Introduction

On the evening of February 21, 2025, global cryptocurrency exchange Bybit experienced the largest hack in the crypto industry’s history. During the breach, more than 500,000 ETH, stETH, and mETH were drained from Bybit’s wallets, with the total loss exceeding $1.46 billion based on that day’s market prices. The stolen assets were quickly moved to unidentified wallet addresses. This attack surpassed the 2021 Poly Network breach, which saw $611 million stolen, making it the most significant crypto theft.

Source: https://www.ic3.gov/PSA/2025/PSA250226

Source: https://x.com/benbybit/status/1894768736084885929

Founded in 2018, Bybit is one of the largest cryptocurrency exchanges in the world, with an average daily trading volume exceeding $36 billion. According to CoinMarketCap, Bybit held approximately $16.2 billion in assets before the hack, meaning the stolen Ethereum accounted for around 9% of its total holdings.

On-chain analyst ZachXBT provided evidence suggesting that the hack was likely carried out by the North Korea-linked hacking group Lazarus Group. He received a $30,000 bounty for his investigation into the vulnerability.

Source: https://www.chainabuse.com/report/b87c8824-8f5c-434a-a595-b7b916f641ad

Incident Timeline

The Hack

The attackers used a spoofed user interface (UI) to infiltrate the computer of a Safe (wallet provider) employee, specifically targeting the front end of Bybit’s Safe system. By mimicking a legitimate user interface, the hackers could compromise Bybit’s ETH multi-signature cold wallet. The hackers stealthily altered the transaction content during what appeared to be a normal transaction process.

Since the signers believed they were authorizing a legitimate transaction, they failed to detect that it had been replaced with a malicious contract. This resulted in the unauthorized transfer of $1.46 billion worth of ETH to unknown addresses controlled by the attackers.

Attack Workflow, Methods, and Defense:

Fund Movement and Money Laundering

Between 3:00 PM and 4:30 PM on February 21, 2025, the hackers completed the majority of fund transfers. After the attack, only about $3 million worth of ETH remained in the primary wallet. The stolen ETH was divided into 40 transactions of 10,000 ETH each, while the stETH and mETH were distributed to multiple different wallets to obscure the fund trail. Subsequently, the hackers used decentralized exchanges (DEXs) to further fragment and launder the funds, aiming to erase all traces.

Source: https://www.lazarusbounty.com/en?utm_source=Sailthru&utm_medium=email&utm_campaign=the%20node%20feb%2025%202025&utm_term=The%20Node

Market Impact

Even before Bybit officially confirmed the hack, both BTC and ETH prices began to fall. Within hours of the announcement, Bitcoin dropped by 3%, while Ethereum fell by 7%.

Over the weekend, ETH rebounded to $2,800 following a buyback initiated by Bybit, but slipped again by Monday. The hacker has now become the 14th largest ETH holder, and such a concentration of funds may put downward pressure on Ethereum’s market outlook.

Source: https://x.com/Bybit_Official/status/1893585578706227545

Controversy Over Cross-Chain Protocols

Lazarus Group frequently uses cross-chain exchange protocols like THORChain to convert stolen assets into Bitcoin. THORChain facilitates direct swaps between different blockchains, such as ETH to BTC, without going through centralized exchanges.

According to THORChain Explorer, the protocol’s 24-hour volume on March 5 reached $93 million. Developers behind the protocol have faced harsh criticism for allegedly enabling illicit transactions by North Korean hackers.

Source: https://thorchain.net/dashboard

What Is the Lazarus Group?

Lazarus Group is one of the most active and notorious hacking organizations globally. The name “Lazarus” comes from the biblical figure brought back to life, symbolizing resilience and resurgence.

Also referred to as “Guardians,” “Peace,” or the “Whois Team,” the group’s membership and internal structure remain largely unknown. However, it is widely believed to operate under the direct control of the North Korean government. Initially functioning as a cybercriminal gang, Lazarus has evolved over time due to the scale and sophistication of its attacks. It is now considered an Advanced Persistent Threat (APT) group.

Different institutions refer to Lazarus by various names:

• The U.S. Department of Homeland Security calls it “Hidden Cobra”
• Microsoft refers to it as “ZINC” or “Diamond Sleet”

According to former North Korean intelligence officer Kim Kuk-song, the group is known internally in North Korea as the 414 Liaison Office.

The U.S. Department of Justice has stated that Lazarus Group operates as an extension of the North Korean state. Its activities go beyond cyber disruption and include efforts to bypass international sanctions and generate illicit revenue. By carrying out low-cost, high-impact cyberattacks, North Korea can deploy small teams of hackers that pose significant threats to global financial systems and critical infrastructure, particularly in South Korea and Western countries.

Source: https://en.wikipedia.org/wiki/Lazarus_Group

Organizational Structure

Lazarus Group is primarily composed of two branches:

1. BlueNorOff

Also known as APT38, Stardust Chollima, or BeagleBoyz, BlueNorOff focuses on financial cybercrime, often involving fraudulent SWIFT transactions to move funds illegally. The group has targeted financial institutions in various countries, with the stolen funds believed to support North Korea’s missile and nuclear weapons programs.

Their most infamous operation occurred in 2016, when they attempted to steal nearly $1 billion through the SWIFT network. A spelling error in one of the instructions prevented the Federal Reserve Bank of New York from completing part of the transfers. BlueNorOff uses tactics such as phishing, backdoors, exploits, and malware (e.g., DarkComet, WannaCry). They also collaborate with other cybercriminal groups to expand illicit money channels, increasing global cybersecurity risks.

2. Andariel

Also known as “Silent Chollima,” “Dark Seoul,” “Rifle,” and “Wassonite,” Andariel specializes in cyberattacks targeting South Korea, and is known for its stealthy operations. According to a 2020 report from the U.S. Army, the group consists of approximately 1,600 members responsible for cyber reconnaissance, vulnerability assessments, and mapping enemy network infrastructures to prepare for future attacks.

Besides targeting South Korea, Andariel has also launched attacks on government agencies, critical infrastructure, and corporations in other countries.

Source: https://home.treasury.gov/news/press-releases/sm774

Past Operations

Over the years, Lazarus Group has launched a series of cyberattacks worldwide. Starting with early DDoS campaigns like Operation Troy (2009) and Ten Days of Rain (2011), they have evolved into more complex operations involving:

• Data-wiping (e.g., Dark Seoul Operation, 2013)
• Data theft (e.g., Sony Pictures Hack, 2014)
• Financial heists (starting in 2015)

Since 2017, the group has heavily targeted the cryptocurrency sector, launching attacks on:

• Exchanges like Bithumb, Youbit, Atomic Wallet, and WazirX
• Cross-chain bridges like Horizon Bridge
• Blockchain games like Axie Infinity

Their campaigns have stolen billions of dollars worth of digital assets.

In recent years, Lazarus has continued to expand into new sectors, including healthcare, cybersecurity, and online gambling. In 2023 alone, the group caused approximately $300 million in losses, accounting for 17.6% of all global hacking damages.

Source: https://x.com/Cointelegraph/status/1894180646584516772

How Platforms Respond to Hacker Attacks

Crypto exchanges typically adopt a comprehensive security strategy based on four key pillars: prevention, detection, incident response, and recovery.

1. Preventive Measures (Proactive Defense)

• Strengthen Security Architecture: Implement cold and hot wallet separation, store most assets in offline cold wallets, and utilize multi-signature (multi-sig) authorization mechanisms.
• Strict Access Control: Limit employee access to sensitive data and adopt a Zero Trust security model to mitigate insider threats or compromised internal systems.
• Enhance Smart Contract Security: Conduct thorough smart contract audits to avoid vulnerabilities such as reentrancy attacks and integer overflows.
• Multi-Factor Authentication (MFA): Require all administrators and users to enable 2FA (Two-Factor Authentication) to reduce the risk of account takeovers.
• DDoS Protection: Use Content Delivery Networks (CDN) and reverse proxies to defend against Distributed Denial-of-Service (DDoS) attacks, ensuring platform availability.

2. Real-Time Detection (Rapid Threat Identification)

• Anomaly Monitoring: Leverage AI and machine learning to detect suspicious transaction patterns and flag unusual withdrawals or large transfers.
• On-Chain Analysis: Collaborate with blockchain intelligence firms like Chainalysis and Elliptic to monitor blacklisted addresses and block illicit fund flows.
• Audit Logs: Maintain comprehensive logs of all sensitive operations (e.g., withdrawals, permission changes) and conduct real-time audits.

Source: demo.chainalysis.com

3. Incident Response (Post-Attack Protocols)

• Immediate Account Freezing: Upon detecting suspicious withdrawals, promptly suspend affected accounts and freeze fund transfers to prevent further losses.
• Notify Partners: Rapidly alert other exchanges, blockchain security firms, and law enforcement agencies to track stolen assets.
• Patch Vulnerabilities: Quickly analyze the attack vector, seal any vulnerabilities, and prevent recurrence.
• Transparent User Communication: Publish announcements promptly to inform users of the incident and remediation steps.

4. Asset Recovery (Mitigating Losses)

• Law Enforcement Collaboration: Work with international agencies like the FBI, Interpol, and blockchain tracing firms to recover stolen funds.
• Insurance Compensation: Some platforms maintain hacking insurance policies to compensate affected users.

• Emergency Funds: Establish emergency funds such as Gate.io’s SAFU (Secure Asset Fund for Users) to protect user assets during critical incidents.

  As of March 5, 2025, Gate.io’s reserve fund stood at $10.328 billion, underscoring its financial strength and user protection capabilities.

Source: www.gate.io

Source: https://www.gate.io/safu-user-assets-security-fund

The cornerstone of a crypto platform’s cybersecurity lies in the principle:

“Prevention first, timely detection, efficient response, and strong recovery.”

Platforms can maximize user asset protection by combining optimized security architecture, on-chain analysis, and rapid response mechanisms.

How Users Can Protect Their Crypto Assets

Cryptocurrencies are entirely digital, and once lost or stolen, recovery is usually impossible through traditional means (e.g., banks). Therefore, taking strict security precautions is essential. Below are the core strategies for safeguarding your crypto assets:

1. Choose Secure Storage Methods

Cold Storage:

• Use hardware wallets (like Ledger, Trezor) or paper wallets to store most assets offline, away from internet-based attacks.
• Note: Handle hardware wallets with care to prevent physical damage or loss. Always verify transactions carefully before signing—never confirm blindly.

Hot Wallets:

• Use only for storing small amounts intended for daily transactions. Avoid storing large holdings.
• Choose reputable wallets (e.g., MetaMask, Trust Wallet) and keep the software updated regularly.

Source: https://metamask.io/

2. Protect Your Private Keys and Seed Phrases

• Never Share: Your private key or seed phrase is the sole credential to access your assets—never share it with anyone.
• Secure Backup: Write down your seed phrase and store it in a fireproof, waterproof location (e.g., a safe). Avoid saving it on internet-connected devices.
• Split Storage: Consider dividing the seed phrase into parts and storing each in different locations to increase security.

3. Account and Exchange Security

• Enable Two-Factor Authentication (2FA): Use apps like Google Authenticator instead of SMS-based 2FA, which is vulnerable to hijacking. \
  Google Authenticator on Play Store
• Strong Passwords: Use a password that is at least 12 characters long, including uppercase, lowercase, numbers, and symbols. Change passwords regularly.
• Diversify Storage: Don’t store all your crypto in one wallet or exchange.
• Choose Secure Exchanges: Opt for platforms with features like DDoS protection and cold storage, and promptly withdraw large funds to private wallets.
• Disable Unnecessary API Access: Prevent theft via API exploits.
• Use Passkeys: Authenticate securely with device-based approval instead of passwords.

Source: play.google.com

4. Prevent Cyber Attacks

• Beware of Phishing: Always double-check website URLs, and avoid clicking on unknown emails, texts, or social media links.
• Dedicated Device: Consider using a separate device exclusively for crypto transactions to avoid exposure to malware or risky websites.
• Verify Transfer Addresses: Check the address before sending funds to avoid clipboard hijacking. \
  Source: Kratikal on Clipboard Hijacking
• Avoid Public Wi-Fi: Use a VPN and avoid making transactions over unsecured networks.

Source: https://kratikal.com/blog/clipboard-hijacking-can-turn-your-copied-text-into-a-threat/

5. Smart Contract and DeFi Safety

• Only Use Trusted Smart Contracts: Engage only with contracts audited by well-known security firms.
  Top Blockchain Auditors by Alchemy Test with Small Amounts: Start with a small test transaction before committing significant funds.
• Avoid High-Yield Scams: Be cautious of DeFi, NFT, or yield farming projects that promise unusually high returns.

Source: https://www.alchemy.com/best/blockchain-auditing-companies

6. Long-Term Security Strategy and Emergency Planning

• Use Multisig Wallets: Require multiple approvals to authorize transactions—ideal for managing high-value assets.
• Regular Audits: Periodically review asset balances and transaction histories for any anomalies.
• Legal & Estate Planning: Include crypto holdings in your estate plan or trust documentation to avoid irreversible losses due to lost keys.
• Stay Low Profile: Don’t flaunt your crypto wealth on social media or public forums to avoid becoming a hacker target.

Source: coindesk.com

Conclusion

This incident not only resulted in significant financial losses for Bybit but also raised broader concerns about trust and security within the crypto industry. Looking ahead, exchanges, project teams, and users must place a stronger emphasis on robust security practices. Key areas of focus should include private key management, the implementation of multi-signature wallets, and thorough smart contract audits.

As cyber threats become more sophisticated, global regulatory bodies are expected to introduce stricter security requirements. The Financial Action Task Force (FATF), for example, is advancing new anti-money laundering proposals that target cross-chain protocols to enhance oversight of decentralized platforms and multi-chain interactions. In parallel, agencies such as the U.S. SEC and European regulators may increase scrutiny of exchange security standards and advocate for tighter KYC and AML compliance measures.

For individual investors, protecting digital assets calls for a proactive approach. This includes choosing platforms with strong security records, diversifying asset storage methods, and staying informed about emerging risks. As the crypto ecosystem continues to evolve, security must remain a core priority to ensure sustainable growth and user confidence.