How Bybit Was Hacked: Analysis of the Largest Cryptocurrency Theft


Introduction

On February 21, 2025, one of the largest cryptocurrency thefts in history took place. The North Korean Lazarus Group drained roughly 401,000 ETH from Bybit, about a third of a percent of all Ether in circulation, worth approximately $1.4 billion at the time. That is more Ether than is held by Ethereum's co-founder Vitalik Buterin or by institutional holders such as Fidelity.

Unlike most exchange hacks, this attack did not involve:

  • Exploiting a vulnerability in the exchange's own code.
  • Leaked private keys.
  • A flaw in the multi-signature wallet contract itself.

Instead, the attackers tampered with what the signers saw. The signing interface displayed a routine transfer between Bybit wallets, while the payload the signers actually approved replaced the wallet's logic with attacker-controlled code.

How the Hack Was Executed

The attack was meticulously planned and executed in several stages.

1. Identifying Multi-Sig Signers

The attackers first needed to know which wallet to target and who co-signed its large outbound transactions. The published reports do not establish how this reconnaissance was done; the possibilities are the group's usual ones:

  • Insider leaks or compromised communications.
  • Social engineering, in particular spear-phishing of individuals.
  • Malware placed on employees' devices.

2. Compromising the Signing Interface

Bybit's own infrastructure was not breached. The forensic reports Bybit commissioned (from Sygnia and Verichains) and Safe's own post-incident statement traced the intrusion to the wallet provider, Safe{Wallet}, whose web interface Bybit's signers used to review and approve transactions:

  • A Safe{Wallet} developer's workstation was compromised.
  • That foothold gave the attackers access to the cloud hosting from which the web interface was served.
  • They inserted malicious JavaScript into the interface, written to activate only for Bybit's wallet address so that other users saw nothing unusual.

3. Transaction Manipulation

The injected code swapped the transaction contents at the moment of signing. Each signer's screen showed an ordinary transfer from the cold wallet to a Bybit warm wallet. The payload forwarded to their hardware wallets was different: it pointed at a contract the attackers controlled and used the wallet's delegatecall operation, so the attacker's code ran inside the multi-signature wallet's own storage and replaced its logic. Once that transaction executed, the attackers used their new control of the wallet to move out the ETH and liquid-staking tokens it held.

4. Obtaining Multi-Sig Approval

Bybit's wallet required several signers to approve a transfer, but every one of them was looking at the same compromised interface. The hardware wallets they signed with did not render the decoded contents of the transaction (blind signing), so there was no independent view to compare against the screen, and all the required signatures were collected for the fraudulent payload.
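The check that was missing in steps 3 and 4 is an independent decoding of the raw payload. The example below is added here and is not code from the original article, from Bybit or from Safe. It assumes a Safe-style multi-signature wallet whose entry point is execTransaction(address to, uint256 value, bytes data, uint8 operation, ...), decodes the recipient, value, calldata and operation type straight from the calldata bytes, and compares them with what the front end claimed the signer was approving. All addresses and calldata in it are constructed test data; the helper that builds them exists only to fabricate those samples.

```python
"""Decode a Safe-style execTransaction payload independently of the signing UI.

Added example (not from the original article, Bybit or Safe). Assumed ABI is
that of Safe's execTransaction: selector 0x6a761202 followed by
  address to, uint256 value, bytes data, uint8 operation, uint256 safeTxGas,
  uint256 baseGas, uint256 gasPrice, address gasToken, address refundReceiver,
  bytes signatures.
Every address and payload below is constructed test data.
"""

EXEC_TRANSACTION_SELECTOR = "6a761202"
CALL, DELEGATECALL = 0, 1
HEAD_WORDS = 10  # static 32-byte slots before the first dynamic field


def _w(n: int) -> bytes:
    return n.to_bytes(32, "big")


def _addr_word(addr: str) -> bytes:
    return bytes(12) + bytes.fromhex(addr.removeprefix("0x"))


def _dyn(b: bytes) -> bytes:
    """ABI-encode dynamic bytes: length word, then content padded to 32 bytes."""
    return _w(len(b)) + b + bytes((32 - len(b) % 32) % 32)


def encode_exec_transaction(to: str, value: int, data: bytes, operation: int) -> str:
    """Build execTransaction calldata for test input (gas fields zero, no signatures)."""
    data_blob = _dyn(data)
    data_off = HEAD_WORDS * 32
    sigs_off = data_off + len(data_blob)
    head = (_addr_word(to) + _w(value) + _w(data_off) + _w(operation)
            + _w(0) + _w(0) + _w(0) + _addr_word("00" * 20) + _addr_word("00" * 20)
            + _w(sigs_off))
    return "0x" + EXEC_TRANSACTION_SELECTOR + (head + data_blob + _dyn(b"")).hex()


def decode_exec_transaction(calldata_hex: str) -> dict:
    """Recover to / value / operation / data from raw execTransaction calldata."""
    raw = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if raw[:4].hex() != EXEC_TRANSACTION_SELECTOR:
        raise ValueError(f"not execTransaction (selector {raw[:4].hex()})")
    args = raw[4:]
    if len(args) < HEAD_WORDS * 32:
        raise ValueError("calldata truncated")

    def word(i: int) -> int:
        return int.from_bytes(args[i * 32:(i + 1) * 32], "big")

    data_off = word(2)
    data_len = int.from_bytes(args[data_off:data_off + 32], "big")
    data = args[data_off + 32:data_off + 32 + data_len]
    if len(data) != data_len:
        raise ValueError("data field truncated")
    return {
        "to": "0x" + args[12:32].hex(),  # low 20 bytes of word 0
        "value_wei": word(1),
        "operation": word(3),
        "data": "0x" + data.hex(),
    }


def review(calldata_hex: str, displayed: dict, allowed_recipients: set) -> list:
    """Compare the payload against what the front end showed the signer.

    displayed = {"to": ..., "value_wei": ..., "plain_transfer": bool} is the UI's claim.
    Returns findings; an empty list means the payload matches the display and policy.
    """
    tx = decode_exec_transaction(calldata_hex)
    findings = []
    if tx["operation"] == DELEGATECALL:
        findings.append("operation=DELEGATECALL: target code would run inside the "
                        "wallet's own storage and could replace its logic")
    if tx["to"].lower() != displayed["to"].lower():
        findings.append(f"recipient mismatch: shown {displayed['to']}, signed {tx['to']}")
    if tx["value_wei"] != displayed["value_wei"]:
        findings.append(f"value mismatch: shown {displayed['value_wei']}, signed {tx['value_wei']}")
    if displayed.get("plain_transfer") and tx["data"] != "0x":
        findings.append("shown as a plain ETH transfer but payload carries calldata " + tx["data"])
    if tx["to"].lower() not in {a.lower() for a in allowed_recipients}:
        findings.append("recipient is not on the pre-approved destination list")
    return findings


# Constructed test data: a known warm-wallet destination and an attacker contract.
WARM_WALLET_DESTINATION = "0x" + "11" * 20
ATTACKER_CONTRACT = "0x" + "aa" * 20
DISPLAYED = {"to": WARM_WALLET_DESTINATION, "value_wei": 10**18, "plain_transfer": True}

# What the UI claimed: a plain 1 ETH transfer to the known destination.
BENIGN_CALLDATA = encode_exec_transaction(WARM_WALLET_DESTINATION, 10**18, b"", CALL)
# What a tampered UI could submit instead: a delegatecall into attacker code. The
# selector in the data is arbitrary here; under DELEGATECALL the attacker's code
# decides what those bytes mean.
MALICIOUS_CALLDATA = encode_exec_transaction(
    ATTACKER_CONTRACT, 0, bytes.fromhex("a9059cbb") + bytes(64), DELEGATECALL)

if __name__ == "__main__":
    for label, cd in (("benign", BENIGN_CALLDATA), ("malicious", MALICIOUS_CALLDATA)):
        print(label, review(cd, DISPLAYED, {WARM_WALLET_DESTINATION}) or ["payload matches display"])
```

Run against the constructed inputs, the benign payload produces no findings and the malicious one produces five, the first of which is the delegatecall. The point is that none of these checks consults the web interface: the bytes come from the pending transaction itself, so a compromised front end cannot hide the operation type or the real recipient from a signer who runs this on a separate machine before touching the hardware wallet.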

What Happened After the Hack?

  • The stolen Ethereum was immediately distributed across 53 different wallets.
  • Lazarus is known for holding stolen assets for years before laundering them through mixing services, DeFi protocols, and crypto exchanges.
  • According to Chainalysis, the group still possesses $55 million in unlaundered assets from attacks dating back six years.

Why Couldn't Bybit Prevent the Hack?

The weak point was human verification, not cryptography or code. Despite otherwise robust controls, the approval process had no step that was independent of the screen the signers were shown:

  • Every signer relied on the same third-party web interface to tell them what a transaction did; nobody decoded the raw payload or verified the transaction hash out of band.
  • The hardware wallets were used in blind-signing mode, showing a hash rather than the decoded recipient, value and operation type.
  • No rule rejected a transaction using the delegatecall operation or a recipient outside a pre-approved list, regardless of what the interface displayed.

Bybit’s Response and Industry Reaction

Following the attack, Bybit implemented emergency measures:

  • No withdrawal freeze – despite panic, Bybit processed 350,000 withdrawal requests within 10 hours to reassure users.
  • Active communication from the CEO, keeping users informed in real-time.
  • Support from major crypto exchanges, offering liquidity assistance and security reviews.

Key Lessons and Security Measures

  • Social engineering and supply-chain compromise remain more reliable for attackers than finding code vulnerabilities, because a trusted display is easier to subvert than a well-audited contract.
  • Approval of large transfers needs verification that does not depend on the signing front end: decode the raw calldata on a separate machine, compare the hash shown on the hardware wallet with one computed independently, and treat any delegatecall or unknown recipient as a hard stop.
  • Regular training so that signers recognise when a screen is asking them to approve something they cannot verify, and refuse to blind-sign.

This hack highlights that even top-tier exchanges are vulnerable to well-orchestrated attacks. The key takeaway for crypto platforms is that technical security alone is not enough—strong employee awareness and verification mechanisms are just as critical.

TheMors