The Record Breaking Bybit Crypto Heist: A Stark Warning for Decentralised Finance

Bitcoin coin near laptop on black background. Finance and crypto money concept.

Mar04

Posted by admin
Posted in Blog

The hack underscored vulnerabilities in the burgeoning decentralised finance – DeFi – sector, where users lend, borrow and save in digital tokens, bypassing the traditional gatekeepers of finance such as banks and exchanges

On February 21, 2025, the world witnessed an unprecedented act of digital robbery – $1.46 billion in cryptocurrency vanished from Bybit, a major Dubai-based exchange. Hackers used sophisticated malware to trick the exchange’s systems into approving fraudulent transactions, marking not only the largest crypto theft ever recorded but likely the biggest financial heist in modern history. The hack underscored vulnerabilities in the burgeoning decentralised finance – DeFi – sector, where users lend, borrow and save in digital tokens, bypassing the traditional gatekeepers of finance such as banks and exchanges. It’s a warning shot across the bow that innovation without guardrails can have devastating consequences in a digital world. It has sent crypto currencies crashing

Meanwhile, Bybit claimed that a forensic review found its systems were not breached; the hack originated from compromised Safe wallet infrastructure, where Lazarus Group exploited stolen developer credentials to trick staff into approving a malicious transaction via “blind signing” (approving transactions without full visibility into their content). A source nevertheless emphasised the attack was enabled by Bybit’s reliance on blind signing despite the social engineering breach.

Image: Screenshot from Elliptic Investigator, showing a small subset of the blockchain transactions used to launder the funds stolen from Bybit. The crypto assets are flowing from top to bottom, through multiple layers of wallets.

To put the entire episode in perspective, the stolen amount surpasses even the $1 billion Saddam Hussein looted from Iraq’s central bank in 2003. The company has offered a reward of 10% of any recovered funds, in a bid to claw back some of the $1.4bn in cryptocurrency that was stolen late last week. The crypto industry has suffered a series of thefts, prompting questions about the security of customer funds, with hacking hauls totalling more than $2 billion in 2024 – the fourth straight year where proceeds have topped more than $1 billion.

Nevertheless, the company claims that the use of blockchain technology has helped them to track the stolen assets proving that the inherent transparency of blockchain technology poses a significant challenge for malicious actors attempting to launder stolen funds. Every transaction is recorded on a public ledger, enabling authorities and cybersecurity firms to trace and monitor illicit activities in real time.

Blockchain security firms blacklisted addresses linked to the exploit, preventing unauthorised fund transfers. The hacker’s wallet was quickly identified, allowing the broader community to track movements in real time. While blockchain technology was instrumental in tracking the stolen assets, it did not directly lead to the recovery of the majority of the stolen funds.

According to Chainalysis, a cyber security company involved in helping Bybit to recover the stolen assets, “this attack highlights a common playbook used by the DPRK (North Korea): orchestrating social engineering attacks and employing intricate laundering methods in an attempt to move stolen funds undetected. Funds from the Bybit exploit have also consolidated in addresses holding funds from other known DPRK-linked attacks, providing further evidence that the nation state actors are behind this latest incident.”

In a remarkable play of strategic thinking and execution, Bybit replenished $1.5B in reserves within 72 hours after a historic hack, securing 447,000 ETH via emergency loans and deposits. A Hacken audit confirmed reserves now exceed 100% collateralisation for major assets ensuring open withdrawals. The breach occurred during a cold-to-warm wallet transfer due to security flaws. CEO Ben Zhou stated client funds remain fully backed, but stolen assets remain unrecovered.

A cold to warm wallet transfer occurs when cryptocurrency is moved from an offline storage system (cold wallet, highly secure but inaccessible for instant transactions) to a semi-online wallet (warm wallet, used to process withdrawals or trades). While necessary for operational liquidity, this brief exposure creates a critical vulnerability window: hackers can intercept funds during the transfer if security protocols (e.g., multi-signature approvals) fail or are bypassed, as seen in the recent $1.5B Bybit hack where attackers exploited gaps in the transfer process to redirect funds mid-transaction.

A team of investigators from, Elliptic, a company that claims to have pioneered the use of blockchain analytics for financial crime compliance and a provider of crypto compliance solutions globally identified North Korea’s Lazarus Group as the perpetrator. This shadowy cybercrime organisation, linked to Pyongyang’s missile program, has now stolen over $6 billion in crypto assets since 2017. What makes this group particularly dangerous is their evolving ability to not only breach security systems but systematically disguise stolen funds through complex blockchain manoeuvres.

Within minutes of the breach, the thieves began converting stolen cryptocurrency tokens into more anonymous forms like Ether, using decentralised trading platforms that lack oversight. This crucial first step prevents asset freezes that token issuers might otherwise execute. By the two-hour mark, the stolen fortune had been split across 50 digital wallets, each holding roughly $29 million in Ether – a classic “layering” technique to obscure the money trail.

As of February 24, over $195 million of these funds have begun moving through a labyrinth of cryptocurrency services. While some legitimate exchanges have cooperated with seizure efforts, a platform called eXch has emerged as a key enabler. Despite direct appeals from Bybit, this anonymous exchange has processed over $75 million in stolen assets, systematically converting them into harder-to-trace bitcoin.

Elliptic’s forensic teams have been working tirelessly since the attack, collaborating with Bybit and global investigators. Its transaction-tracing software now alerts thousands of financial institutions worldwide when they encounter tainted funds. This system has already enabled successful seizures, though the race continues – Lazarus Group constantly adapts their methods, employing cross-chain transfers and privacy tools to evade detection.

The implications extend far beyond financial loss. Every dollar converted through platforms like eXch potentially funds North Korea’s prohibited weapons programs. This incident underscores a harsh reality: as cryptocurrency adoption grows, so does its appeal to sophisticated criminal networks.

Acknowledgements: