Monday, December 29, 2025

2025 Rewind: Bybit Gets Rocked By Biggest Crypto Hack in History

A major breach at Bybit became 2025’s and history’s largest crypto theft yet, highlighting security gaps and changing how the industry approaches asset safety and risk.

On February 21, 2025, a historic theft struck cryptocurrency exchange Bybit. Approximately 401,000 ETH, worth $1.5 billion, was stolen. This is now the largest single crypto heist ever recorded. The FBI attributed the breach to North Korea’s state-sponsored Lazarus Group, which it stated had executed a sophisticated supply chain compromise.

The immediate fallout for Bybit was severe. The exchange witnessed a “bank run” with over $5 billion in panic withdrawals processed within 12 hours.

Ben Zhou (@benbybit), February 24, 2025:
"Latest Update: Bybit has already fully closed the ETH gap, new audited POR report will be published very soon to show that Bybit is again Back to 100% 1:1 on client assets through merkle tree, Stay tuned. https://t.co/QLa1vOujM6"

In response, CEO Ben Zhou and his team secured emergency liquidity, assuring users their funds remained backed 1:1.

The attack: a supply chain nightmare

The first breach occurred on February 4, weeks before the theft. Attackers compromised a workstation at SAFE, a third-party multi-signature wallet provider used by Bybit, via a malicious Docker project. From this access, AWS credentials were stolen. Multi-factor authentication was bypassed.

H4x0r.DZ 🇰🇵 (@h4x0r_dz), February 26, 2025:
"Breaking Update on the ByBit Hack 🚨🚨🚨🚨 It has been confirmed that the Lazarus Group compromised Safe{Wallet}’s AWS S3 bucket and injected malicious javascript code that resulted in a $1,400,000,000 loss. If you report this to Safe, you might get a $500 bounty. pic.twitter.com/ckdUvD2cPi"

The final stage began on February 19. Malicious JavaScript code was injected into SAFE’s user interface. Two days later, when Bybit’s team initiated what appeared to be a routine transfer using their 3-of-6 multisig wallet, the trap was sprung.

The compromised interface displayed legitimate transaction data to signers. Meanwhile, hardware wallets showed the true payload: a “delegatecall” exploit redirecting 401,000 ETH to attacker-controlled addresses. Three signers approved without detecting the manipulation.

Attack Chain Summary

| Date | Event |
|---|---|
| February 4 | SAFE developer machine compromised via a malicious Docker project |
| February 19 | Malicious JavaScript was injected into SAFE’s interface |
| February 21 | Attack executed: 401,000 ETH stolen from Bybit’s 3-of-6 multisig wallet |
| February 24 | Bybit completes proof-of-reserves audit, secures 447,000 ETH emergency loan |

Why most of the stolen funds were not recovered

The recovery of stolen funds stalled largely due to the speed and coordination of the attackers, whom blockchain analysts linked to the North Korean Lazarus Group.

Investigators noted the group began laundering funds immediately, using techniques that outpaced manual intervention. They converted 86.29% of the stolen ETH into Bitcoin, initially 12,836 BTC, and distributed it across 9,117 wallets.

Arkham (@arkham), March 4, 2025:
"LAZARUS HAS NOW FULLY LAUNDERED THE PROCEEDS OF THE BYBIT HACK. They have transferred 500,000 ETH mainly to native BTC. Thorchain has processed over $5.5B in volume since Bybit was hacked on the 21st February. pic.twitter.com/JmoW4AkXD2"

Despite the inherent transparency of blockchain, $160 million was laundered within the first 48 hours.

By April, CEO Zhou reported that while 68.57% of the stolen funds remained traceable, 27.59% had effectively “gone dark” after being routed through cryptocurrency mixers and peer-to-peer platforms. Nonetheless, Bybit was able to recover some of the stolen funds.

Recovery initiatives included:

- A $140 million bounty program offering 10% of recovered funds
- Partnerships with Elliptic, Chainalysis, and TRM Labs for forensic tracking
- Industry-wide collaboration that froze $42.89 million in the first week

2025’s broader crypto crime wave

Bybit wasn’t an isolated incident. It headlined a record year for crypto theft, with $3.4 billion stolen globally.

North Korea accounted for $2.02 billion, a 51% increase from 2024, according to Chainalysis data.

The Bybit hack alone exceeded all North Korean thefts from the previous year, which totaled $1.34 billion across 47 separate incidents.

| Exchange | Loss | Attack Type |
|---|---|---|
| Bybit | $1.5 billion | Supply chain compromise |
| Nobitex | $90 million | Predatory Sparrow group |
| UPCX | $70 million | Protocol exploit |

As 2025 showed, the biggest crypto threats no longer attack the chains themselves; they exploit the centralized institutions and operational processes built around them.
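
The signing step described in the attack section comes down to two checks a signer can run before approving: does the payload on the signing device match what the interface displayed, and is it a delegatecall to an unexpected target. The Python below is an added example, not code from Bybit or SAFE; the `TxView` type, the function name, the allowlist and the sample addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass, fields

CALL, DELEGATECALL = 0, 1  # values of the Safe contract's `operation` enum


@dataclass(frozen=True)
class TxView:
    """The four fields of a multisig transaction that decide what it does."""
    to: str         # target address, hex string
    value: int      # wei sent with the call
    data: bytes     # calldata
    operation: int  # CALL or DELEGATECALL


def review_before_signing(displayed, to_sign, delegatecall_allowlist=frozenset()):
    """Return a list of findings; an empty list means nothing was flagged.

    displayed: what the web interface showed the signer.
    to_sign:   what the signing device was asked to sign, read over a channel
               that does not pass through the web interface (an assumption
               of this example).
    """
    findings = []
    for f in fields(TxView):
        shown, actual = getattr(displayed, f.name), getattr(to_sign, f.name)
        if f.name == "to":  # the same address may differ in checksum casing
            shown, actual = shown.lower(), actual.lower()
        if shown != actual:
            findings.append(f"MISMATCH {f.name}: shown {shown!r}, payload {actual!r}")
    allowed = {a.lower() for a in delegatecall_allowlist}
    if to_sign.operation == DELEGATECALL and to_sign.to.lower() not in allowed:
        findings.append(f"DELEGATECALL to non-allowlisted target {to_sign.to}")
    if to_sign.operation not in (CALL, DELEGATECALL):
        findings.append(f"UNKNOWN operation {to_sign.operation}")
    return findings


# Constructed sample data: placeholder addresses, not taken from the incident.
COLD_WALLET = "0x" + "aa" * 20
UNKNOWN_CONTRACT = "0x" + "bb" * 20
SHOWN = TxView(to=COLD_WALLET, value=10**18, data=b"", operation=CALL)
TAMPERED = TxView(to=UNKNOWN_CONTRACT, value=0,
                  data=bytes.fromhex("deadbeef"), operation=DELEGATECALL)

if __name__ == "__main__":
    for line in review_before_signing(SHOWN, TAMPERED):
        print(line)
```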

About the author: Jimmy Aki