Anatomy of the largest crypto theft in history: analyzing the $1.5 billion Bybit hack

On February 21, an unprecedented event took place: a sophisticated cyberattack on the Bybit exchange led to the theft of approximately $1.46 billion in Ethereum (ETH) and related tokens. This incident was the largest digital heist in history. It also exposed the vulnerabilities of even the most reputable platforms and caused turmoil in the crypto market. Hackers now own more ETH than Vitalik Buterin himself or the Ethereum Foundation. Who are these cybercriminals, how did they manage to pull off this scam, and what are the consequences of all this?

Content

1 Cyberattack on Bybit: how it happened
2 Lazarus Group’s footprint
3 Impact on the crypto market
- 3.1 Bybit licks wounds

Cyberattack on Bybit: how it happened

The hacker attack on Bybit was not a brute force attack or a simple exploitation of a smart contract vulnerability. Instead, it was a carefully orchestrated operation using social engineering, user interface (UI) manipulation, and a deep understanding of Bybit’s operational processes. The hack occurred during a routine transfer of funds from Bybit’s multisig cold wallet — a highly secure, offline storage system — to the hot wallet, which supports daily trading operations.

The attackers initially gained access to Bybit’s cold wallet signer systems through phishing emails or malware. This initial infiltration was aimed at exploiting the human element – specifically, those responsible for confirming transactions — rather than the blockchain infrastructure itself.
Once they gained access, the hackers cloned the Bybit transaction signing interface, creating a fake version that looked identical to the real thing. When the signatories checked the transfer, they saw the correct destination address and amount, with no suspicious signs. But the basic logic of the smart contract was changed.
Signatories, deceived by a fake interface, approved what they thought was a standard transaction. In fact, they authorized a transaction that rewrote the wallet’s contract, effectively handing control to the attackers. This allowed the hackers to drain the entire cold wallet — 401,347 ETH, 90,376 stETH, 15,000 cmETH, and 8,000 mETH — to an unknown address.
The attackers then quickly began to cover their tracks. The stolen ETH was distributed among more than 40 wallets, with 10,000 ETH per address. Derivatives such as stETH and cmETH were exchanged for ETH via decentralized exchanges (DEX) such as Uniswap and ParaSwap, and then the assets were split into smaller pieces to make tracing more difficult.

Over the past four days, hackers have washed 100,000 ETH (worth about $250 million), which is 18% of the total amount of ETH stolen (499,000). With a balance of 399,000 ETH still in the wallets, Bybit robbers own more ETH than Vitalik Buterin himself (250,000 ETH) or the Ethereum Foundation (269,175 ETH).

Currently, attackers mainly use the THORChain service to exchange assets between different chains for BTC, DAI, and other assets: the service allows them to do so directly between different blockchains without intermediaries or the use of wrapped tokens. Moreover, participants do not need to register, so everything is anonymous.

Lazarus Group’s footprint

Several platforms, including Arkham Intelligence and Elliptic, attributed the attack to the North Korean hacker group Lazarus, known for high-profile cryptocurrency thefts. This conclusion is based on several pieces of evidence:

Similar behavior ZachXBT researcher, who received an award from Arkham for his work, identified test transactions and wallet clusters associated with previous Lazarus operations, such as the Phemex and BingX hacks. The primary hacker address (0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2) showed similarities in the distribution of funds and laundering techniques.
Historical precedent. The Lazarus group has stolen over $6 billion in cryptocurrency since 2017, including $1.34 billion in 2024 alone. Their script often involves user interface manipulation, social engineering, and targeting multi-signature wallets — tactics mirrored in the Bybit attack.
Laundering. The stolen ETH began to flow through DEX, cross-chain bridges, and centralized exchanges such as eXch, which processed over $75 million of these funds despite requests from Bybit to block them. The conversion of ETH to Bitcoin and the potential use of mixers are consistent with Lazarus’s laundering schemes.

Arkham Intelligence also noticed that the Bybit hackers were making 2-3 transactions per minute and stopping every 45 minutes for a 15-minute break. ETH was moved from one address at a time before moving on to the next.

If it can be confirmed that the money went to the DPRK, This will make North Korea one of the largest ETH holders in the worldі. At the same time, the proceeds are often used for the ballistic missile testing and launching program, writes Elliptic.

MEDIA writethat the FBI looking for North Korean hacker Park Jin-hyuk, associated with the Lazarus Group and the WannaCry ransomware virus. He is also involved in the theft of Bybit funds and many other cybercrimes:

$81 million — Central Bank of Bangladesh (2016)
$625 million — Axie Infinity (2022)
$100 million — Harmony Bridge (2022)
$41 million — Stake (2023)
$1.5 billion — (2025)

Impact on the crypto market

The consequences of the attack are felt everywhere, especially in the value of Ethereum and Bybit liquidity.

The price of Ether fell by almost 7% within hours of the attack, dropping from around $2.8k to $2.6k. This was due to concerns about a potential sell-off by hackers. However, ETH recovered to previous values over the weekend as Bybit bought back tokens to replenish its reserves.
Liquidity on Bybit took a serious hit. Market makers were leaving en masse, and Bybit’s share of global crypto liquidity dropped by half, from 5% to 2.6%. Daily trading volume also fell to $1.4 billion.
The hacking attack coincided with macroeconomic uncertainty — concerns about US economic growth and a drop in 10-year Treasury yields — which reinforced the risk aversion shift. Unlike previous incidents, when Bitcoin and Ethereum grew after hacking attacks due to the flow of funds into safer assets, this the event caused a steady downward pressure.

Bybit licks wounds

Fortunately for Bybit account holders, the withdrawal of so many assets did not lead to the exchange’s bankruptcy (as it did with FTX). The management promptly took measures to minimize losses:

CEO Ben Zhou reached out to his followers on Platform X within hours, and assured them that the exchange remained solvent, with customer assets backed by 1:1, and that losses could be covered through reserves or loans.
By Monday, February 24, Bybit had raised almost 447,000 ETH through emergency funding from firms such as Galaxy Digital, FalconX, and Wintermute, plus large deposits. CryptoQuant’s data confirmed that after the hack, Bybit’s ETH reserves increased to $874 million (from $1.1 billion). However, BTC reserves fell from $7 billion to $4.7 billion (-32%), and USDT reserves fell from $3.1 billion to $1.6 billion (-48%).

Bybit has offered a reward of 10% of the stolen amount for the return of funds, and is working with law enforcement agencies and blockchain experts to trace the assets. This will help limit the ability of hackers to dump ETH on legitimate markets.

Despite the scale of the attack, the stolen funds account for only 7.50% of the $20 billion in assets managed by Bybit.

The hacker attack on Bybit on February 21 was not just a record-breaking theft: it once again reminded us that the human factor and social engineering remain the most vulnerable points. But it will allow us to analyze the mistakes made and prevent similar things from happening in the future.