A major breach at Bybit became the largest crypto theft of 2025 and of all time, highlighting security gaps and changing how the industry approaches asset safety and risk.
On February 21, 2025, a historic theft struck cryptocurrency exchange Bybit. Approximately 401,000 ETH, worth $1.5 billion, was stolen. This is now the largest single crypto heist ever recorded.
The FBI attributed the breach to North Korea’s state-sponsored Lazarus Group, which it stated had executed a sophisticated supply chain compromise.
The immediate fallout for Bybit was severe. The exchange experienced a “bank run”, processing over $5 billion in panic withdrawals within 12 hours.
In response, CEO Ben Zhou and his team secured emergency liquidity, assuring users their funds remained backed 1:1.
The attack: a supply chain nightmare
The first breach occurred on February 4, weeks before the theft.
Attackers compromised a workstation at SAFE, a third-party multi-signature wallet provider used by Bybit, via a malicious Docker project.
With this access, the attackers stole AWS credentials and bypassed multi-factor authentication.
The final stage began on February 19. Malicious JavaScript code was injected into SAFE’s user interface.
Two days later, when Bybit’s team initiated what appeared to be a routine transfer using their 3-of-6 multisig wallet, the trap was sprung.
The compromised interface displayed legitimate transaction data to signers.
Meanwhile, hardware wallets showed the true payload: a “delegatecall” exploit redirecting 401,000 ETH to attacker-controlled addresses.
Three signers approved without detecting the manipulation.
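A pre-signing check that follows from the scenario above, as an added example (not code from SAFE, Bybit, or the original article): it compares the transfer the operator intended with the fields the signing device presents and flags any delegatecall to a target that is not explicitly allowed. The `SafeTx` class, the allowlist parameter and all sample values are assumptions constructed for illustration; the device-side fields are assumed to be transcribed or decoded independently of the web interface.

```python
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1  # values of the Safe transaction `operation` field

@dataclass(frozen=True)
class SafeTx:
    to: str         # target address (hex)
    value: int      # wei sent with the call
    data: str       # hex calldata
    operation: int  # 0 = call, 1 = delegatecall

def _norm(v):
    # Hex strings compare case-insensitively; integers compare as-is.
    return v.lower() if isinstance(v, str) else v

def review_before_signing(intended, on_device, delegatecall_allowlist=frozenset()):
    """Compare the transaction the operator meant to send with the fields the
    signing device presents. An empty list means no finding."""
    findings = []
    for name in ("to", "value", "data", "operation"):
        if _norm(getattr(intended, name)) != _norm(getattr(on_device, name)):
            findings.append(f"mismatch:{name}")
    allowed = {a.lower() for a in delegatecall_allowlist}
    if on_device.operation == DELEGATECALL:
        # A delegatecall runs the target's code in the wallet's own context,
        # so it is only acceptable for explicitly reviewed targets.
        if on_device.to.lower() not in allowed:
            findings.append("delegatecall-to-unlisted-target")
    elif on_device.operation != CALL:
        findings.append("unknown-operation")
    return findings

# Constructed sample values (placeholders, not addresses from the incident).
WARM_WALLET = "0x" + "11" * 20
UNKNOWN_CONTRACT = "0x" + "99" * 20

ROUTINE = SafeTx(to=WARM_WALLET, value=10**18, data="0x", operation=CALL)
TAMPERED = SafeTx(to=UNKNOWN_CONTRACT, value=0,
                  data="0xdeadbeef" + "00" * 32, operation=DELEGATECALL)

if __name__ == "__main__":
    print(review_before_signing(ROUTINE, ROUTINE))   # no findings
    print(review_before_signing(ROUTINE, TAMPERED))  # every field differs
```

Any non-empty result is a reason to stop the signing ceremony and investigate before a second or third signer approves.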
Attack Chain Summary
| Date | Event |
|---|---|
| February 4 | SAFE developer machine compromised via a malicious Docker project |
| February 19 | Malicious JavaScript injected into SAFE’s interface |
| February 21 | Attack executed: 401,000 ETH stolen from Bybit’s 3-of-6 multisig wallet |
| February 24 | Bybit completes proof-of-reserves audit, secures 447,000 ETH emergency loan |
Why most of the stolen funds were not recovered
The recovery of stolen funds stalled largely due to the speed and coordination of the attackers, whom blockchain analysts linked to the North Korean Lazarus Group.
Investigators noted the group began laundering funds immediately, using techniques that outpaced manual intervention.
They converted 86.29% of the stolen ETH into Bitcoin, initially 12,836 BTC, and distributed it across 9,117 wallets.
Despite the inherent transparency of blockchain, $160 million was laundered within the first 48 hours.
By April, CEO Zhou reported that while 68.57% of the stolen funds remained traceable, 27.59% had effectively “gone dark” after being routed through cryptocurrency mixers and peer-to-peer platforms.
Nonetheless, Bybit was able to recover some of the stolen funds.
Recovery initiatives included:
- A $140 million bounty program offering 10% of recovered funds
- Partnerships with Elliptic, Chainalysis, and TRM Labs for forensic tracking
- Industry-wide collaboration that froze $42.89 million in the first week
2025’s broader crypto crime wave
Bybit wasn’t an isolated incident. It headlined a record year for crypto theft, with $3.4 billion stolen globally.
North Korea accounted for $2.02 billion—a 51% increase from 2024, according to Chainalysis data.
The Bybit hack alone exceeded all North Korean thefts from the previous year, which totaled $1.34 billion across 47 separate incidents.
| Exchange | Loss | Attack Type |
|---|---|---|
| Bybit | $1.5 billion | Supply chain compromise |
| Nobitex | $90 million | Predatory Sparrow group |
| UPCX | $70 million | Protocol exploit |
As 2025 showed, the biggest crypto threats no longer attack the chains themselves; they exploit the centralized institutions and operational processes built around them.


