The $1.5 Billion Heist: Lazarus Group and the Largest Cryptocurrency Theft in History
At 2:16 PM UTC on February 21, 2025, Bybit CEO Ben Zhou was watching an alert that didn’t make sense.
The Dubai-headquartered exchange’s cold wallet — one of the most heavily protected addresses in the company’s custody infrastructure, holding approximately 401,347 ETH — was draining. Transfer after transfer, the funds were moving to addresses Bybit had never authorized. The transactions had valid cryptographic signatures. The multi-signature threshold had been met. Every technical control the exchange had implemented said the withdrawal was legitimate.
It was not. Bybit had just lost $1.5 billion in Ethereum in less than two hours. It was the largest theft of any kind from a cryptocurrency exchange in history, and it was complete before anyone fully understood what had happened.
Zhou went live on X. “Bybit ETH multisig cold wallet just got attacked,” he typed. “The attacker managed to take control of the specific ETH cold wallet and transferred all the ETH in the cold wallet to this unidentified address. All other cold wallets are secure.”
The investigation into how — not whether — would take hours. The answer was an object lesson in why “the blockchain was never hacked” has always been the wrong sentence to say.
What Bybit Is — And What It Was Protecting
Bybit was founded in 2018 in Singapore and registered in Dubai, growing into one of the world’s top three cryptocurrency derivatives exchanges by trading volume, with reported assets under custody exceeding $20 billion at the time of the attack. Like all major exchanges, Bybit maintained a tiered custody architecture: hot wallets for liquidity to process withdrawals, and cold wallets — air-gapped hardware wallets disconnected from the internet — for the bulk of customer assets.
The specific wallet targeted was Bybit’s ETH multi-signature cold wallet, managed through Safe{Wallet} — the enterprise multi-signature wallet infrastructure operated by the Safe Ecosystem Foundation (formerly Gnosis Safe). Safe is the dominant multi-sig solution for institutional crypto custody: a smart-contract-based system requiring a threshold of authorized signatures to execute any transaction. Bybit’s cold wallet required 3 of 5 authorized signers to approve any outbound transfer. The five signers held hardware security keys — physical devices generating cryptographic signatures offline.
Three signatures required, from five hardware devices held by five authorized people. An offline multi-sig threshold. This was, by the standards of the industry, a gold-standard security architecture.
Threat Actor Profile: Lazarus Group / TraderTraitor
Designation: Lazarus Group; the Bybit intrusion is specifically attributed to the subgroup tracked as TraderTraitor (FBI), UNC4899 (Mandiant), Sapphire Sleet (Microsoft)
Attribution: Democratic People’s Republic of Korea, Reconnaissance General Bureau, Bureau 121; attributed by the FBI within six days of the theft
Primary Mission: Dual-purpose — state-directed geopolitical operations (Sony Pictures 2014) and financially motivated cryptocurrency theft to fund North Korea’s ballistic missile and nuclear programs under sanctions
Known Tradecraft (TraderTraitor): Social engineering targeting cryptocurrency firms, DeFi developers, and Web3 professionals; lure-based deployment via fake job offers, investment opportunities, and open-source package poisoning; supply chain attacks against developer tooling; particular interest in compromising trusted infrastructure used by multiple downstream targets simultaneously
Notorious Operations:
- Bangladesh Bank SWIFT Heist (2016): $81M stolen via fraudulent SWIFT transfer orders; the opening salvo of North Korea’s financially motivated cyber program.
- Ronin Network (2022): $625M stolen from the Axie Infinity gaming blockchain bridge — previously the record for the largest crypto theft.
- Harmony Horizon Bridge (2022): $100M stolen; same TraderTraitor methodology — compromise of a trusted bridge operator, not the blockchain itself.
- Atomic Wallet (2023): $100M stolen from individual wallets after compromising the wallet software’s infrastructure.
The arithmetic of Lazarus Group’s crypto theft program is significant: UN panels of experts have estimated $3 billion in total cryptocurrency theft since 2017, with proceeds assessed as funding approximately 40% of North Korea’s weapons of mass destruction development budget. The Bybit theft in a single operation exceeded the annual revenue of many UN member states.
The Supply Chain: How Safe{Wallet} Became the Attack Vector
The theft did not exploit a vulnerability in Bybit’s internal systems. It did not break Ethereum’s cryptographic primitives. It exploited the space between what the signers were shown and what they were actually signing.
Weeks before February 21, North Korean operators — using techniques consistent with TraderTraitor’s established methodology — compromised the workstation of a Safe{Wallet} developer through social engineering. The exact lure has not been publicly confirmed, but TraderTraitor’s documented playbook involves fake job interviews, fake investment opportunities, and direct outreach via LinkedIn and Telegram — providing what appears to be legitimate professional contact before deploying malware through a document or repository link.
The developer’s machine ran macOS. The implant deployed — assessed by Mandiant as the BYTEMITE tooling family associated with TraderTraitor — established persistent access to the developer’s working environment, including their AWS credentials and the repository pipelines used to deploy Safe{Wallet}’s frontend infrastructure.
The attackers waited. They monitored the developer’s access patterns. They identified the specific deployment pathway used to update the JavaScript files served to Safe{Wallet} users.
Then, at a moment calculated for maximum impact, they modified the Safe{Wallet} JavaScript loaded by Bybit’s signers’ browsers — but only for Bybit. The modification was conditional: the malicious code checked whether the wallet address being accessed matched Bybit’s known cold wallet address. If it did, the attack activated. For every other user of the Safe platform, the code was untouched.
The Signing Event: What the Signers Saw and What They Signed
On February 21, 2025, Bybit’s authorized signers connected to perform a routine transfer from the ETH cold wallet to the hot wallet — a standard operational process for maintaining exchange liquidity. This was not an unusual event; such transfers happened regularly.
Each signer’s browser loaded the Safe{Wallet} frontend. What they saw was the interface they had always seen: the correct source address, the correct destination address, the correct amount. The transaction details displayed by the Safe interface appeared entirely legitimate.
What was actually inside the transaction data their hardware keys were asked to sign was different. The smart contract logic had been altered: the malicious JavaScript was constructing a transaction that, upon execution, would transfer ownership of the Safe smart contract to attacker-controlled addresses. The signers were not approving a transfer. They were approving a change in who controlled the vault.
The hardware keys signed it. The threshold was reached. The transaction executed.
The attackers now had full control of the smart contract holding Bybit’s cold wallet. They immediately drained the entire balance — 401,347 ETH, worth approximately $1.5 billion at prevailing prices — across a rapid sequence of transactions to attacker-controlled addresses.
The attack had required no vulnerability in Ethereum. No flaw in the multi-sig cryptography. The private keys were never compromised. The signers acted exactly as intended by the security model. What changed was the information those signers were given — and the content of what the hardware was asked to sign. This attack class is known as blind signing: approving a cryptographic transaction based on what a software interface displays rather than the raw bytes being signed.
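The defensive counterpart to the blind-signing problem just described is to decode the raw bytes independently of whatever the interface displays and compare them with the transfer the operator intended to approve. The following is an added example, not code from Bybit, Safe, or this article; it assumes the public Safe execTransaction ABI and its selector, and every address and amount in it is constructed for the demo.

```python
# Selector of Safe's execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes);
# assumed from the public Safe contract ABI (the article does not quote it).
SELECTOR = bytes.fromhex("6a761202")
CALL = 0  # Safe `operation` field: 0 = CALL, 1 = DELEGATECALL
def _word(buf: bytes, i: int) -> int:
    return int.from_bytes(buf[32 * i:32 * (i + 1)], "big")

def decode_exec_transaction(calldata: bytes) -> dict:
    """Read (to, value, data, operation) straight from ABI-encoded execTransaction calldata."""
    if calldata[:4] != SELECTOR:
        raise ValueError("not an execTransaction call")
    args = calldata[4:]
    data_off = _word(args, 2)                 # offset of the dynamic `data` argument
    data_len = _word(args[data_off:], 0)
    return {"to": "0x" + args[12:32].hex(),   # address sits right-aligned in its 32-byte word
            "value": _word(args, 1),
            "data": args[data_off + 32:data_off + 32 + data_len],
            "operation": _word(args, 3)}

def check_against_intent(calldata: bytes, intended_to: str, intended_value: int) -> list:
    """List every way the raw payload differs from the routine ETH transfer the operator meant to sign."""
    tx = decode_exec_transaction(calldata)
    problems = []
    if tx["to"] != intended_to.lower():
        problems.append("destination mismatch: " + tx["to"])
    if tx["value"] != intended_value:
        problems.append("value mismatch: " + str(tx["value"]))
    if tx["data"]:
        problems.append("a plain ETH transfer carries no calldata")
    if tx["operation"] != CALL:
        problems.append("operation is not CALL: the Safe would run foreign code against its own storage")
    return problems

def encode_exec_transaction(to: str, value: int, data: bytes, operation: int) -> bytes:
    """Constructed sample calldata for the demo (zero gas parameters, empty signatures)."""
    word = lambda n: n.to_bytes(32, "big")
    addr = lambda a: bytes(12) + bytes.fromhex(a[2:])
    dyn = lambda b: word(len(b)) + b + bytes((-len(b)) % 32)   # length word + right-padded bytes
    data_off = 10 * 32                        # ten head words precede the dynamic section
    head = (addr(to) + word(value) + word(data_off) + word(operation) + word(0) * 3
            + addr("0x" + "00" * 20) * 2 + word(data_off + len(dyn(data))))
    return SELECTOR + head + dyn(data) + dyn(b"")
# Constructed demo addresses; neither is a real Bybit or attacker address.
HOT_WALLET = "0x" + "11" * 20
if __name__ == "__main__":
    honest = encode_exec_transaction(HOT_WALLET, 10**18, b"", CALL)
    tampered = encode_exec_transaction("0x" + "22" * 20, 0, bytes.fromhex("deadbeef"), 1)
    print(check_against_intent(honest, HOT_WALLET, 10**18))    # []
    print(check_against_intent(tampered, HOT_WALLET, 10**18))  # four findings
```

The check runs on the bytes the hardware device is handed, so it does not matter what the browser rendered; the point is that a second, independent decoder has to exist outside the frontend that was tampered with.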
The Forensic Response: ZachXBT and the Six-Day Attribution
Within minutes of the theft, blockchain analyst ZachXBT — a pseudonymous on-chain researcher — identified the draining transactions and published them publicly. The open nature of Ethereum’s blockchain made the transfer trail immediately visible to anyone with the tooling to read it.
The $1.5 billion in ETH began moving through a laundering chain that blockchain forensics firms Elliptic, Chainalysis, and TRM Labs tracked in near real time: through Tornado Cash and other mixers for privacy, across cross-chain bridges to other blockchains, through decentralized exchanges to swap tokens, into networks of wallets designed to fragment and distribute the funds.
ZachXBT published an independent analysis identifying the theft as Lazarus Group / TraderTraitor within hours — citing matching on-chain patterns from the Ronin and Harmony heists, consistent laundering methodologies, and cluster analysis of infrastructure. The FBI formally attributed the attack to TraderTraitor on February 26, 2025, five days after the theft — an attribution timeline that was itself remarkable for its speed, reflecting the FBI’s increasing capability in blockchain forensic analysis.
By the time of FBI attribution, the attackers had already moved the funds through dozens of intermediate wallets and converted significant portions to other assets. Blockchain is transparent; it is not reversible.
Bybit’s Response and the Recovery
Ben Zhou made an immediate decision: Bybit would not collapse. Within hours of the theft, the exchange secured bridge loans from industry participants — including an emergency liquidity transfer from the trading firm Galaxy Digital — and processed customer withdrawal requests normally. Zhou’s public communication was continuous and direct, providing updates on the investigation via live stream and social media in a manner that contrasted sharply with the opacity that had characterized exchange responses to earlier crises.
Bybit launched a bug bounty / recovery program, offering 10% of any recovered funds to white-hat researchers and blockchain forensics firms. Within two weeks of the theft, Bybit had replaced the lost ETH via over-the-counter purchases and loans, restoring its proof-of-reserves ratio and maintaining operations.
The exchange also retained Mandiant and Chainalysis for forensic reconstruction of the intrusion, producing a detailed post-mortem that for the first time publicly documented the Safe{Wallet} developer compromise and the conditional JavaScript injection methodology.
Safe Ecosystem Foundation temporarily suspended service for certain user groups, audited its deployment pipeline, and rotated all infrastructure credentials. The question of whether institutional custody should rely on browser-based interfaces — where JavaScript can be modified by anyone with access to the serving infrastructure — became a focal point of post-incident analysis.
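One concrete check for the question raised above, that a browser-based signing frontend is only as trustworthy as the infrastructure serving it, is to verify the JavaScript actually served against digests pinned outside the deploy pipeline before every signing session. This is an added example, not Safe's or Bybit's own tooling; the page, bundle, and manifest are constructed for the demo.

```python
import base64
import hashlib
import re

SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc\s*=\s*"([^"]+)"', re.IGNORECASE)

def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Integrity value in the form browsers use for Subresource Integrity: '<algo>-<base64(hash)>'."""
    return algo + "-" + base64.b64encode(hashlib.new(algo, body).digest()).decode()

def audit_frontend(html: str, served: dict, pinned: dict) -> list:
    """Compare the scripts a signing page loads against a manifest of pinned digests.

    `served` maps script src -> bytes the CDN actually returned; `pinned` maps src -> expected
    integrity value, kept by the signing organisation outside the frontend's deploy pipeline so a
    compromised deployment cannot rewrite both the bundle and its recorded hash.
    """
    findings = []
    for src in SCRIPT_SRC.findall(html):
        if src not in pinned:
            findings.append((src, "script not in pinned manifest"))
        elif src not in served:
            findings.append((src, "asset not fetched"))
        elif sri_digest(served[src], pinned[src].split("-", 1)[0]) != pinned[src]:
            findings.append((src, "served bytes differ from pinned digest"))
    return findings

# Constructed sample page and bundle for the demo; not Safe{Wallet}'s real assets.
GOOD_BUNDLE = b"window.buildSafeTx = function (tx) { return tx; };"
PAGE = '<script src="/app.js"></script>'
PINNED = {"/app.js": sri_digest(GOOD_BUNDLE)}

if __name__ == "__main__":
    print(audit_frontend(PAGE, {"/app.js": GOOD_BUNDLE}, PINNED))                      # []
    print(audit_frontend(PAGE, {"/app.js": GOOD_BUNDLE + b"\n/* appended */"}, PINNED))  # digest mismatch
```

Pinning the digests in the page's own HTML (classic SRI) does not help when the same deploy credentials can rewrite the HTML too, which is why the manifest here lives with the signing organisation rather than on the CDN.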
Legacy: The Blind Signing Crisis
The Bybit hack became the defining event of a debate that the cryptocurrency industry had been avoiding: blind signing.
Hardware wallets — Ledger, Trezor, GridPlus — display transaction summaries on their screens before asking the user to confirm. But hardware devices cannot execute arbitrary smart contract logic or interpret the complex byte structures of modern DeFi transactions. They show what the connected software tells them to show. The actual bytes being signed may differ from the description displayed. Every institution that has used a hardware wallet to sign a complex smart contract has, in some sense, blind-signed.
The ERC-7702 and EIP-712 structured data signing standards, and subsequent hardware wallet firmware updates from Ledger, Trezor, and others, accelerated after February 2025 — attempting to give signing devices more native ability to parse and display what they were actually approving rather than relying entirely on the host software’s representation.
The United Nations Panel of Experts on North Korea included the Bybit theft in its 2025 report on North Korean sanctions evasion, confirming that cryptocurrency theft had become a principal funding mechanism for the DPRK’s weapons programs and that no single countermeasure had proven effective against the patient, intelligence-driven social engineering methodology TraderTraitor had developed.
The Ethereum blockchain continued to operate without disruption. The cryptography was never at risk. The trust layer — the human, the interface, the software between the key and the signature — was the vulnerability, as it has been in every significant cryptocurrency theft of consequence.
The $1.5 billion has not been recovered.
Attack Chain: Lazarus Group / TraderTraitor — Bybit Exchange Compromise
graph TD
A["Target Identification\nTraderTraitor identifies Safe{Wallet}\nas infrastructure trusted by\nmultiple high-value crypto institutions"] --> B["Developer Social Engineering\nFake job / investment lure sent\nto Safe{Wallet} developer via LinkedIn\nor Telegram — malware delivered\nvia document / repository link"]
B --> C["Developer Workstation Compromise\nmacOS implant (BYTEMITE family)\nEstablishes persistent access\nHarvests AWS credentials + deploy keys"]
C --> D["Supply Chain Positioning\nAttackers map Safe frontend\ndeployment pipeline\nMonitor Bybit operational patterns\nPrepare conditional JS payload"]
D --> E["Targeted JS Injection\nModify Safe{Wallet} JavaScript\nserved to browsers — BUT ONLY\nwhen Bybit's specific cold wallet\naddress is accessed"]
E --> F["Signer Session Intercept\nBybit signers connect for\nroutine cold→hot wallet transfer\nMalicious JS loads undetected\nDisplays correct-looking transaction"]
F --> G["Blind Signing\n3 of 5 hardware keys sign\nwhat appears to be a normal transfer\nActual payload: transfer smart\ncontract ownership to attacker"]
G --> H["Vault Takeover\nSmart contract ownership transferred\nAttackers have full control of\n$1.5B ETH cold wallet"]
H --> I["Fund Draining\n401,347 ETH transferred to\nattacker-controlled addresses\nin under 2 hours — Feb 21, 2025"]
I --> J["Laundering Operation\nTornado Cash · cross-chain bridges\nDEX swaps · fragmentation wallets\nZachXBT & Elliptic trace in real time"]
J --> K["FBI Attribution\nFeb 26, 2025: FBI attributes\ntheft to TraderTraitor\n5 days after the attack"]
K --> L["Legacy\nBybit recovers via loans/OTC\nBlind signing debate accelerates\nHardware wallet firmware updates\nUN: $1.5B funds DPRK weapons"]
style A fill:#1a1a2e,color:#e0e0e0
style B fill:#1a3a1a,color:#90ee90
style E fill:#c0392b,color:#fff
style G fill:#c0392b,color:#fff
style H fill:#8e44ad,color:#fff
style I fill:#8e44ad,color:#fff
style L fill:#2c3e50,color:#e0e0e0