TLDR:
- Bybit cryptocurrency exchange suffered a $1.4 billion hack on February 21, 2025, with attackers draining Ethereum and related tokens from the exchange’s cold wallet
- North Korea’s Lazarus Group was identified as responsible through on-chain analysis by crypto investigator ZachXBT, who provided detailed evidence including test transactions and wallet connections
- The hack occurred during a transfer from the exchange’s ETH multisig cold wallet to a warm wallet, where attackers manipulated the transaction process to mask the signing interface
- Bybit CEO Ben Zhou confirmed the exchange remains solvent and can cover losses, stating all client funds are backed 1:1
- The incident caused Ethereum’s price to drop by over 3% as markets reacted to one of the largest cryptocurrency hacks in history
A massive cybersecurity breach hit cryptocurrency exchange Bybit on February 21, 2025, resulting in the theft of approximately $1.4 billion in digital assets. The hack, which targeted the exchange’s Ethereum cold storage wallet, has been traced to the North Korean state-sponsored hacking group known as Lazarus.
The stolen assets included 401,347 ETH valued at $1.12 billion, along with various other Ethereum-based tokens. The additional losses comprised 90,376 stETH worth $253.16 million, 15,000 cmETH valued at $44.13 million, and 8,000 mETH totaling $23 million.
Blockchain intelligence firm Arkham Intelligence confirmed the Lazarus Group’s involvement after receiving detailed evidence from cryptocurrency investigator ZachXBT. The proof included comprehensive analysis of test transactions, connected wallet activities, and timing patterns that matched previous attacks attributed to the group.
BREAKING: BYBIT $1 BILLION HACK BOUNTY SOLVED BY ZACHXBT
At 19:09 UTC today, @zachxbt submitted definitive proof that this attack on Bybit was performed by the LAZARUS GROUP.
His submission included a detailed analysis of test transactions and connected wallets used ahead of… https://t.co/O43qD2CM2U pic.twitter.com/jtQPtXl0C5
— Arkham (@arkham) February 21, 2025
The breach occurred during what should have been a routine transfer from Bybit’s ETH multisig cold wallet to a warm wallet. According to Bybit co-founder and CEO Ben Zhou, the attackers employed sophisticated techniques to manipulate the transaction process. They managed to mask the signing interface, making the transaction appear legitimate while altering the underlying smart contract logic.
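The masked signing interface described above is a gap between what signers are shown and what they actually sign. As an added illustration (not from the article, and not Bybit's or any wallet vendor's code), the Python sketch below decodes a raw payload independently of the signing UI and compares it with the displayed transfer. The article gives no payload details, so the example assumes a plain ERC-20 `transfer(address,uint256)` call; all addresses, amounts and dictionary field names are constructed.

```python
# Added illustration, not Bybit's tooling. Addresses and amounts are constructed.
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")  # ERC-20 transfer(address,uint256)

def encode_transfer(recipient: str, amount: int) -> str:
    """Build transfer() calldata as hex (used here only to make sample payloads)."""
    addr = bytes.fromhex(recipient[2:])
    return (TRANSFER_SELECTOR + bytes(12) + addr + amount.to_bytes(32, "big")).hex()

def decode_transfer(calldata: bytes):
    """Decode transfer() calldata; raise ValueError for any other payload."""
    if calldata[:4] != TRANSFER_SELECTOR:
        raise ValueError("selector 0x%s is not transfer()" % calldata[:4].hex())
    if len(calldata) != 68:
        raise ValueError("calldata is %d bytes, expected 68" % len(calldata))
    if calldata[4:16] != bytes(12):
        raise ValueError("address word has non-zero padding")
    return "0x" + calldata[16:36].hex(), int.from_bytes(calldata[36:68], "big")

def mismatches(displayed: dict, raw_tx: dict, approved: set) -> list:
    """Compare what the signing UI shows with the payload actually being signed."""
    found = []
    if raw_tx["to"].lower() != displayed["token"].lower():
        found.append("call target is not the displayed token contract")
    try:
        recipient, amount = decode_transfer(bytes.fromhex(raw_tx["data"]))
    except ValueError as exc:
        return found + ["payload is not the displayed transfer: %s" % exc]
    if recipient != displayed["recipient"].lower():
        found.append("recipient in payload differs from the one displayed")
    if amount != displayed["amount"]:
        found.append("amount in payload differs from the one displayed")
    if recipient not in approved:
        found.append("recipient is not an approved warm wallet")
    return found

# Constructed sample data: one honest payload and two that a masked UI could hide.
TOKEN = "0x" + "11" * 20   # placeholder token contract
WARM = "0x" + "22" * 20    # placeholder approved warm wallet
OTHER = "0x" + "33" * 20   # placeholder unapproved address
SHOWN = {"token": TOKEN, "recipient": WARM, "amount": 15000 * 10**18}
HONEST = {"to": TOKEN, "data": encode_transfer(WARM, 15000 * 10**18)}
REDIRECTED = {"to": TOKEN, "data": encode_transfer(OTHER, 15000 * 10**18)}
SWAPPED = {"to": OTHER, "data": "deadbeef" + "00" * 64}  # different call entirely

if __name__ == "__main__":
    for name, tx in [("honest", HONEST), ("redirected", REDIRECTED), ("swapped", SWAPPED)]:
        print(name, mismatches(SHOWN, tx, {WARM}))
```

A check like this only helps when it runs on a machine separate from the signing interface and takes its payload from the signing device rather than from the UI being verified.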
Upon discovering the breach, Bybit immediately activated its security protocols and launched an investigation. The exchange has enlisted the help of leading blockchain forensic experts to trace the stolen funds and is working with various teams specializing in blockchain analytics and asset recovery.
In response to customer concerns, Zhou took to social media platform X to address the situation. He emphasized that all other cold wallets remain secure and withdrawals continue to operate normally. “Bybit is solvent even if this hack loss is not recovered, all of the client’s assets are 1 to 1 backed — we can cover the loss,” Zhou stated.
The market reacted swiftly to the news, with Ethereum’s price dropping by over 3% to $2,640 in the hours following the announcement. The incident ranks among the largest cryptocurrency hacks in history, sending ripples through the digital asset community.
The hack adds to a series of security incidents that have plagued the cryptocurrency industry in early 2025. Earlier in February, ZkLend, a money-market protocol on Starknet, lost $9.5 million in an exploit, though these funds were later returned through the Railgun protocol.
Ongoing Investigation
Bybit has established a security team to handle the ongoing investigation and has reached out to other organizations with expertise in blockchain analytics. The exchange maintains that regular operations continue without disruption, and all client funds remain safe despite the breach.
The stolen funds were moved through various transactions, prompting cryptocurrency security experts to flag and blacklist the associated addresses. These measures aim to make it more difficult for the attackers to convert or transfer the stolen assets.
Technical analysis of the hack revealed that the attackers used a complex series of transactions to obscure their activities. The manipulation of the smart contract logic allowed them to redirect funds while maintaining the appearance of legitimate transfers.
Bybit’s security team has implemented additional measures to prevent similar attacks in the future. The exchange is reviewing its cold wallet management procedures and enhancing its transaction verification processes.
The investigation continues as blockchain analysts work to track the movement of the stolen assets. Security experts are monitoring known cryptocurrency mixing services and exchanges for any attempts to convert the stolen funds.
Updates from Bybit indicate that the exchange’s other operational aspects remain unaffected. Trading continues on the platform, and the exchange maintains its regular services while working to address the security breach.
Oliver Dale
Editor-in-Chief of CoinCentral and founder of Kooc Media, a UK-based online media company. Believer in open-source software, blockchain technology and a free and fair internet for all. His writing has been quoted by Nasdaq, Dow Jones, Investopedia, The New Yorker, Forbes, TechCrunch and more. Contact Oliver@coincentral.com