One of the biggest cryptocurrency hacks in history just hit Bybit, with hackers draining 401,346 ETH (worth approximately $1.5 billion) from the exchange’s cold wallet.
Blockchain investigator @zachxbt has linked the attack to Lazarus Group, a notorious North Korean hacking organization.
The scale of this breach is staggering, surpassing even the Axie Infinity hack of 2022, which saw $620 million stolen.
Let’s break down how this happened, who’s responsible, and what it means for the crypto industry.
On February 22, 2025, hackers managed to alter the smart contract logic in Bybit’s cold wallet, giving them full control over its funds.
Instead of making a standard transaction, they changed the way the wallet processes transfers, allowing them to move all stored ETH to an unknown address.
Blockchain forensic expert ZachXBT traced the stolen funds and found links to another major exchange hack – Phemex – which was attacked just days earlier on February 20, 2025.
The overlapping wallet addresses used in both hacks suggest that Lazarus Group was behind them, reinforcing their reputation for targeting crypto platforms.
In response to the attack, Bybit has pledged 10% of any recovered funds to ethical cyber and network security experts who help retrieve the stolen cryptocurrencies.
This move aims to incentivize white-hat hackers and forensic investigators to track down the stolen assets and identify vulnerabilities.
Since the attack, several large transfers have been made to Bybit: (Source: Lookonchain)
- Binance Whales withdrew 47,800 ETH ($127.56M) and deposited it into Bybit as loans.
- Bitget sent 40,000 ETH ($106M) to Bybit in loan support.
- Whale “0x3275” transferred 20,000 ETH ($53.7M) to Bybit.
- MEXC contributed 12,652 stETH ($33.74M) in loans.
- Whale “0xd7CF” purchased 15,427 ETH ($42.2M) from centralized and decentralized exchanges before depositing it into Bybit.
- A suspected Fenbushi Capital wallet deposited 10,000 ETH ($27M).
- DWF Labs (@DWFLabs) added 2,200 ETH ($6.02M) just an hour ago.
Lazarus Group is a North Korea-backed cybercriminal organization responsible for some of the most notorious hacks in history.
Their operations have stolen billions of dollars, allegedly funding North Korea’s weapons and government programs to bypass international sanctions.
One of their top operatives, Park Jin Hyok, is suspected of orchestrating this attack.
He is known for using the same techniques as those seen in the $230 million WazirX hack just months ago.
Notable Attacks by Lazarus Group:
- Sony Pictures Hack (2014): Leaked corporate files and disrupted operations.
- Bangladesh Bank Heist (2016): Attempted to steal nearly $1 billion through fraudulent SWIFT transfers.
- WannaCry Ransomware (2017): A global cyberattack that infected 200,000+ computers.
- Axie Infinity Hack (2022): Stole $620 million from the Ronin Network.
Lazarus Group uses advanced cyber tactics, including:
- Spear-phishing & Zero-Day Exploits – Targeting employees and security flaws.
- Fake Projects & Social Engineering – Convincing insiders to give access.
- Blockchain Mixing & Tornado Cash – Laundering stolen funds.
Since 2017, they’ve stolen over $3 billion in cryptocurrency by exploiting weaknesses in security systems across the industry.
- Bybit’s Cold Wallet Breached – 401,346 ETH stolen.
- Funds Are Being Laundered – Blockchain security firms are tracking the assets.
- Biggest Crypto Hack Ever – Surpassing the $620M Axie Infinity heist.
- Links to Phemex Hack – Stolen funds from both attacks are intermingling.
- ZachXBT’s Findings – Direct wallet connections between Bybit, Phemex, and past Lazarus attacks.
1. Cold Wallets Are Not Infallible: Many believe cold wallets are safer than hot wallets, but this hack proves they can still be compromised. Proper auditing and multi-layer security are essential.
2. Lazarus Group Is Still a Major Threat: Their tactics continue to evolve, and they are successfully breaching even the biggest crypto platforms.
Exchanges must step up security or risk losing billions.
3. Crypto Security is Not Optional: This attack is a wake-up call for founders, investors, and everyday users. If major exchanges can be hacked, anyone can be at risk.
The Bybit hack is a stark reminder that crypto security must be a top priority. The Lazarus Group has proven they are still active and getting more sophisticated.
For exchanges, strengthening security protocols, conducting regular audits, and educating employees on cyber threats are critical steps.
For users, storing assets in self-custody wallets and enabling security features like two-factor authentication can help reduce risk.
The crypto industry is built on innovation and decentralization, but without proper security, it remains vulnerable.
The question is: how many more billion-dollar hacks will it take before real change happens?
If you enjoyed this article, feel free to reach out to me at [email protected] or connect with me on social media:
Twitter: _FinegirlDami
LinkedIn: Oluwadamilola Olaniyan
I’m open to gigs, collaborations, feature opportunities, and promotional partnerships.