Refreshed 3d ago· updates every 6h

Bybit (2025) — Crypto Hack

Partially Recovered
Feb 21, 2025·
Ethereum
Amount Stolen
$1.50B
~500,000 ETH
Recovered
$200.0M
13% of stolen funds

North Korean Lazarus Group compromised Bybit's cold wallet via a sophisticated supply chain attack on Safe{Wallet} multisig infrastructure.

Summary

North Korean Lazarus Group compromised Bybit's cold wallet via a sophisticated supply chain attack on Safe{Wallet} multisig infrastructure.

How It Was Compromised — CEX via Private Key Compromise / Social Engineering

CEXPrivate Key Compromise / Social Engineering

On February 21, 2025, Bybit's ETH cold wallet was drained of approximately $1.5 billion. Attackers compromised the Safe{Wallet} frontend used by Bybit's signers, injecting malicious JavaScript that replaced the legitimate transaction payload with a delegatecall to a malicious contract. The multisig signers approved what appeared to be a routine transfer but inadvertently authorized a complete wallet takeover.

Fund Flow & Laundering Analysis

Funds moved rapidly: ETH split across thousands of wallets within hours. Attackers used THORChain to bridge ETH to BTC, then routed through multiple Bitcoin mixing services. Portions converted to DAI via decentralized exchanges. Blockchain analytics firms (Elliptic, Chainalysis) tracked flows to known Lazarus Group wallets. Approximately $200M frozen or recovered through exchange cooperation.

Related Incidents

For educational and transparency purposes only. Not financial advice. Data compiled from public sources and may contain approximations.