Bybit Exchange Hack 2025: North Korea Steals $1.5 Billion in the Largest Crypto Theft in History
Breach Summary
On February 21, 2025, the Lazarus Group — North Korea's premier cybercrime unit — stole approximately $1.5 billion in Ethereum from Bybit, one of the world's largest cryptocurrency exchanges. It was the single largest theft in the history of cryptocurrency, and it was executed not through a vulnerability in Bybit's own systems but through a compromise of Safe{Wallet}, the third-party multi-signature wallet infrastructure Bybit used to manage cold storage transfers. The attack demonstrated that supply chain compromise of wallet infrastructure represents an existential risk for any cryptocurrency exchange, regardless of the security of the exchange's own systems.
What Happened
Lazarus Group compromised the developer infrastructure of Safe{Wallet} — a widely-used open-source multi-signature wallet platform — and injected malicious JavaScript that would activate specifically during a Bybit cold-to-warm wallet transfer. When Bybit executives reviewed what appeared to be a routine transfer for signing, the malicious JavaScript had replaced the legitimate transaction with one routing funds to Lazarus Group-controlled addresses. The executives approved the transaction believing it was legitimate. Approximately $1.5 billion in Ethereum was transferred to attacker-controlled wallets within minutes. Bybit publicly disclosed the theft immediately, launched a recovery effort, and remained solvent — processing withdrawals and maintaining operations despite the loss. Blockchain analytics firms tracked the funds through a rapid laundering campaign using mixers and DEXs. The FBI formally attributed the attack to North Korea's Lazarus Group in March 2025.
Attack Vector Detail
The attack had two distinct phases. Phase one: Lazarus Group compromised Safe{Wallet}'s development infrastructure — specifically an Amazon Web Services S3 bucket used to host JavaScript assets loaded by the Safe{Wallet} interface. They replaced a legitimate JavaScript file with a malicious version that detected Bybit-specific wallet addresses and substituted transaction parameters. Phase two: When Bybit's cold wallet management team initiated what they believed was a routine transfer, the compromised Safe{Wallet} interface displayed the correct transaction details while routing the actual blockchain transaction to Lazarus Group addresses. The multi-signature approval process — intended to prevent unauthorized transactions — was defeated because all signers were viewing the same compromised interface.
Breach Pattern Timeline
February 21, 2025
Bybit — a major cryptocurrency exchange — experiences an unauthorized withdrawal during a routine cold-to-warm wallet transfer. Approximately $1.5 billion in Ethereum and ETH derivatives is stolen — the largest single cryptocurrency theft in history at the time.
February 21-22, 2025
Bybit immediately detects the theft, suspends some withdrawals, then re-enables operations. CEO Ben Zhou confirms the theft via livestream and commits to making depositors whole.
February 24, 2025
Mandiant, North Korea threat researchers, and SafeSign attribute the attack to the North Korean Lazarus Group sub-cluster TraderTraitor, the same actor behind 3CX (March 2023), Atomic Wallet (June 2023), and prior cryptocurrency thefts.
February 24-March 2025
Attack methodology revealed: attackers compromised the front-end web interface of Safe (formerly Gnosis Safe), a multi-signature smart contract wallet provider. The compromised front-end displayed legitimate-looking transactions to Bybit cold wallet signers, who unknowingly authorized the theft.
March 2025
Bybit confirms it has secured emergency funding to backfill the stolen amounts and restore full reserves. Customer assets remain intact. Insurance partners begin claims processing.
April-July 2025
A significant portion of the stolen Ethereum is laundered through North Korean money-laundering networks despite global tracking efforts. U.S. Treasury OFAC sanctions additional North Korea-related crypto wallets.
2025-2026
The Bybit hack establishes: (1) UI compromise as the primary attack surface for sophisticated crypto theft (versus smart contract bugs), (2) front-end supply chain risk for cryptocurrency infrastructure, (3) renewed scrutiny of multi-sig wallet UX safety, and (4) North Korea's continued reliance on cryptocurrency theft for sanctions evasion and weapons program funding.
Total impact: $1.5 billion in Ethereum stolen (the largest single crypto theft in history); front-end supply chain compromise of the Safe multi-sig wallet; a foundational precedent for the UI/UX attack surface in crypto; and a demonstration of the scale of North Korean Lazarus state-sponsored cryptocurrency theft.
Executive Lessons
The Bybit attack produced three lessons critical for any organization using third-party financial infrastructure. First, multi-signature approval processes are only as secure as the interface displaying the transaction details — if the interface is compromised, the approval process is compromised. Second, supply chain attacks against financial infrastructure now target the specific moment of high-value transaction authorization. Third, transparency worked: Bybit's immediate public disclosure demonstrated that surviving a major breach is possible when handled correctly.
Private Equity Implications
For PE sponsors with fintech, cryptocurrency, or digital asset portfolio companies, the Bybit attack establishes that third-party wallet infrastructure must be evaluated as critically as the exchange's own systems. Any digital asset custodian using multi-signature workflows must implement independent transaction verification — specifically, verifying transaction parameters through a separate, airgapped or independently-sourced interface before signing. Supply chain security for financial infrastructure providers is not optional.
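The independent verification step described above, and the interface-substitution pattern from the Attack Vector Detail section, as an added example that is not Bybit's or Safe's own code. It assumes a signer has the four Safe transaction fields (to, value, data, operation) from two sources: the web UI and an independent channel such as the hardware wallet display or a second API query. The addresses and amounts are constructed sample values; the warm-wallet allowlist is a hypothetical policy input.

```python
"""Out-of-band check of a Safe multisig transaction before a signer approves it.

Added example, not Bybit's or Safe's code. A compromised front-end can show one
transaction while submitting another for signature, so the fields the signer
actually signs (independent source) are compared with the fields the UI shows,
and then checked against a transfer policy. Sample values are constructed.
"""
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1   # Safe 'operation' values

@dataclass(frozen=True)
class SafeTx:
    to: str          # destination address
    value: int       # amount in wei
    data: str        # hex calldata; "0x" for a plain ETH transfer
    operation: int   # CALL or DELEGATECALL

    def normalized(self):
        return (self.to.lower(), self.value, self.data.lower(), self.operation)

def verify_before_signing(displayed, independent, warm_wallets):
    """Return a list of findings; an empty list means the signer may proceed."""
    findings = []
    # 1. Every field the UI displays must match what will actually be signed.
    names = ("to", "value", "data", "operation")
    for name, ui, real in zip(names, displayed.normalized(), independent.normalized()):
        if ui != real:
            findings.append(f"{name} mismatch: UI shows {ui!r}, independent source shows {real!r}")
    # 2. Policy checks run on the independent copy, never on the UI's copy.
    tx = independent
    if tx.operation == DELEGATECALL:
        findings.append("operation is DELEGATECALL: target code would run in the Safe's own context")
    if tx.to.lower() not in {w.lower() for w in warm_wallets}:
        findings.append(f"destination {tx.to} is not an allowlisted warm wallet")
    if tx.data.lower() not in ("0x", ""):
        findings.append("calldata present on what should be a plain ETH transfer")
    return findings

# Constructed sample data (hypothetical addresses, not real wallets).
WARM = "0x" + "11" * 20
ROGUE = "0x" + "22" * 20
LEGIT = SafeTx(WARM, 10 ** 18, "0x", CALL)
TAMPERED = SafeTx(ROGUE, 10 ** 18, "0x", DELEGATECALL)  # what a swapped payload signs

if __name__ == "__main__":
    for f in verify_before_signing(LEGIT, TAMPERED, [WARM]):
        print("REFUSE:", f)
```

Run with the UI-displayed fields as `displayed` and the hardware-wallet or second-channel fields as `independent`; any non-empty result is a hard stop for every signer, since all of them may be looking at the same compromised interface.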