Bybit (2025) — Crypto Hack
Partially RecoveredNorth Korean Lazarus Group compromised Bybit's cold wallet via a sophisticated supply chain attack on Safe{Wallet} multisig infrastructure.
Summary
North Korean Lazarus Group compromised Bybit's cold wallet via a sophisticated supply chain attack on Safe{Wallet} multisig infrastructure.
How It Was Compromised — CEX via Private Key Compromise / Social Engineering
On February 21, 2025, Bybit's ETH cold wallet was drained of approximately $1.5 billion. Attackers compromised the Safe{Wallet} frontend used by Bybit's signers, injecting malicious JavaScript that replaced the legitimate transaction payload with a delegatecall to a malicious contract. The multisig signers approved what appeared to be a routine transfer but inadvertently authorized a complete wallet takeover.
Fund Flow & Laundering Analysis
Funds moved rapidly: ETH split across thousands of wallets within hours. Attackers used THORChain to bridge ETH to BTC, then routed through multiple Bitcoin mixing services. Portions converted to DAI via decentralized exchanges. Blockchain analytics firms (Elliptic, Chainalysis) tracked flows to known Lazarus Group wallets. Approximately $200M frozen or recovered through exchange cooperation.