North Korea’s Lazarus Group, the primary suspect behind the $1.4 billion Bybit hack on Feb. 21, has been linked to a series of meme coin scams on Solana’s Pump.fun platform, according to blockchain investigator ZachXBT. The group, known for targeting cryptocurrency platforms, appears to be laundering stolen funds through these fraudulent token launches.
On Feb. 22, $1.08 million from the Bybit hack was sent to the Ethereum wallet “0x363908df2b0890e7e5c1e403935133094287d7d1,” which then bridged the funds to Solana as USDC. These funds were split across multiple wallets, some of which had previous ties to rug pulls on Pump.fun. ZachXBT, who tracked over 920 addresses connected to the Bybit hack, noted that a known Lazarus Group associate had launched multiple meme coins using the same platform.
The Bybit exploit, one of the largest in crypto history, saw attackers steal vast amounts of liquid-staked Ether (stETH), Mantle Staked ETH (mETH), and other digital assets. Blockchain security firms, including Arkham Intelligence, have identified the Lazarus Group as the likely perpetrator. On-chain findings also suggest that the same group was behind the $29 million Phemex hack in January.
Solana has been experiencing a surge in meme coin scams and rug pulls, which have damaged investor confidence. One of the most significant incidents involved the Libra (LIBRA) token, promoted by Argentine President Javier Milei. Insiders allegedly withdrew $107 million in liquidity, causing a 94% price collapse within hours and wiping out $4 billion in investor capital.
The impact of these scams is reflected in Solana’s market activity. The monthly capital inflow into Solana and its MEME index dropped by 5.9%, according to data from Glassnode. The number of active Solana addresses also fell to a weekly average of 9.5 million in February, down 40% from 15.6 million in November 2024. CryptoVizArt, a senior analyst at Glassnode, noted that while activity on Solana has slowed, it remains above pre-bull market levels.
The Lazarus Group has been exploiting decentralized exchanges and cross-chain bridges to move stolen funds undetected. According to ZachXBT’s analysis, the stolen Bybit funds were bridged to Binance Smart Chain (BSC), divided across more than 30 wallets, and then moved back to Solana through intermediaries. This method helped obscure the source of the assets before they were distributed among scam operators.