How North Korea's Lazarus Group Pulled Off the Largest Cryptocurrency Theft in History
On February 21, 2025, Bybit — a Dubai-based cryptocurrency exchange — suffered the single largest crypto theft in history. Attackers silently redirected a routine cold-to-hot wallet transfer, draining 401,347 ETH worth approximately $1.5 billion USD.
Bybit CEO Ben Zhou confirmed the breach in real time on X (Twitter), assuring users the exchange remained solvent. Within 72 hours, emergency funding of ~447,000 ETH was secured from Galaxy Digital, FalconX, and Wintermute to replenish reserves.
The FBI and blockchain intelligence firms TRM Labs, Chainalysis, and Elliptic attributed the attack to North Korea's Lazarus Group (also known as TraderTraitor) — a state-sponsored APT collective that funds Pyongyang's nuclear weapons program through cybercrime.
Attackers targeted Safe{Wallet} — the third-party smart contract wallet platform used by Bybit — rather than attacking Bybit's own infrastructure directly.
A Safe{Wallet} developer's macOS workstation was compromised via a malicious Python app delivered through Telegram or Discord social engineering.
Attackers injected malicious JavaScript into Safe{Wallet}'s statically hosted Next.js frontend at app.safe.global, silently replacing transaction destination addresses.
Stolen AWS session tokens gave attackers access to Safe{Wallet}'s cloud environment. A YAML policy file was tampered with — unsigned and undetected.
The malicious UI displayed a legitimate-looking transaction to Bybit's multi-sig signers, who unknowingly approved the fraudulent transfer — turning security into a liability.
Funds were funneled through Tornado Cash mixers, DEXs, cross-chain bridges, and P2P vendors. 86.29% of stolen ETH was converted to BTC within weeks.
Lazarus registers C2 domain getstockprice[.]com. Malicious Docker image prepared.
Safe{Wallet} Developer1's macOS workstation infected via social engineering on Telegram/Discord. AWS session tokens stolen.
Attackers enumerate IAM roles, S3 buckets, cloud assets. Attempt to register virtual MFA device. YAML policy file silently tampered.
Malicious JavaScript injected into Safe{Wallet}'s Next.js frontend. Code targets only Bybit wallets — replacing recipient addresses in real time.
Bybit operators initiate routine cold→hot wallet transfer. Multi-sig signers approve what appears legitimate. 401,347 ETH redirected to attacker wallets.
Funds split across hundreds of wallets. Tornado Cash mixers, DEXs, cross-chain bridges used. 86.29% converted to BTC. Malicious JS scrubbed from site.
Bybit implicitly trusted Safe{Wallet}'s frontend without independently verifying the integrity of the JavaScript served at runtime. No cryptographic hash checks were performed on the UI code before signing.
Safe{Wallet}'s deployment pipeline lacked mandatory code-signing on YAML policy files. The tampered configuration left no cryptographic signature or audit-log entry — evading all routine integrity checks.
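As an added example (not Safe{Wallet} or Bybit code), the runtime integrity check described above and the Subresource Integrity pinning recommended further down: compute the `integrity` value for a frontend bundle, emit the script tag that carries it, and verify a served copy against the pin out of band. The bundle bytes and script URL are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Pinned, known-good frontend bundle (constructed sample; in practice this is
# the build artifact produced by a reviewed and signed release).
KNOWN_GOOD_BUNDLE = b"export function buildTx(to, amount) { return {to, amount}; }\n"


def sri_hash(bundle: bytes, algo: str = "sha384") -> str:
    """Return the Subresource Integrity value: '<algo>-<base64 digest>'."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI only permits sha256, sha384 or sha512")
    digest = hashlib.new(algo, bundle).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, bundle: bytes) -> str:
    """Emit the <script> tag that makes the browser refuse a modified bundle."""
    return (f'<script src="{src}" integrity="{sri_hash(bundle)}" '
            f'crossorigin="anonymous"></script>')


def verify_served_bundle(served: bytes, pinned: str) -> bool:
    """Out-of-band check: does the bundle actually served match the pin?"""
    algo, _, _ = pinned.partition("-")
    # Constant-time comparison; a mismatch means the served code is not the
    # code that was reviewed and must not be used to build signing requests.
    return hmac.compare_digest(sri_hash(served, algo), pinned)


# A served copy with one extra line (constructed): the pin no longer matches.
MODIFIED_BUNDLE = KNOWN_GOOD_BUNDLE + b"// unreviewed change\n"

if __name__ == "__main__":
    pin = sri_hash(KNOWN_GOOD_BUNDLE)
    print(script_tag("https://app.example/_next/static/chunks/main.js", KNOWN_GOOD_BUNDLE))
    print("served bundle matches pin:", verify_served_bundle(KNOWN_GOOD_BUNDLE, pin))
    print("modified bundle matches pin:", verify_served_bundle(MODIFIED_BUNDLE, pin))
```

SRI only protects scripts referenced from HTML that is itself trusted; when the static host is compromised and the HTML is rewritten together with the bundle, the pin has to be checked from outside the served site, for example by the signer's own tooling fetching the bundle and comparing it with the hash published for the release.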
Multi-signature protocols only protect against key compromise — not UI-layer manipulation. When the interface itself is poisoned, all signers become unwitting accomplices regardless of quorum size.
One compromised macOS device gave attackers a foothold into Safe{Wallet}'s entire cloud environment. No endpoint isolation or privileged access workstation (PAW) policy was enforced.
Hardware wallet signing interfaces did not display the actual on-chain transaction data in a human-readable, verifiable format, enabling "blind signing": operators approved transactions without seeing what they actually contained.
Lazarus Group operated with nation-state resources, patience (weeks of reconnaissance), and precision targeting — exploiting the human-machine trust relationship rather than brute-forcing cryptography.
Always verify the actual on-chain destination address and amount on the hardware wallet's own trusted display — never rely solely on the browser UI.
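As an added example (not Safe{Wallet}, Bybit or hardware-wallet code) of the independent check the blind-signing finding and this recommendation call for: decode the destination, amount and operation from the raw Safe `execTransaction` calldata that will actually be signed and compare them with what the operator intended, instead of trusting the browser UI. The selector is that of Safe's `execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)`; the encoder and the addresses are constructed for the demonstration.

```python
from dataclasses import dataclass

EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")  # keccak256(signature)[:4]
WORD = 32                   # the ABI puts every static argument in a 32-byte word
CALL, DELEGATECALL = 0, 1   # Safe's `operation` values

@dataclass
class SafeTxHead:
    to: str          # 0x-prefixed lowercase hex address
    value_wei: int
    operation: int

def decode_exec_transaction(calldata: bytes) -> SafeTxHead:
    """Read destination, value and operation from the bytes that will be signed."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction call")
    args = calldata[4:]
    if len(args) < 4 * WORD:
        raise ValueError("calldata truncated")
    to_word, value_word, _data_offset, op_word = (
        args[i * WORD:(i + 1) * WORD] for i in range(4))
    return SafeTxHead(
        to="0x" + to_word[12:].hex(),  # an address is right-aligned in its word
        value_wei=int.from_bytes(value_word, "big"),
        operation=int.from_bytes(op_word, "big"),
    )

def check_intended_transfer(calldata: bytes, expected_to: str,
                            expected_value_wei: int) -> list[str]:
    """Mismatches between what will be signed and what the operator meant to send."""
    tx = decode_exec_transaction(calldata)
    findings = []
    if tx.to != expected_to.lower():
        findings.append(f"destination {tx.to} differs from intended {expected_to.lower()}")
    if tx.value_wei != expected_value_wei:
        findings.append(f"value {tx.value_wei} wei differs from intended {expected_value_wei} wei")
    if tx.operation != CALL:
        findings.append(f"operation {tx.operation} is not a plain CALL")
    return findings

def encode_exec_transaction(to: str, value_wei: int, operation: int) -> bytes:
    """Constructed minimal calldata (empty `data` and `signatures`) for the demo."""
    u = lambda n: n.to_bytes(WORD, "big")           # one 32-byte big-endian word
    addr = bytes.fromhex(to[2:]).rjust(WORD, b"\0")
    # head: to, value, data offset, operation, safeTxGas, baseGas, gasPrice,
    # gasToken, refundReceiver, signatures offset; then the two empty tails
    head = addr + u(value_wei) + u(10 * WORD) + u(operation) + u(0) * 5 + u(11 * WORD)
    return EXEC_TRANSACTION_SELECTOR + head + u(0) + u(0)
```

Run the check against the exact bytes shown on the hardware wallet, not against anything rendered by the web frontend; an empty findings list is the only result that should be signed.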
Enforce cryptographic signing on all CI/CD pipeline files, YAML configs, and frontend bundles. Implement Subresource Integrity (SRI) checks on all loaded scripts.
Isolate developer machines that have access to production signing keys and cloud credentials. No social media, messaging apps, or untrusted software on PAWs.
Continuously audit all third-party dependencies, SDKs, and wallet infrastructure. Treat every external library as a potential attack surface, and maintain a Software Bill of Materials (SBOM) so that every component in production is known and accounted for.
Deploy blockchain analytics and on-chain monitoring to flag unusual transaction patterns, unexpected destination addresses, or abnormal transfer volumes before signing.
Train all developers and operators on spear-phishing, fake job offers, and Telegram/Discord-based lures — the primary initial access vector used by Lazarus Group globally.
Require dual-control (two independent approvers) for any changes to wallet policies, deployment configurations, or access control rules — eliminating single points of failure.
Never implicitly trust any internal or external service. Enforce least-privilege access, micro-segmentation, and continuous authentication across all systems and APIs.
The Bybit hack is not just a cryptocurrency story — it is a watershed moment for all of cybersecurity. It demonstrates that even organizations with robust cryptographic controls, multi-signature protocols, and cold storage can be defeated when attackers target the human-machine trust layer.
As AI-powered social engineering, supply chain attacks, and state-sponsored APTs converge, the security industry must evolve from perimeter defense to zero-trust, end-to-end verification at every layer — from developer workstations to transaction signing interfaces.