Bybit Hack Forensics Show North Korean Hackers Stole $1.5 Billion in Largest Crypto Heist by Exploiting SafeWallet Developer

Bybit's recent $1.5 billion hack was traced back to a compromised SafeWallet developer’s machine, allowing North Korea’s Lazarus Group to execute the largest crypto theft in history. A forensic investigation by Sygnia and Verichains found that attackers injected malicious JavaScript into SafeWallet’s Amazon Web Services (AWS) infrastructure, tricking signers into approving fraudulent transactions. The breach on Feb. 21 targeted Bybit’s Ethereum multisig cold wallet, redirecting over 400,000 ETH and liquid-staked ETH to an attacker-controlled address.

The attack was designed to remain undetected, with the injected JavaScript only activating under specific conditions when accessed by Bybit signers. Two minutes after the stolen funds were moved, the malicious code was removed from SafeWallet’s AWS S3 bucket. Sygnia’s investigation found that these changes had been made two days before the hack, indicating a premeditated attack.
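The hosted JavaScript described above was modified, activated only for specific signers, and reverted two minutes after the funds moved. One defensive control that such a pattern calls for is an integrity monitor over the deployed front-end bundle that records every deviation from a trusted baseline, so that a short-lived change still leaves a record after it has been reverted. The following is an added example, not code from the article or from SafeWallet or Bybit; it assumes a local directory standing in for the S3 bucket, and the file names and "tampered" content are constructed for the demonstration.

```python
# Added example (not from the article or from SafeWallet/Bybit): an integrity
# monitor for a static web-app bundle. It hashes every file under a directory,
# compares the result with a trusted baseline manifest, and appends every
# deviation to a history so that a change that is later reverted still leaves
# a record. Local directories stand in for the object-store bucket.
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_assets(root: str) -> dict[str, str]:
    """Manifest mapping each relative file path under root to its SHA-256."""
    base = Path(root)
    return {
        p.relative_to(base).as_posix(): hash_file(p)
        for p in sorted(base.rglob("*"))
        if p.is_file()
    }


def diff_manifest(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Files that appeared, disappeared or changed relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
    }


class AssetMonitor:
    """Periodic checker that keeps an append-only history of deviations."""

    def __init__(self, baseline: dict[str, str]):
        self.baseline = baseline
        self.history: list[dict] = []

    def check(self, root: str, observed_at: str) -> dict[str, list[str]]:
        delta = diff_manifest(self.baseline, hash_assets(root))
        if any(delta.values()):
            self.history.append({"observed_at": observed_at, **delta})
        return delta


def demo() -> dict:
    """Constructed scenario: clean deploy, short-lived modification, revert."""
    with tempfile.TemporaryDirectory() as root:
        bundle = Path(root) / "app.js"  # hypothetical bundle name
        clean = "export function render(tx) { return JSON.stringify(tx); }\n"
        bundle.write_text(clean)
        monitor = AssetMonitor(hash_assets(root))  # trust the clean deploy

        first = monitor.check(root, "T+0")  # nothing has changed yet

        # Constructed tampering: an extra statement appended to the bundle.
        bundle.write_text(clean + "window.__extra = 1;\n")
        second = monitor.check(root, "T+1")

        bundle.write_text(clean)  # the change is reverted
        third = monitor.check(root, "T+2")

        return {
            "first": first,
            "second": second,
            "third": third,
            "history": monitor.history,
        }


if __name__ == "__main__":
    result = demo()
    for event in result["history"]:
        print(f"{event['observed_at']}: modified={event['modified']}")
```

The third check reports no deviation because the bundle matches the baseline again, yet the history still holds the T+1 event; a monitor that only compares the current state to the baseline would show nothing once the attacker cleans up. The polling interval has to be shorter than the window an attacker needs, so in practice this check is better driven by object-store change events than by a timer, and the baseline manifest should be produced by the release pipeline rather than read from the same bucket it protects.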

Bybit CEO Ben Zhou confirmed that while SafeWallet’s infrastructure was breached, Bybit’s internal systems were not compromised. Following the attack, Bybit replenished user funds by borrowing 40,000 ETH from Bitget, which has since been repaid. The exchange also secured reserves through asset purchases and large-holder deposits, ensuring full backing of client assets.

SafeWallet responded by rebuilding and reconfiguring its entire infrastructure, rotating credentials, and temporarily removing Ledger integration while restoring services. The company stated that no vulnerabilities were found in its smart contracts or front-end code but urged users to exercise caution when signing transactions.

Blockchain analysts, including ZachXBT, TRM Labs, and Elliptic, linked the Bybit attack to previous hacks by Lazarus Group, citing wallet overlaps with past breaches at Phemex, BingX, and Poloniex. Elliptic reported that since 2017, North Korean hackers have stolen over $6 billion in cryptocurrency, with funds allegedly used to support the country’s missile program. Chainalysis estimated that North Korean cybercriminals stole $1.34 billion in crypto in 2024 alone.

Bybit first detected unauthorized activity in its Ethereum cold wallet on Feb. 21 at 12:30 p.m. UTC during a routine transfer to a hot wallet. The attackers intercepted the process, altered smart contract logic, and masked the signing interface, allowing them to execute the fraudulent transfer. The incident accounted for over 60% of all crypto funds stolen last year, surpassing the 2022 Ronin Network and 2021 Poly Network hacks.

Despite the massive loss, Bybit maintained operations without significant downtime, restoring reserves and resuming withdrawals. SafeWallet has since implemented additional security measures, including enhanced monitoring alerts and validation checks for transaction data. Bybit’s forensic review found no direct compromise of its systems, but the attack has rattled investor confidence, contributing to a decline in Ether prices and broader market instability.
