Bybit has been hit hard by the largest cryptocurrency hack in history.


Bybit’s major breach became the largest cryptocurrency theft of 2025 and of all time, highlighting security gaps and changing the way the industry approaches asset safety and risk.
On February 21, 2025, a historic theft occurred at the cryptocurrency exchange Bybit. Approximately 401,000 ETH worth $1.5 billion were stolen. This is the largest single cryptocurrency heist ever recorded.
The FBI attributed the breach to the North Korean government-backed Lazarus Group, which it said carried out a sophisticated supply chain compromise.
The immediate fallout at Bybit was severe. The exchange witnessed a “bank run”: over $5 billion in panic withdrawals were processed within 12 hours.
In response, CEO Ben Zhou and his team secured emergency liquidity to ensure that users’ funds remained backed 1:1.
Attack: A Supply Chain Nightmare
The first breach occurred on February 4, a few weeks before the theft.
The attackers used a malicious Docker project to compromise the workstations of SAFE, a third-party multi-signature wallet provider used by Bybit.
This access resulted in stolen AWS credentials. Multi-factor authentication was bypassed.
The final phase began on February 19th. SAFE’s user interface was injected with malicious JavaScript code.
The trap was sprung two days later, when the Bybit team started making routine transfers using the 3/6 multi-signature wallet.
The compromised interface displayed legitimate transaction data to the signers.
Meanwhile, the hardware wallet showed the actual payload, a “delegatecall” exploit that redirected 401,000 ETH to an address controlled by the attacker.
Three signatories approved the transaction without detecting any tampering.
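The gap described above, between what the interface displayed and what was actually signed, is what an independent pre-signing check is meant to catch. The following is an added example, not code from Bybit, SAFE or the original article: it compares the raw transaction fields with the intended routine transfer and rejects any delegatecall. The field names follow the Safe transaction struct, and all addresses and amounts are constructed.

```python
# Added example, not Bybit's or Safe's code. Field names follow the Safe
# transaction struct (to, value, data, operation); all addresses are constructed.
CALL, DELEGATECALL = 0, 1                    # Safe "operation" values
ERC20_TRANSFER = bytes.fromhex("a9059cbb")   # selector of transfer(address,uint256)

def decode_transfer(tx):
    """Return (asset, recipient, amount) for a plain transfer, else None."""
    data = bytes.fromhex(tx["data"][2:])     # strip the "0x" prefix
    if not data:                             # native ETH transfer
        return ("eth", tx["to"].lower(), int(tx["value"]))
    well_formed = len(data) == 68 and not any(data[4:16])  # zero-padded address
    if data[:4] == ERC20_TRANSFER and well_formed and int(tx["value"]) == 0:
        return (tx["to"].lower(), "0x" + data[16:36].hex(),
                int.from_bytes(data[36:], "big"))
    return None

def review_safe_tx(tx, intent):
    """Compare the payload to be signed with the intended routine transfer.
    Returns a list of findings; an empty list means they match."""
    op = int(tx["operation"])
    if op == DELEGATECALL:
        # The target's code would run with the wallet's own storage and balance,
        # so the transfer fields say nothing about the outcome.
        return [f"DELEGATECALL to {tx['to'].lower()}: not a routine transfer"]
    if op != CALL:
        return [f"unknown operation value {op}"]
    decoded = decode_transfer(tx)
    if decoded is None:
        return ["calldata is not a plain transfer; decode manually before signing"]
    wanted = (intent["asset"].lower(), intent["recipient"].lower(), intent["amount"])
    return [f"{name} mismatch: payload={got} intended={want}"
            for name, got, want in zip(("asset", "recipient", "amount"), decoded, wanted)
            if got != want]

# Constructed sample data: the intended transfer, a matching payload, a tampered one.
INTENT = {"asset": "ETH", "recipient": "0x" + "11" * 20, "amount": 5 * 10**18}
EXPECTED_TX = {"to": "0x" + "11" * 20, "value": 5 * 10**18, "data": "0x", "operation": 0}
TAMPERED_TX = {"to": "0x" + "ee" * 20, "value": 0, "data": "0x" + "ab" * 36, "operation": 1}

if __name__ == "__main__":
    for label, tx in (("expected", EXPECTED_TX), ("tampered", TAMPERED_TX)):
        print(label, review_safe_tx(tx, INTENT) or "OK")
```

The check only has value when it runs on a machine and code path separate from the signing interface, so that a compromise of the interface cannot also alter the comparison.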
Attack Chain Summary
| Date | Event |
|---|---|
| February 4th | SAFE developer system compromised via malicious Docker project |
| February 19th | Malicious JavaScript injected into the SAFE interface |
| February 21st | Attack launched: 401,000 ETH stolen from Bybit’s 3/6 multisig wallet |
| February 24th | Bybit completes Proof of Reserves audit and secures 447,000 ETH emergency loan |
Why most of the stolen funds have not been recovered
The recovery of stolen funds was significantly delayed due to the speed and coordination of the attackers, which blockchain analysts linked to the North Korean Lazarus Group.
Investigators noted that the group immediately began laundering money using techniques that outpaced manual intervention.
86.29% of the stolen ETH was converted to Bitcoin (initially 12,836 BTC) and distributed to 9,117 wallets.
Despite the inherent transparency of blockchain, $160 million was laundered within the first 48 hours.
CEO Zhou reported that while 68.57% of stolen funds remained traceable through April, 27.59% were effectively “forgotten” after being routed through cryptocurrency mixers and P2P platforms.
Nonetheless, Bybit was able to recover some of the stolen funds.
The recovery plan includes:
- A $140 million bounty program offering 10% of funds recovered
- Partnerships with Elliptic, Chainalysis, and TRM Labs for forensic tracking
- Industry-wide collaboration that froze $42.89 million in the first week
A broader cryptocurrency crime wave in 2025
Bybit was not an isolated incident. It has been a record year for cryptocurrency theft: $3.4 billion was stolen worldwide.
North Korea accounted for $2.02 billion, a 51% increase from 2024, according to Chainalysis data.
The Bybit hack alone surpassed North Korea’s total theft the previous year, which amounted to $1.34 billion across 47 separate incidents.
| Exchange | Loss | Attack type |
|---|---|---|
| Bybit | $1.5 billion | Supply chain compromise |
| Nobitex | $90 million | Predatory Sparrow group |
| UPCX | $70 million | Protocol exploitation |
As 2025 showed, the biggest cryptocurrency threats no longer attack the chain itself. They exploit centralized institutions and the operational processes built around them.

