About the Author
This article was written by Ahmar Imam with over a decade of combined experience in threat intelligence, identity protection, and incident response. Ahmar is a founder of D3C Consulting, where his team monitors emerging attack campaigns daily and works directly with enterprise security teams and individual consumers to mitigate data breach risks.
Reviewed by: Senior Cybersecurity Analyst | Certified Information Systems Security Professional (CISSP) | Identity Management expert
Editorial Standards & Accuracy Commitment
All threat information, FBI advisories, and cybersecurity guidance in this article is sourced from official FBI publications, the IC3 Annual Crime Report, and peer-reviewed cybersecurity research. This content is reviewed and updated whenever new FBI advisories or significant threat intelligence changes are issued. We do not publish unverified threat claims.
📅 February 2025 incident
First Published: April 2026
🎯 Updated April 2026
North Korea’s Lazarus Group executed the largest cryptocurrency theft in history on February 21, 2025, not by breaking Bybit’s own defences, but by compromising a third-party wallet platform its signing team trusted completely. The $1.5 billion Bybit hack is not just a crypto story. It is a masterclass in supply chain exploitation, and a warning every exchange, custodian, and digital asset firm must take seriously.

What Happened: The Bybit Hack Explained
Quick Summary
On February 21, 2025, North Korea’s Lazarus Group stole approximately $1.5 billion (401,347 ETH) from Bybit, the largest cryptocurrency theft in history. The attack did not breach Bybit’s own infrastructure directly. Instead, attackers compromised Safe{Wallet}, the third-party multi-signature wallet platform Bybit used for transaction approvals, injecting malicious JavaScript that manipulated what Bybit’s signing team saw. The FBI officially attributed the attack to North Korea on February 26, 2025.
On the morning of February 21, 2025, Bybit’s signing team initiated what appeared to be a routine internal transfer, moving ETH from a cold wallet to a warm wallet, a process the exchange performed regularly. Multiple authorised signers reviewed the transaction on their Safe{Wallet} interface. Everything looked normal. The destination address appeared correct. The Safe URL checked out. They signed and approved.

What they were actually approving was not a transfer at all but a transfer of control: the signed Safe transaction was a delegatecall that replaced the cold wallet’s implementation contract with attacker-controlled code, handing the wallet to North Korean operatives. Within minutes, 401,347 ETH, valued at approximately $1.5 billion, was drained to attacker-controlled addresses. The theft surpassed the previous record holder, the 2022 Ronin Network hack ($625 million), and exceeded the combined total of the two previous largest crypto heists.
The root cause was not a flaw in Bybit’s internal security posture. Bybit’s own systems were not compromised. The attack was a textbook supply chain exploitation, targeting the weakest link in Bybit’s custody workflow: the third-party platform its team used to approve transactions. According to forensic investigations by Sygnia and NCC Group, malicious activity in Safe{Wallet}’s infrastructure began as early as February 4, 2025, seventeen days before the theft.
“The Bybit case sets a new benchmark for the technical depth and level of transparency in the disclosure of investigation findings. While the Bybit incident was traced back to a supply chain compromise, the next major attack could emerge from an entirely different and unforeseen vector.”— Sygnia forensic investigation report, March 2025

Day by Day Anatomy of the Attack
Understanding exactly how the Bybit hack unfolded is critical for exchanges and custodians building prevention programmes. The attack followed a precise multi-stage sequence that began nearly three weeks before any funds were moved.
Day 1 (February 4): Social Engineering of a Safe{Wallet} Developer
Lazarus Group operatives targeted a Safe{Wallet} developer through social engineering. The developer’s macOS workstation was compromised, likely through a targeted phishing lure or malicious file delivered via professional platforms such as LinkedIn or GitHub, consistent with Lazarus’s established TraderTraitor campaign methodology.
↳ Prevention: vendor employee phishing-resistance training + endpoint monitoring
Day 2 (February 5): AWS Session Token Theft and Cloud Infrastructure Access
Using the compromised developer’s workstation, attackers stole active AWS session tokens and temporary credentials. Because those tokens had already passed an MFA challenge when they were issued, replaying them from attacker infrastructure required no further authentication, so MFA was never engaged. They accessed Safe{Wallet}’s AWS account and operated within its cloud infrastructure, where they remained undetected for over two weeks.
↳ Prevention: anomaly detection on temporary-credential reuse (new source IP, ASN or user agent for an existing session) + short credential lifetimes and rotation
Day 3 (Feb 5–19): Targeted JavaScript Injection into the Safe{Wallet} UI
Attackers used the stolen access to modify the JavaScript bundle that Safe{Wallet}’s frontend served from its cloud storage; the tampered file was uploaded on February 19 and was replaced with a clean version within minutes of the theft. The malicious code was engineered to function normally for all other users and to activate only when a transaction originated from Bybit’s cold wallet address. It intercepted and replaced the transaction data at signing time while showing the signers a legitimate-looking transaction.
↳ Prevention: pinned, hash-verified frontend releases (self-hosted, or re-verified against an out-of-band manifest on every load) + Subresource Integrity (SRI) where the exchange controls the page that loads vendor scripts
Day 4 (February 21): Transaction Approval and Fund Theft
When Bybit’s signing team initiated a routine cold-to-warm wallet transfer, the tampered Safe{Wallet} UI displayed a legitimate-looking transaction. The signers approved and digitally signed, but the payload they signed had been swapped for an operation that handed control of the cold wallet smart contract to attacker wallets. Bybit’s wallet required three approvals; once the third signature was collected, 401,347 ETH was transferred to addresses under the control of the Lazarus Group.
↳ Prevention: hardware wallet clear signing, verifying the actual transaction data (and the Safe transaction hash) on a tamper-resistant device screen, independent of the software layer
Day 5 (February 21 onwards): Laundering and Fund Dispersion
Within 48 hours, $160 million had been moved through illicit channels, a laundering speed analysts at TRM Labs described as previously unimaginable. The group converted stETH and cmETH to ETH via decentralised exchanges to avoid asset freezes, then moved funds through hundreds of intermediary wallets, cross-chain bridges, and no-KYC swap services. By March 20, 86.29% of the stolen ETH had been converted to Bitcoin.
↳ Prevention: Blockchain analytics monitoring + coordination with Chainalysis/Elliptic for rapid tracing
The attack’s defining characteristic, and the reason it succeeded against a technically sophisticated exchange, was that every step exploited trust rather than vulnerability. The developer’s workstation was trusted. The AWS credentials were trusted. The Safe{Wallet} UI was trusted. The signed transaction was trusted. Bybit’s own security controls were never bypassed because they were never engaged.
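The Day 2 prevention line above (“anomaly detection on temporary-credential reuse”) is easy to state and less easy to build. The following script, added here as an illustration and not code from the article, Safe{Wallet} or Bybit, runs a replay check over a handful of constructed CloudTrail-style records: it remembers the source IP and user agent that first used each temporary (STS) access key and alerts when the same key later appears from a different host, escalating when the user agent changed as well or when the replayed call writes to a bucket. Every key ID, IP address, user agent and bucket name in the sample is invented.

```python
"""Flag replayed AWS temporary credentials in CloudTrail-style events.

Added illustration for the Day 2 prevention above; not code from the article,
Safe{Wallet} or Bybit. The events are constructed: field names follow the
CloudTrail record format, but the key IDs, IPs, user agents and bucket name
are invented for the demo.
"""
import json
from dataclasses import dataclass

# Calls that matter on their own when made with a replayed token: a write to a
# static-site bucket is exactly how a tampered JavaScript bundle reaches users.
HIGH_RISK_EVENTS = {"PutObject", "PutBucketPolicy", "CreateAccessKey", "AssumeRole"}

# Constructed sample: developer 1's STS key is used from the office, then the same
# key reappears hours later from a different host with a different client. A
# long-lived AKIA key and developer 2's well-behaved session are non-alerting noise.
SAMPLE_CLOUDTRAIL_JSONL = """
{"eventTime":"2025-02-05T09:12:00Z","eventName":"ListBuckets","userIdentity":{"accessKeyId":"ASIAEXAMPLEDEV1000001"},"sourceIPAddress":"203.0.113.10","userAgent":"aws-cli/2.15.0"}
{"eventTime":"2025-02-05T09:15:00Z","eventName":"GetObject","userIdentity":{"accessKeyId":"ASIAEXAMPLEDEV1000001"},"sourceIPAddress":"203.0.113.10","userAgent":"aws-cli/2.15.0","requestParameters":{"bucketName":"example-frontend-assets"}}
{"eventTime":"2025-02-05T10:02:00Z","eventName":"GetObject","userIdentity":{"accessKeyId":"ASIAEXAMPLEDEV2000002"},"sourceIPAddress":"203.0.113.22","userAgent":"aws-sdk-js/3.500.0"}
{"eventTime":"2025-02-05T11:30:00Z","eventName":"DescribeInstances","userIdentity":{"accessKeyId":"AKIAEXAMPLELONGLIVED1"},"sourceIPAddress":"198.51.100.5","userAgent":"aws-cli/2.15.0"}
{"eventTime":"2025-02-05T21:40:00Z","eventName":"PutObject","userIdentity":{"accessKeyId":"ASIAEXAMPLEDEV1000001"},"sourceIPAddress":"198.51.100.77","userAgent":"python-requests/2.31.0","requestParameters":{"bucketName":"example-frontend-assets"}}
{"eventTime":"2025-02-05T22:05:00Z","eventName":"GetObject","userIdentity":{"accessKeyId":"ASIAEXAMPLEDEV2000002"},"sourceIPAddress":"203.0.113.22","userAgent":"aws-sdk-js/3.500.0"}
"""


@dataclass(frozen=True)
class Alert:
    access_key: str
    event_name: str
    first_seen_ip: str
    seen_ip: str
    severity: str


def load_events(jsonl: str) -> list:
    """Parse one JSON record per line, skipping blank lines."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def is_temporary_key(key_id: str) -> bool:
    # STS-issued (temporary) credentials have access key IDs starting with "ASIA";
    # long-lived IAM user keys start with "AKIA". Only the former carry an MFA
    # decision that was made once, at issue time, and can be replayed afterwards.
    return key_id.startswith("ASIA")


def detect_token_replay(events: list) -> list:
    """Return an Alert for each use of a temporary key from an IP other than the one
    that first used it. Severity is high when the user agent changed as well, or when
    the replayed call is in HIGH_RISK_EVENTS; otherwise medium."""
    first_seen = {}  # access key ID -> (source IP, user agent) of its first call
    alerts = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        key = ev.get("userIdentity", {}).get("accessKeyId", "")
        if not is_temporary_key(key):
            continue
        ip, ua = ev.get("sourceIPAddress", ""), ev.get("userAgent", "")
        if key not in first_seen:
            first_seen[key] = (ip, ua)
            continue
        first_ip, first_ua = first_seen[key]
        if ip == first_ip:
            continue
        high = ua != first_ua or ev["eventName"] in HIGH_RISK_EVENTS
        alerts.append(Alert(key, ev["eventName"], first_ip, ip, "high" if high else "medium"))
    return alerts


if __name__ == "__main__":
    for a in detect_token_replay(load_events(SAMPLE_CLOUDTRAIL_JSONL)):
        print(f"[{a.severity}] {a.access_key} first seen from {a.first_seen_ip}, "
              f"now calling {a.event_name} from {a.seen_ip}")
```

Two practical points. S3 object-level calls such as PutObject only appear in CloudTrail when data events are enabled for the bucket, so by default the exact call that plants a tampered bundle is invisible. And a raw IP comparison will flag a developer whose VPN exit changes; in production the comparison key is usually the source ASN or geolocation, with the MFA and role-session fields under userIdentity.sessionContext as additional signals.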

North Korea’s Role, The Lazarus Group DeFi Playbook
The Bybit hack cannot be understood in isolation. It is the largest single operation in an industrialised state-sponsored cryptocurrency theft programme that has been running for over a decade and has now stolen more than $6.75 billion in cumulative cryptocurrency assets since 2017.
The Lazarus Group, North Korea’s elite hacking unit, operates under the Reconnaissance General Bureau (RGB), Pyongyang’s primary foreign intelligence service. What distinguishes Lazarus from conventional criminal groups is its purpose: cryptocurrency theft is not a side operation. It is North Korea’s primary sanctions evasion mechanism, with proceeds funding the country’s nuclear and ballistic missile programmes. The UN estimates that crypto theft now accounts for approximately 13% of North Korea’s GDP.
In 2025 alone, North Korea-affiliated groups stole $2.02 billion in digital assets, a 51% year-over-year increase from the $1.34 billion stolen in 2024, with the Bybit hack accounting for approximately 74% of that total. The group’s operational tempo is shifting rather than slowing: while the number of individual incidents fell 74% compared to 2024, the value stolen per attack increased dramatically, indicating a deliberate shift toward fewer, higher-value targets.
The TraderTraitor Playbook: How Lazarus Targets Exchanges
The subunit responsible for the Bybit hack, TraderTraitor (also known as Jade Sleet and Slow Pisces), operates a sophisticated multi-stage attack methodology that has remained consistent across multiple major incidents:
Stage 1
Target identification and reconnaissance. Lazarus operatives identify high-value individuals: developers at crypto infrastructure providers, signing team members at exchanges, and security researchers. They build intelligence on their professional networks, communication platforms, and operational workflows.
Stage 2
Social engineering through professional platforms. Operatives contact targets via LinkedIn, GitHub, or WhatsApp, posing as recruiters, colleagues, or researchers. They build trust over days or weeks through technically credible conversations, shared code, or “job opportunity” discussions.
Stage 3
Malware delivery through trusted channels. Once trust is established, operatives deliver a malicious payload, a “critical security update” for a wallet tool, a trojanised development library, or a document with embedded code. The malware (frequently MANUSCRYPT or similar remote access trojans) harvests credentials, session tokens, and key material.
Stage 4
Infrastructure access and patient positioning. Using stolen credentials, operatives establish access to the target’s infrastructure and operate silently for weeks, mapping systems and identifying the optimal moment and mechanism for fund extraction.
Stage 5
Precision strike and rapid laundering. The theft is executed in a precisely timed window. Laundering begins within hours, using DEXs, cross-chain bridges, mixing services, and coordinated wallet networks to obscure the trail before blockchain analytics firms can effectively track the funds.
The Bybit hack follows this playbook precisely. The Ronin Network hack (March 2022, $625M), the WazirX breach (July 2024, $235M), and the Radiant Capital hack (October 2024) all follow the same architecture. Sygnia’s investigation noted that the Bybit attack vector bore direct similarities to both the WazirX and Radiant Capital incidents, suggesting that the identical attack method was not fully disclosed in those earlier forensic investigations, allowing Lazarus to reuse it.

A Pattern of Failures, Notable Crypto Hacks
The Bybit hack is the apex of a consistent pattern of exchange and DeFi exploitation. Each major incident reveals either the same structural vulnerabilities exploited in a new way or a new vector that becomes the template for the next attack.
| Incident | Date | Amount | Attack Vector | Attribution |
|---|---|---|---|---|
| Bybit Exchange | Feb 2025 | $1.5B | Supply chain, Safe{Wallet} JS injection | Lazarus Group (DPRK) |
| WazirX Exchange | Jul 2024 | $235M | Multisig UI manipulation (similar vector) | Lazarus Group (DPRK) |
| Radiant Capital | Oct 2024 | $50M | Malware on signing team devices | Lazarus Group (DPRK) |
| Ronin Network | Mar 2022 | $625M | Social engineering → validator key theft | Lazarus Group (DPRK) |
| Poly Network | Aug 2021 | $611M | Smart contract logic flaw | Unknown (funds returned) |
| Atomic Wallet | Jun 2023 | $100M | Supply chain / phishing compromise | Lazarus Group (DPRK) |
| FTX Collapse | Nov 2022 | $8B | Insider fraud / governance failure | Internal (criminal charges) |
| Kaseya VSA | Jul 2021 | $70M ransom | Supply chain → ransomware (1,500 SMEs) | REvil ransomware group |
Each entry in this table represents not just a financial loss, but also a security control failure, and each failure has a specific, preventable technical root cause. The Ronin Network hack began with a fake LinkedIn job offer delivered to a senior engineer. The Bybit hack began with a compromised developer laptop at a third-party provider. The consistency of the social engineering entry point across Lazarus operations is the most actionable intelligence available for building preventative controls.
Chainalysis noted in its analysis that funds from the Bybit exploit were consolidated in addresses already holding funds from other known DPRK-linked attacks, providing forensic confirmation that the same operational infrastructure is being reused across incidents, and that each successful attack funds the next.
The Most Significant Data Breaches in Crypto & Cybersecurity
The Bybit hack sits within a broader context of systemic breach failures across both the crypto sector and enterprise cybersecurity. Understanding the pattern across both domains reveals the common thread: the most damaging breaches consistently exploit trusted third-party relationships, not direct perimeter attacks.
In the crypto sector, Elliptic has tracked over $6.75 billion in theft by North Korean actors alone since 2017, not counting financially motivated criminal groups, insider fraud cases like FTX, and protocol-level exploits across DeFi. The 2025 Chainalysis Crypto Crime Report confirmed that North Korean attacks represented 76% of all service compromises in 2025, a staggering concentration of threat in a single state-sponsored actor.
In the broader cybersecurity landscape, the Verizon 2025 Data Breach Investigations Report documented that third-party involvement in breaches doubled to 30% of all confirmed incidents, the same supply chain exploitation pattern that enabled the Bybit hack, now visible at scale across every industry sector.
IBM’s 2025 Cost of a Data Breach Report ranked supply chain compromise as the second-most expensive initial attack vector, with an average cost per breach of $4.91 million and the longest mean detection time of any vector at 267 days. In the Bybit case, the gap between initial compromise (February 4) and execution (February 21) was 17 days, dramatically shorter, demonstrating that when the target is sufficiently high-value, threat actors compress their operational timeline.
The common thread across all of these incidents, from SolarWinds to 3CX to Bybit, is that the breach did not originate in the victim’s environment. It originated in a trusted supplier’s environment and used that trust as its attack vector. Until security programmes are built around this reality, the pattern will continue to repeat.

How Exchanges Can Prevent the Next Breach: A 5-Step Framework
The Bybit hack was preventable, not through any single control, but through a combination of technical hardening and operational discipline that together would have broken the attack chain at multiple points. The following framework is derived directly from the attack anatomy and aligned with CISA’s supply chain risk management guidance and NIST SP 800-161r1 (Cybersecurity Supply Chain Risk Management Practices).
Quick answer: How to prevent crypto exchange supply chain attacks
Preventing supply chain attacks on crypto exchanges requires five simultaneous controls: vendor security assessment for all custody infrastructure providers, hardware wallet clear signing to verify transaction data independently of any software layer, subresource integrity monitoring for all third-party JavaScript, anomaly detection on signing workstations, and a supply chain-specific incident response plan. Each control limits the attacker’s reach independently; together, they break the attack chain at multiple points.
Step 1: Conduct a Rigorous Vendor Security Assessment for All Custody Infrastructure
Every third-party platform involved in transaction signing, key management, or wallet operations is a potential attack vector. Before deployment and continuously thereafter, each vendor’s security posture must be independently assessed, covering their cloud security practices, employee security training, access controls, incident response capabilities, and the security of their own software supply chain. The Bybit hack exploited a vendor with direct access to the exchange’s signing workflow. That vendor’s security posture was not independently validated against the risk it represented.
D3C Consulting delivers vendor security assessments for crypto custody infrastructure, including multi-sig wallet providers, HSM vendors, and signing workflow platforms.
Step 2: Implement Hardware Wallet Clear Signing for All Significant Transactions
The Bybit attack succeeded because signers verified transaction data through the Safe{Wallet} software interface, which had been compromised. Clear signing (WYSIWYS, What You See Is What You Sign) moves transaction verification to a hardware device with a tamper-resistant screen, independent of any connected software. What signers see on the device is the actual transaction data that will be signed, regardless of what any software layer displays. Had the signing flow required the device to decode the Safe transaction into a readable transfer before anyone signed, Bybit’s signers would have seen a delegatecall into an unknown contract instead of an ETH transfer and been able to reject it. Two caveats matter in practice. First, a device that cannot decode the transaction falls back to showing a bare hash (blind signing), which tells the signer nothing; the operating rule must be that anything which does not clear-sign as the intended transfer is rejected, and a delegatecall (Safe operation = 1) from a cold wallet is a stop-the-line event. Second, the hash the device shows is only useful if it is recomputed independently, from the intended parameters and on a machine that is not running the vendor’s UI, and compared before signing. NCC Group’s post-incident analysis confirmed this as the primary technical control that would have broken the attack.
D3C Consulting designs and implements hardware-backed signing workflows for institutional crypto operations.
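The caveats above come down to one operating rule: before anyone signs, recompute the hash from the parameters you intend to sign, on a machine that is not running the vendor’s UI, and compare it with what the device shows. The following script, added here as an illustration and not code from the article, Safe{Wallet} or Bybit, does that computation for a Safe transaction using the EIP-712 layout of Safe contracts from v1.3.0 and a self-contained Keccak-256, and separately lists the reasons a transaction would be refused (delegatecall, wrong destination, wrong value, unexpected calldata). The Safe and warm-wallet addresses, nonce, amounts and calldata are constructed.

```python
"""Recompute a Safe transaction hash independently of the wallet UI.

Added example for the clear-signing step above; not code from the article,
Safe{Wallet} or Bybit. Keccak-256 is implemented inline so the script needs no
third-party package. Hashing follows the EIP-712 layout Safe contracts use from
v1.3.0 (domain = chainId + verifyingContract). The two transactions at the
bottom are constructed: addresses, nonce, amounts and calldata are invented.
"""

# Keccak-256 with the original Keccak padding, as Ethereum uses it (not SHA3-256).
_RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
_ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
        [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]  # rho offsets, indexed [x][y]
_M64 = (1 << 64) - 1

def _rol(v, n):
    return ((v << n) | (v >> (64 - n))) & _M64 if n else v

def _keccak_f(a):
    """Keccak-f[1600] on 25 lanes stored flat as a[x + 5*y]."""
    for rc in _RC:
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]                                  # theta
        b = [0] * 25
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(a[x + 5 * y], _ROT[x][y])  # rho, pi
        a = [b[i] ^ (~b[(i + 1) % 5 + 5 * (i // 5)] & b[(i + 2) % 5 + 5 * (i // 5)])
             for i in range(25)]                                                  # chi
        a[0] ^= rc                                                                # iota
    return a

def keccak256(data: bytes) -> bytes:
    rate = 136                                   # (1600 - 2*256) / 8 bytes per block
    buf = bytearray(data) + b"\x01"              # Keccak pad10*1 starts with 0x01
    buf += b"\x00" * (-len(buf) % rate)
    buf[-1] |= 0x80
    lanes = [0] * 25
    for off in range(0, len(buf), rate):
        for i in range(rate // 8):
            lanes[i] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        lanes = _keccak_f(lanes)
    return b"".join(lane.to_bytes(8, "little") for lane in lanes[:4])

# Safe's EIP-712 types (v1.3.0+); the type hashes are derived, not pasted in.
SAFE_TX_TYPEHASH = keccak256(
    b"SafeTx(address to,uint256 value,bytes data,uint8 operation,uint256 safeTxGas,"
    b"uint256 baseGas,uint256 gasPrice,address gasToken,address refundReceiver,uint256 nonce)")
DOMAIN_TYPEHASH = keccak256(b"EIP712Domain(uint256 chainId,address verifyingContract)")
CALL, DELEGATECALL = 0, 1

def _word(v) -> bytes:
    """ABI-encode an int or a 0x-prefixed address as a single 32-byte word."""
    return v.to_bytes(32, "big") if isinstance(v, int) else bytes.fromhex(v[2:]).rjust(32, b"\0")

def safe_tx_hash(chain_id: int, safe: str, tx: dict) -> bytes:
    """The hash a signer's device shows for a Safe transaction (what is actually signed)."""
    domain = keccak256(DOMAIN_TYPEHASH + _word(chain_id) + _word(safe))
    struct = SAFE_TX_TYPEHASH + _word(tx["to"]) + _word(tx["value"]) + keccak256(bytes.fromhex(tx["data"][2:]))
    for field in ("operation", "safeTxGas", "baseGas", "gasPrice", "gasToken", "refundReceiver", "nonce"):
        struct += _word(tx[field])
    return keccak256(b"\x19\x01" + domain + keccak256(struct))

def review(tx: dict, intended_to: str, intended_value: int) -> list:
    """Reasons to refuse a cold-to-warm ETH transfer; an empty list means the data matches."""
    problems = []
    if tx["operation"] != CALL:
        problems.append("operation is DELEGATECALL: the target's code would run on the Safe's own storage")
    if tx["to"].lower() != intended_to.lower():
        problems.append("destination is not the intended warm wallet")
    if tx["value"] != intended_value:
        problems.append("value differs from the intended amount")
    if tx["data"] not in ("0x", ""):
        problems.append("calldata present on what should be a plain ETH transfer")
    return problems

def matches_device(displayed_hex: str, chain_id: int, safe: str, tx: dict) -> bool:
    """True if the hash on the hardware wallet equals the hash of the transaction we meant to sign."""
    return displayed_hex.lower().removeprefix("0x") == safe_tx_hash(chain_id, safe, tx).hex()

COLD_SAFE = "0x1111111111111111111111111111111111111111"    # constructed
WARM_WALLET = "0x2222222222222222222222222222222222222222"  # constructed
_BASE = {"safeTxGas": 0, "baseGas": 0, "gasPrice": 0, "nonce": 42,
         "gasToken": "0x" + "00" * 20, "refundReceiver": "0x" + "00" * 20}
INTENDED_TX = dict(_BASE, to=WARM_WALLET, value=30_000 * 10**18, data="0x", operation=CALL)
# What a tampered UI might swap in: a delegatecall into an unknown contract (constructed calldata).
TAMPERED_TX = dict(_BASE, to="0x" + "33" * 20, value=0, data="0x" + "ab" * 68, operation=DELEGATECALL)

if __name__ == "__main__":
    shown = "0x" + safe_tx_hash(1, COLD_SAFE, TAMPERED_TX).hex()   # what the device would display
    print("device hash matches the intended transfer:", matches_device(shown, 1, COLD_SAFE, INTENDED_TX))
    for problem in review(TAMPERED_TX, WARM_WALLET, INTENDED_TX["value"]):
        print("REFUSE:", problem)
```

The two type strings are hashed at import time rather than pasted in, so a typo fails loudly: the results should equal the SAFE_TX_TYPEHASH and DOMAIN_SEPARATOR_TYPEHASH constants in the Safe contract source. Safes older than v1.3.0 use a domain without chainId, so adjust the domain for those. The review rules do not depend on the hash at all, which is the point: a delegatecall from a cold wallet is refused before anyone looks at a hash.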
Step 3: Deploy Subresource Integrity (SRI) Verification for All Third-Party JavaScript
The Bybit attack vector, malicious JavaScript injected into a third-party UI, is detectable before execution if the code the signers run is hash-verified against a known-good release. Subresource Integrity (SRI) is the browser mechanism for this: a script tag carries a cryptographic hash of the expected file, and the browser refuses to execute a fetched script whose hash does not match. SRI has an important limit, though. The integrity hash lives in the HTML that loads the script, so it only protects scripts loaded by a page the exchange controls. When the signing UI is the vendor’s own hosted web application, as Safe{Wallet}’s was, an attacker who controls the vendor’s storage can update the integrity attributes together with the bundle. For that deployment model the equivalent control is to pin a reviewed release of the frontend (Safe’s interface is open source) and either self-host it or re-verify the served bundles against an out-of-band manifest of known-good hashes on every load, treating any unexpected change as an incident. Neither control requires vendor cooperation, but the exchange has to own the pinning process.
D3C Consulting implements frontend integrity monitoring and SRI frameworks for crypto exchange interfaces.
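The distinction above, between SRI inside a page you control and pinning for a page you do not, is easiest to see in code. The following script, added here as an illustration and not code from the article, Safe{Wallet} or Bybit, produces the integrity value for a bundle and audits a page’s external scripts against an out-of-band manifest of reviewed hashes; the HTML, bundle contents and manifest are constructed stand-ins. The scenario in the main block is the one that matters: the attacker has replaced the bundle and updated the page’s integrity attribute to match, so SRI is satisfied and only the manifest check fires.

```python
"""Pin and re-verify the JavaScript a hosted signing UI serves.

Added example for the SRI step above; not code from the article, Safe{Wallet}
or Bybit. The HTML, bundle contents and manifest are constructed stand-ins for
a vendor-hosted wallet frontend and for the out-of-band list of reviewed
bundle hashes an exchange would maintain itself.
"""
import base64
import hashlib
from html.parser import HTMLParser


def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Integrity value in the form browsers expect: '<algo>-<base64 digest>'."""
    return algo + "-" + base64.b64encode(hashlib.new(algo, body).digest()).decode()


class _ScriptTags(HTMLParser):
    """Collect (src, integrity) for every external <script> on a page."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"], a.get("integrity")))


def audit_page(html: str, fetch, pinned: dict) -> list:
    """Check each external script on a page against the exchange's pinned manifest.

    fetch(src) -> bytes stands in for an HTTP GET of the bundle (offline here).
    Returns (src, finding) pairs; an empty list means nothing has changed.
    """
    parser = _ScriptTags()
    parser.feed(html)
    findings, seen = [], set()
    for src, integrity in parser.scripts:
        seen.add(src)
        served = sri_digest(fetch(src))
        if src not in pinned:
            findings.append((src, "unpinned script: bundle was never reviewed"))
        elif served != pinned[src]:
            findings.append((src, "hash mismatch: served bundle differs from the pinned release"))
        if integrity is None:
            findings.append((src, "no integrity attribute: the browser runs whatever the host serves"))
        elif integrity != served:
            findings.append((src, "integrity attribute does not match the served bundle"))
    for src in pinned:
        if src not in seen:
            findings.append((src, "pinned script no longer referenced by the page"))
    return findings


# Constructed bundles. The tampered one appends the kind of targeted hook that
# only fires for one wallet address; the identifiers are placeholders, not real code.
GOOD_BUNDLE = b"export function buildTx(tx){return tx;}\n"
TAMPERED_BUNDLE = GOOD_BUNDLE + b"if(safe===TARGET){tx.to=ATTACKER;tx.operation=1;}\n"
PINNED_MANIFEST = {"/assets/app.js": sri_digest(GOOD_BUNDLE)}  # reviewed out of band


def make_page(integrity=None) -> str:
    """Vendor-hosted page; whoever controls the host can set the integrity attribute too."""
    attr = f' integrity="{integrity}" crossorigin="anonymous"' if integrity else ""
    return f'<html><body><script src="/assets/app.js"{attr}></script></body></html>'


if __name__ == "__main__":
    # Attacker replaced the bundle and updated the page's integrity hash to match:
    # SRI in the page is satisfied, only the out-of-band manifest catches it.
    page = make_page(sri_digest(TAMPERED_BUNDLE))
    for src, finding in audit_page(page, lambda _src: TAMPERED_BUNDLE, PINNED_MANIFEST):
        print(f"{src}: {finding}")
```

In a real deployment fetch is an HTTP client that runs from a monitoring host, not from the signers’ browsers, and the manifest is updated only when someone has reviewed the new release; an exchange that self-hosts the pinned frontend instead still runs this check against its own copy to catch an upstream change it has not yet reviewed.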
Step 4: Monitor Signing Workstations for Anomalous Behaviour
The Lazarus Group’s compromise of the Safe{Wallet} developer’s workstation served as the entry point for the entire attack chain. Workstations used by vendor employees with privileged access to signing workflows are a high-value target that exchanges cannot control directly. What an exchange can do is require endpoint detection and credential hygiene from the vendor contractually, ask for evidence of it in vendor assessments, and watch its own side of the vendor connection for unusual outbound connections, unexpected process activity, or anomalous access patterns. For the exchange’s own signing team, endpoint monitoring of signing devices is non-negotiable and must extend to detection of credential harvesting and clipboard manipulation, both common Lazarus techniques.
D3C Consulting deploys behavioural endpoint monitoring tailored to the specific threat patterns used by Lazarus Group and other state-sponsored actors.
Step 5: Build a Crypto-Specific Supply Chain Incident Response Plan
When a supply chain breach occurs, the response must be faster than the attacker’s laundering operation. In the Bybit case, $160 million had been laundered within 48 hours of the theft. Exchanges need a pre-built, rehearsed IR plan that covers: immediate identification and isolation of compromised vendor platforms; rapid engagement with blockchain analytics firms (Chainalysis, Elliptic, TRM Labs) for asset tracing; coordinated notification to exchanges and DEXs to freeze stolen assets; regulatory notification timelines; and public communication protocols. Bybit’s post-incident coordination with industry partners, including Chainalysis, directly led to the seizure of some stolen funds.
D3C Consulting provides crypto-specific IR playbook development, tabletop exercises, and incident response retainer services for exchanges and custodians.

What Breach-Ready Exchanges Do Differently
| Control Area | ❌ Standard Practice | ✅ Breach-Prevention Practice |
|---|---|---|
| Vendor assessment | Contract-based trust, no independent security evaluation | Continuous vendor posture monitoring + independent security assessment |
| Transaction signing | Software UI verification only | Hardware wallet clear signing with tamper-resistant device display |
| Third-party JavaScript | Loaded without integrity verification | SRI hash verification on all externally-served scripts |
| Signing workstations | Standard endpoint protection | Behavioural EDR tuned for credential harvesting + clipboard monitoring |
| Incident response | Generic IR plan not crypto-specific | Pre-built crypto IR playbook with blockchain analytics firm relationships |

Why Most Exchanges Still Get This Wrong
The Bybit hack occurred despite Bybit being one of the world’s largest and most technically sophisticated exchanges. It used multi-signature wallets, considered industry best practice for cold storage security. It used a reputable, widely-deployed third-party signing platform. Its signing team followed established procedures.
And yet the $1.5 billion was gone in minutes.
The failure was not in Bybit’s own security programme. The failure was in the implicit, unverified trust extended to a third-party vendor with direct access to the most sensitive part of the exchange’s operation, the transaction signing workflow. That vendor’s security posture was not independently assessed. The JavaScript it served was not integrity-verified. The signing process lacked an independent verification layer operating outside the software stack.
These gaps exist across the majority of exchanges, custodians, and institutional crypto operations. The same supply chain attack vector that hit WazirX in July 2024 was reused against Bybit in February 2025 because the industry did not fully disclose the technical details of the WazirX attack, and exchanges did not implement the architectural changes that would have closed the vulnerability.
The next exchange targeted will follow the same playbook. The question is whether it will have built the controls to break the attack chain before $1.5 billion disappears in seventeen days.

FAQs
1. What happened in the Bybit hack?
On February 21, 2025, Bybit suffered the largest cryptocurrency theft in history when North Korea's Lazarus Group stole approximately $1.5 billion in Ethereum (401,347 ETH). Attackers did not breach Bybit's own systems. Instead, they compromised Safe{Wallet} — the third-party multi-signature wallet platform Bybit used for transaction approvals — injecting malicious JavaScript into its interface. When Bybit's authorised signers approved what appeared to be a routine internal transfer, the hidden code redirected ownership of the cold wallet smart contract to attacker-controlled addresses. The FBI officially attributed the attack to North Korea on February 26, 2025.
2. How did the Bybit hack happen?
The Bybit hack was a supply chain attack executed in five stages. First, on February 4, 2025, a Safe{Wallet} developer's workstation was compromised via social engineering. Second, attackers stole active AWS session tokens and bypassed MFA to access Safe{Wallet}'s cloud infrastructure. Third, they injected malicious JavaScript into the UI served specifically to Bybit's signing team. Fourth, on February 21, when Bybit signers approved what looked like a routine cold-to-warm wallet transfer, the tampered code transferred smart contract ownership to attacker wallets. Fifth, 401,347 ETH — approximately $1.5 billion — was immediately transferred to addresses controlled by North Korean operatives, with $160 million laundered within the first 48 hours.
3. Who was behind the Bybit hack?
The Bybit hack was attributed to North Korea's Lazarus Group, specifically a subunit known as TraderTraitor (also called Jade Sleet or Slow Pisces). The FBI officially confirmed North Korean attribution on February 26, 2025. Lazarus Group operates under North Korea's Reconnaissance General Bureau — the country's primary foreign intelligence service. The group has stolen over $6.75 billion in cryptocurrency since 2017, with proceeds reportedly funding North Korea's nuclear and ballistic missile programmes. Cryptocurrency theft is estimated to constitute approximately 13% of North Korea's GDP.
4. How much was stolen in the Bybit hack?
Approximately $1.5 billion — specifically 401,347 ETH — was stolen in the Bybit hack on February 21, 2025, making it the largest cryptocurrency theft in history. This single incident exceeded the total amount North Korea-affiliated hackers had stolen across all 47 incidents in 2024 ($1.34 billion). North Korea-linked groups stole a total of $2.02 billion in cryptocurrency in 2025 — a 51% year-over-year increase — with the Bybit hack accounting for approximately 74% of that total.
5. What is the Lazarus Group and how do they steal cryptocurrency?
The Lazarus Group is a North Korean state-sponsored hacking organisation operating under the Reconnaissance General Bureau (RGB). They steal cryptocurrency through five primary methods: social engineering attacks using fake job offers on LinkedIn and WhatsApp; supply chain compromises targeting third-party vendors with access to exchange infrastructure; UI manipulation attacks that replace legitimate transaction interfaces with spoofed versions that redirect funds; IT worker infiltration, where North Korean operatives are planted inside crypto and technology firms under false identities; and credential harvesting malware delivered through trojanised development tools and wallet applications. Since 2017, Lazarus has stolen over $6.75 billion in cryptocurrency across hundreds of incidents.
