Friday’s Bybit hack was a dark day for the crypto industry — and illustrates two things.
For one, even exchanges with robust security measures are vulnerable to sophisticated attacks. And two, evolving tactics mean North Korean hackers are an evolving threat, with their thefts getting larger and more frequent each year.
This was the biggest hack in the history of crypto, with $1.4 billion gone in the blink of an eye — comfortably eclipsing the $625 million swiped from the Ronin Network almost three years ago.
Here, Cryptonews will walk you through everything we know about the attack so far — including what happened, who was responsible, and the wider industry impact.
The Hack
Soon after reports of the hack started swirling, Bybit released a statement on X to confirm that “unauthorized activity” was detected in one of its ETH cold wallets.
At the time, a routine transfer was being made to a warm wallet, and the transaction had gone through multiple checks beforehand.
Bybit CEO Ben Zhou was the final person to sign off — and after making a series of security checks, he was satisfied that everything looked in order. But although the correct destination had been displayed for the transfer, behind-the-scenes manipulation meant the funds were actually sent to the hackers’ wallet.
Chainalysis says the initial compromise was via social engineering, and said:
“The hackers gained access to Bybit’s user interface by executing phishing attacks against the cold wallet signers, leading them to sign malicious transactions that replaced the Safe’s multi-signature wallet implementation contract with a malicious one.”
In a Spaces conversation on X, Zhou revealed that he received a phone call from his chief financial officer 30 minutes after the transaction was completed.
“I can feel something’s wrong because the guy was just shaking … he almost cannot speak. ‘Ben, there was an issue … we might be hacked.’”
The CEO said he initially thought that 30,000 ETH — worth about $82 million — was affected, but was then told that 401,000 ETH had been stored in this cold wallet. All of it was gone.
“I had this overwhelming breathlessness, I couldn’t breathe. For about five seconds I didn’t say anything. I think about 10 seconds later I told myself that I needed to snap out of it.”
Zhou said he enacted immediate security protocols that had been rehearsed once a month — and he used a button enabling him to wake up everyone in the company, as well as top management. At that point, the executive says his top priority wasn’t to recoup the $1.4 billion — but to protect Bybit’s reputation.
A livestream was hastily arranged so Zhou could answer questions from Bybit customers, but there were two things he wanted to stress to customers: all other cold wallets were fine, and the exchange was able to cover the loss because customer assets are backed on a one-to-one basis.
The total value locked on Bybit. Image: DeFiLlama
Before that broadcast began, Zhou wrote a message to staff that said:
“Dear Bybuddies, understand that it’s a difficult time now. I appreciate that all of you stand in line. It’s going to be a difficult 24 to 48 hours that we will face, but I am confident that we will make it through. Please ensure we remain professional and calm to all clients and external partners. We will try our best to remain withdrawals. At the same time, I want to say even with this amount of loss, all client assets are covered. It is the time to answer clients’ questions in a timely manner, and be there with our clients, and we will use transparency and communication to remove doubts from our clients.”
Zhou accurately foresaw what was coming — and ultimately, it seems Bybit managed to come good on that promise. The exchange later revealed that it had processed a staggering 350,000 withdrawal requests within the first 10 hours of the hack… and 580,000 had successfully been completed by Saturday. Once that backlog was cleared, the company said all of its systems were operating normally.
Maintaining that aura of “business as usual” mattered, as many trading platforms have suddenly halted withdrawals in the past — and in the case of FTX, this was the precursor to a long and messy bankruptcy.
DeFiLlama data shows Bybit had close to $17 billion in total assets before the hack took place, but this had plunged to $10.8 billion by Sunday as customers raced to pull funds out of their accounts. As of Tuesday, that figure had rebounded slightly — nudging up to $11.5 billion.
Funds stolen by North Korea. Image: Chainalysis
The Hackers
As Bybit raced to calm customers and the markets, on-chain investigators were getting to work too — and finding out who was responsible.
Within hours of the $1.4 billion hack taking place, ZachXBT had uncovered definitive proof that the Lazarus Group was behind this exploit.
This is a collective that has close ties to the North Korean government, with U.S. officials claiming that stolen crypto ends up being laundered, cashed out, and used to fund the isolated state’s programs to build ballistic missiles and weapons of mass destruction.
The Lazarus Group’s fingerprints have been on some of the biggest hacks to rock the crypto industry in recent years — including the $234 million WazirX theft earlier this year, the $100 million stolen from both Atomic Wallet and Horizon, and that jaw-dropping $625 million swiped from the Ronin Network.
While crypto transactions are traceable to an extent, mixers and decentralized exchanges allow these cybercriminals to obfuscate the source of funds, making it seem like they’re gone without a trace. Looking at the Lazarus playbook following the Ronin attack, Chainalysis senior director of investigations Erin Plante said:
“They move the funds really quickly and they move them through a lot of different types of obfuscation to get to a point where they can try to quickly cash out. They hope investigations are a few stages behind because they’re only going to keep the funds in a freezable state — like a stablecoin or a centralized exchange — for five or ten minutes. And they hope that they’ve gotten just far enough ahead of investigators, and put just enough laundering in there, that the services aren’t going to know where they track back to.”
Arkham Intelligence has been tracking what’s happening to the 401,000 ETH stolen from Bybit — mapping out a constellation of wallets where the crypto has been distributed so far. It wrote:
“The Bybit Hacker is making 2-3 transactions per minute, and stops every 45 minutes for a 15 minute break. They move ETH from one address at a time, before moving onto the next one.”
So far, it seems the Lazarus Group has been swapping this stolen Ether primarily for Bitcoin, as well as the DAI stablecoin. Decentralized exchanges, cross-chain bridges and instant swap services that don’t implement Know Your Customer checks have been relied on to transport funds across blockchains.
But of course, $1.4 billion is a lot of money — and Chainalysis has warned that the hackers won’t be afraid to let some of this crypto lay dormant for a little while.
“By delaying laundering efforts, they aim to outlast the heightened scrutiny that typically immediately follows such high-profile breaches.”
The Fightback
Bybit has now launched a bounty program that’s designed to reward security experts who help recover this stolen crypto — meaning they’ll receive 10% of any funds recovered. That means there’s up to $140 million up for grabs.
But progress has been pretty limited so far. By Sunday, only $85 million of the funds taken by Lazarus Group had been frozen or recovered… amounting to barely 5% of what is missing.
On Monday, the exchange claimed that it had also managed to fully close the ETH gap in client assets within 72 hours — adding that “strategic partnerships with firms like Galaxy Digital, FalconX and Wintermute, along with support from Bitget, MEXC and DWF Labs, helped Bybit replenish the reserves in record time.”
This was reinforced by a Hacken audit that confirmed the crypto platform — which is the world’s second largest in terms of trading volumes — “possesses sufficient reserves to cover user assets 1:1 across the board.”
Bybit had launched Proof of Reserves in direct response to the FTX hack — and at the time, said “laying everything on the table deters a crypto exchange from making secretive financial transactions.”
Zhou was asked on X whether he believes that there’s any chance his exchange will get this stolen crypto back — and if there’s any point in getting law enforcement agencies involved. He said:
“We will try our best … I assume it will take a long, long time for the hackers to wash this money out. We are hoping that by adding enough trouble for them, maybe they would consider returning it at some point … the Singapore police took it seriously and have already escalated it to Interpol level.”
By the looks of things so far, any chance of the Lazarus Group realizing the error of their ways and sending the crypto back looks exceedingly unlikely.
The Threat
Chainalysis has long been keeping tabs on the Lazarus Group, and it’s clear to see their hacks on crypto exchanges are escalating.
North Korea was responsible for about two-thirds of the funds stolen from this industry in 2024 — but this doesn’t tell the whole story.
Roughly $660 million was stolen by Lazarus across 20 incidents in 2023, surging to $1.34 billion in 47 hacks last year. Just two months into 2025, this group has managed to break records — and that was through just one attack.
Attention is now turning to whether such attacks can be prevented in the future — and whether crypto exchanges are a safe environment for investors to store their assets.
Ledger CEO Pascal Gauthier has argued that trading platforms need to rethink their security measures altogether, and make a concerted shift to new approaches such as “Clear Signing.” On X, he wrote:
“Security is not static — attackers are getting smarter, and our industry must stay ahead by enforcing the highest enterprise security standards to prevent the next, more sophisticated attack.”
Clear Signing means that details about a transaction are presented in a human-readable format, and Gauthier argues that Bybit’s exploit wouldn’t have happened had this security layer been implemented.
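To make the “clear signing” idea concrete, here is an added example (not code from Cryptonews, Ledger, Safe or Bybit) of a pre-signing check that decodes a Safe-style multisig transaction into plain words and compares the decoded recipient with the destination the signing interface displayed. The field names follow Safe's SafeTx struct; the addresses are constructed, and the red-flag rules are general multisig hygiene, not a description of the Bybit transaction itself.

```python
from dataclasses import dataclass, field

CALL, DELEGATECALL = 0, 1                    # Safe's Enum.Operation values
ERC20_TRANSFER = bytes.fromhex("a9059cbb")   # selector of transfer(address,uint256)

@dataclass
class SafeTx:
    """Subset of Safe's SafeTx fields a signer must verify."""
    to: str          # account or contract the Safe will call
    value: int       # wei attached to the call
    data: bytes      # calldata
    operation: int   # 0 = CALL, 1 = DELEGATECALL

@dataclass
class Decoded:
    summary: str
    recipient: str = ""                      # who actually receives funds, if decodable
    flags: list = field(default_factory=list)

def decode(tx: SafeTx, safe_address: str) -> Decoded:
    """Render the transaction in plain words and collect red flags."""
    d = Decoded(summary="")
    if tx.operation == DELEGATECALL:
        d.flags.append("DELEGATECALL runs foreign code in the Safe's own storage context")
    if tx.to.lower() == safe_address.lower():
        d.flags.append("target is the Safe itself: wallet administration, not a transfer")
    if tx.data == b"":                                   # plain ETH transfer
        d.recipient = tx.to
        d.summary = f"send {tx.value / 10**18:.4f} ETH to {tx.to}"
    elif tx.data[:4] == ERC20_TRANSFER and len(tx.data) == 68:
        d.recipient = "0x" + tx.data[16:36].hex()        # address is the low 20 bytes of a 32-byte word
        amount = int.from_bytes(tx.data[36:68], "big")
        d.summary = f"token {tx.to}: transfer {amount} base units to {d.recipient}"
        if tx.value:
            d.flags.append("ETH value attached to a token transfer")
    else:
        d.summary = f"call {tx.to}, selector 0x{tx.data[:4].hex()}, {len(tx.data)} bytes of calldata"
        d.flags.append("calldata is not a recognised transfer; do not sign until fully decoded")
    return d

def safe_to_sign(tx: SafeTx, safe_address: str, displayed_recipient: str):
    """Compare what the signing UI displayed with what the payload actually does."""
    d = decode(tx, safe_address)
    if not d.recipient or d.recipient.lower() != displayed_recipient.lower():
        d.flags.append(f"displayed recipient {displayed_recipient} is not the decoded recipient")
    return not d.flags, d

# Constructed sample addresses, not real Bybit wallets.
SAFE, WARM, TOKEN = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
```

The point is that the signer verifies the raw payload on an independent device rather than trusting the interface's rendering; any flag means the transaction is not the routine transfer it appears to be.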
Ledger has also stressed that this latest hack underlines the need for self-custody — and that consumers should be relying on hardware wallets instead of entrusting their funds to exchanges.
The post The Bybit Hack Explained: What Happened, Who Did It, What Happens Next appeared first on Cryptonews.