In a devastating blow to the cryptocurrency industry, Bybit revealed on Friday that it had suffered a “sophisticated” attack resulting in the theft of over $1.5 billion worth of Ethereum (ETH) from one of its cold wallets. This unprecedented breach surpasses all previous crypto heists in scale, dwarfing even the Ronin Network ($624 million), Poly Network ($611 million), and BNB Bridge ($586 million) hacks.
The Attack: A Deceptive Manipulation
According to Bybit’s CEO Ben Zhou, the incident unfolded during a routine transfer process involving the exchange’s ETH multisig cold wallet. In what appeared to be a legitimate transaction moving funds to a warm wallet, attackers exploited a deceptive technique to alter the underlying smart contract logic while masking the signing interface. This allowed them to gain unauthorized control over the affected cold wallet and siphon off its contents to an unidentified address.
“This transaction was manipulated through a sophisticated attack that masked the signing interface, displaying the correct address while altering the underlying smart contract logic,” Bybit explained in a post on X. As a result, over 400,000 ETH and stETH tokens—worth more than $1.5 billion at the time—were transferred out.
Lazarus Group Tied to the Breach
Within hours of the hack, blockchain analysis firms Elliptic and Arkham Intelligence identified North Korea’s state-sponsored Lazarus Group as the likely perpetrator. Independent researcher ZachXBT further connected the Bybit hack on-chain to the Phemex hack, which occurred just last month, reinforcing suspicions of Lazarus involvement.
Google has previously described North Korea as “arguably the world’s leading cyber criminal enterprise,” with the Lazarus Group orchestrating dozens of high-profile cryptocurrency heists to fund the country’s sanctioned regime. Last year alone, Chainalysis estimated that Lazarus stole $1.34 billion across 47 crypto hacks, accounting for 61% of all illicitly obtained crypto during that period.
Elliptic noted that Lazarus follows a characteristic laundering pattern, exchanging stolen tokens for native blockchain assets like Ether to avoid asset freezes. Following the Bybit theft, hundreds of millions of dollars in stolen stETH and cmETH were swiftly converted into Ether. These funds were then routed through 50 different wallets within two hours before being shifted through exchanges like eXch to convert them into Bitcoin.
A New Phase in Cyberattacks
Check Point Research highlighted the growing sophistication of supply chain and user interface manipulation attacks, pointing out that this breach marks a new phase in attack methods. Instead of merely exploiting protocol mechanics, the attackers employed advanced social engineering techniques to deceive signers into approving malicious transactions.
“The recent incident with Bybit demonstrates how threat actors can manipulate legitimate transactions through the Gnosis Safe Protocol’s execTransaction function,” Check Point stated. “This underscores the critical vulnerability where multisig cold wallets are only as secure as the individuals responsible for signing transactions.”
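The defensive consequence of Check Point's point, as an added example that is not Bybit's, Safe's or Check Point's code: each signer re-derives an approve/reject decision from the raw execTransaction parameters (to, value, data, operation) rather than from what the signing interface renders. The allowlist, addresses and transactions below are constructed; the article does not say which parameter was altered, so the check covers all of them.

```python
# Added example: an out-of-band policy check a multisig signer runs on the raw
# Safe execTransaction parameters before approving. Parameter names follow Safe's
# execTransaction; every address and limit here is constructed for illustration.

CALL, DELEGATECALL = 0, 1
ERC20_TRANSFER_SELECTOR = "a9059cbb"  # first 4 bytes of keccak256("transfer(address,uint256)")

# Constructed policy: the cold wallet may only move funds to one warm wallet,
# either as native ETH or as a plain ERC-20 transfer of one approved token.
POLICY = {
    "allowed_recipients": {"0x1111111111111111111111111111111111111111"},  # warm wallet (constructed)
    "allowed_tokens": {"0x2222222222222222222222222222222222222222"},      # token contract (constructed)
    "max_value_wei": 1_000 * 10**18,
}

def decode_erc20_transfer(data: str):
    """Return (recipient, amount) if calldata is exactly transfer(address,uint256), else None."""
    d = data.lower().removeprefix("0x")
    if len(d) != 8 + 64 + 64 or d[:8] != ERC20_TRANSFER_SELECTOR:
        return None
    return "0x" + d[8 + 24 : 8 + 64], int(d[8 + 64 :], 16)  # address arg is left-padded to 32 bytes

def check_safe_tx(tx: dict, policy: dict = POLICY) -> list[str]:
    """Policy-check the raw parameters; an empty list means the transaction is approvable."""
    findings = []
    to, data = tx["to"].lower(), tx["data"].lower().removeprefix("0x")
    if tx["operation"] != CALL:
        findings.append("operation is DELEGATECALL: foreign code would run against the Safe's own storage")
    if tx["value"] > policy["max_value_wei"]:
        findings.append("value exceeds policy limit")
    if data == "":                                   # native ETH transfer
        if to not in policy["allowed_recipients"]:
            findings.append(f"ETH recipient {tx['to']} is not on the allowlist")
    else:                                            # token transfer or arbitrary contract call
        if to not in policy["allowed_tokens"]:
            findings.append(f"calldata sent to non-allowlisted contract {tx['to']}")
        transfer = decode_erc20_transfer(data)
        if transfer is None:
            findings.append("calldata is not a plain ERC-20 transfer")
        elif transfer[0] not in policy["allowed_recipients"]:
            findings.append(f"token recipient {transfer[0]} is not on the allowlist")
    return findings

# Constructed: the transfer the signer intends (ETH to the warm wallet) ...
LEGIT_TX = {"to": "0x1111111111111111111111111111111111111111", "value": 5 * 10**18,
            "data": "0x", "operation": CALL}
# ... and a tampered proposal that keeps the displayed address but changes operation and calldata.
TAMPERED_TX = {"to": "0x1111111111111111111111111111111111111111", "value": 0,
               "data": "0xdeadbeef", "operation": DELEGATECALL}
```

The check is only useful if it runs on a device or path independent of the interface that proposed the transaction; a compromised UI can lie about the parameters it feeds to this function as easily as about the address it displays.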
TRM Labs corroborated these findings, attributing the hack with high confidence to the Lazarus Group based on substantial overlaps between addresses controlled by the Bybit hackers and those linked to prior North Korean thefts.
Market Reactions and Customer Assurance
News of the breach sent shockwaves through the crypto market, causing Ethereum’s price to plummet by over 4% as the stolen funds began to be liquidated. Nearly $200 million worth of Lido Staked Ether (stETH) was sold within the first half-hour, exacerbating volatility.
To reassure customers, Zhou emphasized that all other cold wallets remain secure and that withdrawals are operating normally. He also announced that Bybit had secured a bridge loan from undisclosed partners to cover any unrecoverable losses and maintain operations. Despite these assurances, many users have rushed to withdraw their funds amid fears of potential insolvency.
Industry Implications and Lessons Learned
This record-breaking heist serves as a stark reminder of the vulnerabilities inherent in the cryptocurrency ecosystem. While cold wallets are traditionally considered safer due to their offline nature, this breach highlights the risks posed by human error and social engineering tactics.
“Cryptocurrency heists are on the rise due to the lucrative nature of their rewards, the challenges associated with attribution to malicious actors, and the opportunities presented by nascent familiarity with cryptocurrency and Web3 technologies among many organizations,” Mandiant warned last month.
As investigations continue, experts stress the importance of adopting stricter security measures and improving education around phishing threats and smart contract vulnerabilities. The Lazarus Group’s continued success underscores the need for global cooperation between law enforcement agencies, blockchain analytics firms, and exchanges to combat such sophisticated cybercriminal activities.
For now, the crypto community waits anxiously for updates on the investigation, hoping that lessons learned from this historic breach will pave the way for a more secure future. Until then, the Bybit hack stands as a sobering testament to the evolving nature of cybercrime in the digital age.
Sources:
https://www.cnbc.com/2025/02/21/hackers-steal-1point5-billion-from-exchange-bybit-biggest-crypto-heist.html
https://techcrunch.com/2025/02/21/crypto-exchange-bybit-says-it-was-hacked-and-lost-around-1-4-billion/
https://www.investing.com/news/cryptocurrency-news/bybit-suffers-major-hack-with-over-146-billion-in-ethereum-stolen-93CH-3884287
https://thehackernews.com/2025/02/bybit-confirms-record-breaking-146.html