Introduction
On February 21, 2025 [2] [4] [5] [7] [9], Bybit [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], a prominent cryptocurrency exchange based in Dubai [1], suffered a major security breach attributed to North Korea’s Lazarus Group. The incident resulted in the theft of a substantial amount of cryptocurrency, making it one of the largest heists in the history of digital assets. The breach highlights significant security challenges faced by centralized exchanges and underscores the need for enhanced protective measures in the cryptocurrency industry.
Description
Bybit [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], a leading cryptocurrency exchange based in Dubai and the second-largest in the industry, experienced a significant security breach on February 21, 2025, attributed to North Korea’s Lazarus Group [2] [4] [6] [8] [10]. The incident resulted in the theft of approximately 401,347 ETH and 90,376 stETH, valued at around $1.44 billion [5] [7], making it one of the largest crypto heists in history [6] and surpassing the previous hacks of Ronin Network and Poly Network [3]. The Lazarus Group [1] [2] [3] [4] [5] [6] [7] [8] [10], a state-sponsored hacking organization notorious for executing large-scale cyberattacks to finance the North Korean regime, has been implicated in over $3 billion in cryptocurrency thefts since 2018 [4]. Cybersecurity analyst ZachXBT [1], along with blockchain investigators from firms such as Elliptic, provided definitive proof linking the hack to the Lazarus Group, including detailed analyses of the test transactions and associated wallets used prior to the exploit [8].
The breach occurred during a routine transfer from Bybit’s ETH multisig cold wallet [7] [9] [10], an offline storage system designed for security [6], to a warm wallet [2] [7] [9] [10]. Attackers employed sophisticated methods to manipulate the transaction process [7], masking the signing interface and redirecting funds to a hacker-controlled wallet [10]. Consequently, over 400,000 ETH and stETH were transferred to an unidentified address. Following the theft [1] [2] [3] [6] [7] [9] [10], the attackers engaged in advanced money laundering techniques to obscure the trail of the stolen assets [3]. Initially, stolen tokens were exchanged for Ether to avoid detection [2], as tokens can be frozen by their issuers [2]. Within minutes of the theft [2], significant amounts of stolen tokens were converted to Ether [2]. The second stage involved distributing the stolen funds to 50 different wallets [2], each containing approximately 10,000 ETH [2] [3], complicating tracing efforts [2] [7]. As of February 23, 10% of the stolen assets [2], valued at $150 million [1] [2] [9] [10], had been moved from these wallets [2].
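As an added illustration of the distribution stage described above (this is example code written for this summary, not code from the original article, Bybit, or any investigator named), the following Python detector runs over a constructed transfer list: it flags any sender that fans funds out into many near-equal outgoing transfers, the "50 wallets of roughly 10,000 ETH each" pattern, and cross-checks transfers against a suspicious-address list of the kind the exchange later published. All addresses, amounts and the suspicious list are constructed placeholders.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample transfers (not real chain data): (tx_index, sender, recipient, amount_eth).
# One hub address splits ~120k ETH into 12 near-equal legs of ~10,000 ETH, mirroring the
# "50 wallets x ~10,000 ETH" distribution stage; the exchange payouts below are benign noise.
HUB = "0xhub_constructed"
TRANSFERS = [(i, HUB, f"0xwallet{i:02d}_constructed", 10_000 + (i % 3) * 25) for i in range(12)]
TRANSFERS += [
    (100, "0xexchange_constructed", "0xuserA_constructed", 1.5),
    (101, "0xexchange_constructed", "0xuserB_constructed", 300.0),
    (102, "0xexchange_constructed", "0xuserC_constructed", 42.0),
]

# Constructed stand-in for a published suspicious-address list (placeholder values only).
SUSPICIOUS = {"0xwallet03_constructed", "0xwallet07_constructed"}


def find_fanouts(transfers, min_recipients=10, tolerance=0.05):
    """Return {sender: stats} for senders with >= min_recipients outgoing transfers
    whose amounts all lie within `tolerance` (fraction) of their mean."""
    legs = defaultdict(list)
    for _, sender, recipient, amount in transfers:
        legs[sender].append((recipient, amount))
    hits = {}
    for sender, outs in legs.items():
        if len(outs) < min_recipients:
            continue
        amounts = [a for _, a in outs]
        avg = mean(amounts)
        # Near-equal legs are the signature of a deliberate split, not organic activity.
        if all(abs(a - avg) <= tolerance * avg for a in amounts):
            hits[sender] = {"recipients": len(outs), "avg_amount": avg, "total": sum(amounts)}
    return hits


def flag_listed(transfers, suspicious):
    """Return tx indexes whose sender or recipient appears on the suspicious list."""
    return [idx for idx, s, r, _ in transfers if s in suspicious or r in suspicious]


if __name__ == "__main__":
    for sender, stats in find_fanouts(TRANSFERS).items():
        print(f"fan-out from {sender}: {stats['recipients']} legs, "
              f"avg {stats['avg_amount']:.0f} ETH, total {stats['total']:.0f} ETH")
    print("transfers touching listed addresses:", flag_listed(TRANSFERS, SUSPICIOUS))
```

The thresholds are tuning knobs: lowering `tolerance` reduces false positives from ordinary batch payouts, while `min_recipients` sets how wide a split must be before it is reported.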
To aid recovery efforts [2], Bybit has pledged up to $140 million as a bounty for cybersecurity experts involved in retrieving the stolen cryptocurrencies [2]. The exchange has collaborated with industry groups to trace and block some of the stolen funds [2], with the mETH Protocol team recovering 15,000 cmETH tokens worth around $44 million [2]. Bybit’s CEO [8] [9] [10], Ben Zhou [8] [9] [10], confirmed the exchange’s solvency and assured users that all client funds are backed 1:1 [9], stating that the exchange can cover the losses [9]. He also noted that Bybit has managed to recover nearly 80% of the stolen funds through bridge loans and is addressing withdrawal requests from affected users [10]. Additionally, Bybit has released a new API to update a list of suspicious wallet addresses and is developing a HackBounty platform to enhance industry-wide efforts in tracking down hackers [2]. The exchange has reassured users that its platform and services remain operational [5], having processed 70% of withdrawal requests following the incident [5].
ZachXBT has publicly shared over 920 wallet addresses associated with the theft to assist exchanges in blocking illicit transactions [4]. A global effort among crypto security teams led to the freezing of $42.89 million in stolen assets within a day [4]. The attack methods employed by the Lazarus Group include social engineering and exploiting vulnerabilities in crypto platforms, utilizing sophisticated laundering techniques to obscure transaction trails [4]. The group has a history of large-scale money laundering linked to North Korea [3], having transferred over $200 million in stolen cryptocurrency through mixers and peer-to-peer marketplaces from 2020 to 2023 [3]. Analysts note a shift in preference among cybercriminals towards cross-chain bridge methods for concealing illicit funds [3]. This hack adds to the Lazarus Group’s history of major cryptocurrency thefts [8], which includes the $625 million Ronin Network heist [8], the $100 million Atomic Wallet breach [8] [10], the $54 million CoinEx hack [8], and the $60 million Alphapo exploit [8]. If confirmed [7], this incident could position North Korea as one of the largest holders of ETH, potentially surpassing holdings by Ethereum co-founder Vitalik Buterin and the Ethereum Foundation [7]. The Bybit incident underscores ongoing security challenges in centralized exchanges and the urgent need for improved protective measures against sophisticated cyberattacks in the cryptocurrency industry. In response to the breach [3] [9], Bybit has assured users that their funds have been fully restored [3], including the $1.4 billion in stolen Ether [3], and plans to release a proof-of-reserve report to bolster client confidence [3]. Law enforcement continues to track the stolen funds [3], and multiple investigations are underway to assess the effectiveness of the Lazarus Group’s money transfer schemes [3].
Conclusion
The Bybit security breach serves as a stark reminder of the vulnerabilities inherent in centralized cryptocurrency exchanges. Despite the significant financial impact, Bybit’s proactive measures, including collaboration with industry groups and law enforcement, have facilitated the recovery of a substantial portion of the stolen assets. The incident underscores the necessity for ongoing advancements in cybersecurity protocols and the development of robust systems to safeguard digital assets. As the cryptocurrency landscape continues to evolve, exchanges must prioritize security to protect against increasingly sophisticated cyber threats.
References
[1] https://www.forbes.com/sites/stephenpastis/2025/02/21/dubai-crypto-exchange-bybit-is-hacked-for-144-billion-eth-but-ceo-says-losses-will-be-covered/
[2] https://www.infosecurity-magazine.com/news/bybit-140m-bounty-recover-mega/
[3] https://www.the-blockchain.com/2025/02/24/bybit-suffers-largest-crypto-heist-1-4b-stolen-laundering-underway/
[4] https://hackread.com/investigators-link-bybit-hack-north-korea-lazarus-group/
[5] https://www.csoonline.com/article/3831315/bybits-1-5b-hack-linked-to-north-koreas-lazarus-group.html
[6] https://www.nbcnews.com/tech/crypto/hackers-steal-15-billion-exchange-bybit-biggest-ever-crypto-heist-rcna193273
[7] https://www.forbes.com/sites/digital-assets/2025/02/21/latest-on-the-bybit-record-breaking-14-billion-dollar-crypto-hack/
[8] https://www.fxstreet.com/cryptocurrencies/news/bybits-14-billion-hack-traced-to-lazarus-group-zachxbt-202502220215
[9] https://coincentral.com/the-lazarus-group-heist-north-korean-hackers-steal-1-4b-from-bybit-exchange/
[10] https://www.biztechafrica.com/article/bybit-crypto-heist-north-koreas-lazarus-group-strikes-again/85160/