The Bybit Hack: Crypto's Billion-Dollar Breach


The nearly $1.5 billion heist, the latest in a string of notable hacks, exposes a critical weakness in how large transactions are approved and re-emphasizes the need for improved security infrastructure in the digital asset space.


Feb 21, 2025


On February 21, 2025, cryptocurrency exchange Bybit suffered a security breach that resulted in the theft of nearly $1.5 billion in digital assets. Measured in dollars, it is the largest cryptocurrency theft on record, a figure inflated in part by the currently elevated value of the assets taken.

The attackers exploited a gap in Bybit's approval process for cold-wallet transactions. Investigations by the parties involved are ongoing; here is what we know so far.

What Happened?

The breach occurred around 15:00 UTC and targeted Bybit's Ethereum cold wallet, a multi-signature (multi-sig) account built on Safe{Wallet}. The attacker manipulated the wallet's signing interface so that the signers, who believed they were approving a routine transfer, instead approved a transaction that changed the wallet's underlying smart contract logic. The multi-sig threshold was met with genuine signatures; what failed was the link between what the signers saw on screen and what they actually signed. With the contract logic under the attacker's control, the wallet's ether (ETH) and other assets were routed to external addresses.

The stolen funds included 401,347 ETH (valued at $1.12 billion at the time of the hack); 90,376 stETH ($253 million); 15,000 cmETH ($44 million); and 8,000 mETH ($23 million).

These assets began moving through new wallet addresses, raising concerns about potential laundering via decentralized finance (DeFi) platforms and privacy-focused mixers.

Arkham Intelligence attributed the attack to North Korea's Lazarus Group, citing evidence submitted by on-chain investigator ZachXBT: forensic analysis of the wallet transactions and timing correlations pointing to the group.

The Players

Safe{Wallet}

Safe{Wallet} is a smart-contract wallet that enforces multi-signature (multi-sig) approval: a transaction executes only after a configured threshold of authorized signers has signed it. It is widely used in institutional crypto custody and is built to protect funds against the compromise of any single key. This incident highlights the limit of that model. A multi-sig protects against stolen keys, not against every signer being shown the same false picture of a transaction. Signers who rely on the interface alone, rather than independently verifying the destination, value, calldata and operation type on a trusted device, can be led to authorize exactly the kind of transaction the threshold was meant to prevent.
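The failure mode described in the two passages above, as an added example (illustrative code written for this article, not Safe{Wallet}'s or Bybit's own software): a signer-side consistency check that reads the raw transaction payload presented for signing and compares it with what the interface claims the transaction does. The field names to, value, data and operation follow the parameters of Safe's execTransaction; the addresses, the allowlist and the sample proposals are constructed for the demonstration. A DELEGATECALL (operation = 1) executes another contract's code inside the wallet's own storage context, which is the mechanism by which a single approved transaction can replace the wallet's logic, so the check flags it regardless of what else the payload looks like.

```python
# Added example: a signer-side consistency check for a Safe{Wallet} transaction
# proposal. Field names follow Safe's execTransaction parameters; every address
# and sample payload below is constructed for the demonstration.
from dataclasses import dataclass
from typing import List, Optional, Tuple

CALL, DELEGATECALL = 0, 1             # values of the Safe "operation" field
ERC20_TRANSFER_SELECTOR = "a9059cbb"  # first 4 bytes of keccak256("transfer(address,uint256)")


@dataclass
class SafeTx:
    to: str         # account or contract the Safe will call
    value: int      # wei of native ETH sent with the call
    data: str       # hex calldata, "0x" prefixed ("0x" for a plain ETH transfer)
    operation: int  # CALL (0) or DELEGATECALL (1)


def erc20_transfer_calldata(recipient: str, amount: int) -> str:
    """ABI-encode transfer(address,uint256); used here only to build sample payloads."""
    return "0x" + ERC20_TRANSFER_SELECTOR + recipient[2:].lower().rjust(64, "0") + format(amount, "064x")


def decode_erc20_transfer(data: str) -> Optional[Tuple[str, int]]:
    """Return (recipient, amount) if `data` is a transfer(address,uint256) call, else None."""
    raw = data[2:] if data.lower().startswith("0x") else data
    if len(raw) != 8 + 64 + 64 or raw[:8].lower() != ERC20_TRANSFER_SELECTOR:
        return None
    recipient = "0x" + raw[8 + 24:8 + 64]   # address sits right-aligned in a 32-byte word
    amount = int(raw[8 + 64:], 16)
    return recipient.lower(), amount


def check_tx(tx: SafeTx, claimed_to: str, claimed_amount: int, allowlist: List[str]) -> List[str]:
    """Compare what is actually being signed with what the signer believes they approve.

    Returns a list of findings; an empty list means the payload matches the claim.
    """
    findings = []
    if tx.operation != CALL:
        findings.append("operation is DELEGATECALL: runs foreign code inside the wallet's own "
                        "storage context and can replace the wallet's logic")
    if tx.data in ("", "0x"):                       # plain native-ETH transfer
        actual_to, actual_amount = tx.to.lower(), tx.value
    else:
        decoded = decode_erc20_transfer(tx.data)
        if decoded is None:
            findings.append(f"calldata is not a recognised transfer (selector 0x{tx.data[2:10]})")
            actual_to, actual_amount = tx.to.lower(), tx.value
        else:
            actual_to, actual_amount = decoded
            if tx.value != 0:
                findings.append("token transfer also sends native ETH")
    if actual_to != claimed_to.lower():
        findings.append(f"recipient mismatch: UI shows {claimed_to}, payload sends to {actual_to}")
    if actual_amount != claimed_amount:
        findings.append(f"amount mismatch: UI shows {claimed_amount}, payload sends {actual_amount}")
    if actual_to not in (a.lower() for a in allowlist):
        findings.append(f"destination {actual_to} is not on the allowlist")
    return findings


# Constructed addresses (not real wallets or contracts).
HOT_WALLET = "0x" + "11" * 20
UNKNOWN_CONTRACT = "0x" + "ee" * 20
IMPLANT = "0x" + "cc" * 20
ALLOWLIST = [HOT_WALLET]

# What the signers believe they are approving: 30,000 ETH to the hot wallet.
CLAIMED_TO, CLAIMED_AMOUNT = HOT_WALLET, 30_000 * 10**18

# Proposal 1: the payload matches the interface.
HONEST_TX = SafeTx(to=HOT_WALLET, value=CLAIMED_AMOUNT, data="0x", operation=CALL)

# Proposal 2: same story on screen, but the payload delegatecalls an unknown
# contract with calldata merely shaped like a token transfer (constructed bytes).
TAMPERED_TX = SafeTx(to=UNKNOWN_CONTRACT, value=0,
                     data=erc20_transfer_calldata(IMPLANT, 0), operation=DELEGATECALL)

if __name__ == "__main__":
    for name, tx in (("honest", HONEST_TX), ("tampered", TAMPERED_TX)):
        findings = check_tx(tx, CLAIMED_TO, CLAIMED_AMOUNT, ALLOWLIST)
        print(name, "OK" if not findings else "\n  ".join(["REJECT:"] + findings))
```

The honest proposal passes; the tampered one is rejected on four counts (delegatecall, recipient mismatch, amount mismatch, destination not allowlisted). The design point is that the check consumes the raw payload, which is what the signing device will actually hash, and never the rendered interface; in practice the same fields should also be checked against the transaction hash displayed on the hardware device itself.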

Lazarus Group

The Lazarus Group, a state-sponsored hacking group attributed to the North Korean government, has been linked to multiple high-profile cyber heists, particularly in the cryptocurrency sector. Its notable attacks include the $615 million Ronin Network hack in 2022 and the $275 million KuCoin exchange hack in 2020.

State-sponsored cyberattacks, particularly from North Korea, have been a growing concern in the cryptocurrency space. They serve as a significant revenue stream for the North Korean regime, which may use stolen digital assets to fund programs such as its nuclear weapons development and to evade economic sanctions. Unlike conventional cybercriminals seeking personal financial gain, state-sponsored hackers operate with strategic geopolitical objectives, which makes them highly persistent and resourceful.

Bybit’s Response

Bybit’s co-founder and CEO, Ben Zhou, took to social media to reassure users:

"We actually already secured almost 80% of the Ethereum that's been stolen as a bridge loan to give us that liquidity, to help us with the liquidity crunch, so we can pass this crucial period." 

Bybit outlined initial recovery measures: rather than purchasing ether, it is relying on external financing from institutional partners, and it has assured clients that it remains solvent with all client assets fully backed.

Bybit’s approach to recovery raises concerns about whether relying on bridge loans is sustainable for an exchange of its size. It remains to be seen how Bybit will ultimately be affected by the breach.  

Market Impact

Not surprisingly, the Bybit hack triggered a downturn in the cryptocurrency market. During the course of the day, bitcoin reversed a 1.2% gain to trade down 3.3%, ending the day at $96,117. Ether dropped more than 6.3% from its daily high, finishing the day at $2,661, with altcoins including XRP, Solana, and Dogecoin suffering similar losses.[1]

The broader crypto market saw panic selling and liquidity disruptions reminiscent of past centralized-exchange failures. Shares of Coinbase Global Inc., for instance, finished the day down more than 8%, despite a favorable update earlier in the day on its legal battle with the U.S. Securities and Exchange Commission.[2]

Lessons Learned: Mitigating Portfolio Risk

The Bybit hack is the latest exchange breach to shake the cryptocurrency industry. Such incidents expose the fundamental risk of centralized exchanges (CEXs) holding large amounts of digital assets. Unlike DeFi platforms, where users retain control of their own private keys, CEXs hold significant assets in custodial wallets, making them lucrative targets for attackers.

The Bybit hack highlights the urgent need for improved security infrastructure in the digital asset space. One of the most effective ways to mitigate exchange-related risks is off-exchange settlement, where assets remain in custody with a regulated third party rather than being stored on the exchange itself.

This approach significantly reduces the amount of capital exposed to exchange vulnerabilities—whether from cyberattacks, operational failures, or insolvencies. Since the collapse of FTX, the industry has matured, with institutional players relying more on these innovative off-exchange settlement solutions to enhance asset protection.

Several key players are driving this shift. Hidden Road offers credit intermediation to minimize counterparty risk, while Zodia Custody, Copper’s ClearLoop, and Komainu Connect provide secure off-exchange settlement networks that allow institutional traders to access liquidity without exposing their assets to exchange-related risks.

The Bybit hack has once again demonstrated the vulnerabilities of exchanges, and we expect off-exchange solutions to gain even more popularity as institutions seek safer alternatives.

Samara Alpha CEO Wilfred Daye recently highlighted the importance of off-exchange settlement networks in risk mitigation. In addition to methodical portfolio construction focused on diversification, we rely on our partnerships with such key players to manage portfolio risk.

Looking Ahead

Bybit continues working with blockchain investigators and law enforcement agencies to trace and recover the stolen assets. The hack raises fresh concerns about centralized exchanges' security, underscoring the need for clear regulatory guidelines and stronger safeguards against sophisticated cyber threats.

While some countries have imposed stringent security standards on exchanges, others lack clear guidelines. There is a need for global regulation of custodial asset protection, including mandatory insurance requirements. Enforcing stricter operational security standards may help prevent future incidents.

Ultimately, the Bybit hack is a reminder that centralized exchanges, despite their convenience, remain prime targets for cyberattacks. Unless exchanges improve security measures, move toward off-exchange settlements, and collaborate on industry-wide security standards, these breaches will continue to plague the industry.

The future of crypto security will depend on how well the industry learns from past hacks and whether it can implement meaningful reforms before another major attack occurs.


[1] Source: CoinMarketCap as of February 21, 2025, close.

[2] Source: Yahoo Finance as of February 21, 2025, close.
