Key takeaways

  • On Feb. 21, 2025, attackers exploited vulnerabilities in Bybit’s cold wallet infrastructure, siphoning off $1.5 billion in Ethereum in the largest exchange hack to date.
  • Investigations linked the breach to North Korea’s Lazarus Group, which used advanced techniques to manipulate transactions and launder stolen funds.
  • Bybit responded swiftly, securing emergency liquidity, strengthening security measures and maintaining full solvency to prevent a mass user exodus.
  • The hack triggered a 24% drop in Ethereum’s price, pushed Bitcoin below $90,000 and intensified regulatory scrutiny on crypto exchange security.

It started like any other day in the control room at Bybit — until it wasn’t.

A routine transfer from the exchange’s Ethereum cold wallet suddenly triggered an alert. Within minutes, millions of dollars in crypto had vanished. By the time the dust settled, over $1.5 billion worth of Ether (ETH) had been siphoned off in what would become one of the largest cryptocurrency heists in history.

The February 2025 Bybit hack was a meticulously planned operation that exposed critical vulnerabilities in even the most secure trading platforms. The breach exploited weaknesses in the transaction approval processes, smart contract logic and offchain infrastructure.

The aftermath was equally dramatic. Bitcoin (BTC) and ETH prices plummeted, investors panicked, and regulators sharpened their focus on security standards. As investigations unfolded, authorities traced the attack back to North Korea’s infamous Lazarus Group, a state-backed cybercrime syndicate with a long history of targeting financial institutions.

Ether's post-hack dip

This article unpacks the full story: how the attack happened, the tactics used by the hackers, the immediate fallout and what it means for the future of crypto security.

Prelude to the 2025 Bybit hack

In the years leading up to the February 2025 Bybit hack, the cryptocurrency industry experienced a significant escalation in cyber threats. The first half of 2024 alone saw a doubling in funds stolen through crypto hacks and exploits compared to the same period in 2023.

The increasing amount of crypto hacks and exploits

Centralized platforms, in particular, remained prime targets. This is usually because vast amounts of cryptocurrency are stored in a single location, increasing the potential payoff for cybercriminals.

As such, Bybit had implemented several security measures to protect its assets and user funds, including:

  • Cold storage: A significant portion of user funds were stored in cold wallets, which are offline and considered less susceptible to hacking attempts.
  • Multisignature wallets: Bybit utilized multisignature (multisig) wallets, requiring multiple private keys to authorize transactions, thereby adding an extra layer of security against unauthorized access.
  • Regular security audits: The exchange conducted periodic security assessments to identify and address potential system vulnerabilities.

Despite these precautions, the race against cybercriminals was ongoing. State-sponsored hacking groups, notably North Korea’s Lazarus Group, had intensified their focus on cryptocurrency exchanges, employing sophisticated tactics to infiltrate even well-secured platforms.

Adversaries were also increasingly exploiting vulnerabilities in third-party software and services integrated with exchanges, compromising them indirectly through their suppliers.

At the same time, attackers more often targeted exchange personnel through phishing and other deceptive practices to gain unauthorized access to critical systems.

These factors and more set the stage for the unprecedented breach that Bybit would experience.

Timeline of the Bybit hack: Feb. 21, 2025

Timeline of the Feb. 2025 Bybit hack

So, how did they do it?

The attackers executed a highly sophisticated and meticulously planned exploit that targeted Bybit’s cold wallet infrastructure. The attack involved four key steps.

1. Compromising the Safe UI

The hackers first gained access to the Safe UI, likely through a supply chain attack or social engineering. They injected a malicious JavaScript payload that could detect and modify outgoing transactions in real time.

2. Altering the smart contract logic

Once inside the UI, the attackers modified the transaction details before they were displayed to the signers. A ‘delegatecall’ instruction was secretly embedded in the transaction; because a delegatecall runs external code in the context of the wallet contract itself, it let them upgrade the smart contract logic without triggering security alarms. Instead of transferring funds to Bybit’s hot wallet as intended, the transaction redirected the assets to a wallet controlled by the attackers.

3. Masking the signing interface

The UI displayed a legitimate-looking transaction to Bybit’s security team, making it appear as a routine fund transfer. However, in the background, the attackers had rewritten key parameters, ensuring the actual transaction remained undetected. Once the authorized personnel signed the transaction, it was executed onchain, unknowingly handing control of the cold wallet over to the attackers.

4. Executing the unauthorized transfer

After gaining control, the attackers initiated multiple withdrawals in rapid succession to various unidentified addresses. The lesson is that even with stringent onchain security measures, offchain vulnerabilities can still be exploited by determined adversaries.
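The defensive counterpart to steps 1 to 3 is an independent “what you see is what you sign” check, shown here as an added example that is not Bybit’s or Safe’s code: the signer rebuilds the transaction from their own intent and compares it field by field with the payload actually handed to the signing device, flagging any delegatecall. The addresses and amounts are constructed placeholders; the gas and refund fields of a real Safe transaction are omitted.

```python
from dataclasses import dataclass
from typing import List, Optional

CALL, DELEGATECALL = 0, 1
# keccak256("transfer(address,uint256)")[:4], the standard ERC-20 transfer selector
ERC20_TRANSFER_SELECTOR = "a9059cbb"

@dataclass(frozen=True)
class SafeTx:
    """The fields a Safe signer commits to (gas/refund fields omitted for brevity)."""
    to: str          # contract or recipient the wallet will call
    value: int       # wei of native ETH sent with the call
    data: str        # hex calldata without 0x prefix ("" for a plain ETH transfer)
    operation: int   # 0 = CALL, 1 = DELEGATECALL

def encode_erc20_transfer(recipient: str, amount: int) -> str:
    """ABI-encode transfer(address,uint256) as hex calldata."""
    addr = recipient.lower().removeprefix("0x").rjust(64, "0")
    return ERC20_TRANSFER_SELECTOR + addr + f"{amount:064x}"

def expected_tx(token: Optional[str], recipient: str, amount: int) -> SafeTx:
    """Rebuild the transaction from the signer's own intent: a routine transfer is always a CALL."""
    if token is None:
        return SafeTx(recipient, amount, "", CALL)
    return SafeTx(token, 0, encode_erc20_transfer(recipient, amount), CALL)

def verify(intended: SafeTx, presented: SafeTx) -> List[str]:
    """Compare intent with what is actually sent to the signing device; [] means safe to sign."""
    findings = []
    if presented.operation == DELEGATECALL:
        findings.append("operation is DELEGATECALL: callee code runs as the wallet and can rewrite its logic")
    for field in ("to", "value", "data", "operation"):
        want, got = getattr(intended, field), getattr(presented, field)
        if isinstance(want, str):
            want, got = want.lower(), got.lower()
        if want != got:
            findings.append(f"{field} mismatch: expected {want!r}, presented {got!r}")
    return findings

# Constructed sample: the operator intends a 30,000 ETH cold-to-hot transfer ...
HOT_WALLET = "0x" + "11" * 20          # placeholder address
IMPLANT_CONTRACT = "0x" + "22" * 20    # placeholder address
INTENDED = expected_tx(None, HOT_WALLET, 30_000 * 10**18)
# ... while the tampered UI hands the device a delegatecall into an attacker-controlled contract
PRESENTED = SafeTx(IMPLANT_CONTRACT, 0, encode_erc20_transfer(HOT_WALLET, 30_000 * 10**18), DELEGATECALL)

def check_sample() -> List[str]:
    return verify(INTENDED, PRESENTED)

if __name__ == "__main__":
    for finding in check_sample() or ["no discrepancies; safe to sign"]:
        print(finding)
```

The comparison must be driven by data the signer obtains independently of the web front end (their own intent plus the raw fields shown on the hardware device); a check that reads both sides from the same compromised page detects nothing.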

Did you know? In the aftermath of the Bybit hack, the stolen funds were rapidly converted into Bitcoin and other cryptocurrencies, then dispersed across numerous blockchain addresses — a tactic known as “chain hopping” — to obscure their origins and hinder recovery efforts.

Bybit’s recovery efforts

After the $1.5 billion hack, Bybit acted swiftly to secure its platform, restore user confidence and replenish lost assets.

Security measures and containment

Bybit isolated the compromised cold wallet and halted unauthorized transactions within minutes of detecting the breach. The security team launched an immediate forensic investigation, working with blockchain analytics firms and law enforcement.

To prevent further exploits, Bybit partnered with Safe (its wallet provider) to overhaul multisig security and implemented stricter manual verification measures for high-value transactions.

Financial recovery and solvency assurance

Despite the massive loss, Bybit assured users that all customer assets were 1:1 backed and withdrawals remained open.

Within 72 hours, the exchange secured emergency liquidity, raising 447,000 ETH through loans and partner contributions from firms like Binance, Bitget and Galaxy Digital. Bybit chose not to buy ETH on the open market to avoid price manipulation, instead using strategic fund injections to fully restore reserves.

Communication and transparency

CEO Ben Zhou publicly addressed users within 30 minutes of the breach, hosting a live-streamed Q&A and providing daily updates on fund recovery and security upgrades. A full proof-of-reserves (PoR) audit was completed on Feb. 24, confirming Bybit’s solvency.

Fund recovery efforts

Bybit collaborated with exchanges, stablecoin issuers and forensic teams to freeze stolen funds and track laundering attempts. A bounty program offering 10% of recovered assets ($140M) was launched to incentivize tip-offs.

Bybit’s rapid response, financial stability and transparency helped prevent mass withdrawals and restore trust, positioning the exchange for long-term recovery.

Attribution of the Bybit hack to the Lazarus Group

In the aftermath of the February 2025 Bybit hack, investigations swiftly pointed toward North Korea’s state-sponsored hacking collective, the Lazarus Group.

The US Federal Bureau of Investigation (FBI) publicly attributed the cyberattack to this group, highlighting their involvement in the largest cryptocurrency heist to date.

The FBI’s analysis revealed that the stolen assets were converted into Bitcoin and other cryptocurrencies and dispersed across numerous blockchain addresses.

This tactic aligns with the Lazarus Group’s known methods of obfuscating the origins of illicit funds to facilitate laundering and eventual conversion to fiat currency.

Lazarus Group’s involvement in previous cryptocurrency thefts

The Lazarus Group, also referred to as TraderTraitor, has a notorious history of cybercrimes, particularly targeting financial institutions and cryptocurrency platforms. Their operations are believed to significantly fund North Korea’s nuclear and missile programs.

Notable incidents attributed to the Lazarus Group include:

  • 2022 Ronin Network hack: The group orchestrated a breach of the Ronin Network, a blockchain platform underpinning the popular NFT-based game Axie Infinity, resulting in the theft of about $620 million in cryptocurrency.
  • 2022 Horizon Bridge attack: They were implicated in the $100 million theft from the Horizon blockchain bridge, further showcasing their focus on exploiting vulnerabilities in crosschain platforms.
  • 2023 Atomic Wallet breach: The group was linked to the theft of over $100 million from users of the Atomic Wallet service, employing sophisticated techniques to compromise user assets.

10 Crypto heists by the Lazarus Group

Did you know? The Bybit hack triggered a 24% drop in Ethereum’s price and pushed Bitcoin below $90,000, marking its lowest value since November 2024.

Ripple effects on investor confidence and market stability

The February 2025 Bybit hack had far-reaching consequences for investor confidence, market stability and regulatory oversight.

The sheer scale of the breach eroded trust in cryptocurrency exchanges, leading to a decline in trading volumes and a shift toward more secure or regulated platforms.

Forbes noted that the hack could “dent consumer confidence in crypto and raise further questions by policymakers keen to put the brakes on digital assets.”

The incident also triggered heightened market volatility, with Bitcoin dropping over 5% to a three-and-a-half-month low, trading below $80,000 for the first time since November.

Reuters attributed this decline partly to the fallout from the Bybit breach, which fueled investor uncertainty. In response, regulators intensified their scrutiny of cryptocurrency exchanges, calling for stricter security measures.

The National Law Review reported that the hack led to renewed discussions about tightening oversight and enforcing stronger industry-wide protections.

The hack highlighted an uncomfortable truth — cryptocurrency platforms remain vulnerable to sophisticated, well-funded attackers. The industry must prioritize security innovation, proactive threat detection and stronger global cooperation to prevent another breach of this magnitude.

In an ecosystem built on trust and transparency, the stakes have never been higher.