[UPDATED: February 27, 2025; 9:40am EST] This blog has been updated to reflect the latest updates on the Bybit hack.
On February 21, 2025, Bybit, a prominent cryptocurrency exchange, experienced a significant security breach resulting in the loss of nearly $1.5 billion worth of ether (ETH). This incident stands as the largest digital heist in the history of cryptocurrency. Fortunately, Bybit is actively collaborating with industry experts, including Chainalysis, to trace the stolen assets. They have also launched a recovery bounty program, offering up to 10% of the recovered amount to individuals who assist in retrieving the stolen crypto.
In this blog, we’ll look at how the exploit occurred; the attackers’ tactics, techniques, and procedures (TTPs) and their consistency with the Democratic People’s Republic of Korea (DPRK); and how Chainalysis is collaborating with Bybit and law enforcement to help recover funds.
The Bybit hack serves as a stark reminder of the evolving tactics employed by state-sponsored cybercriminals, particularly those linked to the DPRK. As we recently revealed in our 2025 Crypto Crime Report, North Korea-affiliated hackers stole approximately $660.5 million across 20 incidents in 2023. In 2024, this number increased to $1.34 billion stolen across 47 incidents — a 102.88% increase in value stolen. The Bybit hack alone led to almost $160 million more stolen than all funds stolen by North Korea throughout 2024.
This attack highlights a common playbook used by the DPRK: orchestrating social engineering attacks and employing intricate laundering methods in an attempt to move stolen funds undetected. Funds from the Bybit exploit have also consolidated in addresses holding funds from other known DPRK-linked attacks, providing further evidence that the nation state actors are behind this latest incident.
Below is a step-by-step analysis of how the Bybit exploit unfolded:
The below Chainalysis Reactor graph showcases the complexity of the laundering efforts thus far: the web of intermediary addresses, token swaps, and cross-chain movements that not only attempt to obscure the stolen funds, but also demonstrate the far-reaching consequences of this exploit across the broader crypto ecosystem.
Despite the severity of Bybit’s attack, the inherent transparency of blockchain technology presents a significant challenge for malicious actors attempting to launder stolen funds. Every transaction is recorded on a public ledger, enabling authorities and cybersecurity firms to trace and monitor illicit activities in real time.
Collaboration across the crypto ecosystem is paramount in combating these threats. The swift response from Bybit, including its assurance to cover customer losses and its engagement with blockchain forensic experts, exemplifies the industry’s commitment to mutual support and resilience. By uniting resources and intelligence, the crypto community can strengthen its defenses against such sophisticated cyber attacks and work toward a more secure digital financial environment.
We are working with our global teams, customers, and partners across both the public and private sectors to support multiple avenues for seizure and recovery in response to this attack. Already, we’ve worked with contacts in the industry to help freeze more than $40 million in funds stolen from Bybit and continue to collaborate with public and private sector organizations to seize as much as possible. We will continue to provide updates on this matter.
This website contains links to third-party sites that are not under the control of Chainalysis, Inc. or its affiliates (collectively “Chainalysis”). Access to such information does not imply association with, endorsement of, approval of, or recommendation by Chainalysis of the site or its operators, and Chainalysis is not responsible for the products, services, or other content hosted therein.
This material is for informational purposes only, and is not intended to provide legal, tax, financial, or investment advice. Recipients should consult their own advisors before making these types of decisions. Chainalysis has no responsibility or liability for any decision made or any other acts or omissions in connection with Recipient’s use of this material.
Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in this report and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material.
