Introduction
On 21 February 2025, Bybit, one of the world's largest cryptocurrency exchanges by trading volume, lost approximately $1.46 billion in ETH and related ERC-20 tokens. This is the largest cryptocurrency theft in history (and the largest cybercrime). It was attributed to the Lazarus Group, a hacking team linked to the North Korean government. The heist surpassed the group's previous records, such as the $625 million Ronin Network attack in 2022.
Timeline of The Incident
- February 21, 2025, ~10:00 AM EST
  - ZachXBT detects suspicious outflows exceeding $1.46 billion from Bybit's wallets.
- February 21, 2025, Afternoon
  - Bybit's CEO, Ben Zhou, issues a public statement confirming the breach, emphasizing that all other cold wallets are secure.
  - Source: X.com @benbybit
- February 21, 2025, Evening
  - Arkham Intelligence, a blockchain analytics firm, announces a bounty of 50,000 ARKM tokens (approximately $31,500) for information identifying the attackers.
- February 21, 2025, 19:09 UTC
  - ZachXBT submits evidence to Arkham Intelligence linking the attack to the Lazarus Group. The submission includes:
    - Test transaction records
    - Connected wallet patterns
    - Timing and behavioural similarities to prior Lazarus
- February 22, 2025
  - Multiple cybersecurity firms, including Elliptic and Chainalysis, corroborate ZachXBT's findings, attributing the hack to the Lazarus Group based on blockchain forensics.
How the attack happened
The attackers breached Bybit's Ethereum cold wallet, a multisig wallet meant to be an offline and secure storage system. They compromised the transaction approval process during a migration of funds from the multisig cold wallet to a warm wallet, exploiting "blind signing": a signing flow in which the signers approve a transaction without being able to fully verify the underlying data they are signing over, relying instead on whatever summary the signing interface shows them.
A fake user interface was presented to Bybit's wallet signers, so the transaction appeared legitimate, and the signers approved what they believed was a routine transfer.
As a result, approximately 401,347 ETH (valued at about $1.46 billion) was transferred to an unidentified address. The funds were then split across multiple wallets and laundered through decentralized exchanges (DEXs).
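The defensive counterpart to blind signing is an independent check of the raw payload against what the UI claims, done by each signer before approving. The following is an added example and not code from the original article or from Bybit; it assumes a Safe-style multisig whose transaction carries an `operation` field (0 = CALL, 1 = DELEGATECALL) and that the expected action is a plain ERC-20 transfer, and every address and amount in it is a constructed placeholder.

```python
from dataclasses import dataclass

# Standard ERC-20 selector: first 4 bytes of keccak256("transfer(address,uint256)").
ERC20_TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")
CALL, DELEGATECALL = 0, 1  # Safe-style `operation` field (assumption, see lead-in)

@dataclass
class RawTx:  # the fields the signer is actually asked to sign over
    to: str
    data: bytes
    operation: int

@dataclass
class UiClaim:  # what the signing UI tells the human is about to happen
    token: str
    recipient: str
    amount: int

def encode_erc20_transfer(recipient: str, amount: int) -> bytes:
    """Build transfer(address,uint256) calldata; used here only to construct sample inputs."""
    return ERC20_TRANSFER_SELECTOR + bytes(12) + bytes.fromhex(recipient[2:]) + amount.to_bytes(32, "big")

def decode_erc20_transfer(data: bytes):
    """Return (recipient, amount) for well-formed ERC-20 transfer calldata, else None."""
    if len(data) != 68 or data[:4] != ERC20_TRANSFER_SELECTOR or any(data[4:16]):
        return None  # wrong length, wrong selector, or non-zero padding in the address word
    return "0x" + data[16:36].hex(), int.from_bytes(data[36:68], "big")

def check_before_signing(tx: RawTx, ui: UiClaim) -> list[str]:
    """Compare the raw payload with the UI's story; an empty list means they agree."""
    problems = []
    if tx.operation != CALL:
        problems.append("operation is DELEGATECALL, which can change the wallet's own code")
    if tx.to.lower() != ui.token.lower():
        problems.append("target contract is not the token the UI names")
    decoded = decode_erc20_transfer(tx.data)
    if decoded is None:
        problems.append("calldata is not a plain ERC-20 transfer")
    elif decoded[0].lower() != ui.recipient.lower():
        problems.append(f"calldata pays {decoded[0]} but the UI shows {ui.recipient}")
    elif decoded[1] != ui.amount:
        problems.append(f"calldata amount {decoded[1]} differs from UI amount {ui.amount}")
    return problems

# Constructed placeholders, not real addresses: token contract, treasury, attacker-controlled address.
TOKEN, TREASURY, ATTACKER = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
UI = UiClaim(token=TOKEN, recipient=TREASURY, amount=10_000 * 10**18)
HONEST = RawTx(to=TOKEN, data=encode_erc20_transfer(TREASURY, UI.amount), operation=CALL)
TAMPERED = RawTx(to=TOKEN, data=encode_erc20_transfer(ATTACKER, UI.amount), operation=DELEGATECALL)
```

`check_before_signing(HONEST, UI)` returns an empty list, while the tampered payload, which the UI would describe identically, is rejected for both its DELEGATECALL operation and its substituted recipient.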
How They Laundered the Stolen Funds
- Token Exchange to Ether
  - The attackers exchanged hundreds of millions of dollars in stolen ERC-20 tokens (such as stETH and cmETH) for Ether (ETH) using decentralized exchanges (DEXs).
- Fund Splitting
  - Within two hours of the theft, the stolen Ether was split across 50 different wallets, each holding smaller amounts (e.g., 10,000 ETH per wallet).
- Conversion to Bitcoin
  - eXch has reportedly allowed over $75 million of the stolen assets to be exchanged.
  - Approximately 10% of the stolen assets have been converted to Bitcoin.
- More Information
  - Blockchain analytics firms such as Elliptic and Chainalysis have flagged 39 addresses tied to the attack.
Conclusion
The ETH price dropped by over 8% after the $1.46 billion theft, and if the attack was indeed carried out by the Lazarus Group, North Korea is now one of the largest holders of ETH. Some estimates put the group's total crypto thefts since 2017 at over $3 billion. Bybit also launched a $140 million bounty for the return of the stolen funds. The total stolen amount stated here may be inaccurate (other sources cite $1.44 B, $1.4 B, $1.5 B and $1.936 B). This article assumes $1.46 B, aligning with ZachXBT's on-chain analysis of 401,347 ETH.