Dubai-based cryptocurrency exchange Bybit Technology Ltd. has been hacked, with some $1.5 billion in cryptocurrency stolen in what is believed to be the largest single theft in cryptocurrency history.
Bybit is a well-known cryptocurrency exchange with more than 60 million users. It’s regularly ranked among the top five cryptocurrency exchanges online by volume.
The hack was disclosed on Feb. 21. The company said an attacker gained control of an Ethereum wallet and transferred the holdings in the wallet to an unknown address. More specifically, the attack occurred during a routine transfer from Bybit’s offline “cold” wallet to a “warm” wallet designated for daily trading activities. Attackers exploited vulnerabilities in the process to gain unauthorized access to the cold wallet before transferring about 401,000 ETH.
“Unfortunately, this transaction was manipulated through a sophisticated attack that masked the signing interface, displaying the correct address while altering the underlying smart contract logic,” Bybit explained on X. “As a result, the attacker was able to gain control of the affected ETH cold wallet and transfer its holdings to an unidentified address.”
In response to the attack, Bybit’s co-founder and Chief Executive Officer Ben Zhou assured users of the platform’s solvency, emphasizing that all client assets are backed one-to-one and that the company has reserves exceeding $20 billion to cover the losses.
Along with assuring clients that losses would be covered, the company is also offering 10% of any recovered funds to reward ethical cyber and network security experts who play an active role in retrieving the stolen cryptocurrencies.
Despite assurances from Bybit, the disclosure of the attack immediately resulted in a run on some accounts at the exchange, since investors are well aware that past exploits of this type have resulted in cryptocurrency exchanges going out of business. According to CoinDesk, exchange users pulled $4 billion from Bybit, which, combined with the stolen cryptocurrency, amounts to some $5.5 billion in outflows from the exchange.
Enter North Korea
Following the attack, various investigators and other interested parties set out to find who had stolen the Ethereum, and it didn’t take long to trace the theft to North Korea and specifically the Lazarus Group.
The Lazarus Group has been around for years and has been behind high-profile cyberattacks, including the 2014 Sony Pictures breach and the 2017 WannaCry ransomware outbreak. The group has also targeted cryptocurrency exchanges in the past, including being linked to the theft of 4,500 bitcoins from Japanese cryptocurrency exchange DMM Bitcoin in 2024.
The first to find the link was Arkham Intelligence, which posted to X saying that researcher ZachXBT had definitive proof.
BREAKING: BYBIT $1 BILLION HACK BOUNTY SOLVED BY ZACHXBT
At 19:09 UTC today, @zachxbt submitted definitive proof that this attack on Bybit was performed by the LAZARUS GROUP.
His submission included a detailed analysis of test transactions and connected wallets used ahead of… https://t.co/O43qD2CM2U pic.twitter.com/jtQPtXl0C5
— Arkham (@arkham) February 21, 2025
In a subsequent tweet, ZachXBT linked the Bybit hack to another hack involving another cryptocurrency exchange, Phemex, which had at least $69 million in cryptocurrency stolen from it in January.
Lazarus Group just connected the Bybit hack to the Phemex hack directly on-chain commingling funds from the initial theft address for both incidents.
Overlap address:
0x33d057af74779925c4b2e720a820387cb89f8f65
Bybit hack txns on Feb 22, 2025:… pic.twitter.com/dh2oHUBCvW
— ZachXBT (@zachxbt) February 22, 2025
Though recovering stolen funds from a North Korean-backed hacking group is no easy task, even state-sponsored hacking groups have to try to hide their stolen gains, and that’s not always easy.
In some good news, nearly $43 million of the stolen funds have been frozen in wallets through a coordinated effort and an affiliated token has been blocked and removed.
Also being considered, but not guaranteed to happen, is a push by Zhou and some others, notably BitMEX co-founder Arthur Hayes, to “roll back” the Ethereum blockchain to recover the stolen Ethereum. As noted by CoinDesk, it’s not entirely clear how feasible this is. Doing so would also require consensus from the community, something that may not be forthcoming and could even result in a hard fork of the cryptocurrency.
Image: SiliconANGLE/Grok 3