Inside The Bybit Hacking Incident: Lessons From The Breach – Forbes

By Alexandra Andhov, Contributor.
Photo caption: CANADA, 2025/02/13: In this photo illustration, the Bybit logo is seen displayed on a smartphone screen. (Photo Illustration by Thomas Fuller/SOPA Images/LightRocket via Getty Images)
On February 21, 2025, the cryptocurrency community witnessed its largest attack to date. The Bybit exchange became the victim of the largest cryptocurrency heist in history, with approximately $1.5 billion in Ethereum tokens stolen in a matter of hours.
This incident surpassed all previous breaches, including the $540 million Ronin Network hack in 2022, the $600 million Poly Network exploit in 2021, and even the infamous Mt. Gox collapse in 2014. As the dust settles, the Bybit hack not only marks a turning point in crypto security but also offers important lessons for exchanges, developers, and users across the ecosystem.
Within days of the attack, ZachXBT submitted proof linking the attack to a North Korean cybercriminal organization – the Lazarus Group. His analysis included test transactions, connected wallets, forensic graphs, and timing details. According to ZachXBT, the cluster of addresses is also linked to the Phemex and BingX hacks.
This was not just another cybercrime or a simple exploitation of faulty code. It was a meticulously planned operation that showed the evolving sophistication of state-sponsored cyber warfare.
Bybit relied on a third-party service to facilitate the transfer of tokens from a cold wallet—used for offline storage—to a warm (online) wallet, using a multi-signature approval process. However, attackers compromised a machine linked to the third-party provider and injected malicious JavaScript into the transaction signing workflow, manipulating the process undetected.
Using advanced phishing and social engineering techniques, the attackers obtained internal credentials, enabling unauthorized access. The similarity to the January 2025 Phemex hack further supports attribution to Lazarus Group.
Once inside, they manipulated the system to meet transaction criteria that would authorize transfers—ultimately draining 401,000 ETH, worth roughly $1.5 billion, into wallets under their control.
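The signing-workflow manipulation described above works because signers trust the front end's rendering of the transaction. The following added example (not Bybit's, Safe{Wallet}'s or the third-party provider's code) shows the defensive counterpart: re-decoding the payload that actually reaches the signing device, comparing it field by field with what the UI displayed, and applying a transfer policy to the decoded payload rather than to the UI view. The payload field names, the policy, and all addresses and amounts are constructed assumptions.

```python
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1  # 'operation' values used by Safe-style multisig transactions


@dataclass(frozen=True)
class SafeTx:
    to: str
    value_wei: int
    data: bytes
    operation: int


def decode_payload(raw: dict) -> SafeTx:
    """Re-decode the JSON payload that actually reaches the signing device.
    Field names are an assumption; the point is to parse the bytes yourself
    rather than trust the front end's rendering of them."""
    return SafeTx(
        to=raw["to"].lower(),
        value_wei=int(raw["value"]),
        data=bytes.fromhex(raw["data"].removeprefix("0x")),
        operation=int(raw["operation"]),
    )


# Constructed policy: cold-to-warm transfers may only go to the known warm
# wallet, as plain CALLs with no calldata, below a per-transfer cap.
WARM_WALLET = "0x1111111111111111111111111111111111111111"
POLICY = {"allowed_to": {WARM_WALLET}, "max_value_wei": 10_000 * 10**18}


def verify_before_signing(displayed: SafeTx, raw_payload: dict, policy=POLICY) -> list[str]:
    """Return reasons to refuse; an empty list means the signer may proceed."""
    to_sign = decode_payload(raw_payload)
    problems = []
    # 1. What the UI showed must equal what the device is asked to sign.
    for field in ("to", "value_wei", "data", "operation"):
        if getattr(displayed, field) != getattr(to_sign, field):
            problems.append(f"UI/payload mismatch on {field}")
    # 2. Policy is checked on the decoded payload, never on the UI view.
    if to_sign.to not in policy["allowed_to"]:
        problems.append("destination not on allowlist")
    if to_sign.operation != CALL:
        problems.append("only CALL is allowed for a transfer")
    if to_sign.data:
        problems.append("plain transfer must carry no calldata")
    if to_sign.value_wei > policy["max_value_wei"]:
        problems.append("value exceeds per-transfer cap")
    return problems


# Constructed sample: the UI shows a routine transfer to the warm wallet ...
SHOWN = SafeTx(to=WARM_WALLET, value_wei=5_000 * 10**18, data=b"", operation=CALL)
HONEST = {"to": WARM_WALLET, "value": str(5_000 * 10**18), "data": "0x", "operation": "0"}
# ... while a tampered front end submits a different destination, calldata and operation.
TAMPERED = {"to": "0x2222222222222222222222222222222222222222",
            "value": str(5_000 * 10**18), "data": "0xdeadbeef", "operation": "1"}
```

The comparison in step 1 only helps if `raw_payload` is captured from an independent channel (for example the bytes shown on a hardware signer's own display), not from the same browser session that rendered `displayed`.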
Only a single Bybit cold wallet was compromised, resulting in the loss of $1.46 billion as follows:

The attack’s speed was particularly alarming. Within 48 hours, over $160 million had been laundered through complex networks of intermediary wallets, decentralized exchanges, and cross-chain bridges. By February 26, just five days after the initial breach, over $400 million had been moved, demonstrating a high level of operational efficiency. However, according to Kaiko Research, more than $700M in ETH remains in the exploiters’ wallets.
Nick Carlsen, a North Korea expert and former FBI subject matter expert at TRM, described the strategy as a "flood the zone" technique—overwhelming blockchain analysts and law enforcement with rapid, high-frequency transactions across multiple platforms.
The response from Bybit and the broader crypto community was swift and well-coordinated. According to Kaiko Research data, it took around 90 minutes from the illicit transfers to Bybit's public announcement.
Bybit Exchange immediately launched a bounty program offering 10% of any successfully frozen or recovered assets. This move was not just about recovering funds; it was a signal to the entire crypto ecosystem that collaborative defence had become crucial.
Various crypto companies, such as TRM Labs, Chainalysis, Crystal Intelligence, Elliptic, and others, worked in close coordination with law enforcement, national security organizations, and regulators to trace the stolen funds.
The Lazarus Group, the threat actor linked to this breach, has a well-documented history of employing stealthy, persistent mechanisms to maintain long-term access in compromised environments. This “aggressive persistence” allows them to stay embedded over extended periods, silently preparing for follow-up attacks even after initial compromises are discovered. If any portion of their access remains, it is reasonable to expect a repeat of the exploit, potentially targeting additional wallets or systems. Therefore, technological solutions to address this continuous persistence must be found urgently.
The breach of Safe{Wallet}'s AWS infrastructure underscores the critical need for rigorous security practices and continuous monitoring within cloud environments. A detailed forensic investigation will not only shed light on the specifics of this incident but also provide actionable insights to bolster defenses against future attacks. It is imperative for organizations to proactively assess and fortify their cloud security postures to safeguard against increasingly sophisticated cyber threats.
For many years, cold wallets – offline storage solutions – have been considered the gold standard of digital asset security. Isolated from the Internet, they were thought to be impervious to remote attacks. However, this breach showed that cold storage is not a silver bullet.
In this case, the attackers did not need to directly access the cold wallet itself. Instead, they exploited the human and infrastructural layers that interface with it. By compromising a third-party service responsible for initiating transfers from cold storage to warm wallets, and by deceiving signing officers through phishing and manipulated transaction flows, the attackers effectively bypassed the security promises of cold storage. This indirect path to compromise is far more dangerous—and harder to detect—than traditional wallet attacks.
This incident underscores a hard truth: once-trusted safeguards—like cold storage and multisignature wallets—are no longer enough in the face of evolving threats. Security must be viewed not as a checkbox, but as a continuous, collaborative effort. Exchanges, security providers, and regulators must form stronger alliances, share intelligence in real-time, and adapt to a constantly shifting threat landscape.
One month after the breach, many questions remain unanswered. Yet, the Bybit hack has laid bare some uncomfortable truths—even the most well-established exchanges are not immune to sophisticated threats. Still, if there is a silver lining to be found, it’s the swift and coordinated response across the industry. The rapid collaboration between exchanges, security firms, and investigators stands out as one of the most encouraging takeaways from this incident.
In the realm of digital assets, security is not a fixed state but an ongoing, collaborative effort. Exchanges, cybersecurity teams, infrastructure providers, and regulators must build tighter alliances, share intelligence proactively, and continually adapt to a rapidly shifting threat landscape.