Bybit Confirms $1.5B Crypto Heist in Cold Wallet Attack

Cryptocurrency exchange Bybit disclosed on Friday that a highly sophisticated cyberattack resulted in the theft of over $1.5 billion worth of cryptocurrency from one of its Ethereum cold wallets.

The incident marks the largest single crypto heist in history.

According to Bybit, the breach occurred when its ETH multisig cold wallet initiated a transfer to its warm wallet. However, the transaction was manipulated through an advanced attack that altered the underlying smart contract logic while displaying the correct address in the signing interface. This allowed the attacker to gain control of the ETH cold wallet and move the funds to an unidentified address.

In a separate statement on X, Bybit CEO Ben Zhou reassured users that all other cold wallets remain secure. The company has reported the attack to the relevant authorities.

While Bybit has yet to officially confirm the perpetrators, blockchain intelligence firms Elliptic and Arkham Intelligence have attributed the hack to the notorious Lazarus Group. The scale of the theft surpasses previous record-breaking crypto breaches, including Ronin Network ($624 million), Poly Network ($611 million), and BNB Bridge ($586 million).

Independent blockchain researcher ZachXBT linked the Bybit hack to a recent attack on Phemex, another cryptocurrency exchange targeted late last month.

Lazarus Group, a North Korean state-backed cybercriminal organization, has orchestrated numerous crypto heists to generate funds for the sanctions-hit regime. Google previously described North Korea as "arguably the world's leading cyber criminal enterprise." In 2024 alone, the group is estimated to have stolen $1.34 billion across 47 cryptocurrency hacks, accounting for 61% of all stolen digital assets, according to Chainalysis.

Cybersecurity firm Mandiant, owned by Google, noted last month that cryptocurrency heists are increasing due to their lucrative nature, difficulties in tracing stolen funds, and the lack of familiarity with Web3 security among many organizations.

Update

Bybit later provided an update, revealing that the unauthorized activity was detected during a routine transfer process on February 21, 2025, at approximately 12:30 p.m. UTC. The transaction was part of a scheduled ETH transfer from its cold wallet to its hot wallet but was compromised by an attack that manipulated smart contract logic and masked the signing interface. Over 400,000 ETH and stETH, valued at more than $1.5 billion, were transferred to an unknown address.

TRM Labs has also linked the attack to the Lazarus Group, citing significant overlaps between addresses used in the Bybit hack and previous North Korean thefts.

Cybersecurity firm Check Point Research described the breach as a new evolution in attack strategies, relying on user interface manipulation rather than protocol exploitation alone. The attackers leveraged advanced social engineering tactics and manipulated the Gnosis Safe Protocol’s execTransaction function, demonstrating that even multisig cold wallets can be compromised if the signers themselves are deceived.
