
Bybit Hack Explained: Analyzing The Biggest Attack In Crypto History

On 21 February 2025, Bybit – one of the world’s largest crypto exchanges – fell victim to the largest cryptocurrency heist on record. Around 401,000 ETH (worth roughly $1.5 billion at the time) was illicitly transferred from Bybit’s Ethereum cold wallet to attacker-controlled addresses.

Investigations revealed that North Korea’s notorious Lazarus Group was behind the hack. More surprisingly, the attack was almost identical to other earlier centralized exchange hacks, such as WazirX, Phemex, and Radiant Capital.

So, how were Lazarus hackers able to use the same method over and over again and ultimately carry out the biggest hack in crypto history? Here’s a detailed analysis of the Bybit hack.

How was Bybit hacked?

Investigations revealed a supply chain attack targeting Bybit’s use of the Safe (formerly Gnosis) multisig wallet platform. Hackers compromised a Safe developer’s machine, allowing them to inject malicious JavaScript into Safe’s web app code. This code masked a malicious transaction as a benign transfer in the Safe UI.

Essentially, when Bybit’s team authorized what appeared to be a routine cold-to-hot wallet transfer, they unknowingly approved a hidden transaction that changed the multisig’s logic and ownership, handing control to the attacker.

In simple terms, Safe Wallet is the third-party multisig wallet platform through which Bybit managed its Ethereum. A computer belonging to a Safe Wallet developer was infected.

The attacker changed code that users trust. The altered code hid a dangerous transaction behind a normal-looking one, so when Bybit approved what it believed was a routine transaction, it unwittingly approved a harmful one.

Here is an easy way to understand the attack:

  • Step 1: The hackers break into a developer’s account at the wallet service.
  • Step 2: They change a file that is used by the wallet app.
  • Step 3: This change makes a malicious transaction look like a harmless one.
  • Step 4: When Bybit signs a transfer, the code secretly gives control of the wallet to the hacker.
  • Step 5: The hacker drains the funds from the wallet.

The method relied on tricking the system. The hackers hid their actions behind normal operations. This trick worked because the harmful code looked like the real code. The attack did not require a direct breach of Bybit’s security systems.

Detailed timeline of key events:

  • 19 February: Attackers insert malicious code into Safe’s app (supply chain compromise).
  • 21 February (~14:13 UTC): Bybit initiates a routine cold-to-hot wallet transfer; the malicious code disguises a transfer that hands control of the cold wallet to attackers. Approximately 401k ETH (and related tokens) are drained to the attacker’s fresh wallet.
  • 21 February (within minutes): Attackers begin swapping staked ETH tokens (stETH, mETH, cmETH) for regular ETH via DEXs to prevent token freeze measures. Hundreds of millions in tokens are converted to ETH soon after the theft.
  • 21 February (within hours): Bybit CEO publicly confirms the hack on X (Twitter) and assures users of funds safety and ongoing withdrawals. Bybit processes a surge of ~350k withdrawal requests in 12 hours, maintaining normal operations.
  • 22 February: Hackers continue laundering. Roughly $200m of stolen ETH/stETH is now swapped or moved. Industry players react — Tether freezes $181k USDT linked to the hacker, and exchanges together freeze ~$42.5M of suspect funds. Meanwhile, Bybit announces a 10% recovery bounty of up to $140m.
  • 23–24 February: Blockchain analytics firms (Elliptic, Chainalysis, TRM Labs) attribute the hack to North Korea’s Lazarus Group, noting overlaps with past Lazarus-linked wallets. Bybit, working with these firms and law enforcement, helps freeze more funds (total frozen climbs above $40m by 24 February). Bybit also launches a public API ‘blacklist’ of hacker wallets to crowdsource tracking.
  • 26 February: The FBI issues an official PSA naming North Korean TraderTraitor actors (a.k.a. Lazarus) as responsible for the ~$1.5bn theft. The FBI warns that stolen ETH was rapidly converted to BTC and other assets across “thousands of addresses on multiple blockchains”. By this date, about $400m+ of the haul had been laundered (per TRM).
  • 27 February: Global news outlets (Reuters, AP) report the FBI’s attribution of the historic hack to North Korea. Bybit, Chainalysis, and others continue tracing and collaborating to recover funds, with ~$40m seized or frozen in various jurisdictions.

A common pattern from North Korea’s Lazarus

Virtually all investigations point to the Lazarus Group, a notorious North Korean state-backed hacking unit, as the culprit behind the Bybit hack. Blockchain analysis by Elliptic “attributed the Bybit theft to North Korea” within days.

TRM Labs also confirmed North Korea’s involvement, noting clear overlaps between wallets used in Bybit’s exploit and those from previous DPRK heists. On 26 February 2025, the US FBI officially linked the hack to North Korean actors via a public service announcement. The FBI uses the codename ‘TraderTraitor’ for this cluster of DPRK hackers.

Notably, TraderTraitor was previously implicated in a $308m hack of Japan’s DMM Bitcoin exchange (May 2024), highlighting a pattern of high-value exchange breaches.

Past crypto hacks from Lazarus Group

Lazarus Group (North Korea) has an infamous history of crypto heists, and the Bybit hack fits a years-long campaign of such operations:

  • Ronin Bridge (Axie Infinity) – March 2022: Over $600m stolen by compromising a blockchain bridge’s validators. Lazarus laundered those funds through Tornado Cash mixer.
  • Atomic Wallet – June 2023: ~$100m stolen from individual wallet users (likely via a malicious update or phishing). Funds were bridged across chains and swapped similarly to Bybit’s case.
  • Stake.com – Sept 2023: $41m stolen from a crypto casino’s hot wallets on multiple chains (confirmed Lazarus).
  • CoinEx, Binance, Poloniex – 2023/24: A series of exchange and DeFi hacks attributed to DPRK, netting $1.34bn in 2024 alone for North Korea.
  • WazirX Exchange – 2024: $235m stolen via a malicious transaction trick (remarkably similar method to Bybit).
  • DMM Bitcoin (Japan) – May 2024: $308m hack by TraderTraitor (per authorities).

North Korea’s total crypto theft since 2017 exceeds $6bn, funding its sanctioned regime. The Bybit hack alone stole more than DPRK-affiliated hackers stole in all of 2024 combined, underscoring an escalation in scale.

Tracking the Bybit funds

After the hack, the attackers moved funds quickly through many channels. They split the stolen money into smaller amounts. This splitting makes it hard for investigators to follow the money trail.

The attackers sent large amounts of ETH to several new wallets. They broke the funds into many smaller transfers. This step confuses trackers who try to follow a single large movement. Soon after, the attackers swapped staked tokens for regular ETH. This conversion protects the funds from possible freezes on staked tokens.


Use of decentralized exchanges

The hackers used decentralized exchanges to convert and hide the funds. They moved funds on platforms such as Uniswap and 1inch. These exchanges do not require user identification. This lack of checks makes transactions fast and hard to trace.

The transfers moved funds from ETH to other assets. In some cases, the hackers converted some ETH to Bitcoin. Converting to Bitcoin helps hide the origin of funds further.

Cross-chain transfers

The attackers did not stay on a single blockchain. They moved funds from Ethereum to Binance Smart Chain and Solana.

They used cross-chain bridges to perform these transfers. Each chain has its own ledger. The move across chains creates multiple records. Investigators must follow several separate trails to track the funds.

Role of mixers

Mixers like Tornado Cash play an important part in this process. Mixers blend funds from many users into a single pool. This blending breaks the link between the sender and receiver. The hackers likely used mixers to further hide their moves. Some services have high liquidity limits, which help mix large amounts of money. Other services, such as Sinbad or Wasabi Wallet, may also have been used.

These mixers make it hard to trace individual coins. Despite these tactics, blockchain analysis firms trace suspicious patterns over time.


Responses from DEXs and mixers

Decentralized exchanges like Uniswap and 1inch process trades automatically. These platforms have not blocked the hacker addresses. Their systems work on open code and do not check for suspicious behavior. Some platforms have built-in alerts. These alerts flag large or abnormal trades, but they do not stop them.

Mixers such as Tornado Cash face a challenge. They allow users to mix funds quickly. Some mixers have been pressured to block known hacker addresses. However, many mixers have no identity checks or control measures.

This design makes it hard for them to stop illicit transactions. Law enforcement agencies work with blockchain firms to monitor these services. They share information with exchanges that use blockchain data to freeze funds.

In response, some services have taken steps. A few mixers now offer options to flag or limit large, suspicious transactions. Some decentralized exchanges have added tools to monitor suspicious flows. These steps help law enforcement get timely alerts.

The measures aim to disrupt the continuous movement of stolen funds. Many services are under pressure from regulators and industry partners to help slow down the laundering process.

Final thoughts

In conclusion, the Bybit hack of February 2025, though devastating in scale, became a pivotal case study in crypto cybersecurity. It highlighted both the cunning of state-backed hackers and the power of a unified, transparent response.

The event is driving advancements in how exchanges secure assets, how analytics trace illicit flows, and how regulators and industry cooperate against a common adversary. As Chainalysis noted, “uniting resources and intelligence” is the way to strengthen defenses – a lesson well learned from this unprecedented incident.

  1. Is Bybit safe to use after the hack?

     Yes. Bybit acted swiftly after the breach and maintained secure operations. They enhanced their security measures and continue to serve their users.

  2. How much did hackers steal from Bybit?

     Hackers stole nearly 401,000 ETH, which was valued at about $1.5 billion at the time of the incident.

  3. Was Bybit able to recover funds from hackers?

     Bybit has recovered around $40 million in frozen funds. The company works with law enforcement and blockchain analysts to recover additional assets.

Mohammad Shahid @ CryptoManiaks

Mohammad is an experienced crypto writer with a specialisation in cybersecurity. He covers a wide variety of topics spanning everything from blockchain and Web3 to the retail crypto space. He has also worked for several start-ups and ICOs, gaining insight into the mindset and motivation of the founders behind the projects.
