Bybit Hack Fund Recovery Enters Critical Phase as Tether and Circle Freeze Illicit Wallets

The aftermath of the largest cryptocurrency heist in history has entered a pivotal stage as stablecoin issuers and blockchain investigators work around the clock to stem the flow of stolen assets. As of March 2, 2025, Tether and Circle have collectively frozen millions of dollars linked to the $1.4 billion Bybit exploit, marking a significant escalation in the industry’s response to state-sponsored cybercrime.

The Exploit Mechanics

The Bybit hack, which occurred on February 21, 2025, involved the theft of approximately 401,000 ETH from the exchange’s cold wallet. The attackers, widely attributed to North Korea’s Lazarus Group, executed a sophisticated supply chain attack that compromised the Safe (formerly Gnosis Safe) multisig signing interface. Bybit CEO Ben Zhou confirmed that during a routine cold-to-hot wallet transfer, the signing interface displayed a legitimate-looking transaction while the underlying smart contract code had been altered to redirect funds to attacker-controlled addresses.

The attack exploited a fundamental trust assumption in multisig wallet operations: that the interface accurately represents the transaction being signed. The Lazarus Group achieved this by compromising the front-end infrastructure or injecting malicious code that manipulated the transaction data at the smart contract level. All signers, including Zhou himself, verified the destination address and URL on the official Safe website, yet the actual execution diverged entirely from what was displayed.

Affected Systems

The hack exclusively targeted Bybit’s Ethereum cold wallet, leaving Bitcoin, USDT, and other asset wallets unaffected. However, the ripple effects have been substantial. Bybit experienced a surge in withdrawal requests immediately following the breach, with the exchange processing over 70% of requests within the first 24 hours despite significant processing delays.

Bybit secured bridge loans from institutional partners to cover the ETH liquidity deficit and maintained its 1:1 reserve commitment. The broader Ethereum ecosystem also felt the impact, with ETH dropping below $2,400 before recovering to trade around $2,520 on March 2, as market participants assessed the implications of such a large-scale theft on network sentiment.

Blockchain analytics firms, including TRM Labs and Chainalysis, have been tracing the stolen funds as they move through a complex web of intermediary wallets. The Lazarus Group has historically employed sophisticated laundering techniques, including cross-chain bridges, mixers, and peel chains that break large transactions into smaller amounts spread across dozens of wallets.

The Mitigation Strategy

Tether’s intervention represents one of the largest proactive freezing operations in stablecoin history. The company confirmed it had frozen wallet addresses identified as receiving illicit funds from the Bybit hack, preventing the attackers from converting stolen USDT into other assets. Circle followed suit, freezing USDC held in flagged addresses associated with the laundering operation.

Centralized exchanges have also played a critical role. Major platforms including Binance, OKX, and others have implemented enhanced monitoring for deposits linked to known Lazarus Group wallets. Law enforcement agencies in multiple jurisdictions are coordinating to trace and potentially recover assets as they attempt to cross into the traditional financial system.

Bybit has offered a 10% bounty, equivalent to approximately $140 million, for information leading to the recovery of the stolen assets. The exchange has also engaged multiple security firms and is working with the FBI and other international law enforcement agencies.

Lessons Learned

The Bybit hack has fundamentally reshaped how the industry views cold wallet security. The assumption that cold wallets are inherently safe because they are offline has been shattered by an attack that targeted the signing infrastructure rather than the storage mechanism itself. Key takeaways include the critical importance of verifying transaction data independently of the signing interface, implementing hardware-level transaction simulation, and establishing time-locked delays for large transfers.
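The attack described above worked because every signer trusted what the interface rendered; the first takeaway listed here is to check the raw transaction independently. The following is an added example, not code from the article, Bybit or Safe: it decodes the calldata of a Safe `execTransaction` call (its selector `0x6a761202`, the `operation` values 0 = CALL and 1 = DELEGATECALL, and the encoder used to build the samples are assumptions) and compares it with the transfer the operator actually intends, so a mismatch is caught before any signature is produced.

```python
# Signer-side, UI-independent check of a Safe execTransaction payload.
# Assumed (not from the article): Safe's execTransaction ABI and selector
# 0x6a761202, operation 0 = CALL / 1 = DELEGATECALL. Addresses are constructed.
from dataclasses import dataclass

EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")
CALL, DELEGATECALL = 0, 1

def _word(value: int) -> bytes:
    return value.to_bytes(32, "big")

def _dyn(b: bytes) -> bytes:              # ABI dynamic bytes: length word + padded body
    return _word(len(b)) + b + b"\x00" * (-len(b) % 32)

def encode_exec_transaction(to: str, value: int, data: bytes, operation: int,
                            signatures: bytes = b"") -> bytes:
    """Build sample calldata (gas/refund fields zeroed) so the checker has realistic input."""
    data_off = 10 * 32                    # ten head words precede the dynamic section
    sig_off = data_off + len(_dyn(data))
    head = (_word(int(to, 16)) + _word(value) + _word(data_off) + _word(operation)
            + _word(0) * 5 + _word(sig_off))
    return EXEC_TRANSACTION_SELECTOR + head + _dyn(data) + _dyn(signatures)

@dataclass
class SafeTx:
    to: str
    value: int
    data: bytes
    operation: int

def decode_exec_transaction(calldata: bytes) -> SafeTx:
    """Recover the fields that matter from the raw bytes, ignoring anything the UI claims."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction call")
    body = calldata[4:]
    w = lambda i: int.from_bytes(body[32 * i:32 * i + 32], "big")
    off = w(2)                            # offset of the dynamic `data` argument
    n = int.from_bytes(body[off:off + 32], "big")
    return SafeTx(to="0x%040x" % w(0), value=w(1), data=body[off + 32:off + 32 + n], operation=w(3))

def check_intent(calldata: bytes, intended_to: str, intended_value: int, allowlist) -> list:
    """Return the reasons to refuse signing; an empty list means the bytes match the intent."""
    tx = decode_exec_transaction(calldata)
    issues = []
    if tx.operation != CALL:
        issues.append("operation is DELEGATECALL, not CALL")
    if tx.to.lower() != intended_to.lower():
        issues.append("destination differs from intent")
    if tx.to.lower() not in {a.lower() for a in allowlist}:
        issues.append("destination not allowlisted")
    if tx.value != intended_value:
        issues.append("value differs from intent")
    if tx.data:
        issues.append("plain transfer should carry no calldata")
    return issues
```

A hardware signer that displays the decoded fields gives the same independent view; this check is the software equivalent for an offline signing host.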

The incident also validates the role of stablecoin issuers as a critical security layer. The ability to freeze assets at the protocol level provides a backstop that did not exist in earlier major hacks, potentially limiting the ultimate losses even when initial breach prevention fails.

User Action Required

For Bybit users, the exchange has confirmed that all customer funds remain backed 1:1 and withdrawals are operational. Users should enable all available security features including two-factor authentication, whitelisted withdrawal addresses, and anti-phishing codes. For the broader crypto community, this incident serves as a reminder to diversify custodial risk, verify the security practices of platforms holding your assets, and consider self-custody for long-term holdings using hardware wallets with verified firmware. The crypto market showed resilience on March 2, with Bitcoin trading at approximately $94,248, suggesting that the systemic contagion risk from this hack remains contained.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research before making investment or security decisions.

7 thoughts on “Bybit Hack Fund Recovery Enters Critical Phase as Tether and Circle Freeze Illicit Wallets”

  1. trace_the_chain

    tether freezing millions is good optics but lazarus moves faster than compliance teams. the ETH is already being washed through tornado cash and bridge hops

    1. tornado cash is just the first hop. lazarus has been using railgun and cross-chain bridges for months now

    1. the supply chain attack on the Safe UI is what scares me most. if the signing interface can lie to you, no amount of multisig helps. Chris is underselling how serious this is

      1. the UI showed a valid transaction while the contract did something completely different. how do you defend against your own eyes lying to you
