Bybit Hacked: $1.5 Billion in Ethereum Stolen by Lazarus Group

Generated by AI Agent, Coin World
Tuesday, Apr 1, 2025 4:14 am ET

On February 21, 2025, the cryptocurrency community experienced its largest attack to date. The Bybit exchange was targeted in a massive heist, resulting in the theft of approximately $1.5 billion in Ethereum tokens within a matter of hours. This incident surpassed previous breaches, including the $540 million Ronin Network hack in 2022, the $600 million Poly Network exploit in 2021, and the infamous Mt. Gox collapse in 2014. The Bybit hack not only marks a turning point in crypto security but also offers important lessons for exchanges, developers, and users across the ecosystem.

The attack was meticulously planned and executed by a North Korean cybercriminal organization known as the Lazarus Group. Within days of the attack, ZachXBT published evidence linking it to this group, including test transactions, connected wallets, forensic graphs, and timing details. The Lazarus Group is known for its sophisticated cyber warfare tactics, and this attack was no exception. Bybit relied on a third-party service to facilitate the transfer of tokens from a cold wallet to a warm wallet using a multi-signature approval process. However, the attackers compromised a machine linked to the third-party provider and injected malicious JavaScript into the transaction signing workflow, manipulating the process undetected.

Using advanced phishing and social engineering techniques, the attackers obtained internal credentials, enabling unauthorized access. The similarity to the January 2025 Phemex hack further supports attribution to the Lazarus Group. Once inside, they manipulated the system to meet transaction criteria that would authorize transfers, ultimately draining 401,000 ETH, worth roughly $1.5 billion, into wallets under their control. Only a single Bybit cold wallet was compromised, resulting in the loss of $1.46 billion. The attack’s speed was particularly alarming. Within 48 hours, over $160 million had been laundered through complex networks of intermediary wallets, decentralized exchanges, and cross-chain bridges. By February 26, just five days after the initial breach, over $400 million had been moved, demonstrating a high level of operational efficiency. However, more than $700 million in ETH remains in the exploiters’ wallets.

The response from Bybit and the broader crypto community was swift and well-coordinated. Bybit made a public announcement around 90 minutes after the illicit transfers. The exchange immediately launched a bounty program offering 10% of any successfully frozen or recovered assets. This move was not just about recovering funds; it was a signal to the entire crypto ecosystem that collaborative defense had become crucial. Various crypto companies worked in close coordination with law enforcement, national security organizations, and regulators to trace the stolen funds.

This incident underscores a hard truth: once-trusted safeguards—like cold storage and multisignature wallets—are no longer enough in the face of evolving threats. Security must be viewed not as a checkbox, but as a continuous, collaborative effort. Exchanges, security providers, and regulators must form stronger alliances, share intelligence in real time, and adapt to a constantly shifting threat landscape. The Lazarus Group, the threat actor linked to this breach, has a well-documented history of employing stealthy, persistent mechanisms to maintain long-term access in compromised environments. This “aggressive persistence” allows them to stay embedded over extended periods, silently preparing for follow-up attacks even after initial compromises are discovered. If any portion of their access remains, it is reasonable to expect a repeat of the exploit, potentially targeting additional wallets or systems. Finding technical measures to detect and evict this kind of persistence is therefore urgent.

The breach of Safe{Wallet}’s AWS infrastructure underscores the critical need for rigorous security practices and continuous monitoring within cloud environments. A detailed forensic investigation will not only shed light on the specifics of this incident but also provide actionable insights to bolster defenses against future attacks. It is imperative for organizations to proactively assess and fortify their cloud security postures to safeguard against increasingly sophisticated cyber threats. For many years, cold wallets - offline storage solutions - have been considered the gold standard of digital asset security. Isolated from the Internet, they were assumed to be impervious to remote attacks. However, this breach showed that cold storage is not a silver bullet. In this case, the attackers did not need to directly access the cold wallet itself. Instead, they exploited the human and infrastructural layers that interface with it. By compromising a third-party service responsible for initiating transfers from cold storage to warm wallets, and by deceiving signing officers through phishing and manipulated transaction flows, the attackers effectively bypassed the security promises of cold storage. This indirect path to compromise is far more dangerous—and harder to detect—than traditional wallet attacks.

One month after the breach, many questions remain unanswered. Yet, the Bybit hack has laid bare some uncomfortable truths—even the most well-established exchanges are not immune to sophisticated threats. Still, if there is a silver lining to be found, it’s the swift and coordinated response across the industry. The rapid collaboration between exchanges, security firms, and investigators stands out as one of the most encouraging takeaways from this incident. In the realm of digital assets, security is not a fixed state but an ongoing, collaborative effort. Exchanges, cybersecurity teams, infrastructure providers, and regulators must build tighter alliances, share intelligence proactively, and continually adapt to a rapidly shifting threat landscape.
