In a stunning blow to the cryptocurrency industry, Bybit, one of the world’s leading crypto exchanges, has confirmed a massive security breach that resulted in the theft of approximately 401,347 ETH, valued at over $1.4 billion USD.
The incident, which unfolded on February 21, 2025, is now being described as the largest cryptocurrency hack in history, surpassing previous records and exposing persistent vulnerabilities in the digital asset ecosystem.
On-chain investigators and Bybit’s leadership have since linked the attack to the notorious North Korean cybercriminal organization, Lazarus Group, raising alarms about the growing sophistication of state-sponsored threats in the crypto space.
The Breach: How It Happened
The hack targeted Bybit’s Ethereum (ETH) multi-signature cold wallet during a routine transfer to its warm wallet. According to Bybit CEO Ben Zhou, the attackers employed a highly deceptive tactic, utilizing a “masked UI” to trick the wallet’s signing team.
Zhou explained in a statement posted on X at 10:44 PM WAT on February 21, “It appears that this specific transaction was masked; all the signers saw a fake UI that displayed the correct address, and the URL appeared to be from Safe.”
Unbeknownst to the team, the transaction granted the hacker control over the cold wallet, enabling them to drain its entire ETH holdings to an unknown address in a matter of minutes.
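Added example (not part of the original article, and not Bybit's or Safe's code): a pre-signing check that reads the raw transaction payload instead of trusting what the interface displays, which is the gap a masked UI relies on. It assumes the payload uses the Safe transaction fields to, value, data and operation; the function names, addresses and amounts are constructed for illustration.

```python
CALL = 0                      # Safe "operation" value for an ordinary call
ERC20_TRANSFER = "a9059cbb"   # selector of transfer(address,uint256)


def effective_transfer(tx):
    """Return (recipient, amount, token) encoded in the raw payload, or None."""
    data = tx["data"].lower()
    data = data[2:] if data.startswith("0x") else data
    if not data:                                  # plain ETH transfer
        return tx["to"].lower(), tx["value"], None
    if data[:8] == ERC20_TRANSFER and len(data) == 8 + 128:
        recipient = "0x" + data[32:72]            # low 20 bytes of word 1
        return recipient, int(data[72:], 16), tx["to"].lower()
    return None                                   # calldata we cannot explain


def check_before_signing(tx, intent):
    """List every way the raw payload differs from the signers' intent."""
    findings = []
    if tx["operation"] != CALL:
        findings.append("operation is not a plain CALL")
    decoded = effective_transfer(tx)
    if decoded is None:
        return findings + ["calldata is not a recognised transfer"]
    recipient, amount, token = decoded
    if recipient != intent["recipient"].lower():
        findings.append("recipient mismatch: payload pays " + recipient)
    if amount != intent["amount"]:
        findings.append("amount mismatch")
    if token != intent["token"]:
        findings.append("asset mismatch")
    return findings


# Constructed sample values, not addresses from the incident.
WARM, OTHER, TOKEN = ("0x" + b * 20 for b in ("11", "22", "33"))
INTENT = {"recipient": WARM, "amount": 10**18, "token": None}
AS_DISPLAYED = {"to": WARM, "value": 10**18, "data": "0x", "operation": CALL}
AS_SIGNED = {"to": OTHER, "value": 0, "operation": 1,
             "data": "0x" + ERC20_TRANSFER + OTHER[2:].rjust(64, "0") + f"{5:064x}"}

if __name__ == "__main__":
    print("as displayed:", check_before_signing(AS_DISPLAYED, INTENT))
    for finding in check_before_signing(AS_SIGNED, INTENT):
        print("REFUSE:", finding)
```

The check is only useful when it runs on a device and code path independent of the signing interface, so that a compromised front end cannot alter both the display and the verification.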
On-chain analytics have since traced the stolen funds, revealing that the hacker began swapping assets like mETH and stETH for ETH on decentralized exchanges (DEXs). This rapid movement underscores the attacker’s intent to liquidate and obscure the funds as quickly as possible.
Lazarus Group Connection Confirmed
Prominent crypto sleuth ZachXBT, in collaboration with Chainalysis Forensics, uncovered compelling on-chain evidence tying the Bybit exploit to the Lazarus Group, a North Korean hacking collective infamous for targeting cryptocurrency firms.
Arkham Intelligence corroborated these findings, awarding ZachXBT a $50,000 bounty for his definitive proof linking the attack to the group.
The evidence also connects the Bybit hack to a recent exploit of the Phemex exchange, suggesting a coordinated campaign by Lazarus.
If confirmed, this would position North Korea as one of the largest holders of ETH globally, surpassing even Ethereum co-founder Vitalik Buterin and the Ethereum Foundation.
The Lazarus Group’s involvement highlights the escalating threat of state-backed cyberattacks in the crypto sector, with Chainalysis noting that 2024 has already seen $2.2 billion in stolen funds—a 21.1% increase from the previous year.
Bybit’s Response: Transparency and Damage Control
Bybit’s leadership has been swift and transparent in addressing the crisis, setting a new standard for exchange responses to security breaches. Within 30 minutes of the hack’s detection, CEO Ben Zhou took to X to confirm the incident and reassure users of the exchange’s financial stability.
“We have fortunately worked quickly and extensively with on-chain analytics providers to identify and demix the implicated addresses,” Zhou stated in a follow-up post at 11:07 PM WAT on February 21.
In a livestream held on February 22, Zhou provided further updates:
Approximately 80% of the hacked ETH has been secured through rapid response efforts.
Bybit will not purchase ETH on the spot market to replenish losses but will instead rely on bridge loans from partners to stabilize operations.
Zhou emphasized there is “no issue of a bank run,” urging calm among users.
Additionally, Bybit detected the hacker attempting to transfer Bitcoin (BTC) via Chainflip, a cross-chain bridge. In response, the exchange is preparing to launch a bounty program to incentivize the identification and blacklisting of recipient wallets across exchanges, aiming to hinder the attacker’s ability to spend the stolen funds.
Industry Implications
The Bybit hack has reignited debates over the security of centralized exchanges (CEXs), which Chainalysis reports have seen a resurgence in attacks in 2024 after years of hackers focusing on decentralized finance (DeFi) protocols.
The breach’s scale—representing nearly 19% of the total value stolen in crypto hacks this year—underscores the need for enhanced security measures, particularly around multi-signature wallets and UI verification processes.
Posts on X reflect a mix of shock and concern within the crypto community. One user noted, “This just proves that on-chain security isn’t locked at the most,” while another praised Bybit’s handling of the situation, stating, “The way Ben Zhou is giving all the updates to the community is exemplary.”
Meanwhile, speculation about broader market impacts is rife, with some suggesting the influx of stolen ETH could influence crypto-traditional finance correlations in the coming weeks.
Looking Ahead
Bybit has committed to further updates as the situation evolves, with Zhou promising detailed recovery actions and preventive measures in future communications.
The exchange’s collaboration with on-chain analytics firms and its call for industry-wide wallet blacklisting signal a proactive approach to mitigating the damage.
However, the incident serves as a stark reminder of the crypto sector’s ongoing battle against sophisticated cyber threats, particularly from groups like Lazarus.
As the investigation continues, On-Chain will monitor developments closely, providing updates on fund recovery efforts, the bounty program, and any additional insights into the Lazarus Group’s operations.
For now, the Bybit hack stands as a sobering milestone in crypto history—one that may reshape security protocols and trust in centralized platforms for years to come.
On-Chain Media articles are for educational purposes only. We strive to provide accurate and timely information. This information should not be construed as financial advice or an endorsement of any particular cryptocurrency, project, or service. The cryptocurrency market is highly volatile and unpredictable. Before making any investment decisions, you are strongly encouraged to conduct your own independent research and due diligence.