Bybit Exchange Hacked for $1.5B with Lazarus Group Pulling the Strings

On February 21, 2025, Bybit, a major cryptocurrency exchange, experienced a significant security breach, resulting in the theft of over $1.5 billion worth of Ethereum (ETH) from one of its cold wallets. This incident has been described as one of the largest crypto heists in history, surpassing previous notable thefts like the $611 million Poly Network hack in 2021.

The breach occurred during a routine transfer from Bybit’s ETH multi-signature cold wallet to a warm wallet, where attackers used a sophisticated method to manipulate the transaction. By masking the signing interface, they deceived the wallet signers into approving a malicious transaction, altering the underlying smart contract logic to gain unauthorized access and drain the funds.
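The mitigation this attack pattern calls for is a signer-side check that does not trust the signing interface at all: decode the raw payload and compare it with the transfer the operators agreed on through a separate channel, refusing to sign on any mismatch. The following is an added illustration, not code from the article or from Bybit; the payload fields (to, data, operation) are an assumed shape modelled on common multi-signature wallets, and the sample addresses and amounts are constructed.

```python
from dataclasses import dataclass

# keccak256("transfer(address,uint256)")[:4]: the standard ERC-20 transfer selector
ERC20_TRANSFER_SELECTOR = "a9059cbb"

@dataclass(frozen=True)
class IntendedTransfer:
    contract: str   # ERC-20 contract the wallet is expected to call
    to: str         # destination agreed through a channel other than the signing UI
    amount: int     # token base units

def strip0x(h: str) -> str:
    h = h.lower()
    return h[2:] if h.startswith("0x") else h

def decode_erc20_transfer(data: str):
    """Return (recipient, amount) if `data` is a well-formed transfer() call, else None."""
    d = strip0x(data)
    if len(d) != 8 + 64 + 64 or d[:8] != ERC20_TRANSFER_SELECTOR:
        return None
    # address is the low 20 bytes of the first 32-byte word; amount is the second word
    return "0x" + d[8 + 24:8 + 64], int(d[8 + 64:], 16)

def verify_payload(intended: IntendedTransfer, tx: dict) -> list:
    """Compare the raw payload with the agreed transfer; any finding means: do not sign."""
    problems = []
    # Assumed payload shape: to, data, operation (0 = CALL, 1 = DELEGATECALL).
    if tx.get("operation", 0) != 0:
        problems.append("operation is not a plain CALL; it could alter the wallet's own logic")
    if strip0x(tx["to"]) != strip0x(intended.contract):
        problems.append(f"target {tx['to']} is not the expected contract {intended.contract}")
    decoded = decode_erc20_transfer(tx.get("data", "0x"))
    if decoded is None:
        return problems + ["calldata is not a plain ERC-20 transfer()"]
    recipient, amount = decoded
    if strip0x(recipient) != strip0x(intended.to):
        problems.append(f"recipient {recipient} differs from agreed {intended.to}")
    if amount != intended.amount:
        problems.append(f"amount {amount} differs from agreed {intended.amount}")
    return problems

def encode_erc20_transfer(to: str, amount: int) -> str:
    """Build transfer() calldata; used here only to construct the sample payloads."""
    return "0x" + ERC20_TRANSFER_SELECTOR + strip0x(to).rjust(64, "0") + f"{amount:064x}"

# Constructed sample: the agreed transfer, an honest payload, and a payload a masked UI
# could render identically although its raw fields differ.
INTENDED = IntendedTransfer("0x" + "aa" * 20, "0x" + "bb" * 20, 10**18)
HONEST_TX = {"to": INTENDED.contract, "operation": 0,
             "data": encode_erc20_transfer(INTENDED.to, INTENDED.amount)}
MASKED_TX = {"to": INTENDED.contract, "operation": 1,
             "data": encode_erc20_transfer("0x" + "cc" * 20, INTENDED.amount)}
```

`verify_payload(INTENDED, HONEST_TX)` returns an empty list, while the masked payload is rejected for both its operation type and its substituted recipient; in practice the decoded result should be read from a device or channel the signing workstation does not control.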

Blockchain investigator ZachXBT, along with analytics firm Arkham Intelligence, has linked this attack to the North Korea-backed Lazarus Group, a notorious hacking collective known for high-profile crypto thefts. ZachXBT provided detailed evidence, including test transaction analysis, wallet tracking, forensic charts, and temporal analysis, which Arkham confirmed as “definitive proof” of the Lazarus Group’s involvement. This evidence was submitted on February 21, 2025, at 19:09 UTC, earning ZachXBT a bounty of 50,000 ARKM tokens (approximately $31,500-$32,000).

The Lazarus Group has a history of similar attacks, including the $625 million Ronin Network hack in 2022 and the $300 million DMM Bitcoin theft in 2024, often using advanced phishing and social engineering tactics to exploit vulnerabilities. Bybit’s CEO, Ben Zhou, confirmed the hack but reassured users that the exchange remains solvent, with client assets backed 1:1, meaning they can cover the losses even if the stolen funds are not recovered.

Zhou noted that only one ETH cold wallet was compromised, and other cold wallets remain secure. The exchange secured a bridge loan covering about 80% of the lost funds and continues to process withdrawals, though some delays have occurred due to high demand. Approximately 70% of withdrawal requests have been fulfilled as of the latest updates.

The stolen 401,346 ETH (valued at around $1.5 billion at the time) was initially transferred to a primary wallet and then dispersed across multiple wallets—over 40, according to some reports—to obscure tracking efforts.

At least $200 million in staked Ether (stETH) has reportedly been sold on decentralized exchanges. The attack’s scale caused a temporary market reaction, with Ethereum’s price dropping over 4% before partially rebounding, reflecting broader market volatility. This incident underscores ongoing security challenges in the crypto industry, particularly around human factors in transaction approval systems like multi-signature wallets.

Bybit kept its trading platform operational, avoiding a full shutdown that could have eroded trust further. Zhou’s assurances about solvency and the bridge loan were aimed at calming users and the broader market, which saw a temporary drop in ETH prices before stabilizing. The exchange’s ability to continue functioning without imposing drastic measures (e.g., freezing all withdrawals) helped mitigate long-term reputational damage.

The Lazarus Group’s involvement, if fully confirmed, would further highlight their role as a major threat, potentially amassing significant ETH holdings for North Korea. Bybit is collaborating with blockchain forensic experts and law enforcement to investigate and recover the assets, though historical precedents suggest recovery may be difficult. The event has sparked renewed calls for enhanced security measures across the cryptocurrency sector.

Overall, Bybit managed the crisis by leveraging its financial reserves, securing external funding, and maintaining open communication while prioritizing user access to funds. However, the situation remains fluid as of February 22, 2025, with withdrawal delays and the ongoing investigation potentially affecting user sentiment. The exchange’s long-term recovery will depend on its ability to restore full liquidity, strengthen security, and rebuild trust in a highly competitive and security-conscious industry.