March 11, 2025

Moving Forward: The Bybit Heist

The Bybit heist in February sent shockwaves through the crypto community. Here’s what we know about it and what we must keep in mind moving forward.

What Happened

On February 21st, 2025, the North Korean cybercrime unit run by what is known as the Lazarus Group, which the Federal Bureau of Investigation refers to more specifically as TraderTraitor, intercepted a routine cold-to-hot wallet transfer from Bybit, stealing $1.46 billion worth of digital assets, or 401,000 ETH.

This exorbitant amount was spread across thousands of addresses on multiple blockchains awaiting further laundering. Ten days after the hack, all 401,000 stolen ETH had been laundered into bitcoin, but recovery operations are to continue.

Authorities expect the crypto assets to be converted from different cryptocurrencies into fiat currency and the money to be used to fund the country’s nuclear and ballistic missile program. Efforts to recover these crypto assets are ongoing, with the cybersecurity industry’s “brightest minds” joining the effort, and incentives and rewards attracting bounty hunters across the world.

The scale of this attack places it among the largest cryptocurrency heists in history, surpassing even previous Lazarus Group exploits such as the 2022 Ronin Bridge hack, which resulted in a $625 million loss. This escalation highlights the increasing sophistication of state-sponsored cybercrime operations and raises concerns about the evolving security challenges facing digital asset platforms.

While early reports on the Bybit hack indicated that the Lazarus Group exploited smart contract vulnerabilities within the Safe Wallet custody protocol, forensic reports reveal that the infrastructure itself did not contain vulnerabilities.

Instead, it appears a Safe developer was targeted by social engineering tactics. The Lazarus Group gained access to their credentials and used them to deploy self-effacing malware that disguised transaction details, allowing the attackers to take control of the transaction and divert its funds. These sophisticated hackers exploited transaction visibility gaps within multi-signature systems to trick wallet guardians into signing a transaction that appeared routine but was in fact a malicious version of it.

Security analysts have pointed out that this breach underscores the increasing danger of supply chain attacks within the cryptocurrency ecosystem. Rather than targeting smart contracts or exchange infrastructure directly, attackers are now focusing on compromising the human element—developers and security teams—through tailored phishing campaigns, malware-laced job offers, and sophisticated impersonation techniques.

Lessons Learned

On one hand, the Bybit hack reminded the crypto community to take greater measures to protect ourselves against social engineering attacks, whether we are crypto company employees, regular traders or casual users. On the other hand, the heist increased awareness of vulnerabilities in multi-signature wallet systems, particularly regarding blind approval of transactions that appear routine but are in fact malicious.

In the wake of this large-scale crisis, Bybit responded quickly and transparently, collaborating with relevant authorities and communicating with clients. Several competitor exchanges in turn demonstrated solidarity by blacklisting the hackers’ wallets to prevent the funds from being moved and converted in ways that would break the trail, in an impressive display of the strength of the industry.

Industry-wide discussions have intensified about the need for standardized security frameworks for crypto exchanges and custodial services. Regulators and compliance bodies are now pushing for more robust security audits, mandatory penetration testing, and real-time anomaly detection systems that can flag suspicious transactions before they are approved.

The incident has also reignited debates over whether centralized entities should have greater authority to intervene in on-chain transactions under extraordinary circumstances. While some advocate for the ability to freeze stolen funds and revert malicious transactions, critics argue that such measures would compromise the decentralized nature of cryptocurrencies, potentially setting a dangerous precedent for future interventions.

From now on, security, vigilance and community will be reinforced within the crypto industry, but to prevent such an event from occurring again, security training and phishing awareness must be improved. Multi-signature systems must be revised so that they do not rely on the blind approval of transactions without additional information.

Symona Lam
Political Science Content Writer @ EZO