The $1.4B Bybit Hack: Inside the Largest Crypto Heist in History

Source: The Block

On a quiet February morning in 2024, cryptocurrency exchange Bybit lost $1.46 billion in what would become the largest crypto hack in history. But here’s the twist: the attackers never broke Bybit’s code. Instead, they broke something far more vulnerable — its people.

| Source: Arkham Intelligence

The hacker’s wallet showing a staggering $1.37B in stolen assets

When the dust settled, the damage was clear:

• 499,395 ETH stolen (0.42% of all Ethereum)
• $1.46 billion total loss
• 4 critical transactions
• Less than 24 hours to execute

But numbers only tell half the story.

Source: State Media

Rare glimpse: North Korean military personnel at cyber operations facility

The attack wasn’t random. It was orchestrated by the Lazarus Group, North Korea’s elite hacking unit. These aren’t ordinary cybercriminals — they’re state-sponsored operators with military precision.

ISafeWallet Interface Manipulation

Let me explain the code sections:

This is Bybit’s multisig wallet interface that the Lazarus Group exploited. Here’s what each part means in the attack:

• to: Where funds would be sent - hackers manipulated this to show legitimate addresses in UI while actually sending to their wallets
• value: Amount of cryptocurrency - they made large transfers look like routine amounts
• signatures: Multiple approvals needed - they socially engineered all required signers
• data: Transaction data - they showed fake data in UI while executing malicious transfers

The original vulnerable code that contributed to the hack:

This code is vulnerable because:

• It uses delegatecall without proper validation
• The operation type check (operation == 1) is too simplistic
• There’s no verification of the destination address
• The data parameter is executed without scrutiny

• Funds were routed through Chainflip.io for BTC conversion
• Target BTC address: bc1qlu4a33zjspefa3tnq566xszcr0fvwz05ewhqfq
• Multiple transactions were used to distribute the stolen funds

1. Over 350,000 withdrawal requests processed
2. 99.994% of withdrawals completed within 12 hours
3. 2.95B USDT moved to warm wallet as preventive measure

Source: Arkham Intelligence

The complex web of transactions post-hack

The attack’s brilliance lies in its simplicity. The hackers didn’t need to break encryption or find zero-day exploits. They simply made Bybit’s own multisig signers approve the transactions.

The four critical transactions that drained the wallet:

Source: Chainalysis

North Korea’s unlaundered cryptocurrency holdings by hack

What’s fascinating isn’t just how much they stole — it’s how long they hold their stolen funds. The graph shows balances as old as six years, proving this isn’t about quick profits. It’s about long-term strategy.

Source: PixOnChain

Five critical rules for cryptocurrency protection

The hack forced the industry to rethink security. Here’s the technical implementation every exchange should consider:

Transaction Monitor interface:

This represents the security systems that failed to detect the attack:

• validateTransaction: Should have caught the mismatch between displayed and actual transactions
• checkThresholds: Should have flagged unusually large transfers
• verifySignatures: Verified the signatures were real but couldn't detect the signers were manipulated

Source: Security Research

The four stages of social engineering that led to the breach

The attack followed a precise choreography:

SecureMultisig contract:

This shows how the verification system was bypassed:

• TransactionDetails: Structure storing transaction info - hackers showed fake details to signers
• verifyTransaction: Security check function - passed because signatures were real, even though signers were deceived
• dataHash: Transaction verification hash - matched because UI manipulation happened before hash generation

Key improvements in this code:

• Maintains a whitelist of approved destinations
• Verifies transaction data integrity using hashing
• Implements structured transaction details
• Separates verification logic from execution

Source: FBI

FBI Wanted poster for key Lazarus Group operatives

Meet the architects: Kim Il, Jon Chang Hyok, and Park Jin Hyok. These aren’t just hackers — they’re military-trained operatives wanted by the FBI for:

• Wire fraud conspiracy
• Bank fraud
• Computer intrusion

The Bybit hack isn’t just another crypto heist — it’s a wake-up call. The future of cryptocurrency security isn’t just about better code. It’s about understanding that your strongest security system is only as good as the humans operating it.

1. Cold storage isn’t enough if humans can be manipulated
2. UI verification can be spoofed
3. Social engineering beats technical security
4. Even the best multisig systems can fail
5. Assume you’re always a target

As cryptocurrency exchanges strengthen their defenses, one thing becomes clear: the next big hack won’t come through a technical vulnerability. It will come through the same channel this one did — human psychology.

The question isn’t whether your code is secure. It’s whether your people are.

Follow me for more deep dives into cryptocurrency security and technical analysis.

This analysis is based on current information and will be updated as new details emerge.