Bybit Exchange Hack 2025: North Korea Steals $1.5 Billion in the Largest Crypto Theft in History
On February 21, 2025, the Lazarus Group — North Korea's premier cybercrime unit — stole approximately $1.5 billion in Ethereum from Bybit, one of the world's largest cryptocurrency exchanges. It was the single largest theft in the history of cryptocurrency, and it was executed not through a vulnerability in Bybit's own systems but through a compromise of Safe{Wallet}, the third-party multi-signature wallet infrastructure Bybit used to manage cold storage transfers. The attack demonstrated that supply chain compromise of wallet infrastructure represents an existential risk for any cryptocurrency exchange, regardless of the security of the exchange's own systems.
Lazarus Group compromised the developer infrastructure of Safe{Wallet} — a widely-used open-source multi-signature wallet platform — and injected malicious JavaScript that would activate specifically during a Bybit cold-to-warm wallet transfer. When Bybit executives reviewed what appeared to be a routine transfer for signing, the malicious JavaScript had replaced the legitimate transaction with one routing funds to Lazarus Group-controlled addresses. The executives approved the transaction believing it was legitimate. Approximately $1.5 billion in Ethereum was transferred to attacker-controlled wallets within minutes. Bybit publicly disclosed the theft immediately, launched a recovery effort, and remained solvent — processing withdrawals and maintaining operations despite the loss. Blockchain analytics firms tracked the funds through a rapid laundering campaign using mixers and DEXs. The FBI formally attributed the attack to North Korea's Lazarus Group in March 2025.
The attack had two distinct phases. Phase one: Lazarus Group compromised Safe{Wallet}'s development infrastructure — specifically an Amazon Web Services S3 bucket used to host JavaScript assets loaded by the Safe{Wallet} interface. They replaced a legitimate JavaScript file with a malicious version that detected Bybit-specific wallet addresses and substituted transaction parameters. Phase two: When Bybit's cold wallet management team initiated what they believed was a routine transfer, the compromised Safe{Wallet} interface displayed the correct transaction details while routing the actual blockchain transaction to Lazarus Group addresses. The multi-signature approval process — intended to prevent unauthorized transactions — was defeated because all signers were viewing the same compromised interface.
The Bybit attack produced three lessons critical for any organization using third-party financial infrastructure. First, multi-signature approval processes are only as secure as the interface displaying the transaction details — if the interface is compromised, the approval process is compromised. Independent transaction verification through multiple independent interfaces is the only defense. Second, supply chain attacks against financial infrastructure now target the specific moment of high-value transaction authorization — attackers are patient and precise, not opportunistic. Third, transparency worked: Bybit's immediate public disclosure and continued operations demonstrated that surviving a major crypto theft is possible, and that attempting to conceal it would have been far more damaging.
For PE sponsors with fintech, cryptocurrency, or digital asset portfolio companies, the Bybit attack establishes that third-party wallet infrastructure must be evaluated as critically as the exchange's own systems. Any digital asset custodian using multi-signature workflows must implement independent transaction verification — specifically, verifying transaction parameters through a separate, air-gapped or independently sourced interface before signing, so that what the signing device is actually asked to sign is checked against what the signer intends to approve. Supply chain security for financial infrastructure providers is not optional.
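The independent verification step described above can be made concrete. The following is an added example, not code from Bybit, Safe{Wallet}, or the original article: it recomputes a Safe multisig transaction's EIP-712 `safeTxHash` from the parameters the signer intends to approve, on a machine that never loaded the wallet web interface, and compares it with the hash the signing device actually presents. If a tampered interface hands the device a different payload than the one it displays, the two hashes differ and the tool says not to sign. Assumptions: the EIP-712 type strings are those of the Safe contracts from v1.3.0 onward (domain = chainId + verifyingContract); `verify_before_signing`, `SafeTx` and `demo` are names chosen here; all addresses in the scenario are constructed placeholders; Keccak-256 is implemented inline because Python's `hashlib.sha3_256` is NIST SHA-3, not the Keccak variant Ethereum uses.

```python
"""Independent Safe transaction hash verification (added example, not
Bybit's or Safe{Wallet}'s code). Pure-Python Keccak-256 plus EIP-712."""
from dataclasses import dataclass

_RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
       0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
       0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
       0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
       0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
       0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
_ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
        [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]

def _rol(v, n):  # 64-bit rotate left
    return ((v << n) | (v >> (64 - n))) & 0xFFFFFFFFFFFFFFFF

def _keccak_f(a):
    """Keccak-f[1600] on a 5x5 lane array a[x][y]: theta, rho/pi, chi, iota."""
    for rc in _RC:
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        b = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):
                b[y][(2 * x + 3 * y) % 5] = _rol(a[x][y], _ROT[x][y])
        a = [[b[x][y] ^ (~b[(x + 1) % 5][y] & b[(x + 2) % 5][y]) for y in range(5)]
             for x in range(5)]
        a[0][0] ^= rc
    return a

def keccak256(data: bytes) -> bytes:
    """Original Keccak-256 (rate 136 bytes, 0x01 ... 0x80 padding), as Ethereum uses."""
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % 136)
    buf[-1] |= 0x80
    a = [[0] * 5 for _ in range(5)]
    for off in range(0, len(buf), 136):
        for i in range(17):  # 17 lanes x 8 bytes = 136-byte rate
            a[i % 5][i // 5] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        a = _keccak_f(a)
    return b"".join(a[i % 5][i // 5].to_bytes(8, "little") for i in range(4))

# EIP-712 type strings from the Safe contracts (v1.3.0+); their keccak256 is the type hash.
_DOMAIN_TYPE = b"EIP712Domain(uint256 chainId,address verifyingContract)"
_SAFE_TX_TYPE = (b"SafeTx(address to,uint256 value,bytes data,uint8 operation,"
                 b"uint256 safeTxGas,uint256 baseGas,uint256 gasPrice,address gasToken,"
                 b"address refundReceiver,uint256 nonce)")

def _word(v) -> bytes:
    """ABI-encode an int, a hex address string or a 32-byte hash as one 32-byte word."""
    if isinstance(v, str):
        v = int(v, 16)
    return v.rjust(32, b"\x00") if isinstance(v, bytes) else v.to_bytes(32, "big")

@dataclass(frozen=True)
class SafeTx:
    to: str
    value: int
    data: bytes
    operation: int            # 0 = CALL, 1 = DELEGATECALL
    nonce: int
    safe_tx_gas: int = 0
    base_gas: int = 0
    gas_price: int = 0
    gas_token: str = "0x" + "00" * 20
    refund_receiver: str = "0x" + "00" * 20

def safe_tx_hash(chain_id: int, safe_address: str, tx: SafeTx) -> bytes:
    """safeTxHash = keccak256(0x19 0x01 || domainSeparator || hashStruct(SafeTx))."""
    domain = keccak256(keccak256(_DOMAIN_TYPE) + _word(chain_id) + _word(safe_address))
    fields = [tx.to, tx.value, keccak256(tx.data), tx.operation, tx.safe_tx_gas,
              tx.base_gas, tx.gas_price, tx.gas_token, tx.refund_receiver, tx.nonce]
    struct = keccak256(keccak256(_SAFE_TX_TYPE) + b"".join(_word(f) for f in fields))
    return keccak256(b"\x19\x01" + domain + struct)

def verify_before_signing(intended: SafeTx, device_hash: bytes, chain_id: int,
                          safe_address: str, allowed_destinations: set) -> list:
    """Run on a machine independent of the wallet web interface. Returns findings;
    an empty list means the device hash matches what the signer intends to approve."""
    findings = []
    if intended.operation != 0:
        findings.append("operation is DELEGATECALL; a routine transfer is a plain CALL")
    if intended.to.lower() not in {a.lower() for a in allowed_destinations}:
        findings.append(f"destination {intended.to} is not on the approved list")
    if safe_tx_hash(chain_id, safe_address, intended) != device_hash:
        findings.append("device hash differs from the intended transaction: the interface "
                        "and the payload being signed disagree, do not sign")
    return findings

# Constructed scenario; every address below is a placeholder, not a real one.
CHAIN_ID, SAFE, WARM, ROGUE = 1, "0x" + "22" * 20, "0x" + "11" * 20, "0x" + "33" * 20

def demo():
    intended = SafeTx(to=WARM, value=10**18, data=b"", operation=0, nonce=42)
    honest = safe_tx_hash(CHAIN_ID, SAFE, intended)       # device signs what the UI showed
    substituted = SafeTx(to=ROGUE, value=10**18, data=b"", operation=0, nonce=42)
    tampered = safe_tx_hash(CHAIN_ID, SAFE, substituted)  # UI shows `intended`, device gets this
    return (verify_before_signing(intended, honest, CHAIN_ID, SAFE, {WARM}),
            verify_before_signing(intended, tampered, CHAIN_ID, SAFE, {WARM}))
```

In practice the `device_hash` argument is the hash read off the hardware signer's screen, and `intended` is typed in from the transfer request (not copied from the web interface); the check only has value if the comparison path shares nothing with the interface that could be compromised.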