The cryptocurrency industry faces its darkest security crisis to date after hackers linked to North Korea’s Lazarus Group exploited Bybit’s Ethereum cold wallet on February 21, 2025, stealing approximately $1.5 billion in digital assets. The attack, which targeted one of the world’s largest centralized exchanges, sent immediate shockwaves through decentralized finance markets and reignited urgent questions about the security of multi-signature wallet infrastructure.
TL;DR
- Bybit loses ~$1.5 billion in ETH and ERC-20 tokens in the largest crypto hack ever recorded
- Lazarus Group (North Korea) exploited Safe wallet UI to manipulate multi-sig cold wallet transaction
- 400,000 ETH stolen and distributed across 40+ addresses within hours of the breach
- Bybit processes 350,000+ withdrawal requests within 12 hours, maintaining 1:1 reserves
- ETH price drops over 3% as DeFi protocols and DEXs become laundering channels for stolen funds
How the Attack Unfolded: A Supply Chain Exploit
The attack occurred during a routine transfer of ETH from Bybit’s multi-sig cold wallet to its hot wallet. Hackers manipulated the Safe wallet interface — the trusted tool operators use to verify transaction details — masking a malicious transaction behind what appeared to be a legitimate transfer. When Bybit’s signers approved the transaction, they inadvertently authorized code that rewrote the cold wallet’s smart contract logic, handing full control to the attackers.
Within moments, the attacker drained 401,347 ETH along with significant quantities of liquid-staked Ether (stETH), Mantle Staked ETH (mETH), and other ERC-20 tokens. The stolen funds were initially consolidated in a single address before being distributed across approximately 1,500 unique addresses in a sophisticated laundering operation that utilized decentralized exchanges including Uniswap, Paraswap, and KyberSwap.
The DeFi Ripple Effect
The hack’s impact extended far beyond Bybit itself. Ethereum’s price dropped more than 3% within hours, falling below $2,660 from its earlier trading levels near $2,740. Bitcoin also felt the pressure, slipping to approximately $96,100 as broader market sentiment soured. The DeFi ecosystem became an involuntary participant in the aftermath, as hackers converted stolen tokens to native ETH through DEXs to avoid centralized exchange controls.
Deposits to THORChain surged 58% the following day as the laundering operation intensified, highlighting how DeFi’s permissionless architecture — one of its core strengths — also serves as a double-edged sword during security crises. The incident underscores a troubling trend: attackers increasingly exploit multi-sig cold storage solutions using sophisticated social engineering and UI manipulation techniques.
Bybit’s Crisis Response: Transparency Under Pressure
Bybit CEO Ben Zhou addressed the community within 30 minutes of discovering the breach, conducting a two-hour livestream that provided real-time updates. The exchange processed over 350,000 withdrawal requests within 12 hours of the hack, an extraordinary feat that prevented the kind of panic-driven bank run that has toppled other exchanges in similar situations.
Bybit’s 1:1 reserve guarantee ensured that client assets remained fully backed, and the exchange successfully froze $42.89 million in stolen assets through coordinated action with Tether and other industry participants. Safe Wallet, whose interface was exploited in the attack, paused services within hours and implemented enhanced security measures including stricter transaction validation protocols and AI-driven monitoring systems.
Why This Matters
The Bybit hack represents a paradigm shift in how the crypto industry must think about security. This was not a simple private key compromise or a smart contract bug — it was a sophisticated supply chain attack that exploited the trust placed in widely-used infrastructure tools. When the interface designed to verify transactions can itself be compromised, the entire multi-sig security model faces scrutiny.
For DeFi protocols, the incident highlights the urgent need for better cross-protocol coordination during crisis events. The speed at which stolen funds moved through decentralized exchanges demonstrates that DeFi’s composability — normally a feature — becomes a liability when large-scale laundering occurs. As institutional capital continues flowing into crypto through ETFs and regulated products, the industry’s ability to prevent and respond to these attacks will determine whether digital assets can achieve mainstream trust.
Disclaimer: This article is for informational purposes only and does not constitute financial advice. Cryptocurrency investments carry significant risk. Always conduct your own research before making investment decisions.
a supply chain attack on the Safe UI itself. this isnt a private key leak, they literally changed what the signers saw on screen. terrifying
Ben Zhou going live for two hours within 30 minutes is genuinely impressive crisis management. Most CEOs go silent.
THORChain deposits up 58% the next day. de-fi literally laundering nation state hack proceeds in real time. permissionless is a feature until it isnt
350k withdrawals processed in 12 hours while frozen only $42.89m out of $1.5b. bybit survived but the laundering through uniswap and paraswap is already done
eth dropped 3% to 2660. honestly expected way worse for a $1.5b hack. market is desensitized to this stuff now