Hackers stole 401,347 ETH from Bybit in the largest cryptocurrency theft on record
Hackers drained 401,347 ETH valued at approximately 1.4 billion dollars from Bybit's cold storage wallet on February 21, 2025, marking the largest cryptocurrency theft in recorded history. The attack relied on credentials of a SafeWallet developer, compromised through social engineering aimed at blockchain infrastructure providers.
The initial compromise began with social engineering targeting SafeWallet development staff. Attackers obtained credentials through phishing and deceptive communications impersonating legitimate service providers. The compromised credentials granted access to development environments and tooling used by SafeWallet to maintain multisig smart contracts.
Once inside the development infrastructure, attackers injected malicious JavaScript code into the multisig approval interface. This code modification redirected transaction authorization to attacker-controlled addresses while maintaining the appearance of legitimate approval processes. Bybit's signing personnel unknowingly approved transactions transferring Ethereum to the attackers' wallets.
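The defensive counterpart to that tampering is an independent check of what a signer is really being asked to approve. The following is an added example written for this article, not code from Bybit, SafeWallet or the incident: it compares the raw signing request against the fields the approval UI displays, checks the destination against an allowlist, and refuses to be silent about a DELEGATECALL. It assumes the request carries Safe-style fields (`to`, `value`, `data`, `operation`); every address, the allowlist and the sample requests are constructed, and the only real identifier is the standard ERC-20 `transfer(address,uint256)` selector.

```javascript
// Added example (not from the article, Bybit or Safe): an independent
// "what am I really signing?" check for a multisig approval flow.
// Assumptions: the raw signing request carries Safe-style fields
// (to, value, data, operation); the UI summary shape, the allowlist and
// every address below are constructed sample data, not real ones.

const OPERATION_CALL = 0;          // ordinary call made by the multisig
const OPERATION_DELEGATECALL = 1;  // runs foreign code in the Safe's own context

function normalizeAddress(addr) {
  return String(addr).trim().toLowerCase();
}

// Minimal decoder for the payload a treasury signer sees most often:
// ERC-20 transfer(address,uint256), selector 0xa9059cbb. Anything else is
// reported as opaque so the signer knows the UI's description is unverified.
function describeCalldata(data) {
  const hex = (data || '0x').toLowerCase();
  if (hex === '0x') return { kind: 'native-transfer' };
  if (hex.startsWith('0xa9059cbb') && hex.length === 10 + 64 + 64) {
    const recipient = '0x' + hex.slice(10 + 24, 10 + 64); // last 20 bytes of word 1
    const amount = BigInt('0x' + hex.slice(10 + 64));     // word 2
    return { kind: 'erc20-transfer', recipient, amount };
  }
  return { kind: 'opaque', selector: hex.slice(0, 10) };
}

// raw: the request as it reaches the signing device / wallet RPC.
// shown: the summary the web UI rendered for the signer.
// allowlist: approved destinations and recipients (Set of lowercase addresses).
function verifySigningRequest(raw, shown, allowlist) {
  const findings = [];
  const rawTo = normalizeAddress(raw.to);
  if (rawTo !== normalizeAddress(shown.to))
    findings.push(`destination mismatch: UI shows ${shown.to}, request signs ${raw.to}`);
  if (BigInt(raw.value) !== BigInt(shown.value))
    findings.push(`value mismatch: UI shows ${shown.value}, request signs ${raw.value}`);
  if ((raw.data || '0x').toLowerCase() !== (shown.data || '0x').toLowerCase())
    findings.push('calldata mismatch between UI and signing request');
  if (raw.operation !== shown.operation)
    findings.push(`operation mismatch: UI shows ${shown.operation}, request signs ${raw.operation}`);
  if (raw.operation === OPERATION_DELEGATECALL)
    findings.push('request uses DELEGATECALL, which hands control of the Safe to the target contract');
  if (!allowlist.has(rawTo))
    findings.push(`destination ${raw.to} is not on the approved allowlist`);
  const decoded = describeCalldata(raw.data);
  if (decoded.kind === 'erc20-transfer' && !allowlist.has(normalizeAddress(decoded.recipient)))
    findings.push(`ERC-20 recipient ${decoded.recipient} is not on the approved allowlist`);
  return { ok: findings.length === 0, findings, decoded };
}

// Constructed sample data.
const HOT_WALLET = '0x1111111111111111111111111111111111111111';   // constructed
const TOKEN      = '0x2222222222222222222222222222222222222222';   // constructed
const UNKNOWN    = '0x' + '3'.repeat(40);                          // constructed
const ALLOWLIST  = new Set([HOT_WALLET, TOKEN].map(normalizeAddress));

const UI_SUMMARY  = { to: HOT_WALLET, value: '1000000000000000000', data: '0x', operation: OPERATION_CALL };
const RAW_CLEAN   = { to: HOT_WALLET, value: '1000000000000000000', data: '0x', operation: OPERATION_CALL };
// UI still shows the hot wallet, but the request actually signs a different destination.
const RAW_TAMPERED = { to: '0x' + 'a'.repeat(40), value: '1000000000000000000', data: '0x', operation: OPERATION_CALL };
// UI shows a plain call; the request is a delegatecall into an unknown contract.
const RAW_DELEGATE = { to: '0x' + 'b'.repeat(40), value: '0', data: '0x', operation: OPERATION_DELEGATECALL };
// Token transfer whose UI and request agree, but the recipient is not approved.
const ERC20_DATA   = '0xa9059cbb' + '0'.repeat(24) + '3'.repeat(40) + '0'.repeat(61) + '3e8';
const UI_ERC20     = { to: TOKEN, value: '0', data: ERC20_DATA, operation: OPERATION_CALL };
const RAW_ERC20    = { to: TOKEN, value: '0', data: ERC20_DATA, operation: OPERATION_CALL };

console.log(JSON.stringify(verifySigningRequest(RAW_TAMPERED, UI_SUMMARY, ALLOWLIST).findings, null, 2));
```

The check is only meaningful if `raw` comes from a channel the web page does not control, such as the transaction details rendered on a hardware wallet or a capture of the wallet RPC request; if the same injected script supplies both the summary and the "raw" object, the comparison is worthless. Treating DELEGATECALL as a finding in its own right is a general Safe caveat rather than a claim about this incident: it lets the target contract execute with the multisig's storage and balance.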
The attack leveraged AWS session tokens obtained during the initial compromise. These tokens bypassed multi-factor authentication by providing authenticated access to cloud infrastructure. The attackers maintained persistent access through the stolen tokens, enabling systematic exfiltration rather than a one-time data grab.
The FBI and Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on February 26, 2025, confirming that the Lazarus Group, the North Korean-linked threat actor responsible for the 2022 Ronin Bridge hack and other major cryptocurrency thefts, orchestrated the Bybit attack. The attribution was made through analysis of code signatures, infrastructure patterns, and operational tradecraft.
Within the first 48 hours after the theft, attackers successfully laundered approximately 160 million dollars worth of the stolen Ethereum. This rapid laundering demonstrated sophisticated knowledge of cryptocurrency mixing services, bridge protocols, and decentralized exchange liquidity. The remaining holdings entered longer-term laundering operations through multiple channels.
Bybit CEO Ben Zhou announced a 140-million-dollar bounty for recovery assistance on February 22, the day after the theft announcement. The bounty structure provided 5 percent of recovered funds to parties tracking stolen assets and 10 percent to those facilitating freezing or recovery. The bounty represented an attempt to incentivize law enforcement, blockchain analysis firms, and exchange operators to intercept laundering.
Customer funds remained fully covered throughout the incident despite the massive theft. Bybit possessed sufficient reserves to honor customer withdrawals and continued operating normally. The drained amount came out of the exchange's operational reserves rather than customer deposits, avoiding the cascading losses to customers seen in other exchange hacks.
The attack's scale exceeded the 2022 Ronin Bridge theft of approximately 625 million dollars. The Bybit hack also surpassed the Poly Network hack of 611 million dollars in 2021, making it the single largest confirmed cryptocurrency theft. The scale reflected the increasing value of Ethereum and Bybit's prominent position among global cryptocurrency exchanges.
The SafeWallet vulnerability created cascading risks for other organizations using the same multisig infrastructure. Multiple exchanges and protocols potentially faced exposure if they used similar development tooling and deployment patterns. SafeWallet issued emergency security advisories and patched the vulnerability after Bybit disclosed the incident.
Bybit's response prioritized transparency and customer assurance. The exchange published detailed technical postmortems explaining the attack vector, the specific code vulnerabilities, and the remediation steps undertaken. This communication contrasted with some exchange hacks where platforms minimized disclosure.
The incident highlighted risks of centralized development infrastructure for decentralized protocols. Despite smart contracts' immutability, the development, deployment, and operation of these contracts depended on humans and digital systems vulnerable to social engineering. The distinction between protocol security and operational security proved critical.
The Lazarus Group's ongoing activities demonstrated sophisticated understanding of cryptocurrency market infrastructure. The organization had previously targeted exchanges, bridges, and other on-chain liquidity mechanisms. The Bybit attack showed continued technical sophistication and operational capacity despite increased international law enforcement focus on the group.
Recovery prospects for stolen funds remained limited despite the bounty. Previous Lazarus Group thefts had proven difficult to recover due to the organization's access to both cryptocurrency mixing techniques and complicit cryptocurrency exchanges in North Korea-aligned jurisdictions. However, Bybit's bounty offered financial incentives for recovery assistance beyond traditional law enforcement channels.
The incident prompted regulatory discussions regarding exchange custody standards and operational security requirements. Regulators in multiple jurisdictions began examining whether exchanges should face mandatory security standards beyond self-imposed practices. The theft demonstrated that even well-capitalized, reputable exchanges faced sophisticated attack capability.