
In the early hours of February 21, 2025, the cryptocurrency world was thrust into chaos. A staggering $1.5 billion in digital assets vanished from Bybit, a Dubai-based cryptocurrency exchange, in what is now the largest crypto heist in history. The attack, attributed to North Korea’s notorious Lazarus Group, has sent shockwaves through the industry, exposing critical vulnerabilities in what were, until recently, thought to be among the most secure systems and raising urgent questions about the future of crypto.
The stolen funds, primarily in Ethereum and staked Ethereum (stETH), were siphoned from Bybit’s multisignature cold wallet — a system designed to be nearly impenetrable. Or so we thought.
Multisig wallets are often likened to nuclear launch codes. They require multiple authorized signatures to access funds. Yet, in a matter of minutes, the hackers bypassed these safeguards, manipulating the wallet’s interface and smart contract logic to execute the theft.
“The Bybit hack has shattered long-held assumptions about crypto security,” said researchers from cybersecurity firm Check Point. “No matter how strong your smart contract logic or multisig protections are, the human element remains the weakest link.”

Cryptocurrency Wallets
The attack began during a routine transfer of funds from Bybit’s cold wallet to its hot wallet — a standard practice for exchanges to manage day-to-day transactions.
Your typical crypto wallet stores two critical pieces of information: a public key, which acts like an account number, and a private key, a long alphanumeric string that serves as a password. The private key is what allows users to access and transfer their funds. Without it, the money is effectively locked away.
The way these keys are stored and managed determines how secure — or vulnerable — a wallet is. Hot wallets are the most accessible — and the most exposed. These wallets are always connected to the internet, making them ideal for quick transactions. But this constant connectivity also makes them a prime target for hackers. Over the years, hot wallets have been drained of billions of dollars in digital assets, often because attackers managed to steal the private key. Think of a hot wallet as a wallet you carry in your pocket: easy to use but risky if someone picks your pocket.
Cold wallets, by contrast, are like safes. They store private keys offline, disconnected from the internet, which makes them far more secure. Cold wallets can take various forms, from hardware devices resembling USB drives to paper printouts of private keys locked away somewhere secure. Some people even memorize their private keys so that the information can’t be found anywhere else. As long as the key stays offline, it cannot be stolen by a remote attack.
The trade-off is convenience: transferring funds requires connecting the device to a computer or manually entering the key, and that signing step is the one moment a cold wallet is exposed. For exchanges like Bybit, cold wallets are the gold standard for storing large sums of cryptocurrency, but exchanges still have to move crypto from cold wallets to hot wallets at some point in order to do business and transfer assets.
Multisignature (multisig) wallets take security a step further. These wallets require multiple approvals — or digital signatures — before any transaction can be executed. Imagine a nuclear launch system that needs two or more people to turn their keys simultaneously. Similarly, a multisig wallet might require signatures from three out of five authorized individuals to move funds. This setup not only deters theft but also ensures that no single person has unilateral control over the assets. Multisig wallets are often used by exchanges and organizations to safeguard large sums of cryptocurrency, as they combine the security of cold storage with the flexibility of shared access.
So, What Happened?
Bybit had followed industry best practices, keeping the majority of its assets in multisig cold wallets. But the hackers, believed to be part of North Korea’s infamous Lazarus Group, exploited a sophisticated vulnerability. They manipulated the user interface (UI) of the wallet, making it appear as though legitimate transactions were being approved. In reality, the attackers were diverting funds to their own wallets. By the time Bybit detected the breach, over 400,000 ETH and stETH had been stolen.
The hackers also manipulated the smart contract logic governing the wallet. Smart contracts are self-executing contracts with the terms of the agreement directly written into code. By altering this code, the attackers were able to execute a malicious transaction that appeared valid to the system. This manipulation masked their actions, making it difficult for Bybit to detect the breach until it was too late.
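The multisig mechanism described in the section above and the interface manipulation described here can be shown together. The following Python is an added example, not Bybit’s or any wallet vendor’s code: it simulates a 2-of-3 approval in which the interface shows signers a routine cold-to-hot transfer while the digest actually handed over for signing belongs to a different transaction, and contrasts a signer who trusts the display with one who recomputes the digest from the displayed fields. Signatures are stood in by HMAC-SHA256 with constructed signer secrets, and the addresses, amounts and nonce are made up.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    to: str          # destination address
    value_wei: int   # amount in wei
    data: str        # hex calldata ("0x" for a plain transfer)
    nonce: int

def tx_digest(tx: Tx) -> bytes:
    # Canonical encoding so every signer derives identical bytes from identical fields.
    canonical = json.dumps({"to": tx.to.lower(), "value_wei": tx.value_wei,
                            "data": tx.data.lower(), "nonce": tx.nonce},
                           sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).digest()

def sign(key: bytes, digest: bytes) -> bytes:
    # Stand-in for a wallet's asymmetric signature; HMAC keeps the example stdlib-only.
    return hmac.new(key, digest, hashlib.sha256).digest()

def blind_signer(key: bytes, displayed: Tx, digest: bytes):
    # Trusts the interface: signs whatever digest is handed over ("displayed" is ignored).
    return sign(key, digest)

def verifying_signer(key: bytes, displayed: Tx, digest: bytes):
    # Recomputes the digest from the fields actually shown and refuses any mismatch.
    if not hmac.compare_digest(tx_digest(displayed), digest):
        return None
    return sign(key, digest)

def threshold_met(keys, threshold, digest, sigs) -> bool:
    # M-of-N check: count signatures that verify against the digest being executed.
    valid = sum(1 for name, sig in sigs.items() if sig is not None and name in keys
                and hmac.compare_digest(sign(keys[name], digest), sig))
    return valid >= threshold

def run_scenario(signer_fn) -> bool:
    # Constructed sample: 2-of-3 signers see a routine cold-to-hot transfer, while the
    # digest submitted for signing belongs to an attacker-chosen transaction instead.
    keys = {"alice": b"alice-secret", "bob": b"bob-secret", "carol": b"carol-secret"}
    shown = Tx(to="0xHOTWALLET", value_wei=10**18, data="0x", nonce=42)
    actual = Tx(to="0xATTACKER", value_wei=10**18, data="0x", nonce=42)
    digest = tx_digest(actual)
    sigs = {name: signer_fn(key, shown, digest) for name, key in keys.items()}
    return threshold_met(keys, 2, digest, sigs)
```

With blind signers the threshold is met and the diverted transaction executes; with verifying signers no signature is produced, because the displayed fields do not hash to the digest presented for signing.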
North Korean hackers are known for their relentless social engineering tactics. They often spend weeks or even months building online personas to gain the trust of their targets. In this case, it’s likely that the hackers used similar tactics to gather intelligence on Bybit’s internal processes and identify key employees whose signatures were required for the transaction. This persistence allowed them to tailor their attack to the specific vulnerabilities of Bybit’s security setup.
“The transaction was manipulated by a sophisticated attack that altered the smart contract logic and masked the signing interface,” Bybit said in a statement. “This enabled the attacker to gain control of the ETH Cold Wallet.”
The North Korean Connection
The Lazarus Group, a cybercrime syndicate linked to North Korea, has long been a thorn in the side of the crypto industry. Since 2017, the group has stolen over $6 billion in digital assets, funneling the proceeds into the country’s ballistic missile program. The Bybit heist alone accounts for nearly a quarter of that total.
Elliptic, a blockchain analysis firm, traced the stolen funds to wallets controlled by North Korean operatives. Within hours of the theft, the hackers began laundering the funds through decentralized exchanges (DEXs), converting stolen tokens into Ether to avoid detection. By February 25, 22% of the stolen assets — worth $270 million — had already been moved through a complex web of wallets and exchanges, Elliptic Research revealed.

“Lazarus Group is the most sophisticated and well-resourced launderer of cryptoassets in existence,” said Tom Robinson, co-founder of Elliptic. “They continually adapt their techniques to evade identification and seizure of stolen assets.”
The scale of the theft has prompted a coordinated global effort to recover the stolen funds. Bybit, in collaboration with blockchain investigators, has frozen approximately $42.3 million of the stolen assets. The exchange has also launched a public tracking website to monitor over 6,000 wallet addresses associated with the hackers and introduced a 5% bounty program for information leading to the recovery of funds.

Despite these efforts, the challenge of reclaiming the stolen assets remains daunting. The hackers have already converted a significant portion of the ETH into other cryptocurrencies, using decentralized platforms like eXch, which allows anonymous transactions. Unlike centralized exchanges, which can freeze suspicious assets, decentralized platforms operate beyond the reach of regulatory oversight.
“The current strategy from governments and industry clearly isn’t working,” wrote Elliptic Research. “People should be going back to the drawing board right now on how to deter and punish North Korea for these hacks.”
A Turning Point for Crypto Security
When crypto was first dipping its toes into the mainstream, one of the many myths surrounding the industry was that it was more secure than traditional banking, on top of being anonymous. Neither claim holds up. The Bybit hack is a stark reminder of the vulnerabilities that continue to plague the cryptocurrency industry. While blockchain technology is indeed interesting and has its use cases, the human element — whether through social engineering or UI manipulation — remains a critical weak point.
Yet, the incident may also be an opportunity for the industry to better itself. Bybit’s transparent handling of the breach, including its proof-of-reserves audit and rapid replenishment of funds, has set a new standard for crisis management in the crypto space. The exchange secured nearly 447,000 ETH through emergency funding from major crypto firms, ensuring it could continue operating without disruption.
“Incredible response and leadership over the last couple of days — truly a masterclass in crisis management,” said Nathan McCauley, co-founder of Anchorage Digital. “Your example is the new standard for dealing with a tough situation and solidifying trust.”
As the industry grapples with the growing threat of state-sponsored cyberattacks, the Bybit hack may serve as a pivotal moment. It underscores the urgent need for enhanced security protocols, regulatory oversight, and collaborative defense mechanisms. For now, the race is on to recover the stolen funds and prevent North Korea from cashing in on its biggest heist yet. But the lessons learned from this breach will shape the future of cryptocurrency security for years to come.