Lazarus Group’s $1.5 Billion Bybit Hack
Forensic investigators have determined that North Korea's Lazarus Group stole $1.5 billion from Bybit after compromising a developer machine at the multisig wallet platform Safe{Wallet}, through which the cryptocurrency exchange was targeted.
The Bybit Hack Technical Details
Bybit CEO Ben Zhou shared findings from two investigations, conducted by Sygnia and Verichains, both of which found that the attack originated from Safe{Wallet}'s infrastructure.
Bybit Hack Forensics Report
As promised, here are the preliminary reports of the hack conducted by @sygnia_labs and @Verichains. Screenshotted the conclusion and here is the link to the full report: https://t.co/3hcqkXLN5U
— Ben Zhou (@benbybit) February 26, 2025
Verichains stated, “The attack specifically targeted Bybit by injecting malicious JavaScript into app.safe.global. This was accessed by Bybit’s signers. The payload was designed to activate only when certain conditions were met.”
This conditional activation ensured the backdoor remained undetected while it compromised high-value targets.
Verichains also said, “Based on the investigation results…we strongly conclude that AWS S3 or CloudFront account/API Key of Safe.Global was likely leaked or compromised.”
Sygnia added, “Two minutes after the malicious transaction was executed…new versions of the JavaScript resources were uploaded to Safe{Wallet}’s AWS S3 bucket. These updated versions had the malicious code removed.”
Sygnia’s investigation found malicious JavaScript code that targeted Bybit’s Ethereum Multisig Cold Wallet. The code was served from Safe{Wallet}’s AWS S3 bucket and had been modified two days before the February 21 attack. Their investigation of Bybit’s own infrastructure found no evidence of compromise.
Safe{Wallet}’s Response and Security Measures
The Safe Ecosystem Foundation confirmed the attack, stating that the Lazarus Group first hacked a Safe{Wallet} developer machine, which gave the attackers access to an account operated by Bybit.
Safe stated, “The forensic review…concluded that this attack targeted to the Bybit Safe was achieved through a compromised Safe{Wallet} developer machine.” The result was a disguised malicious transaction.
— Safe.eth (@safe) February 26, 2025
Safe{Wallet} restored services on the Ethereum mainnet in a phased rollout that temporarily removed native Ledger integration, the signing device/method used in the heist, and added enhanced security measures, including monitoring alerts and validations for transaction hash, data, and signatures.
Safe{Wallet} rebuilt and reconfigured all infrastructure, rotated all credentials, and removed the attack vector. External security researchers found no vulnerabilities in Safe smart contracts or source code. Safe advises users to exercise extreme caution when signing transactions.
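As an added illustration, not code from Bybit, Safe, Sygnia or Verichains, the following Python shows the kind of front-end integrity monitoring that would surface the attack pattern described above: a bundle served from S3/CloudFront is silently modified, used, and reverted minutes later. It pins each asset to a Subresource Integrity (SRI) hash and flags any asset that changes and returns to its earlier hash within a short window. The asset paths, timestamps and file contents are constructed sample data.

```python
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """One fetch of a served front-end asset (constructed sample data below)."""
    ts: int        # unix seconds at which the asset was fetched
    path: str      # asset path on the CDN, e.g. "/static/js/main.js"
    body: bytes    # raw response body


def sri_hash(body: bytes) -> str:
    """Subresource Integrity value (sha384, base64) for a served asset."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


def check_pins(observations, pinned):
    """Return (ts, path) for every fetch whose body does not match its pinned SRI hash."""
    return [(o.ts, o.path) for o in observations
            if o.path in pinned and sri_hash(o.body) != pinned[o.path]]


def detect_swap_and_revert(observations, window_s=600):
    """Flag assets that change and then revert to the earlier hash within window_s seconds.
    A modify-then-revert cycle leaves no trace in the final deployed bundle, so it only
    shows up in a time-ordered history of hashes. Returns (path, changed_ts, reverted_ts)."""
    history = {}
    for o in sorted(observations, key=lambda obs: obs.ts):
        history.setdefault(o.path, []).append((o.ts, sri_hash(o.body)))
    findings = []
    for path, seq in history.items():
        for i in range(1, len(seq)):
            prev_hash = seq[i - 1][1]
            changed_ts, changed_hash = seq[i]
            if changed_hash == prev_hash:
                continue
            for later_ts, later_hash in seq[i + 1:]:   # look for a return to prev_hash
                if later_ts - changed_ts > window_s:
                    break
                if later_hash == prev_hash:
                    findings.append((path, changed_ts, later_ts))
                    break
    return findings


# Constructed sample: a clean bundle, one tampered fetch, then the clean bundle again.
CLEAN = b"export function sign(tx){return wallet.sign(tx);}"
TAMPERED = CLEAN + b"\n// constructed: one extra line standing in for injected code"
VENDOR = b"/* vendor */"
SAMPLE = [
    Observation(0, "/static/js/main.js", CLEAN),
    Observation(100, "/static/js/main.js", TAMPERED),
    Observation(220, "/static/js/main.js", CLEAN),
    Observation(0, "/static/js/vendor.js", VENDOR),
    Observation(220, "/static/js/vendor.js", VENDOR),
]
PINNED = {"/static/js/main.js": sri_hash(CLEAN), "/static/js/vendor.js": sri_hash(VENDOR)}
```

Run periodically against the live CDN, the pin check catches a tampered bundle while it is being served, and the swap-and-revert check catches it after the fact from the hash history alone.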
The Largest Crypto Heist in History
BleepingComputer reported that North Korean hackers intercepted a planned fund transfer from one of Bybit’s cold wallets to a hot wallet and redirected the crypto assets, stealing over $1.5 billion in the largest crypto heist in history.
Bybit shared, “On February 21, 2025…Bybit detected unauthorized activity…during a routine transfer process. The transaction was manipulated…enabling the attacker to gain control…over 400,000 ETH and stETH worth more than $1.5 billion were transferred.”
Bybit has since restored its ETH reserves, and the CEO stated the exchange is solvent, though the lost assets may not be fully recovered.
Connecting the Dots to Lazarus
Crypto fraud investigator ZachXBT discovered links between the hackers and the Lazarus Group: stolen funds were sent to an Ethereum address previously used in the Phemex, BingX, and Poloniex hacks.
Phemex/Bybit overlap (ZachXBT)
Blockchain intelligence companies TRM Labs and Elliptic confirmed ZachXBT’s findings, identifying overlaps between addresses controlled by the Bybit hackers and those linked to earlier North Korean thefts, and shared information on the attackers’ attempts to slow down tracing.
In December, Chainalysis stated that North Korean hackers stole $1.34 billion in 47 crypto heists in 2024, and Elliptic added that they have stolen over $6 billion since 2017. The proceeds reportedly fund the country’s ballistic missile program.