Lazarus Group and the Bybit Hack
- February 28, 2025
- Clayton Rice, K.C.
In one of the largest heists in the history of digital assets, North Korean hackers exploited the Bybit cryptocurrency exchange and made off with $1.5 billion in cybercash. The incident occurred when a routine cold-wallet-to-warm-wallet transaction was manipulated through a sophisticated attack that masked the signing interface. Cybersecurity researchers are on the trail through a web of online crypto wallets used by the operatives to launder the funds.
1. Introduction
On February 21, 2025, cryptocurrency exchange Bybit sustained one of the largest security breaches in history. Hackers exploited one of Bybit’s Ethereum (ETH) cold wallets and stole approximately 401,347 ETH valued at $1.5 billion. The early forensic analysis concluded that the breach occurred during a routine transfer from Bybit’s ETH multi-signature cold wallet to its warm wallet. Forbes contributor Sandy Carter reported that the attackers manipulated the transaction by masking the signing interface. “This deception displayed the correct address while altering the underlying smart contract logic, enabling unauthorized access to the wallet,” she said. (here) The attackers then used “advanced phishing techniques and social engineering” to gain access to internal credentials, which were used to bypass security protocols. Once the system was accessed, the attackers exploited vulnerabilities in the authentication process, creating fraudulent approvals that allowed the transfer of assets. The early reports attributed the breach to the notorious North Korea-based Lazarus Group, widely regarded as one of the world’s leading cybercrime enterprises. (here and here)
2. What is Bybit?
Bybit is based in Dubai, U.A.E. and registered in the British Virgin Islands as Bybit Fintech Limited. Founded in 2018 by Ben Zhou, a former executive at forex broker XM, it is the world’s second-largest cryptocurrency exchange, surpassing 20 million users globally in 2023. Bybit offers a suite of trading options including spot trading, derivatives trading and options trading. The platform allows users to trade with leverage up to 100x on various cryptocurrency pairs and offers perpetual contracts. (here) To register for a Bybit account, go to the Bybit website and register with your email address or phone number, or register using the Bybit app. Then complete the identity verification on your Bybit account, which takes only a few minutes. The process includes verifying your basic account information, providing identification documents and uploading a selfie.
Bybit does not offer services or products to users in countries designated as “service restricted countries” including the United States, Canada and Britain. (here) On May 31, 2023, the platform exited the Canadian market and stopped accepting new user applications by any identified Canadian resident and existing nationals following increased regulatory oversight by Canadian Securities Administrators (CSA). On December 12, 2022, CSA had announced that crypto trading platforms would be required to “hold Canadian clients’ assets with an appropriate custodian and segregate these assets from the platform’s proprietary business, as well as a prohibition on offering margin or leverage for any Canadian client.” (here) The rules were implemented during the fallout from the FTX collapse. The core of the fraud conviction of FTX founder and CEO, Sam Bankman-Fried, was that he devised a scheme to use deposits made by FTX customers to pay the expenses and debts of Alameda Research, his proprietary crypto hedge fund, which I discussed in a previous post to On The Wire. (here)
3. The Lazarus Group
The Lazarus Group is a persistent North Korean advanced threat actor that has operated in the digital shadows for over ten years. Unlike other state actors, the group is financially motivated and engages in sabotage, espionage and theft of sensitive information. Since 2009, it has breached bank security systems and hacked into cryptocurrency exchanges. The group is believed to be responsible for the WannaCry ransomware attack in 2017 that affected approximately 200,000 computers worldwide. With the support of the North Korean government, Lazarus operatives face no risk of prosecution in their home country and are likely to remain active for the foreseeable future. (here) On February 25, 2025, the European Union implemented new sanctions targeting individuals linked to cyberwarfare and information operations against Ukraine. Among those sanctioned is Lee Chang Ho, head of North Korea’s reconnaissance agency, who is “accused of aiding Russia’s military operations and overseeing cyberattack units.” (here)
4. Following the Money
The crypto market plummeted into free fall, undermining confidence in the industry at a time when the U.S. government is being lobbied for regulatory reform that would make investment in digital currencies easier. As the crisis continued to unfold, Bitcoin plunged twenty percent, the most significant drop since the collapse of FTX in 2022. Deploying a technique used by the North Korean hackers after other heists, the stolen funds were laundered across a network of online crypto wallets. On February 24, 2025, tech journalist Sean Lyngaas reported for CNN that security experts had helped recover $43 million of the stolen funds. According to a report published by Elliptic, a British blockchain analytics firm, Lazarus Group’s laundering process follows a characteristic pattern involving the exchange of stolen tokens for a native blockchain asset like Ether to avoid attempts to freeze the digital assets. (here) Bybit said it would give 10% of any recovered funds to security experts who played a role in retrieving the stolen money. (here)
5. Conclusion
What, then, are the initial takeaways from the Bybit hack? In a report titled The Bybit Incident: When Research Meets Reality published by Check Point Security Technologies, researchers Dikla Barda, Roman Ziakin and Oded Vanunu described the breach as “a new phase in attack methods”. (here) I will leave you with three conclusions from the executive summary. First, rather than just targeting protocol flaws, the attackers used sophisticated infrastructure compromise to manipulate the user interface that signers interacted with. Second, the hack highlights that multisig cold wallets are not secure if signers can be deceived, emphasizing the growing sophistication of supply chain and user interface manipulation attacks. Third, the Bybit hack challenges previous beliefs about crypto security, showing that despite strong smart contracts and multisig protections, the human-interface layer remains vulnerable.
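An added illustration of the defensive check the third conclusion implies (this is not code from the post, from Bybit or from the Check Point researchers): a signer recomputes a digest over the full payload it is about to authorise instead of trusting what a masked interface displays. The field names, values and hashing are a constructed toy model, not any wallet's real encoding.

```python
import hashlib
import json

# Constructed sample payloads (toy field names, not a real wallet format).
# The intended routine transfer and a tampered payload that shows the same
# destination and amount but carries different underlying call data.
INTENDED = {"to": "0xWARM_WALLET", "value": 100, "data": "0x", "operation": 0}
TAMPERED = {"to": "0xWARM_WALLET", "value": 100, "data": "0xDEADBEEF", "operation": 1}


def digest(tx: dict) -> str:
    """Hash every field of the payload in a canonical order (toy model)."""
    canonical = json.dumps(tx, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def ui_view(tx: dict) -> dict:
    """What a masked signing interface might show: destination and value only."""
    return {"to": tx["to"], "value": tx["value"]}


def independent_check(intended: dict, payload_to_sign: dict) -> list:
    """Compare the payload actually presented for signature against the
    transfer the signer intended. Returns a list of discrepancies; an empty
    list means the two agree field by field."""
    problems = []
    if digest(intended) == digest(payload_to_sign):
        return problems
    for key in sorted(set(intended) | set(payload_to_sign)):
        if intended.get(key) != payload_to_sign.get(key):
            problems.append(
                f"{key}: expected {intended.get(key)!r}, got {payload_to_sign.get(key)!r}"
            )
    return problems


if __name__ == "__main__":
    # The interface view is identical, so a signer who trusts it cannot tell.
    print("UI views match:", ui_view(INTENDED) == ui_view(TAMPERED))
    # The full-payload digest differs, and the field diff names what changed.
    for line in independent_check(INTENDED, TAMPERED):
        print("MISMATCH", line)
```

The point is that the comparison must be done against the full payload obtained through a channel the compromised interface does not control, such as the hardware wallet's own display of the digest.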