Saturday, March 8, 2025

Bybit’s $1.5 Billion Crypto Heist: How North Korea’s Lazarus Group Pulled Off the Biggest Hack in History

The largest crypto heist in history—North Korea’s Lazarus Group stealing $1.5 billion from Bybit—has sent shockwaves through the market, contributing to Bitcoin’s drop from over $100K to under $90K as investors question the security of exchanges.

It started like any other routine transaction. On Friday, February 21, 2025, cryptocurrency exchange Bybit was moving Ethereum from its cold storage wallet to a warm wallet—a standard process for managing liquidity. Everything looked normal. The transaction had passed multiple security checks, and Bybit CEO Ben Zhou himself had given the final approval.

But something was wrong.

Within 30 minutes, Zhou’s phone rang. It was his Chief Financial Officer—his voice shaking.

“Ben, there was an issue… we might be hacked,” Zhou said, as reported by CryptoNews.

At first, Zhou thought the loss was around 30,000 ETH—a huge amount, but manageable. But according to CryptoNews, the real number was far worse: 401,000 ETH—worth $1.5 billion—had been drained.

This made it the biggest crypto hack in history, surpassing the $625 million stolen from Ronin Network in 2022, according to reports from SecurityWeek, The Hacker News, and AP News.

What Is Bybit? The Exchange That Just Lost $1.5 Billion

Founded in 2018, Bybit is a cryptocurrency exchange headquartered in Dubai, UAE. It has grown into one of the largest trading platforms in the world, boasting over 60 million users and handling billions in daily trading volume. Bybit built its reputation on derivatives trading, offering leveraged positions on Bitcoin, Ethereum, and other digital assets.

Unlike some of its competitors, Bybit has largely stayed out of regulatory trouble—although it has faced restrictions in countries like the U.S., UK, and Japan.

Now, it’s making headlines for all the wrong reasons.

The Attack: A Masterclass in Deception

Bybit’s cold wallet—supposedly the most secure place for its funds—had been compromised. But this wasn’t a brute-force attack. This was surgical precision.

Blockchain analysis firm Chainalysis revealed that hackers had manipulated Bybit’s smart contract logic while keeping the front-facing interface intact. To the human eye, everything appeared normal. But in reality, the transfer was secretly rerouted to a hacker-controlled address.

How did they pull it off?

Investigators believe it was a social engineering attack targeting cold wallet signers—tricking them into signing a malicious transaction. Once approved, the hackers swapped Bybit’s secure multi-signature contract with their own, effectively giving them control over the wallet.

The result? 401,000 ETH vanished in minutes.

Who Was Behind It? The Lazarus Group’s Fingerprints Are Everywhere

According to CryptoNews, on-chain investigator ZachXBT identified North Korea’s Lazarus Group as the culprits within hours. His findings were later corroborated by Elliptic, Arkham Intelligence, and reports from The Hacker News, SecurityWeek, and International Business Times.

Known for funding North Korea’s nuclear weapons program, Lazarus Group has been behind some of the biggest crypto heists in history:

  • 2022: Ronin Network hack – $625 million stolen
  • 2023: Atomic Wallet hack – $100 million stolen
  • 2024: WazirX hack – $234 million stolen
  • Now, 2025: Bybit hack – $1.5 billion stolen

According to blockchain analytics firm Elliptic, Lazarus Group quickly began breaking up the stolen Ethereum into multiple wallets before swapping it for Bitcoin and stablecoins using decentralized exchanges and cross-chain bridges. This tactic, which has been used in previous North Korean-linked hacks, helps obfuscate the funds and makes recovery efforts more difficult.

How Bybit Responded—and Why It Didn’t Collapse

For any exchange, losing $1.5 billion could be fatal. But Bybit survived, thanks to a mix of quick action, emergency funding, and transparency.

1. Customer Funds Were Safe

Unlike FTX, which collapsed in 2022 due to missing customer funds, Bybit reassured users that their funds were safe and fully backed.

2. A Rapid Response Team Mobilized

Bybit froze all wallets, launched an internal investigation, and hired blockchain analytics firms to track stolen assets.

3. $140 Million Bounty Offered

Bybit announced a 10% bounty for anyone who could help recover the stolen funds—offering up to $140 million in rewards.

4. A Massive Liquidity Injection

Bybit secured 447,000 ETH (more than was stolen) through emergency funding from Galaxy Digital, FalconX, and Wintermute, allowing it to replenish reserves in 72 hours.

5. Tether Froze Some of the Funds

Stablecoin issuer Tether froze 181,000 USDT linked to the hack, preventing some of the stolen funds from being laundered.

Despite an initial $7 billion drop in total assets on Bybit, confidence has slowly returned.

The Bigger Question: Can Crypto Stop North Korea?

The Bybit hack is not just another crypto theft. It’s part of a larger pattern:

🔹 North Korea has stolen over $3 billion in crypto since 2017.
🔹 These funds are believed to finance the country’s nuclear weapons program.
🔹 Sanctions have failed to stop these attacks.

So, what can be done?

Some experts argue that crypto exchanges must move to better security standards, such as:

  • Hardware-based signing devices instead of software-based approvals
  • Clear signing protocols that eliminate transaction manipulation
  • AI-driven anomaly detection to flag suspicious transactions before approval
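
One way to implement the kind of pre-approval check the last two items describe, as an added example and not code from Bybit or the cited reports: it derives the effect of the raw payload independently of the interface and compares it with what the signer was shown. It covers plain ETH transfers and, going beyond the article's case, ERC-20 `transfer` calls; every address, amount and field name is a constructed placeholder.

```python
# Added example: every address, amount and field name below is constructed.
ERC20_TRANSFER = bytes.fromhex("a9059cbb")   # selector of transfer(address,uint256)
WARM_WALLET = "0x" + "11" * 20               # placeholder approved destination
OTHER_ADDR = "0x" + "22" * 20                # placeholder unapproved address
ALLOWLIST = {WARM_WALLET}

def decode_effect(tx):
    """Derive (asset, recipient, amount) from the raw payload only."""
    raw = tx["data"][2:] if tx["data"].startswith("0x") else tx["data"]
    data = bytes.fromhex(raw)
    if not data:                              # no calldata: plain ETH transfer
        return ("native", tx["to"].lower(), tx["value"])
    # ERC-20 transfer: selector + 32-byte zero-padded address + 32-byte amount
    well_formed = len(data) == 68 and not any(data[4:16])
    if data[:4] == ERC20_TRANSFER and well_formed and tx["value"] == 0:
        recipient = "0x" + data[16:36].hex()
        return (tx["to"].lower(), recipient, int.from_bytes(data[36:], "big"))
    return (None, None, None)                 # any other contract call

def check_before_signing(displayed, tx, allowlist=ALLOWLIST):
    """Return findings; an empty list means display and payload agree."""
    asset, recipient, amount = decode_effect(tx)
    if asset is None:
        return ["payload is a contract call the display does not describe"]
    findings = []
    if asset != displayed["asset"]:
        findings.append("asset differs from the one displayed")
    if recipient != displayed["recipient"].lower():
        findings.append("recipient differs from the one displayed")
    if amount != displayed["amount"]:
        findings.append("amount differs from the one displayed")
    if recipient not in allowlist:
        findings.append("recipient is not an approved destination")
    return findings

# What the signer was shown, and three constructed payloads to compare against it.
DISPLAYED = {"asset": "native", "recipient": WARM_WALLET, "amount": 1_000 * 10**18}
HONEST_TX = {"to": WARM_WALLET, "value": 1_000 * 10**18, "data": "0x"}
REROUTED_TX = {"to": OTHER_ADDR, "value": 1_000 * 10**18, "data": "0x"}
OPAQUE_TX = {"to": OTHER_ADDR, "value": 0, "data": "0x" + "deadbeef" + "00" * 32}

if __name__ == "__main__":
    for name, tx in [("honest", HONEST_TX), ("rerouted", REROUTED_TX),
                     ("opaque", OPAQUE_TX)]:
        print(name, check_before_signing(DISPLAYED, tx) or "ok")
```

The check only helps if the displayed intent and the decoded payload reach the approver through separate paths, so that tampering with one interface cannot alter both.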

Others say international action is needed—perhaps cyber retaliation against North Korea’s hacking infrastructure.

The Future of Bybit and the Industry

Bybit may have survived this attack, but will customers continue to trust centralized exchanges after yet another billion-dollar hack?

Some traders are moving to self-custody wallets, while regulators worldwide are increasing scrutiny on exchange security measures.

But this incident isn’t just a Bybit problem—it’s a crypto-wide wake-up call.

🚨 The Lazarus Group isn’t slowing down.
🚨 Crypto security isn’t keeping up.
🚨 And the next record-breaking hack may already be in motion.

While the $1.5 billion Bybit hack is the largest in crypto history by total value at the time of the theft, it still pales in comparison to the infamous Mt. Gox collapse in 2014—when 850,000 BTC was stolen from the Japan-based exchange.

At the time, Bitcoin was trading at $600 per BTC, putting the loss at around $500 million. But at today’s price of $90,000 per BTC, that amount would be worth an astonishing $76.5 billion—making it the biggest crypto heist ever in terms of present-day value.

Unlike Bybit, Mt. Gox never recovered, leaving users devastated. While 141,686 BTC was later secured for creditor repayments, much of the stolen Bitcoin was never recovered.

With each major attack, one question grows louder: Is crypto security evolving fast enough to keep up with the threats? Or is this just another chapter in crypto’s never-ending Wild West?


References and Further Reading

  • Cryptonews, “The Bybit Hack Explained: What Happened, Who Did It, What Happens Next” (February 25, 2025). Retrieved February 26, 2025.
  • International Business Times, “Bybit Hack: How The $1.4B Exploit Happened, Funds Recovered, And Who’s Responsible” (February 24, 2025). Retrieved February 26, 2025.
  • SecurityWeek, “Bybit Hack Drains $1.5 Billion From Cryptocurrency Exchange” (February 22, 2025). Retrieved February 26, 2025.
  • The Hacker News, “Bybit Confirms Record-Breaking $1.5 Billion Crypto Heist in Sophisticated Cold Wallet Attack” (February 22, 2025). Retrieved February 26, 2025.
  • Associated Press (AP News), “Cryptocurrency exchange says it was victim of $1.5 billion hack” (February 21, 2025). Retrieved February 26, 2025.
  • Wikipedia, “Bybit” (Last updated February 2025). Retrieved February 26, 2025.

Disclaimer

The information provided in this article is based on publicly available reports, industry analysis, and expert commentary. While every effort has been made to ensure accuracy, the fast-evolving nature of cybersecurity incidents and financial markets means that new details may emerge after publication.

This article is for informational purposes only and should not be considered financial, legal, or cybersecurity advice. Readers are encouraged to conduct their own research and consult with professionals before making any financial or security-related decisions.

Neither the author nor this publication assumes any responsibility for losses or damages arising from reliance on the information contained herein. The views expressed are those of the author and do not necessarily reflect the opinions of the sources cited or any affiliated organizations.
