Bybit Cyberattack Results in $1.5 Billion Ethereum Theft, the Largest Exchange Exploit

March 6, 2025

Bybit lost $1.5B in a cyberattack linked to North Korean hackers. The breach stemmed from a compromised Safe{Wallet} developer machine.

On February 21, 2025, Bybit, one of the world’s largest cryptocurrency exchanges, was hit by a massive cyberattack, leading to the theft of around USD 1.5 billion in Ethereum (ETH) tokens. This breach has set a new record as the largest exploit in crypto exchange history, surpassing previous breaches and drawing attention to the growing sophistication of cybercriminals.

For context, North Korea has been responsible for a significant portion of cryptocurrency thefts, with estimates indicating that the country stole around USD 800 million in digital assets in 2024 alone. These attacks, which were far larger than those of other hackers, underscore North Korea’s focus on high-profile, large-scale operations aimed at maximizing impact.

FBI Confirms North Korean Hackers Behind Bybit Theft

The FBI has confirmed that North Korean hackers were behind the theft from the cryptocurrency exchange Bybit on February 21st, marking the largest recorded crypto heist to date.

In response, the FBI has advised RPC node operators, exchanges, DeFi platforms, and blockchain analytics firms to block transactions from addresses associated with the North Korean hackers to prevent further laundering of the stolen assets.

The hacking group, known as TraderTraitor, Lazarus Group, and APT38, intercepted a scheduled transfer from Bybit’s cold wallet to a hot wallet, rerouting the cryptocurrency to a blockchain address they controlled.

In a Public Service Announcement, the FBI mentioned that the attackers, identified as TraderTraitor, have rapidly converted some of the stolen funds into Bitcoin and other virtual assets, spreading them across thousands of addresses on multiple blockchains. They warned that these assets would likely be further laundered before being converted to fiat currency.

Following the incident, crypto fraud investigator ZachXBT traced several connections to the notorious Lazarus Group, a North Korean hacking group, after finding that some of the stolen Bybit funds were transferred to an Ethereum address previously linked to hacks on exchanges such as Phemex, BingX, and Poloniex.

Bybit’s Post-Mortem and Safe{Wallet} Breach

On Wednesday, Bybit CEO Ben Zhou released initial post-mortem reports from Sygnia and Verichains, two cybersecurity and finance security firms, which indicated that the attack stemmed from infrastructure operated by Safe{Wallet}, a multisig wallet platform.

The Safe Ecosystem Foundation confirmed the findings, revealing that the hackers initially breached a Safe{Wallet} developer’s machine, which gave the North Korean hackers access to a Bybit-operated account.

According to the investigation, the Lazarus Group used the compromised developer machine to create and propose a disguised malicious transaction that led to the breach. In addition, U.S. federal law enforcement provided a list of 51 Ethereum addresses involved in the laundering of the stolen Bybit funds, all traced back to the Lazarus hackers.
