Bybit Post-Mortem: Anatomy of the $1.5 Billion Crypto Heist
North Korea's Lazarus Group drained about $1.5 billion from a Bybit cold wallet in February 2025. Here is how a single compromised developer laptop led to the largest crypto heist on record.
On February 21, 2025, the crypto exchange Bybit lost roughly $1.5 billion in a matter of minutes, the largest theft in the history of digital assets and, by dollar value, one of the biggest heists of any kind ever recorded. The money drained out of a single Ethereum cold wallet during what was meant to be a routine internal transfer.
What Happened on February 21, 2025
The attackers walked away with 401,347 ETH plus three staked-ETH derivatives: 90,376 stETH, 15,000 cmETH, and 8,000 mETH. With Ethereum trading around $2,800 at the time, per CoinGecko, the combined haul was worth about $1.46 billion. Within hours, blockchain analytics firm Chainalysis and others had flagged the movement as the work of North Korea’s Lazarus Group.
| Asset stolen | Amount | Approx. USD value |
|---|---|---|
| Ether (ETH) | 401,347 | $1.12 billion |
| Lido staked ETH (stETH) | 90,376 | $253 million |
| Mantle restaked ETH (cmETH) | 15,000 | $42 million |
| Mantle staked ETH (mETH) | 8,000 | $22 million |
| Total | about 514,723 ETH-equivalent | about $1.46 billion |
What makes this incident worth a full post-mortem is not the size alone. Nothing in Bybit’s own smart contracts or signing hardware was technically broken. The exchange used multi-signature controls, hardware signing devices, and a widely trusted wallet interface. The attackers defeated all of it by changing what the humans saw on screen.
The Attack Chain: From a Laptop to a Cold Wallet
Bybit managed its Ethereum cold wallet through Safe{Wallet} (formerly Gnosis Safe), a multi-signature standard used across the industry. A transfer out of the wallet required at least three authorized Bybit executives to approve it, each reviewing the transaction in the Safe interface and confirming it on a hardware signing device.
The weak link sat far from Bybit. According to the forensic investigation led by Sygnia and corroborated by reporting from The Block, the attackers compromised the macOS workstation of a Safe{Wallet} developer. Initial access came through social engineering: the developer was lured into running a trojanized trading-simulator project (described in Mandiant's analysis as a Docker project) that carried a remote code execution payload. From that single laptop, the attackers obtained credentials for the Amazon Web Services infrastructure that served the Safe{Wallet} front end.
There, on February 19, they planted malicious JavaScript in the web application bundle served from Safe's cloud storage bucket. The code was surgical: it inspected the Safe address initiating each transaction and activated only when that address was Bybit's cold wallet or one attacker-controlled test address, leaving every other Safe user untouched. That selectivity is why the tampering went unnoticed until the money was already gone.
The delegatecall Trick That Fooled the Signers
The core of the attack lived in one Ethereum primitive: delegatecall. A delegatecall lets one contract run another contract’s code inside its own storage context. Used legitimately, it powers upgradeable contracts. Used maliciously, it lets an attacker rewrite the variables that decide who controls a wallet, as the technical breakdown by NCC Group details.
When Bybit's three signers approved what the interface presented as an ordinary token transfer, the payload actually sent to their hardware devices did something else. Safe's execTransaction takes an operation flag, 0 for a normal call and 1 for a delegatecall; the payload set it to 1 and pointed at a contract the attackers controlled. That contract's code, running inside the Safe proxy's own storage context, overwrote the implementation pointer, the storage value held in slot zero of the proxy that tells the wallet which logic contract to trust. In one approved transaction, Bybit's cold wallet stopped obeying Safe's audited code and started obeying the attacker's, which let the thieves move funds without any further sign-off.
The signers had no realistic way to catch it. The Safe interface rendered a normal transfer, and the hardware wallets displayed an opaque hash that no human could map back to the real intent of the transaction. Once the implementation pointer was swapped, the attackers issued follow-up transactions through the replacement logic and swept the ETH and staked-ETH tokens to addresses under their control. Roughly two minutes after the malicious transaction, clean versions of the JavaScript were re-uploaded to Safe's storage bucket, an attempt to erase the evidence.
| Time (UTC) | Event |
|---|---|
| Feb 19 | Malicious JavaScript injected into the Safe{Wallet} front-end bundle in Safe's AWS storage bucket |
| Feb 21, ~14:13 | Bybit signers approve what Safe{Wallet} renders as a routine cold-to-warm transfer; the executed transaction is a delegatecall that overwrites the Safe's implementation pointer |
| Feb 21, minutes later | Attacker sweeps 401,347 ETH plus staked-ETH tokens through the swapped implementation |
| Feb 21, ~14:15 | Clean JavaScript re-uploaded to Safe's storage, about two minutes after the malicious transaction, to hide the tampering |
| Feb 24 | Bybit publishes a proof-of-reserves attestation |
| Feb 26 | FBI attributes the theft to North Korea’s TraderTraitor |
Follow the Money: Laundering Through THORChain
Stolen crypto is only useful if it can be cashed out, and Lazarus moved with practiced speed. The first task was to convert assets that could be frozen into ones that could not. The staked-ETH tokens were swapped for plain ETH inside the first hour, before the issuers could intervene.
From there the operation pivoted to Bitcoin. According to DL News and on-chain trackers, the bulk of the stolen ETH was bridged into Bitcoin largely through THORChain, a decentralized cross-chain swap protocol. THORChain was attractive because its swaps are non-custodial and hard to pause, leaving little chance for a central operator to freeze the flow in transit. In roughly ten days, more than $1.2 billion moved through the protocol, which collected several million dollars in fees from the activity. Funds were then split across thousands of addresses, run through mixers, and funneled toward over-the-counter desks.
The scale overwhelmed conventional tracing. Both Bybit and the FBI published address lists, and analytics firm Elliptic identified more than 11,000 intermediary addresses. By late in the cleanup, Bybit chief executive Ben Zhou acknowledged that about 20 percent of the funds, close to $280 million, had become effectively untraceable, as Cointelegraph reported. Investigators described tranches clearing the protocol faster than compliance teams could blacklist the addresses.
Attribution: Why the FBI Named TraderTraitor
Attribution in crypto theft is usually probabilistic, built from wallet clustering and behavioral patterns. This case was unusually clear. On February 26, 2025, the FBI issued a public service announcement attributing the theft to North Korea and assigning it the activity name TraderTraitor. The bureau urged exchanges, bridges, node operators, and analytics firms to block transactions tied to the listed addresses.
The fingerprints matched years of DPRK tradecraft: the social-engineering lure aimed at a developer, the trojanized project used as the lure, the rapid conversion to Bitcoin, and the heavy use of cross-chain swaps and mixers. Multiple analytics firms reached the same conclusion independently. North Korean operators have stolen billions from crypto platforms over the past several years, and 2025 set fresh records for the category. Proceeds from these operations are widely assessed to fund the country's weapons programs, which is why the response reached well beyond the crypto industry.
Bybit’s Response: Bridge Loans, Reserves, and a Bounty
Bybit’s handling of the aftermath became a case study in damage control. Within hours, Zhou went live to confirm the breach and insisted the exchange remained solvent: even if the funds were never recovered, customer balances would be covered. The speed of that public reassurance mattered, because confidence, not code, is what keeps an exchange alive in the first hours after a breach.
To back the claim, Bybit secured emergency funding. The exchange sourced nearly 447,000 ETH through loans and purchases from partners including Galaxy Digital, FalconX, and Wintermute, enough to close the gap. By February 24, three days after the breach, the firm published a proof-of-reserves attestation verified by Hacken that showed major assets above 100 percent collateralization, as CNBC reported. Bybit also says it cleared a surge of more than 350,000 withdrawal requests without freezing redemptions.
The exchange then launched the Lazarus Bounty, offering 10 percent of any recovered funds, a pool worth up to $140 million, to anyone who helped freeze or claw back the assets. The program paid out millions to analysts and protocols that froze tranches in transit, though the share actually recovered stayed small against the total stolen.
What Safe{Wallet} Said, and What It Changed
Safe faced an awkward position: its product sat at the center of the largest hack in crypto history, yet its code held up. In its public statement, the Safe team said external forensic review found no vulnerability in the Safe smart contracts or in the source code of the front end and services. The compromise came through a developer machine that was used to push a malicious front-end build.
Safe responded by rebuilding and reconfiguring its infrastructure from scratch and rotating all credentials. It also pushed work on safer signing, including better transaction-decoding tools so signers can verify what a payload will actually do rather than trusting a rendered screen. The episode moved the wider industry toward clear signing, where hardware devices show human-readable transaction details instead of opaque hashes. Several hardware-wallet makers and signing services accelerated similar features in the months that followed.
The Regulatory Aftershock and the SEC Angle
Bybit operates offshore and restricts United States users, so it sits outside direct US oversight, a gap that is itself part of the policy debate. The federal response came from law enforcement rather than markets regulators: the FBI led attribution, and the Treasury’s sanctions machinery has repeatedly targeted DPRK laundering networks.
Even so, the incident sharpened questions the Securities and Exchange Commission has been weighing about custody and operational resilience. US registered firms that hold client crypto face SEC expectations on safeguarding assets, and analysts at the Center for Strategic and International Studies argued the heist should shape how Washington balances lighter-touch crypto rules against hard security requirements. Industry groups, meanwhile, pushed for shared threat intelligence and faster freezing pipelines so the next stolen tranche can be stopped before it reaches a bridge. The lesson was not about a flawed blockchain; it was about third-party software supply chains, signing workflows, and the human approval layer, areas where audits and disclosure rules are still catching up.
Lessons for Every Exchange and Self-Custodian
The Bybit post-mortem is uncomfortable precisely because the victim did most things right. Multi-signature controls and hardware wallets are necessary, but they are not sufficient when the interface feeding them can be quietly rewritten. A few takeaways stand out:
- Verify, do not trust, the interface: signers should independently decode the transaction calldata on a separate device before approving, confirming at minimum that the operation flag is a plain call rather than a delegatecall and that the destination is a contract the wallet is expected to interact with.
- Treat the front-end supply chain as critical infrastructure: code served from cloud storage needs integrity checks and strict change controls.
- Assume social engineering will succeed: developer endpoints are now a primary target, so privileged build systems should be isolated from individual workstations.
- Rehearse the worst day: Bybit’s fast bridge financing and same-week proof of reserves limited a bank run, a reminder that incident response matters as much as prevention.
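The check described in the first takeaway, applied to the payload shape described in the delegatecall section, as an added example (this is not Safe{Wallet}, Bybit or Sygnia code). It hand-decodes Safe execTransaction calldata with no libraries and flags what the Bybit payload had: operation set to 1 (delegatecall), a destination not on the signer's allowlist, and an inner "transfer" that moves nothing. The selectors for execTransaction and ERC-20 transfer are the real ones; every address, the allowlist, and the two sample payloads are constructed placeholders, and the encoder exists only to build that sample input.

```javascript
// Added example (not Safe{Wallet} or Bybit code): a signer-side "second opinion" on a
// Safe execTransaction payload, decoded with a minimal hand-rolled ABI decoder and
// checked for the properties the Bybit payload had.

// Selector of execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)
const EXEC_TRANSACTION_SELECTOR = "6a761202";
// Selector of ERC-20 transfer(address,uint256), what the Safe UI rendered for the signers.
const TRANSFER_SELECTOR = "a9059cbb";
const CALL = 0;
const DELEGATECALL = 1;

const strip0x = (h) => (h.startsWith("0x") ? h.slice(2) : h).toLowerCase();
const word = (hex) => strip0x(hex).padStart(64, "0"); // left-pad to one 32-byte word
const padRight = (hex) => {
  const h = strip0x(hex);
  return h.padEnd(Math.ceil(h.length / 64) * 64, "0"); // right-pad to whole words
};

// ABI-encode transfer(to, amount); used only to build the sample inner calldata.
function encodeTransfer(to, amount) {
  return "0x" + TRANSFER_SELECTOR + word(to) + word(BigInt(amount).toString(16));
}

// ABI-encode an execTransaction call; used only to build sample input for the check.
function encodeExecTransaction(tx) {
  const data = strip0x(tx.data);
  const sigs = strip0x(tx.signatures);
  const dataOffset = 10 * 32; // ten head words, then the dynamic tail
  const sigsOffset = dataOffset + 32 + Math.ceil(data.length / 64) * 32;
  const head = [
    word(tx.to), word(BigInt(tx.value).toString(16)), word(dataOffset.toString(16)),
    word(tx.operation.toString(16)), word("0"), word("0"), word("0"), // gas fields left at 0
    word(tx.gasToken), word(tx.refundReceiver), word(sigsOffset.toString(16)),
  ].join("");
  const tail = word((data.length / 2).toString(16)) + padRight(data) +
               word((sigs.length / 2).toString(16)) + padRight(sigs);
  return "0x" + EXEC_TRANSACTION_SELECTOR + head + tail;
}

// Decode execTransaction calldata into its named fields.
function decodeExecTransaction(calldata) {
  const hex = strip0x(calldata);
  if (hex.slice(0, 8) !== EXEC_TRANSACTION_SELECTOR) throw new Error("not execTransaction calldata");
  const params = hex.slice(8);
  const wordAt = (i) => params.slice(i * 64, i * 64 + 64);
  const addr = (w) => "0x" + w.slice(24);
  const uint = (w) => BigInt("0x" + w);
  const bytesAt = (offset) => { // dynamic `bytes`: a length word, then the payload
    const start = Number(offset) * 2;
    const len = Number(uint(params.slice(start, start + 64)));
    return "0x" + params.slice(start + 64, start + 64 + len * 2);
  };
  return {
    to: addr(wordAt(0)), value: uint(wordAt(1)), data: bytesAt(uint(wordAt(2))),
    operation: Number(uint(wordAt(3))), gasToken: addr(wordAt(7)),
    refundReceiver: addr(wordAt(8)), signatures: bytesAt(uint(wordAt(9))),
  };
}

// Policy check to run on a machine that did not render the transaction. `allowlist` holds
// the lowercase addresses this Safe is expected to call (token contracts, warm wallets).
function reviewSafeTransaction(calldata, allowlist) {
  const tx = decodeExecTransaction(calldata);
  const findings = [];
  if (tx.operation !== CALL) {
    findings.push(`operation=${tx.operation} is DELEGATECALL: the target's code runs in the Safe's own storage and can overwrite slot 0 (the implementation pointer)`);
  }
  if (!allowlist.includes(tx.to)) {
    findings.push(`to=${tx.to} is not an allowlisted contract`);
  }
  const inner = strip0x(tx.data);
  if (inner.slice(0, 8) === TRANSFER_SELECTOR && inner.length >= 136) {
    const amount = BigInt("0x" + inner.slice(72, 136));
    if (amount === 0n) findings.push("ERC-20 transfer of amount 0: the UI shows a transfer, but nothing moves");
    if (tx.operation !== CALL) findings.push("transfer() via DELEGATECALL is never a token transfer; it is a storage write into the Safe");
  }
  return { tx, findings, approve: findings.length === 0 };
}

// Constructed sample addresses (placeholders, not real contracts).
const STAKED_TOKEN = "0x1111111111111111111111111111111111111111";
const WARM_WALLET = "0x2222222222222222222222222222222222222222";
const ROGUE_CONTRACT = "0x3333333333333333333333333333333333333333";
const ROGUE_IMPL = "0x4444444444444444444444444444444444444444";
const ZERO = "0x0000000000000000000000000000000000000000";
const ALLOWLIST = [STAKED_TOKEN, WARM_WALLET];

// A genuine cold-to-warm transfer: a plain CALL into the token contract.
const LEGIT_CALLDATA = encodeExecTransaction({ to: STAKED_TOKEN, value: 0,
  data: encodeTransfer(WARM_WALLET, 1_000_000_000_000_000_000n), operation: CALL,
  gasToken: ZERO, refundReceiver: ZERO, signatures: "0x" });

// The Bybit-shaped payload: "transfer(impl, 0)" executed as a DELEGATECALL into an unknown contract.
const MALICIOUS_CALLDATA = encodeExecTransaction({ to: ROGUE_CONTRACT, value: 0,
  data: encodeTransfer(ROGUE_IMPL, 0), operation: DELEGATECALL,
  gasToken: ZERO, refundReceiver: ZERO, signatures: "0x" });

for (const [label, cd] of [["legit", LEGIT_CALLDATA], ["malicious", MALICIOUS_CALLDATA]]) {
  const r = reviewSafeTransaction(cd, ALLOWLIST);
  console.log(label, r.approve ? "OK to sign" : "DO NOT SIGN", r.findings);
}
```

The decoder deliberately reads the raw calldata rather than anything the wallet UI produced: the point of the exercise is that the only artifact the compromised front end could not alter after the fact is the bytes the hardware device is about to sign. In practice the allowlist would be the Safe's known token contracts and warm wallets, and any non-zero operation flag should be treated as a hard stop regardless of what the screen says.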
For all the sophistication of the attack, its root cause was mundane: a trusted screen told a lie. Until signing tools make that lie hard to render, the most dangerous part of any cold wallet will remain the moment a human clicks approve.
By the HOGE Wire security desk.