Not Safe: Why North Korea’s Bybit Hack Made Crypto History
Mar. 18, 2025. 6 mins. read.
Bybit lost $1.46 billion in a record-breaking hack. Can the industry recover, or is this just the beginning of bigger threats?
Introduction
At the end of February the cryptocurrency world heard news that would cement itself in crypto infamy and send prices into. Notable cryptocurrency exchange Bybit suffered a catastrophic security breach, losing a staggering $1.46 billion in Ethereum and related tokens.
This was more than just another hack among the hundreds since 2014, including the Mt. Gox and Binance hacks. This was in fact the LARGEST exchange hack in cryptocurrency history, which takes some doing. And to make it worse, it was most likely done by a North Korean hacking group, according to FBI investigations, which is terrible news for the entire sector due to the far-reaching repercussions it brings from regulations about money-laundering and sanctions.
Here’s what happened, and how.
The Anatomy of a Billion-Dollar Heist
On February 21, 2025, security analyst ZachXBT raised the alarm after he spotted unusual transactions flowing from Bybit’s multisignature wallet. The hackers moved through Bybit’s security systems like water flowing through a cracked dam, with precision that suggested months of planning.
Ben Zhou, Bybit’s co-founder and CEO, confirmed the breach shortly after detection. According to Zhou, it first appeared to be a routine transfer from the exchange’s Ethereum cold wallet to a hot wallet—a standard procedure to keep the hot and cold wallet balances within certain thresholds—but turned out to be a sophisticated attack. The transaction looked legitimate on the surface, but contained malicious code that altered the smart contract logic.
Bybit Hack Timeline

“We know the cause is definitely around the Safe cold wallet,” Zhou stated. “Whether it’s a problem with our laptops or on Safe’s side, we don’t know.” Safe, a decentralized custody protocol offering smart contract wallets for managing digital assets, temporarily suspended its smart wallet functionalities following the incident.
North Korean Fingerprints (Again)
Blockchain analysis firm Chainalysis provided a detailed breakdown of the attack, tracing it to North Korea’s notorious Lazarus Group—a state-sponsored hacking collective active since at least 2009 and reportedly connected to the DPRK’s military intelligence.
The attack followed what Chainalysis described as a “common playbook” used by North Korean hackers. First, a phishing campaign targeting Bybit’s cold wallet signers gave attackers access to the exchange’s user interface.
This access allowed them to replace a multi-signature wallet implementation contract with a malicious version, enabling unauthorized fund transfers.
After gaining control, the hackers intercepted a routine transfer, redirecting approximately 401,000 ETH ($1.46 billion) to their addresses. The stolen funds were then split across multiple intermediary wallets to obscure the transaction trail—a standard tactic in the digital heist playbook.
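The transaction in this attack looked routine on the surface but changed the wallet's contract logic, so the defensive control is for each signer to check the raw transaction fields independently of the interface that displays them. As an added example (not from the article, Bybit, or Safe), the Python check below compares a Safe-style transaction with the signer's stated intent and flags a delegatecall to an unvetted target; the addresses, the allowlist and the `Intent` type are constructed assumptions.

```python
# Added example: signer-side policy check for a Safe-style multisig transaction.
# All addresses are constructed placeholders, not values from the incident.
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1  # values of Safe's Enum.Operation

HOT_WALLET = "0x" + "11" * 20                # constructed: expected destination
DELEGATECALL_ALLOWLIST = {"0x" + "22" * 20}  # constructed: vetted library contract

@dataclass(frozen=True)
class SafeTx:
    to: str
    value: int      # wei
    data: bytes
    operation: int

@dataclass(frozen=True)
class Intent:
    """What the signer believes they are approving (hypothetical type)."""
    to: str
    value: int

def review(tx: SafeTx, intent: Intent) -> list[str]:
    """Return policy violations; an empty list means the raw tx matches intent."""
    findings = []
    to = tx.to.lower()
    if tx.operation not in (CALL, DELEGATECALL):
        findings.append("unknown operation value")
    if tx.operation == DELEGATECALL and to not in DELEGATECALL_ALLOWLIST:
        # A delegatecall runs the target's code against the wallet's own
        # storage, so it can rewrite the proxy's implementation pointer.
        findings.append("delegatecall to non-allowlisted target")
    if to != intent.to.lower():
        findings.append("destination differs from stated intent")
    if tx.value != intent.value:
        findings.append("value differs from stated intent")
    if tx.data:
        findings.append("calldata present on what should be a plain transfer")
    return findings

intent = Intent(to=HOT_WALLET, value=1_000 * 10**18)
routine = SafeTx(HOT_WALLET, 1_000 * 10**18, b"", CALL)
# Constructed: presented as a transfer, but the raw fields say otherwise.
disguised = SafeTx("0x" + "ab" * 20, 0, b"\x01" * 68, DELEGATECALL)

if __name__ == "__main__":
    for name, tx in (("routine", routine), ("disguised", disguised)):
        print(name, review(tx, intent) or "OK")
```

The check is only useful when it runs on a device and code path separate from the signing interface, so that a compromise of one does not silence the other.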
Market Meltdown
The effects of the breach were felt immediately across cryptocurrency markets. Bitcoin plunged to $87k—a 7% drop—in 24 hours and its lowest level since November 2024, and in the aftermath it fell below $80,000. Other major cryptocurrencies followed suit, with Ethereum suffering particularly heavy losses given its direct involvement in the hack.
Bybit customers rushed to withdraw funds, creating unprecedented pressure on the exchange. Within 48 hours, Bybit processed $6.1 billion in withdrawal requests—nearly 100 times normal volume. The total value of customer assets held by the exchange dropped precipitously, from $16.9 billion to $10.8 billion.
Bybit’s Response
In what is now an industry standard procedure in line with the Binance ‘Funds are SAFU’ playbook created after its hack a few years back, Bybit weathered the storm quite well. Within three days, Zhou announced that the exchange had “fully closed the ETH gap” and restored a 1:1 reserve on client assets—an extraordinary feat given the scale of the theft.
According to blockchain analytics firm Lookonchain, Bybit received 446,870 Ether worth approximately $1.23 billion (88% of the stolen amount) through loans, whale deposits, and purchases.
The exchange bought 157,660 Ether ($437.8 million) from crypto investment firms Galaxy Digital, FalconX, and Wintermute through OTC transactions, and another $304 million of Ether from centralized and decentralized exchanges.
The Lazarus Bounty
Perhaps most notably, Bybit launched LazarusBounty.com—allocating $140 million to reward those who successfully track and freeze the stolen funds. The platform integrates security data from leading blockchain analytics firms like Chainalysis and Arkham, employs expert investigators, and offers a merit-based reward system for people who help track and freeze stolen assets.
“Join us on war against Lazarus,” Zhou declared on Twitter, announcing the “industry’s first bounty site that shows aggregated full transparency on the sanctioned Lazarus money laundering activities.”
The collaborative security efforts have already yielded results, with Chainalysis reporting that approximately $40 million of the stolen funds have been frozen. However, most of the loot remains dormant across multiple addresses—a strategy used by North Korean hackers to wait out the heightened scrutiny that follows such high-profile breaches.

Broader Implications for Crypto Security
The Bybit breach again exposes the fact that despite the industry’s rhetoric about decentralization, many exchanges are still centralized points of failure with substantial honeypots for attackers, no matter how sophisticated their security is.
It remains to be seen whether this hack leads to meaningful changes in how exchanges secure customer funds. Two things are certain: in the world of cryptocurrency, security can never be taken for granted, and the largest players make the most attractive targets.
Safe’s temporary shutdown of smart wallet functionalities after the hack demonstrates the interconnected nature of crypto infrastructure—when one major component gets compromised, the effects cascade throughout the ecosystem.
This interdependence raises serious questions about how exchanges secure user assets, and what precautions they take against sophisticated state-sponsored attacks. And how censorship-resistant are we in crypto really when digital assets can just be frozen?
Also, it strengthens the case for investors to either self-custody their assets or (more centralization!) use a crypto ETF like BlackRock’s, which is federally insured to a point.
As Chainalysis noted, “Exchanges will need to articulate to their regulators and users how they ensure that user funds are protected.”
Lastly, after years in the wilderness, crypto is finally popular with regulators and mainstream investors alike. Anyone that’s been in crypto for over two years will know the hard gains and sacrifices that have been made to get here, from Mt. Gox to Bitfinex to FTX’s meltdowns.
While Bitcoin in its early days was wrongly accused of solely being a tool for criminals to move their money around, hacks are undeniably bad for everyone. It’s clear-cut crime, and when it gets to state-sponsored crime from a blacklisted nation, the entire space is skating on thin ice in the long term, no matter what Donald Trump and Larry Fink say about it during a bull run.
For average crypto users, the lesson is clear: the security of centralized exchanges, no matter how robust, is never infallible. Those with significant holdings would be wise to remember the crypto mantra: Not your keys, not your coins.
One thought on “Not Safe: Why North Korea’s Bybit Hack Made Crypto History”
They should focus their attention on their people more. Their living condition is not that good.