On February 20, 2025, cybersecurity researchers uncovered a chilling detail about one of the largest cryptocurrency thefts in history. The North Korean-linked Lazarus Group registered the suspicious domain “bybit-assessment[.]com” at 22:21:57 UTC, mere hours before executing a devastating attack on the Bybit cryptocurrency exchange that resulted in the theft of approximately $1.5 billion in digital assets. The discovery, first reported by blockchain analytics firm TRM Labs and later confirmed by Silent Push threat intelligence, sheds new light on the meticulous planning behind state-sponsored crypto crime.
The Exploit Mechanics
The attack on Bybit was traced to a supply chain compromise of Safe{Wallet}, the multi-signature wallet infrastructure used by the exchange to manage its cold wallet operations. According to a post-mortem analysis by HYDN Security published on February 21, the Lazarus Group had been laying the groundwork for weeks before the actual theft occurred. The domain registration on February 20 served as a critical command-and-control node, designed to host phishing infrastructure that mimicked a legitimate Bybit security assessment portal.
The attackers exploited a vulnerability in the transaction signing process. When Bybit executives initiated what appeared to be a routine transfer from their cold wallet, the compromised Safe{Wallet} interface displayed a legitimate-looking transaction while the actual underlying smart contract code had been modified to redirect funds to attacker-controlled addresses. This type of attack, known as a “blinded transaction” exploit, is particularly insidious because even experienced operators reviewing the transaction details on screen would see nothing amiss.
The scale of the theft was unprecedented. Approximately $1.5 billion worth of ether and ERC-20 tokens were drained from Bybit’s cold wallet in a single transaction. Ethereum was trading at around $2,740 at the time and Bitcoin at approximately $98,333, so the stolen assets were immediately liquid and highly valuable.
Affected Systems
The primary target was Bybit’s cold storage infrastructure, specifically the Safe{Wallet} (formerly Gnosis Safe) smart contract-based multi-signature wallet. This is the system that exchanges use to secure the bulk of their customer funds offline. The compromise of this layer represents a significant escalation in attack sophistication, as cold storage has traditionally been considered the gold standard for crypto asset security.
Beyond Bybit itself, the attack raised concerns across the broader ecosystem about the integrity of shared infrastructure. Safe{Wallet} is used by numerous decentralized finance protocols, DAOs, and institutional custody solutions. The supply chain nature of this attack meant that the vulnerability could potentially have affected any organization relying on the compromised version of the wallet software.
The Mitigation Strategy
In the immediate aftermath, Bybit CEO Ben Zhou publicly confirmed the breach and assured users that the exchange remained solvent, with sufficient reserves to cover all customer withdrawals. The exchange processed withdrawal requests normally in the hours following the attack, a move that analysts credit with preventing a broader panic-driven bank run.
The FBI issued a formal attribution statement confirming that North Korea’s Lazarus Group was responsible for the theft. This rapid public attribution by U.S. law enforcement represented an unusual step, reflecting the severity of the attack and the desire to facilitate rapid asset tracing and freezing by exchanges and stablecoin issuers.
Blockchain analytics firms including TRM Labs, Chainalysis, and Elliptic immediately began tracking the movement of stolen funds. The Lazarus Group’s typical laundering playbook involves rapid conversion through decentralized exchanges, cross-chain bridging, and mixing services to obscure the trail.
Lessons Learned
The Bybit incident highlights several critical security lessons for the crypto industry. First, cold storage is only as secure as the software interface used to manage it. Organizations must implement independent verification of transaction payloads at the byte-code level, not merely rely on what the wallet interface displays. Hardware-based transaction signing with independent display verification can mitigate blinded transaction attacks.
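A signer-side check of the kind this paragraph calls for, as an added example that is not from the article or from the Safe project: it decodes the raw Safe execTransaction calldata a signing device is asked to approve and compares destination, value and operation against what the wallet UI displayed. The execTransaction selector and the operation codes are Safe's real values; the addresses and amounts are constructed sample data.

```python
# Added example (not from the article or the Safe project): a signer-side check that decodes the
# raw Safe execTransaction calldata it is asked to sign and compares it with the intent the wallet
# UI displays. Pure stdlib; the EIP-712 safeTxHash (needs keccak) is out of scope. Addresses and
# values below are constructed sample data.

# Real selector of Safe's execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)
SELECTOR = bytes.fromhex("6a761202")
CALL, DELEGATECALL = 0, 1  # Safe's Enum.Operation values

def _u256(n: int) -> bytes:
    return n.to_bytes(32, "big")

def encode_exec_transaction(to: str, value: int, data: bytes, operation: int) -> bytes:
    """Minimal ABI encoder covering the fields the check inspects; gas and refund args are zeroed."""
    tail = _u256(len(data)) + data + bytes((-len(data)) % 32)  # dynamic `data` argument
    head = [bytes(12) + bytes.fromhex(to[2:]), _u256(value), _u256(320), _u256(operation),
            _u256(0), _u256(0), _u256(0), bytes(32), bytes(32), _u256(320 + len(tail))]
    return SELECTOR + b"".join(head) + tail + _u256(0)  # trailing empty `signatures`

def decode_exec_transaction(calldata: bytes) -> dict:
    """Decode to/value/operation and the dynamic `data` argument from raw calldata."""
    if calldata[:4] != SELECTOR or len(calldata) < 4 + 320:
        raise ValueError("not a complete execTransaction call")
    word = lambda i: calldata[4 + 32 * i: 36 + 32 * i]  # i-th 32-byte head slot
    data_off = int.from_bytes(word(2), "big")
    data_len = int.from_bytes(calldata[4 + data_off: 36 + data_off], "big")
    data = calldata[36 + data_off: 36 + data_off + data_len]
    if len(data) != data_len:
        raise ValueError("data truncated")
    return {"to": "0x" + word(0)[12:].hex(), "value": int.from_bytes(word(1), "big"),
            "operation": int.from_bytes(word(3), "big"), "data": data}

def check_payload(calldata: bytes, shown_to: str, shown_value: int, shown_operation: int = CALL) -> list:
    """Return mismatches between the payload and what the UI shows; an empty list means it matches."""
    tx = decode_exec_transaction(calldata)
    problems = []
    if tx["to"].lower() != shown_to.lower():
        problems.append(f"destination: payload {tx['to']} vs displayed {shown_to}")
    if tx["value"] != shown_value:
        problems.append(f"value: payload {tx['value']} vs displayed {shown_value}")
    if tx["operation"] != shown_operation:
        problems.append(f"operation: payload {tx['operation']} vs displayed {shown_operation}")
    if tx["operation"] == DELEGATECALL:
        problems.append("DELEGATECALL runs foreign code in the Safe's own context; refuse unless explicitly approved")
    return problems

# Constructed sample: the UI shows a routine 1 ETH transfer to the warm wallet, but the payload
# handed to the signer names another address and a different operation.
WARM_WALLET = "0x" + "11" * 20
OTHER = "0x" + "22" * 20
HONEST = encode_exec_transaction(WARM_WALLET, 10**18, b"", CALL)
TAMPERED = encode_exec_transaction(OTHER, 10**18, b"", DELEGATECALL)
```

Running `check_payload(HONEST, WARM_WALLET, 10**18)` returns an empty list, while the same call on `TAMPERED` reports the destination and operation mismatches the screen never showed.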
Second, supply chain security for critical infrastructure like multi-signature wallets requires constant vigilance. Regular code audits, reproducible builds, and integrity checks of deployed smart contract bytecode are essential to detect unauthorized modifications before they can be exploited.
Third, the speed of attribution and response matters enormously. Bybit’s transparent communication and the FBI’s rapid public attribution enabled the broader ecosystem to respond quickly, freezing addresses and disrupting the laundering process.
User Action Required
For individual users, the Bybit hack serves as a reminder to diversify custody solutions. No single exchange or wallet provider should hold the entirety of one’s crypto holdings. Hardware wallets with verified firmware, multi-signature configurations with independent signing devices, and regular security audits of wallet software remain the best defense against even sophisticated state-sponsored threat actors. Users should also monitor official communications from their exchanges and be prepared to withdraw funds quickly if security incidents are announced.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any financial decisions.
registering the domain hours before the attack and nobody flagged it. threat intel teams were asleep at the wheel on this one
supply chain attack on Safe{Wallet} is the real story here. if your multisig infrastructure can be compromised that easily, cold storage is basically a myth
Safe{Wallet} was the real target. once Lazarus owned the signing interface the multisig was just theater
cold storage is not a myth, the issue is the signing interface was compromised. different problem. hardware wallets with verified displays still work
bybit-assessment.com at 22:21 UTC, attack executes same day. the opsec on Lazarus is terrifying when you look at the timeline
hours before the attack is chilling. most APT groups take weeks for recon, Lazarus had this down to a science
lazarus has been doing this pattern for years. register domain, build infrastructure, execute. the timeline is always days, not weeks