On February 21, 2025, the cryptocurrency world was shocked by the largest hack in history, where Bybit, a major crypto exchange, lost $1.4 billion worth of digital assets. The attack targeted Bybit’s cold wallets and resulted in the theft of Ethereum-based assets, including 401,000 ETH (Ethereum) and liquid-staked ETH tokens like stETH and mETH.
The primary suspect behind this massive hack is Lazarus Group, a well-known North Korean hacking organization responsible for several high-profile crypto thefts in recent years. But how did they manage to steal such a huge amount? Let’s break it down step by step.
What is Bybit?
Bybit is a cryptocurrency exchange that allows users to buy, sell, and trade digital assets like Bitcoin, Ethereum, and stablecoins. It has millions of users and is considered one of the largest platforms in the industry. To protect user funds, Bybit stores most of its assets in cold wallets, which are offline storage solutions that are harder to hack.
Despite these security measures, hackers exploited a vulnerability in Bybit’s security system and stole funds from the exchange’s cold wallet.
How did the Bybit hack happen?
Phishing attack – Tricking Bybit executives
According to security researchers, the hackers used a phishing attack, a technique that tricks people into revealing their login credentials or approving malicious transactions.
- The attackers created a fake version of Bybit’s wallet management platform.
- They presented this fake interface, which looked like the real Bybit login page, to Bybit’s executives and security team.
- Bybit employees logged in and unknowingly approved a fraudulent transaction, giving control of the exchange’s cold wallets to the hackers.
Unauthorized transfer of funds
Once the hackers gained access to Bybit’s cold wallets, they:
- Created a fake transaction that appeared to be a normal fund transfer.
- Disguised their actions to avoid raising suspicion from Bybit’s security team.
- Transferred 401,000 ETH and other assets to an external wallet controlled by them.
Laundering the stolen crypto
After stealing the funds, the hackers needed to convert the stolen crypto into cash without being detected. Here’s how they did it:
- The stolen Ethereum was sent to multiple wallets to hide its origin.
- Some of the funds were converted into stablecoins (like USDC) and moved to the Solana blockchain.
- Hackers used Solana-based memecoin platforms to further launder the money.
Blockchain investigator ZachXBT discovered that some of the stolen funds were linked to previous memecoin scams on the Solana blockchain, strengthening the theory that Lazarus Group was involved.
Who is Behind the Attack?
Lazarus Group – North Korean Hackers
Security firms like Arkham Intelligence and Elliptic have identified Lazarus Group as the likely attacker.
Lazarus Group is a North Korean hacking organization known for stealing billions of dollars from crypto exchanges, banks, and financial institutions. Their goal is to fund North Korea’s government and missile programs. They have been linked to previous attacks, including the 2022 Ronin Bridge hack ($620 million stolen), the Harmony Bridge hack the same year ($100 million stolen), and the January 2025 hack of the Phemex exchange (around $29 million reportedly stolen).
In the Bybit case, blockchain traces show that the wallets used in the hack were also involved in previous Lazarus Group activities.
Impact of the Bybit hack
Significant shake-up in investor confidence
The Bybit hack has damaged trust in the crypto industry, especially in Centralized Exchanges (CEXs). Many investors are now:
- Withdrawing funds from CEXs.
- Moving to decentralized finance (DeFi) platforms, which do not rely on centralized wallets.
- Demanding stricter security measures from exchanges.
Solana blockchain faces scrutiny
The hackers used the Solana blockchain to launder stolen funds, which has raised concerns about the security of the Solana network.
- Many memecoin projects on Solana have been exposed as scams.
- Investor sentiment towards Solana has dropped, leading to a 40% decline in active users.
What is Bybit doing to recover the stolen funds?
Bybit has taken several steps to recover the stolen funds and improve security:
- Tracking the stolen assets – Bybit is working with blockchain security firms to trace where the stolen crypto is being sent.
- Blocking suspicious wallets – Any wallet linked to the hack is being blacklisted to prevent the hackers from cashing out.
- Improving security measures – Bybit has promised to implement stronger anti-phishing protections and multi-layer authentication for fund transfers.
- Cooperating with law enforcement – International agencies, including Interpol and the FBI, are helping to track down the hackers.
So far, crypto exchanges and regulators have frozen about $43 million worth of stolen funds.
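The tracking and blacklisting steps above come down to following funds hop by hop from known-bad addresses and refusing deposits that arrive from tainted ones. The following is an added example of that taint-tracing logic; it is not Bybit's or any investigator's tooling, and the addresses, amounts and hop limit are all constructed placeholders.

```python
"""Taint tracing over a transfer graph (added example, not Bybit's code).
All addresses and amounts below are constructed placeholders, not on-chain data."""
from collections import deque

# Constructed sample transfer log: (sender, receiver, amount in ETH).
TRANSFERS = [
    ("0xEXCHANGE_COLD", "0xATTACKER_1", 401000.0),
    ("0xATTACKER_1", "0xHOP_A", 200000.0),
    ("0xATTACKER_1", "0xHOP_B", 201000.0),
    ("0xHOP_A", "0xHOP_C", 150000.0),
    ("0xHOP_B", "0xBRIDGE_DEPOSIT", 100000.0),
    ("0xUNRELATED_1", "0xUNRELATED_2", 5.0),
]


def build_graph(transfers):
    """Adjacency list: sender -> list of (receiver, amount)."""
    graph = {}
    for src, dst, amount in transfers:
        graph.setdefault(src, []).append((dst, amount))
    return graph


def trace_taint(transfers, seeds, max_hops):
    """Breadth-first walk outward from known-bad (seed) addresses.

    Returns {address: hops_from_nearest_seed} for every address that
    received funds within max_hops of a seed. Seeds themselves are hop 0.
    """
    graph = build_graph(transfers)
    tainted = {seed: 0 for seed in seeds}
    queue = deque(seeds)
    while queue:
        addr = queue.popleft()
        depth = tainted[addr]
        if depth >= max_hops:
            continue  # stop expanding beyond the configured hop limit
        for dst, _amount in graph.get(addr, []):
            if dst not in tainted:
                tainted[dst] = depth + 1
                queue.append(dst)
    return tainted


def tainted_inflow(transfers, tainted):
    """Total ETH each address received directly from a tainted sender."""
    inflow = {}
    for src, dst, amount in transfers:
        if src in tainted:
            inflow[dst] = inflow.get(dst, 0.0) + amount
    return inflow


def screen_deposit(sender, tainted):
    """Decision a deposit screen can make: block anything from a tainted sender."""
    return "block" if sender in tainted else "allow"


if __name__ == "__main__":
    # Seed with the first attacker-controlled address and follow two hops.
    hits = trace_taint(TRANSFERS, ["0xATTACKER_1"], max_hops=2)
    for addr, hops in sorted(hits.items(), key=lambda kv: kv[1]):
        print(f"{addr:<20} hop {hops}")
    print(screen_deposit("0xHOP_C", hits))
```

The hop limit is a policy choice: a small limit keeps false positives down but lets funds that have been split across many wallets slip through, which is exactly why the laundering described above fans the ETH out across multiple wallets and chains.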
The Bybit hack and the lessons for crypto users
This attack highlights the importance of strong security measures for both individuals and businesses in crypto. Here are some key takeaways:
- Always verify URLs – Before logging in to any crypto platform, double-check the URL to avoid phishing scams.
- Use hardware wallets – If you hold large amounts of crypto, store it in a hardware wallet instead of an exchange.
- Enable multi-signature wallets – Businesses should require multiple approvals for large transactions to prevent unauthorized transfers.
- Be cautious with new projects – Avoid investing in new and unverified meme-coins, as many turn out to be scams.
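Two of the takeaways above, verifying the URL before logging in and requiring multiple approvals for large transfers, can be enforced in code rather than left to habit. The block below is an added example, not Bybit's own code; the trusted hostname, signer names, approval threshold and transaction limit are assumed values. The approval check also requires each approver to restate the destination and amount they believe they are approving, so an approval collected through a spoofed interface that showed different details is discarded.

```python
"""Login-URL allowlist check and M-of-N transfer approval policy
(added example, not Bybit's code). Hosts, signers and limits are assumed."""
from urllib.parse import urlsplit

# Assumed: the only host on which this organisation's wallet UI is served.
TRUSTED_HOSTS = {"wallet.example-exchange.com"}


def is_trusted_login_url(url, trusted_hosts=TRUSTED_HOSTS):
    """True only for https and an exact, ASCII hostname match.

    A substring test would accept lookalikes such as
    'wallet.example-exchange.com.evil.test', so the whole host is compared.
    Non-ASCII or punycode labels are rejected to stop homograph lookalikes.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower()
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return False
    return host in trusted_hosts


# Assumed policy: 3 of 4 named signers must approve, and no single
# transfer may exceed the per-transaction limit.
TRANSFER_POLICY = {
    "required_approvals": 3,
    "per_tx_limit_eth": 10000.0,
    "signers": {"alice", "bob", "carol", "dave"},
}


def evaluate_transfer(tx, approvals, policy=TRANSFER_POLICY):
    """tx: {'to': address, 'amount_eth': float}
    approvals: list of {'signer': name, 'to': address, 'amount_eth': float}

    Each approver independently states what they are approving; an approval
    whose details do not match the transaction is not counted. Returns
    (decision, reasons) where reasons is empty only on approval.
    """
    reasons = []
    if tx["amount_eth"] > policy["per_tx_limit_eth"]:
        reasons.append("amount exceeds per-transaction limit")
    valid = set()  # distinct signers whose approval matches the transaction
    for a in approvals:
        if a["signer"] not in policy["signers"]:
            reasons.append(f"unknown signer {a['signer']}")
            continue
        if a["to"] != tx["to"] or a["amount_eth"] != tx["amount_eth"]:
            reasons.append(f"{a['signer']} approved different details")
            continue
        valid.add(a["signer"])
    if len(valid) < policy["required_approvals"]:
        reasons.append(
            f"only {len(valid)} of {policy['required_approvals']} valid approvals"
        )
    return ("approve" if not reasons else "reject", reasons)


if __name__ == "__main__":
    print(is_trusted_login_url("https://wallet.example-exchange.com/login"))
    tx = {"to": "0xTREASURY", "amount_eth": 5000.0}
    ok = [{"signer": s, "to": "0xTREASURY", "amount_eth": 5000.0}
          for s in ("alice", "bob", "carol")]
    print(evaluate_transfer(tx, ok))
```

Requiring approvers to restate the destination and amount is the part that matters for a phishing scenario: a signer who only ever clicks "approve" in a web interface has no independent record of what they consented to, whereas a mismatch between the restated details and the actual transaction surfaces immediately.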