Bybit Confirms Record-Breaking $1.5 Billion Crypto Heist in Sophisticated Cold Wallet Attack

[email protected] The Hacker News February 22, 2025

Cryptocurrency exchange Bybit on Friday revealed that a “sophisticated” attack led to the theft of over $1.5 billion worth of cryptocurrency from one of its Ethereum cold (offline) wallets, making it the largest ever single crypto heist in history.

“The incident occurred when our ETH multisig cold wallet executed a transfer to our warm wallet. Unfortunately, this transaction was manipulated through a sophisticated attack that masked the signing interface, displaying the correct address while altering the underlying smart contract logic,” Bybit said in a post on X.

“As a result, the attacker was able to gain control of the affected ETH cold wallet and transfer its holdings to an unidentified address.”


In a separate statement posted on the social media platform, Bybit’s CEO Ben Zhou emphasized that all other cold wallets are secure. The company further said it has reported the case to the appropriate authorities.

While there is no official confirmation from Bybit yet, Elliptic and Arkham Intelligence confirmed that the digital theft is the work of the infamous Lazarus Group. The incident makes it the biggest-ever cryptocurrency heist reported to date, dwarfing that of Ronin Network ($624 million), Poly Network ($611 million), and BNB Bridge ($586 million).

Independent researcher ZachXBT said they “connected the Bybit hack on-chain to the Phemex hack,” the latter of which took place late last month.

The North Korea-based threat actor is one of the most prolific hacking groups, orchestrating dozens of cryptocurrency heists to generate illicit revenue for the sanctions-hit nation. Last year, Google described North Korea as “arguably the world’s leading cyber criminal enterprise.”

In 2024, it’s estimated to have stolen $1.34 billion across 47 cryptocurrency hacks, accounting for 61% of all ill-gotten crypto during the time period, according to blockchain intelligence firm Chainalysis.

“Cryptocurrency heists are on the rise due to the lucrative nature of their rewards, the challenges associated with attribution to malicious actors, and the opportunities presented by nascent familiarity with cryptocurrency and Web3 technologies among many organizations,” Google-owned Mandiant said last month.

Update

In a standalone update, Bybit said it detected unauthorized activity within one of its Ethereum (ETH) cold wallets during a planned routine transfer process on February 21, 2025, at around 12:30 p.m. UTC.

“The transfer was part of a scheduled move of ETH from our ETH Multisig Cold Wallet to our Hot Wallet,” it said in a statement.

“Unfortunately, the transaction was manipulated by a sophisticated attack that altered the smart contract logic and masked the signing interface, enabling the attacker to gain control of the ETH Cold Wallet. As a result, over 400,000 ETH and stETH worth more than $1.5 billion were transferred to an unidentified address.”


TRM Labs has also attributed the hack with high confidence to the Lazarus Group, based on “substantial overlaps observed between addresses controlled by the Bybit hackers and those linked to prior North Korean thefts” such as Phemex, BingX, and Poloniex.

“The recent incident with Bybit marks a new phase in attack methods, featuring advanced techniques for manipulating user interfaces,” Check Point Research noted. “Instead of just exploiting protocol mechanics, the attackers employed advanced social engineering through manipulated interfaces, allowing them to compromise a significant institutional multisig setup.”

The cybersecurity company also pointed out that the attack highlights a scenario where threat actors are manipulating legitimate transactions through the Gnosis Safe Protocol’s execTransaction function, stating “multisig cold wallets are not secure if signers can be deceived or compromised, emphasizing the growing sophistication of supply chain and user interface manipulation attacks.”
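As an added defensive illustration (not code from the article, Bybit, Safe or Check Point), the Python below decodes the parameters of a Safe execTransaction call independently of any wallet UI and flags what a signer should verify out-of-band before approving: whether the recipient matches the expected one, whether the call is a delegatecall (operation 1, which runs the callee in the Safe's own storage context and so can change the wallet's logic), and whether calldata is attached to what is supposed to be a plain transfer. The selector 0x6a761202 and argument layout are assumed from the Safe contract ABI; all addresses and calldata are constructed sample values.

```python
# Added example: decode a Safe execTransaction() call so a signer can check the
# real parameters rather than what a (possibly masked) signing UI displays.
SELECTOR = bytes.fromhex("6a761202")  # assumed execTransaction(...) selector
ARGS = ["to", "value", "data", "operation", "safeTxGas", "baseGas",
        "gasPrice", "gasToken", "refundReceiver", "signatures"]
DYNAMIC = {"data", "signatures"}          # ABI "bytes": head word is an offset
ADDRESSES = {"to", "gasToken", "refundReceiver"}

def decode_exec_transaction(calldata: bytes) -> dict:
    """ABI-decode execTransaction calldata into a plain dict."""
    if calldata[:4] != SELECTOR:
        raise ValueError("not execTransaction calldata")
    args = calldata[4:]
    tx = {}
    for i, name in enumerate(ARGS):
        word = args[32 * i:32 * (i + 1)]
        if name in DYNAMIC:
            off = int.from_bytes(word, "big")
            length = int.from_bytes(args[off:off + 32], "big")
            tx[name] = args[off + 32:off + 32 + length]
        elif name in ADDRESSES:
            tx[name] = "0x" + word[12:].hex()   # address is the low 20 bytes
        else:
            tx[name] = int.from_bytes(word, "big")
    return tx

def risk_flags(tx: dict, expected_to: str) -> list:
    """Checks a signer should make out-of-band before approving."""
    flags = []
    if tx["to"].lower() != expected_to.lower():
        flags.append("recipient differs from the expected address")
    if tx["operation"] != 0:
        flags.append("operation=1 DELEGATECALL: callee runs in the Safe's own "
                     "storage context and can rewrite the wallet's logic")
    if tx["data"]:
        flags.append("calldata attached: contract call, not a plain transfer")
    return flags

def encode_exec_transaction(to, value, data, operation, signatures=b""):
    """Minimal ABI encoder, used only to build constructed sample calldata."""
    addr = lambda a: bytes(12) + bytes.fromhex(a[2:])
    u256 = lambda n: n.to_bytes(32, "big")
    dyn = lambda b: u256(len(b)) + b + bytes((-len(b)) % 32)
    data_off = 32 * len(ARGS)                 # dynamic tail follows the head
    sig_off = data_off + len(dyn(data))
    head = (addr(to) + u256(value) + u256(data_off) + u256(operation) +
            u256(0) * 3 + bytes(32) * 2 + u256(sig_off))  # zero gas token/refund
    return SELECTOR + head + dyn(data) + dyn(signatures)
```

A transfer to the expected warm-wallet address returns no flags; a call to the same displayed address with operation 1 and calldata attached is flagged twice, which is exactly the mismatch a masked interface is designed to hide.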

In a detailed analysis published over the weekend, Elliptic noted that the Lazarus Group’s laundering process follows a characteristic pattern, which involves exchanging stolen tokens for a native blockchain asset like Ether to avoid attempts to freeze the digital assets.

“This is exactly what happened in the minutes following the Bybit theft, with hundreds of millions of dollars in stolen tokens such as stETH and cmETH exchanged for Ether,” the company stated, adding the funds were layered to cover up the transaction trail by routing them to 50 different wallets within two hours of the theft, and then shifting them through crypto exchanges like eXch to convert them into bitcoin.

“North Korea’s Lazarus Group is the most sophisticated and well-resourced launderer of cryptoassets in existence, continually adapting its techniques to evade identification and seizure of stolen assets,” Elliptic said.

Elliptic further called out cryptocurrency exchange eXch for enabling North Korean threat actors to launder the ill-gotten proceeds, since it lets its users swap crypto assets anonymously. It’s assessed that stolen cryptocurrency from Bybit worth over $75 million has been exchanged using eXch, converting the digital funds into bitcoin.

However, eXch has denied laundering funds stolen from Bybit, stating it is “NOT laundering money for Lazarus/DPRK” and that “insignificant part of funds that was processed by us from the ByBit hack in an isolated case will be donated to various open-source initiatives dedicated to privacy and security both inside and outside crypto space.”

“They certainly are laundering the funds stolen by DPRK from Bybit – it’s visible on the blockchain,” Dr. Tom Robinson, co-founder and chief scientist at Elliptic, told The Hacker News.

“Over $75 million of the stolen funds have been laundered through eXch so far. They are trying to conceal it and the total figure may be more than this. And this isn’t the first time – cryptoassets from multiple previous DPRK-attributed hacks have been sent through eXch.”

(The story was updated after publication to include additional information and revise the total amount of cryptocurrency stolen in the incident.)
