX and Galaxy Digital before receiving ETH.
Furthermore, Galaxy Digital, FalconX, and Wintermute all withdrew ETH from various CEXs and transferred it to the 0x2E4...b77 address, indicating that the aforementioned institutions likely purchased ETH on the secondary market.
BlockBeats News, February 23, CZ updated on his social media platform his consideration of the remaining funds in his donation address: "I may combine the funds. See which combination works best.
Many people suggest donating to charitable organizations, which I support. I like to use cryptocurrency for charity. My requirement for charity is that the receiving organization must enable cryptocurrency and must allow tracking to the ultimate beneficiary. Transparency. Suggestions are welcome.
Some "other projects" suggest burning received tokens. I understand the meaning behind this.
Airdrops require the most effort in wallet operations, and choosing who to airdrop to also sparks more "debate."
Some people suggest adding to LP. I did some tests yesterday. I think I may have finally figured out the trick. From this address, the MEV experience is very accurate. A very good learning experience. And an interesting weekend practice. I know it's just a few years late.
Currently, I am inclined to do more to support liquidity. I don't care whether the funds in this address make money or lose money. I think this is also an indirect way of giving back to our community."