On 21 February 2025, cryptocurrency exchange Bybit suffered a significant security breach, resulting in the theft of approximately 401,347 Ethereum (ETH), valued at over $1.46 billion. The incident is among the largest cryptocurrency exchange thefts to date, raising concerns over the security of digital asset platforms.

How the Attack Occurred

The breach took place during a routine transfer between Bybit’s Ethereum multi-signature cold wallet and its warm wallet. Attackers manipulated the signing interface so that it displayed the correct destination address to the signers while the underlying smart-contract logic was altered, giving them unauthorised access to the funds.

Forensic investigations revealed that the hackers used advanced phishing techniques and social engineering to obtain internal credentials. These were then exploited to bypass security protocols, allowing fraudulent approvals in Bybit’s multi-signature authentication process. The method enabled the attackers to transfer assets without triggering immediate security alerts.

Initial assessments suggest that the Lazarus Group, a state-sponsored hacking entity from North Korea, may be responsible. Blockchain investigator ZachXBT, alongside security researchers, identified patterns similar to previous Lazarus Group operations, including the January 2025 Phemex exchange hack.

Lazarus Group: North Korea-Linked Cybercrime Organisation

The Lazarus Group, also known as Guardians of Peace or Whois Team, is a cybercriminal organisation suspected of operating under the North Korean government. While the exact number of individuals involved remains unknown, the group has been linked to multiple cyberattacks since 2010.

Initially regarded as a criminal group, Lazarus has since been classified as an Advanced Persistent Threat (APT) due to the scale, sophistication, and persistence of its operations. Various cybersecurity entities have assigned different names to the group, including Hidden Cobra (a designation by the US Department of Homeland Security for North Korean cyber activities) and ZINC or Diamond Sleet (used by Microsoft). According to North Korean defector Kim Kuk-song, the group is internally known as the 414 Liaison Office in North Korea.

The US Department of Justice has described the Lazarus Group as a tool of the North Korean government used to disrupt global cybersecurity and generate illicit revenue, often in violation of international sanctions. North Korea leverages cyber operations as a cost-effective means of exerting influence, particularly against South Korea.

The Lazarus Group’s earliest known operation, Operation Troy (2009–2012), involved a cyber-espionage campaign using Distributed Denial-of-Service (DDoS) attacks targeting the South Korean government. The group was also responsible for cyberattacks in 2011 and 2013, with possible links to a 2007 attack on South Korea.

One of its most high-profile attacks was the 2014 breach of Sony Pictures, which demonstrated the group’s increasing technical sophistication.

The group has also been linked to financial cybercrimes, including the theft of $12 million from Banco del Austro in Ecuador and $1 million from Vietnam’s Tien Phong Bank in 2015; cyberattacks on banks in Poland and Mexico; the 2016 Bangladesh Bank heist, which resulted in the theft of $81 million; and the 2017 attack on Taiwan’s Far Eastern International Bank, where reports indicated the group stole up to $60 million, though most of the funds were recovered.

Bybit’s Crisis Response

Bybit’s response to the breach was immediate, with CEO Ben Zhou addressing the situation within 30 minutes. The company provided regular updates, including a live stream to answer user concerns. Bybit maintained control over communications, delivering structured updates with concrete figures and timelines.

The exchange took responsibility for the security lapse, collaborated with industry experts, and reassured users of its financial stability. This approach helped mitigate panic and stabilise market confidence in the platform.

Future Implications for Bybit and the Crypto Industry

The Bybit hack highlights the ongoing challenges cryptocurrency exchanges face in securing assets and maintaining regulatory compliance. As the industry evolves, exchanges will need to implement stronger security measures, enhance fraud detection capabilities, and work closely with regulators to maintain user trust and operational resilience.