On Friday, February 21, 2025, nearly $1.5 billion worth of Ethereum was stolen from Bybit, a Dubai-based crypto exchange. The Bybit hack is the biggest crypto hack of all time, exceeding the roughly $600 million stolen from Poly Network in 2021. It is also arguably the biggest theft of any type in the world; the previous record is usually attributed to Saddam Hussein, who reportedly took around $1 billion from the Central Bank of Iraq on the eve of Operation Iraqi Freedom (OIF) on March 20, 2003.
Details Of The Hack
In a February 21, 2025 post, Bybit reported that it had detected suspicious activity relating to one of its Ethereum (ETH) cold wallets. The incident involved a transaction from that cold wallet to a warm wallet. Instead of reaching the warm wallet, the funds were withdrawn from the cold wallet to an unidentified address controlled by the attacker.
The exchange said its security team was working with blockchain forensic experts to investigate the incident. They also called on assistance from any experts and teams that could assist with the tracking of the assets. Bybit stated that all other cold wallets were secure, and client funds were safe.
The attack combined social engineering with transaction substitution: the employees approving what they believed was a routine cold-to-warm transfer did not realize that the transaction they actually signed sent the funds to a different wallet address. This is the core weakness of blind signing, where a signer approves a digest without independently confirming the destination, amount and call type it commits to.
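The defence against this class of attack is to refuse to blind-sign. The following is an added example (not Bybit's code, nor any wallet vendor's) that models a multisig signing flow abstractly: the operator knows the transfer they intend to make, the signing UI asks for a signature over a digest, and the signer recomputes the digest from the intended fields and refuses if it differs. The field names, serialization, the `operation` encoding and the allowlist policy are all hypothetical, and SHA-256 stands in for the Keccak-256/EIP-712 digest a real Ethereum wallet would use.

```python
"""Signer-side check against transaction substitution (added example, hypothetical schema)."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    to: str           # destination, 0x-prefixed 20-byte hex
    value_wei: int    # amount in wei
    data: bytes       # calldata; empty for a plain ETH transfer
    operation: int    # 0 = CALL, 1 = DELEGATECALL (hypothetical encoding)


def digest(tx: Transfer) -> bytes:
    """Canonical serialization of the fields a signature commits to.

    Hypothetical layout; SHA-256 is a stand-in for Keccak-256 / EIP-712.
    """
    h = hashlib.sha256()
    h.update(bytes.fromhex(tx.to[2:]))
    h.update(tx.value_wei.to_bytes(32, "big"))
    h.update(len(tx.data).to_bytes(4, "big"))
    h.update(tx.data)
    h.update(tx.operation.to_bytes(1, "big"))
    return h.digest()


class SubstitutionDetected(Exception):
    pass


def check_before_signing(intended: Transfer, requested_digest: bytes,
                         allowlist: frozenset) -> bool:
    """Sign only if the requested digest is exactly the one for the intended transfer.

    Policy checks run on the *intended* fields (from the ops ticket), never on
    whatever the UI displays, so a compromised UI cannot satisfy them.
    """
    if intended.to.lower() not in allowlist:
        raise SubstitutionDetected("destination is not on the treasury allowlist")
    if intended.operation != 0:
        raise SubstitutionDetected("only plain CALLs may be signed from a treasury wallet")
    if not hmac.compare_digest(digest(intended), requested_digest):
        raise SubstitutionDetected("requested digest does not match the intended transfer")
    return True


# Constructed scenario: a 10,000 ETH cold-to-warm transfer
WARM_WALLET = "0x" + "11" * 20
ATTACKER = "0x" + "22" * 20
ALLOWLIST = frozenset({WARM_WALLET})


def demo() -> tuple:
    intended = Transfer(WARM_WALLET, 10_000 * 10**18, b"", 0)
    # Honest UI: the digest it asks for is computed over the intended transfer
    honest_ok = check_before_signing(intended, digest(intended), ALLOWLIST)
    # Compromised UI: shows `intended` but requests a signature over a
    # transaction with the destination swapped and a DELEGATECALL
    substituted = Transfer(ATTACKER, 10_000 * 10**18, b"", 1)
    try:
        check_before_signing(intended, digest(substituted), ALLOWLIST)
        caught = False
    except SubstitutionDetected:
        caught = True
    return honest_ok, caught


if __name__ == "__main__":
    print(demo())
```

The point is that the recomputation must happen on a device or channel the UI does not control (a hardware signer that decodes and shows the real fields, or a second machine), otherwise the attacker simply substitutes both the display and the digest.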
The Lazarus Group Connection
Blockchain analysis firm Elliptic stated that the attack was likely carried out by the Lazarus Group, a state-sponsored hacking group based in North Korea. Since 2017, North Korean-linked hackers have stolen over $6 billion in crypto, with proceeds reportedly going to the country’s ballistic missile testing program. The group not only hacks and steals crypto assets, but it also has complex mechanisms for laundering funds.
One indicator pointing to Lazarus is the choice of asset. The group typically converts what it steals into a chain's native token, because other tokens often have an issuer-controlled freeze mechanism that can lock the funds in the thief's wallets. During the attack, hundreds of millions of dollars of stETH and cmETH were converted to Ether. The group used several decentralized exchanges for this, since centralized exchanges are far more likely to freeze the funds.
The second stage is layering: the funds are sent to thousands of wallets, moved to other chains via cross-chain bridges, swapped between crypto assets, passed through mixers, and so on. Within two hours of the theft, the funds had been split across 50 wallet addresses, each holding around 10,000 ETH.
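The fan-out described above (one address sending near-identical amounts to dozens of fresh wallets within a couple of hours) is exactly the pattern on-chain monitoring is meant to catch. The following is an added example, not Bybit's or Elliptic's tooling: a sliding-window detector run over a constructed transfer log, with a benign hot-wallet payout stream included for contrast. Thresholds (window, recipient count, amount uniformity) are illustrative assumptions.

```python
"""Fan-out (layering) detector over a constructed transfer log (added example)."""
from collections import defaultdict
from statistics import mean, pstdev


def build_sample() -> list:
    """Constructed transfer rows, not real chain data.

    Each row: {"ts": unix seconds, "from": sender, "to": recipient, "value_eth": float}
    """
    rows = []
    t0 = 1_740_150_000  # arbitrary starting timestamp
    # Pattern from the article: ~50 wallets of ~10,000 ETH each within two hours
    for i in range(50):
        rows.append({"ts": t0 + 120 * i, "from": "0xdrain",
                     "to": f"0xlayer{i:02d}", "value_eth": 10_000.0 - (i % 7)})
    # Benign contrast: an exchange hot wallet paying varied amounts all day
    for i in range(60):
        rows.append({"ts": t0 + 1_200 * i, "from": "0xhot",
                     "to": f"0xuser{i:02d}", "value_eth": 0.5 + (i * 3.7) % 40})
    return rows


def detect_fanout(rows, window_s=7_200, min_recipients=20, max_cv=0.05) -> list:
    """Flag senders that fan out to many distinct recipients in near-equal amounts.

    max_cv bounds the coefficient of variation (stdev / mean) of the amounts in
    the window: laundering splits are deliberately uniform, customer payouts
    are not, so amount uniformity separates the two even at similar volumes.
    """
    by_sender = defaultdict(list)
    for r in rows:
        by_sender[r["from"]].append(r)

    alerts = []
    for sender, txs in by_sender.items():
        txs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(txs)):
            # advance the window start until it spans at most window_s seconds
            while txs[end]["ts"] - txs[start]["ts"] > window_s:
                start += 1
            window = txs[start:end + 1]
            recipients = {r["to"] for r in window}
            if len(recipients) < min_recipients:
                continue
            vals = [r["value_eth"] for r in window]
            cv = pstdev(vals) / mean(vals)
            if cv <= max_cv:
                alerts.append({
                    "sender": sender,
                    "recipients": len(recipients),
                    "total_eth": sum(vals),
                    "seconds": txs[end]["ts"] - txs[start]["ts"],
                    "cv": round(cv, 4),
                })
                break  # one alert per sender is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(build_sample()):
        print(alert)
```

In production the same logic would run on a stream of confirmed transfers from the exchange's own wallets, and an alert on a cold or warm wallet would be grounds to pause further signing while the destination set is checked; the window and recipient thresholds above are starting points to tune against the exchange's real payout traffic.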
How Exchanges Reacted
Within hours of the hack, the funds were being moved to decentralized exchanges, cross-chain bridges, and centralized exchanges.
According to the Elliptic report, the hackers favored the eXch service, which is known to allow users to swap digital assets anonymously. As of Monday, February 24, 2025, over $75 million worth of funds had been laundered through eXch, and the platform refused to assist Bybit in recovering them.
Thus far, most other mainstream exchanges are working with Bybit to ensure that if the funds land in their system, they will be immediately frozen. Even decentralized exchanges are working with Bybit. For instance, the Chainflip decentralized exchange announced that it had upgraded its code to block all funds from the hack. Chainflip decided to upgrade its code after it detected part of the stolen funds being exchanged for USDC via its platform.
Bybit has offered a 10% bounty for the recovery of the funds. However, there is little hope of recovering them. The Lazarus Group is notorious for not returning funds once it has control of them. For instance, after the group stole $600 million from Axie Infinity, authorities were only able to recover about $30 million.
Bybit Recovers From The Attack
Following the attack, Bybit CEO Ben Zhou posted on X that the exchange had fully recovered. He stated that Bybit had fully replenished its ETH wallets after securing around 447K ETH in emergency funding from firms such as FalconX, Galaxy Digital, and Wintermute. According to an audit report by Hacken, Bybit was able to fully restore its reserves, with all major assets above 100% collateralization.
The Aftermath
One positive outcome was that there was no bank run on the exchange. This is partly because Bybit is a major exchange with a reputation for robust security and responsiveness to customer issues. There were still some sporadic withdrawals by cautious crypto investors.
Initially, social media users were quick to attack Bybit, accusing it of being negligent, particularly due to the lack of standard on-chain monitoring, and the blind signing of transactions.
However, this initial assessment was not entirely fair. Bybit is not a basement operation; it is one of the biggest crypto exchanges in the world. That such an exchange could be hit this way points to a wider problem in the crypto sector, which attackers view as a prime target for quick gains. The fact that the hackers are state-backed makes such attacks even harder to deal with.
The attack highlights the need for better security systems on crypto exchanges, especially in terms of how crypto assets are stored.
In addition to technical issues, there are also a large number of legal questions. How is it that stolen funds move freely between exchanges, protocols, and wallets?