North Korean Hackers Steal $1.5 Billion in Record Bybit Crypto Exchange Heist


A massive cybersecurity breach at Bybit, a Dubai-based cryptocurrency exchange, has resulted in the theft of approximately $1.4–$1.5 billion worth of crypto assets. U.S. authorities and blockchain investigators have attributed the unprecedented hack – the largest crypto theft on record – to North Korea’s state-sponsored Lazarus Group. The heist, carried out on Feb. 21, 2025, dwarfs all previous crypto exchange hacks and has sent shockwaves through the digital asset industry and regulatory circles.


Key Facts:

  • Stolen Amount: Roughly 400,000 ETH (including staked Ether tokens) were drained, worth about $1.4–$1.5 billion at the time. This single haul surpasses the previous record ($620 million from the Ronin Network in 2022) by a wide margin.
  • Attack Method: Hackers exploited a software supply-chain vulnerability. They compromised code in Bybit’s wallet management tool, tricking the system into approving a fraudulent transfer from an offline “cold” wallet to the attackers’ address.
  • Suspected Culprits: Lazarus Group, a notorious North Korean hacking team, is blamed for the attack. The FBI has warned this group (also dubbed “TraderTraitor”) is rapidly laundering the stolen crypto across many accounts and blockchains.
  • User Impact: Bybit insists no clients will lose funds – the exchange’s assets still exceed user balances, and it has covered the loss from reserves. However, news of the hack spurred over $5 billion in user withdrawals within days as a precaution.
  • Market Reaction: The hack rattled the crypto market. Ether’s price dropped ~4% after the incident, and an estimated $75 billion was wiped from the broader crypto market amid a brief panic sell-off. Regulators in the U.S. and Dubai quickly issued warnings and began monitoring the fallout.


How Hackers Breached Bybit’s Wallet

Investigations reveal that the thieves executed a supply-chain attack targeting the software that Bybit uses to manage its cold wallet. According to forensic analyses, the perpetrators were able to alter the JavaScript code of Bybit’s wallet management application (provided by a third-party vendor called Safe or “SafeWallet”) by compromising one of Safe’s developer accounts. In doing so, the attackers inserted malicious code into a pending wallet update or transaction process. This tampered code disguised a fraudulent transfer as a legitimate transaction, effectively fooling Bybit’s systems and administrators.

In practical terms, the hackers created a deceptive smart contract proposal that tricked Bybit’s wallet custodians (or automated signing system) into approving a transfer of funds to the hacker-controlled address. The exchange’s Ethereum multi-signature wallet – which normally requires multiple approvals for security – was undermined by the spoofed interface, causing the approvers to unwittingly sign off on a withdrawal that emptied the vault. Once the malicious transaction was signed as if it were routine, the attackers gained full control of the wallet and promptly moved out all the ETH.

Crucially, this hack did not exploit a bug in Ethereum itself, nor in the core SafeWallet smart contracts. Safe (the wallet provider) confirmed that one of its developer machines was compromised, allowing the attacker to push a tainted update, and that the cloud server used to host the wallet software was breached as part of the attack vector. In other words, the weak link was the human and supply-chain element – the hackers targeted a Safe developer (likely via phishing or malware) and infiltrated the software distribution, rather than directly attacking Bybit’s infrastructure. Safe has since patched the issue and “added security measures to eliminate the attack vector,” according to a statement the company released after learning of the incident. No vulnerabilities were found in the Safe wallet’s underlying code; the breach was achieved through external compromise and trickery.
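The lesson of the section above is that the approvers signed whatever the tampered front end showed them. The Python example below, added here and not code from Bybit or Safe, shows the defensive counterpart: an independent check of the raw fields a signer is actually asked to approve (destination, calldata, operation) against an allowlist, so a mismatch between the interface's label and the real recipient is caught before anyone signs. The addresses, token contract and allowlist policy are constructed assumptions, not values from the incident.

```python
# Added example (not Bybit's or Safe's code); addresses and policy are constructed.
# Validates the raw fields that will be signed instead of trusting a web front end.
ERC20_TRANSFER_SELECTOR = "a9059cbb"   # first 4 bytes of keccak("transfer(address,uint256)")
CALL, DELEGATECALL = 0, 1               # values of the Safe 'operation' field

def strip0x(h: str) -> str:
    h = h.lower()
    return h[2:] if h.startswith("0x") else h

def decode_erc20_transfer(data: str):
    """Return (recipient, amount) if calldata is an ERC-20 transfer, else None."""
    d = strip0x(data)
    if len(d) != 8 + 64 + 64 or d[:8] != ERC20_TRANSFER_SELECTOR:
        return None
    recipient = "0x" + d[32:72]          # last 20 bytes of the 32-byte address word
    return recipient, int(d[72:], 16)

def build_transfer_calldata(recipient: str, amount: int) -> str:
    """Constructed ERC-20 transfer calldata used for the sample transactions."""
    return "0x" + ERC20_TRANSFER_SELECTOR + strip0x(recipient).rjust(64, "0") + format(amount, "064x")

def check_safe_tx(tx: dict, allowed_recipients: set, allowed_tokens: set) -> list:
    """List policy violations in the raw fields; an empty list means they match policy."""
    violations = []
    to, data = tx["to"].lower(), tx.get("data", "0x")
    if tx.get("operation", CALL) != CALL:
        violations.append("operation is not a plain CALL")
    if strip0x(data) == "":                 # plain ETH transfer: 'to' is the real recipient
        if to not in allowed_recipients:
            violations.append(f"ETH recipient {to} not allowlisted")
    else:                                   # token transfer: the real recipient is inside calldata
        decoded = decode_erc20_transfer(data)
        if decoded is None:
            violations.append("calldata is not a recognised ERC-20 transfer")
        else:
            if to not in allowed_tokens:
                violations.append(f"token contract {to} not allowlisted")
            if decoded[0] not in allowed_recipients:
                violations.append(f"token recipient {decoded[0]} not allowlisted")
    return violations

TREASURY = "0x" + "11" * 20     # constructed: allowlisted destination
TOKEN = "0x" + "22" * 20        # constructed: allowlisted token contract
UNKNOWN = "0x" + "33" * 20      # constructed: destination a spoofed UI would mislabel as the treasury
SAMPLE_TXS = {  # both would render as "send tokens to Treasury" in a tampered front end
    "routine": {"to": TOKEN, "operation": CALL, "data": build_transfer_calldata(TREASURY, 10**18)},
    "spoofed": {"to": TOKEN, "operation": CALL, "data": build_transfer_calldata(UNKNOWN, 10**18)},
}

def review_samples() -> dict:
    return {name: check_safe_tx(tx, {TREASURY}, {TOKEN}) for name, tx in SAMPLE_TXS.items()}
```

Run on a machine that does not load the wallet's web interface, the check flags the "spoofed" sample by its calldata alone, which is exactly the information a compromised interface hides.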


Impact on Bybit Users

For Bybit’s millions of users, news of the hack was alarming, but the exchange moved quickly to contain the damage. Initial panic led to a surge in withdrawals from the platform as customers rushed to secure their assets elsewhere. Within 48 hours of the hack, more than $5 billion in funds had been withdrawn from Bybit by cautious users – a scenario likened to a digital-age “bank run”. Despite this stress test, Bybit managed to process over 350,000 withdrawal requests within 10 hours, clearing 99.9% of backlogs by the next day. The exchange kept withdrawals open throughout (rather than freezing customer assets), a move praised by some in the crypto community for its transparency and user-centric approach.

Bybit’s leadership has been emphatic that user balances remain safe and fully backed. “Bybit is solvent even if this hack loss is not recovered. All client assets are one-to-one backed; we can cover the loss,” CEO Ben Zhou assured, highlighting that the company’s reserves exceeded its liabilities. Bybit reportedly held around $20 billion in total assets prior to the hack, and the stolen sum (roughly 7–8% of its assets) has been absorbed by the exchange’s insurance funds, treasury, and a bridge loan from partners. In a public chat, Zhou reiterated to users that their funds were secure and that any affected customers would be fully reimbursed under a new refund program. In practice, this means Bybit is covering the losses out of pocket to ensure no client loses money – a critical step to maintain trust.

Thanks to these measures, Bybit was able to restore normal operations within 12 hours of the attack. Trading, deposits, and withdrawals all continued, and the exchange pledged to release a detailed incident report and enhanced security plan in the following days. The quick recovery and openness likely helped prevent a wider crisis of confidence in the platform. Even though a record sum was stolen, Bybit’s commitment to make users whole – and the visible support it received from the crypto community – prevented the hack from turning into an existential threat for the exchange.