Bybit cold wallet heist
Lazarus operators substituted the implementation contract during a routine Safe multisig transaction, draining ~$1.5 billion in ETH and staked-ETH derivatives from Bybit's Ethereum cold wallet — the largest single cryptocurrency theft in history.
- Victim: Bybit
- Loss: $1.50B
On 21 February 2025, Bybit — a Dubai-based cryptocurrency exchange that ranks among the world's largest by spot and derivatives volume — lost approximately $1.5 billion in ETH and staked-ETH derivatives from its Ethereum cold wallet, in what immediately became the largest single cryptocurrency theft in history.
The operation, attributed by the FBI to North Korea's Lazarus Group, was structurally novel: rather than compromise Bybit's keys directly, the attackers compromised the Safe{Wallet} front-end interface that Bybit's signers used to prepare and sign multisig transactions.
What happened
Bybit's cold wallet was secured by a Safe (Gnosis Safe) multisig — the dominant institutional crypto custody primitive — with a 3-of-N quorum of human signers. On 21 February 2025, the signers were preparing what they believed was a routine cold-to-hot wallet transfer, batching a standard top-up of operational liquidity.
The Safe{Wallet} front-end the signers were using had been compromised earlier — Lazarus operators had pre-positioned access on a Safe{Wallet} developer's workstation weeks or months earlier (per subsequent forensic disclosures from Safe's incident response). The compromise modified the JavaScript served to certain whitelisted client IPs — specifically, the Bybit signers' offices.
The signers' UI showed the expected, legitimate transaction. The actual transaction payload presented to their hardware wallets for signing was different:
- Instead of a standard transfer, the transaction encoded a `delegateCall` to attacker-controlled code that overwrote the Safe contract's implementation pointer.
- After the three required signatures were collected, the malicious implementation replaced the Safe's logic.
- Lazarus operators then drained the wallet to attacker-controlled addresses in a series of follow-up transactions.
Approximately 401,000 ETH and 90,000 stETH/cmETH moved out — about $1.5 billion at prices at the time.
The signers' hardware wallets had displayed the malicious transaction's payload during signing. Hardware wallet transaction-data review is, in principle, the defence against this exact attack. But Safe transactions involve complex calldata that is not easily human-readable, and the signers — like virtually all institutional crypto signers — relied on the front-end UI's interpretation rather than parsing the raw calldata. The discrepancy between displayed and signed data was the silent payoff.
Response
Bybit's response was unusually transparent and operationally aggressive:
- CEO Ben Zhou confirmed the breach on a livestream within hours, addressing depositor concerns publicly while the response was still active.
- Withdrawals briefly paused, then resumed after Bybit confirmed customer-account balances were unaffected — the loss was to corporate reserves held in the cold wallet, not directly to customer balances.
- Reserves and OTC bridge loans covered the deficit during the immediate days, with multiple major counterparties extending lines.
- Continued exchange operations through the incident without imposing a haircut on any customer.
The financial restoration cost Bybit a meaningful share of its corporate reserves. The reputational handling — public CEO accessibility, clear communication, no imposed customer losses — was widely cited as a positive example versus historical exchange-failure precedents.
Attribution
On 25 February 2025, the U.S. FBI publicly attributed the operation to North Korea's Lazarus Group, naming the TraderTraitor cluster specifically — the subset of Lazarus operations focused on cryptocurrency theft. On-chain tracking firms (Chainalysis, Elliptic, TRM Labs) identified the attacker-controlled addresses and tracked the laundering.
The laundering pipeline used eXch — a non-KYC crypto-to-crypto swap service that refused to cooperate with law enforcement. U.S. Treasury OFAC sanctioned eXch in May 2025, the second OFAC designation of a swap service after Tornado Cash and Sinbad.
Why it matters
Bybit is the canonical case for front-end compromise as a route into institutional crypto custody. It established:
- That the security perimeter of crypto custody is not just the keys — it includes the operator's UI, the front-end JavaScript supply chain, the developer's workstation, and the deploy pipeline of every dependency. Compromise any of these and the multisig itself becomes a liability.
- That hardware wallet transaction review is functionally insufficient for complex EVM transactions involving Safe-like proxy contracts. The signers had hardware wallets displaying the malicious calldata; they did not detect it.
- That Lazarus's targeting of crypto infrastructure suppliers — Safe{Wallet}, in this case — is operationally continuous with its decade-long campaign against exchange engineers, wallet teams, and DeFi protocol developers. The supplier-compromise vector scales: one Safe developer compromise enables theft against any Safe customer.
- That transparent CEO response during an active incident is reputationally survivable even at $1.5 billion in losses. Bybit's customer trust did not collapse, and the exchange continued operating.
Subsequent industry response to Bybit has centered on transaction-simulation review at the signing step (so signers see the predicted state changes, not just the calldata), client-side payload verification, and structural separation of front-end infrastructure from signing operations.
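The displayed-versus-signed discrepancy described above, and the client-side payload verification named as the industry response, can be illustrated with a small independent check. This is an added example, not Bybit's, Safe's or this page's code; the field names follow Safe's transaction structure, and every address and value is constructed.

```python
# Added example (not Bybit's, Safe's or this page's code): an independent policy
# check on the fields a signer is actually about to sign, run outside the web
# front-end so that a compromised UI cannot also compromise the check.
# Field names follow Safe's SafeTx structure; all sample values are constructed.
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1  # Safe 'operation' values


@dataclass(frozen=True)
class SafeTx:
    to: str          # destination address (hex)
    value: int       # ETH amount in wei
    data: bytes      # calldata; empty for a plain ETH transfer
    operation: int   # 0 = CALL, 1 = DELEGATECALL


def check_plain_transfer(tx: SafeTx, allowed_to: set[str], max_value: int) -> list[str]:
    """Return policy violations for a tx the UI claims is a plain cold-to-hot transfer.

    An empty list means the signed fields are consistent with that claim."""
    findings = []
    if tx.operation == DELEGATECALL:
        findings.append("operation is DELEGATECALL: callee code runs in the Safe's "
                        "own storage context and can rewrite its implementation pointer")
    elif tx.operation != CALL:
        findings.append(f"unknown operation value {tx.operation}")
    if tx.data:
        findings.append(f"{len(tx.data)} bytes of calldata on a claimed plain transfer")
    if tx.to.lower() not in {a.lower() for a in allowed_to}:
        findings.append(f"destination {tx.to} is not an allow-listed hot wallet")
    if tx.value > max_value:
        findings.append(f"value {tx.value} wei exceeds the per-transfer limit {max_value}")
    return findings


def ui_matches_payload(displayed: SafeTx, to_sign: SafeTx) -> bool:
    """True only if what the UI rendered equals what the hardware wallet is asked to sign."""
    return displayed == to_sign


# Constructed sample: the transfer the UI rendered vs. a swapped payload.
HOT_WALLET = "0x" + "11" * 20
displayed = SafeTx(to=HOT_WALLET, value=10**18, data=b"", operation=CALL)
swapped = SafeTx(to="0x" + "22" * 20, value=0, data=bytes.fromhex("deadbeef"), operation=DELEGATECALL)

if __name__ == "__main__":
    print("UI matches payload:", ui_matches_payload(displayed, swapped))
    for f in check_plain_transfer(swapped, {HOT_WALLET}, max_value=10**21):
        print("REFUSE:", f)
```

The point of the check is that it consumes the fields the hardware wallet is asked to sign, not the front-end's rendering of them, so a swapped payload is refused regardless of what the UI shows.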
Financial impact
Reported costs in USD
- Business loss: $1.50B
- Remediation: $50.0M
Timeline
Lazarus operators establish persistence on a Safe{Wallet} developer's workstation — Safe being the multisig wallet infrastructure used by Bybit (and most institutional crypto custody) for cold wallet management.
Bybit signers prepare a routine cold-to-hot wallet transfer using their Safe multisig interface. The Safe{Wallet} front-end the signers are using has been compromised; it serves a malicious transaction payload while displaying a legitimate-looking UI.
Three of three required signers approve the transaction, believing they are signing a routine transfer. The signed transaction is actually a `delegateCall` that overwrites the Safe contract's implementation pointer with attacker-controlled code.
Lazarus operators immediately drain ~401,000 ETH and ~90,000 stETH/cmETH from the cold wallet to attacker-controlled addresses. Total stolen value at the time: ~$1.5 billion.
Bybit CEO Ben Zhou publicly confirms the breach via livestream within hours, taking exceptional public-communications steps to reassure depositors.
Bybit pauses withdrawals briefly, then resumes after confirming the cold-wallet theft did not affect hot-wallet or customer-account balances directly.
FBI publicly attributes the heist to North Korea's Lazarus Group (specifically the 'TraderTraitor' subset cluster). On-chain tracking firms identify the attacker addresses.
Lazarus laundering moves funds through eXch and a long chain of cross-chain bridges. eXch refuses to cooperate with law enforcement and is later sanctioned by the U.S. and the EU.
Bybit covers depositor balances from corporate reserves and a series of OTC bridge-loan arrangements. Operations continue without imposed haircut on customers.
Sources
- announcements.bybit.com: https://announcements.bybit.com/article/the-truth-about-bybit-s-recent-attack--blt38aae8b3aaab19b1/
- fbi.gov: https://www.fbi.gov/news/press-releases/fbi-statement-on-north-korea-responsibility-for-15-billion-bybit-hack
- chainalysis.com: https://www.chainalysis.com/blog/bybit-hack-february-2025/