Hackers stole approximately US$1.46 billion worth of Ethereum from Dubai-based cryptocurrency exchange Bybit on February 21, 2025, marking the largest single theft in the history of the crypto industry and highlighting ongoing security risks across the sector.
The breach eclipsed the previous record of US$615 million stolen from the Ronin Network in 2022. U.S. authorities and blockchain analytics firms Elliptic and Chainalysis traced the attack to the Lazarus Group, a state-backed hacking organisation linked to North Korea, specifically a subunit known as TraderTraitor that has been tied to multiple high-profile cyber thefts.
Investigators say the attackers did not directly breach Bybit’s internal systems. Instead, they carried out a sophisticated social engineering and supply chain attack by compromising a developer associated with Safe{Wallet}, a third-party multi-signature wallet platform used by the exchange. Malicious JavaScript code was inserted into the wallet’s interface, altering transaction data without alerting users. This manipulation led Bybit executives to approve what appeared to be a routine transfer of 401,000 ETH from a cold wallet to a warm wallet, when in reality the funds were redirected to hacker-controlled addresses.
Following the theft, large portions of the stolen Ethereum were rapidly laundered through decentralised exchanges, cross-chain bridges and crypto mixers. Analysts say the speed and complexity of these transactions were designed to obscure the trail and make recovery increasingly difficult, a tactic consistent with previous operations attributed to North Korean cyber units.
Bybit chief executive Ben Zhou said customer funds were fully backed and unaffected by the incident, emphasising that the stolen assets were corporate holdings rather than user deposits. To maintain liquidity and market confidence, the exchange reportedly secured support from industry partners including Binance and Bitget, allowing operations to continue without major disruption.
The exchange also announced a bounty programme offering up to $140 million, or 10% of the stolen amount, for information that could lead to the recovery of the funds or the identification of those responsible.
The news triggered a sharp but short-lived reaction in the crypto market, with Ethereum and Bitcoin falling between 4% and 8% before stabilising after Bybit confirmed its financial stability. Beyond price movements, the incident has intensified global scrutiny of crypto-related cybercrime. U.S. and United Nations officials have repeatedly warned that proceeds from North Korean hacking campaigns are used to finance the country’s ballistic missile and nuclear weapons programmes.
The scale and execution of the Bybit hack underscore persistent structural vulnerabilities within the crypto ecosystem, particularly around third-party service providers. As regulators and industry leaders push for stronger safeguards, the incident stands as a clear signal that security failures in digital finance can carry consequences that extend far beyond a single platform.
Bybit to restrict access for Japanese users as regulatory pressure intensifies
