Inside The Bybit Hacking Incident: Lessons From The Breach
On February 21, 2025, the cryptocurrency community witnessed the largest attack so far: the Bybit exchange became the victim of the largest cryptocurrency heist in history. Approximately $1.5 billion in Ethereum tokens was stolen in a matter of hours, surpassing all previous breaches.
This incident not only marks a turning point in crypto security but also offers important lessons for exchanges, developers, and users across the ecosystem. Within days of the attack, ZachXBT submitted proof linking the attack to a North Korean cybercriminal organization - the Lazarus Group.
ZachXBT's analysis included test transactions, connected wallets, forensic graphs, and timing details. According to ZachXBT, the cluster of addresses is also linked to the Phemex and BingX hacks. This was not just another cybercrime or a simple exploit of faulty code. It was a meticulously planned operation that showed the evolving sophistication of state-sponsored cyber warfare.
Bybit relied on a third-party service to facilitate the transfer of tokens from a cold wallet—used for offline storage—to a warm (online) wallet, using a multi-signature approval process. However, attackers compromised a machine linked to the third-party provider and injected malicious JavaScript into the transaction signing workflow, manipulating the process undetected.
Using advanced phishing and social engineering techniques, the attackers obtained internal credentials, enabling unauthorized access.
The similarity to the January 2025 Phemex hack further supports attribution to Lazarus Group. Once inside, they manipulated the system to meet transaction criteria that would authorize transfers—ultimately draining 401,000 ETH, worth roughly $1.5 billion, into wallets under their control.
Only a single Bybit cold wallet was compromised, resulting in the loss of $1.46 billion as follows: The attack’s speed was particularly alarming. Within 48 hours, over $160 million had been laundered through complex networks of intermediary wallets, decentralized exchanges, and cross-chain bridges.
By February 26, just five days after the initial breach, over $400 million had been moved, demonstrating a high level of operational efficiency. However, according to Kaiko Research, more than $700M in ETH remains in the exploiters’ wallets.
Nick Carlsen, a North Korea expert and former FBI subject matter expert at TRM, described the strategy as a "flood the zone" technique—overwhelming blockchain analysts and law enforcement with rapid, high-frequency transactions across multiple platforms.
Collaborative Defence Across The Industry
The response from Bybit and the broader crypto community was swift and well-coordinated. Many questions remain unanswered one month after the breach, yet there is a silver lining to be found: the rapid collaboration between exchanges, security firms, and investigators.
Security is not a fixed state but an ongoing, collaborative effort. Exchanges, cybersecurity teams, infrastructure providers, and regulators must build tighter alliances, share intelligence proactively, and continually adapt to a rapidly shifting threat landscape.
Cold Wallets Are Not Secure Anymore
For many years, cold wallets - offline storage solutions - have been considered the gold standard of digital asset security. Isolated from the Internet, they were thought to be impervious to remote attacks. However, this breach showed that cold storage is not a silver bullet.
In this case, the attackers did not need to directly access the cold wallet itself. Instead, they exploited the human and infrastructural layers that interface with it. By compromising a third-party service responsible for initiating transfers from cold storage to warm wallets, and by deceiving signing officers through phishing and manipulated transaction flows, the attackers effectively bypassed the security promises of cold storage.
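The failure mode described above is a signing front-end that shows the approvers one transaction while submitting another. The defender-side check below is an added example written for this article; it is not Bybit's code nor the third-party provider's, and it assumes a simplified TransferRequest structure, a SHA-256 digest as a stand-in for the real signing hash, a hypothetical allowlist of warm-wallet addresses, and constructed placeholder addresses. Its point is that a signer must compare the screen against a payload obtained independently of the UI, and recompute the digest rather than trust the one the UI presents.

```python
"""Out-of-band check that what a multisig signer is shown matches what will be signed.

Added example: simplified model, not the real wallet software or chain hashing.
"""
import hashlib
import json
from dataclasses import dataclass, asdict

# Constructed placeholder addresses for the example; not real wallets.
WARM_WALLET = "0x" + "a1" * 20
ATTACKER_WALLET = "0x" + "b2" * 20

# Hypothetical policy: cold-to-warm transfers may only land on pre-approved warm wallets.
WARM_WALLET_ALLOWLIST = {WARM_WALLET}


@dataclass(frozen=True)
class TransferRequest:
    """Fields of a cold-to-warm transfer as the multisig would sign them (simplified)."""
    to: str
    value_wei: int
    data: str      # hex calldata; "0x" means a plain value transfer
    nonce: int


def canonical_digest(req: TransferRequest) -> str:
    """Deterministic digest over every field.

    Stand-in for the real signing hash. What matters is that the checker
    recomputes it from the raw payload instead of taking it from the UI.
    """
    payload = json.dumps(asdict(req), sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def check_before_signing(displayed: dict, raw: TransferRequest, presented_digest: str) -> list[str]:
    """Return every discrepancy found; an empty list means it is safe to sign.

    displayed        -- the fields the signing UI shows the approver (may lie)
    raw              -- the payload fetched independently of that UI
    presented_digest -- the digest the signing device is being asked to sign
    """
    problems: list[str] = []
    actual = asdict(raw)

    # 1. Field by field: screen versus independently obtained payload.
    for field, shown in displayed.items():
        if actual.get(field) != shown:
            problems.append(f"{field}: screen shows {shown!r} but payload carries {actual.get(field)!r}")

    # 2. Recompute the digest; never accept the UI's word for it.
    if canonical_digest(raw) != presented_digest:
        problems.append("presented digest does not match the independently recomputed one")

    # 3. Policy checks that do not depend on the UI at all.
    if raw.to not in WARM_WALLET_ALLOWLIST:
        problems.append(f"destination {raw.to!r} is not an approved warm wallet")
    if raw.data != "0x":
        problems.append("a plain cold-to-warm transfer should carry no calldata")

    return problems


def honest_case() -> list[str]:
    """UI, payload and digest all agree: nothing to report."""
    req = TransferRequest(to=WARM_WALLET, value_wei=10**18, data="0x", nonce=42)
    shown = {"to": WARM_WALLET, "value_wei": 10**18, "data": "0x"}
    return check_before_signing(shown, req, canonical_digest(req))


def tampered_case() -> list[str]:
    """Constructed scenario: the screen shows the warm wallet, the payload does not.

    A compromised front-end hashes what it really submits, so the digest alone
    looks consistent; the field comparison and the allowlist are what catch it.
    """
    req = TransferRequest(to=ATTACKER_WALLET, value_wei=10**18, data="0x", nonce=42)
    shown = {"to": WARM_WALLET, "value_wei": 10**18, "data": "0x"}
    return check_before_signing(shown, req, canonical_digest(req))


if __name__ == "__main__":
    print("honest:", honest_case() or "ok to sign")
    for p in tampered_case():
        print("tampered:", p)
```

The check only helps if `raw` really comes from a second path (a separate machine, the transaction service's API queried directly, or the hardware signer's own display) and the allowlist lives outside the web front-end; if both inputs are read from the same compromised page, the comparison is meaningless.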
This incident underscores a hard truth: once-trusted safeguards—like cold storage and multisignature wallets—are no longer enough in the face of evolving threats. Security must be viewed not as a checkbox, but as a continuous, collaborative effort.
The Future Of Crypto Security
Exchanges, security providers, and regulators must form stronger alliances, share intelligence in real-time, and adapt to a constantly shifting threat landscape. In the realm of digital assets, security is not a fixed state but an ongoing, collaborative effort.
By working together, we can build a more secure future for cryptocurrency users. It's time to move beyond the traditional thinking of security as a checkbox and embrace a continuous, proactive approach that prioritizes collaboration and intelligence-sharing.