Bybit
Approximately $1.46B in Ethereum drained from Bybit cold-wallet infrastructure via a compromised Safe{Wallet} signing flow — the largest cryptocurrency theft on record.
- Target: Bybit
- Date public: 21 February 2025
- Sector: Crypto
- Attack type: Wallet Compromise
- Threat actor: Lazarus Group (DPRK / TraderTraitor)
- Severity: Critical
- Region: Global — Bybit headquartered in Dubai
In February 2025 a North Korean state-backed crew carried out the largest cryptocurrency theft in history, draining roughly $1.46 billion in Ethereum from Bybit, one of the world's biggest crypto exchanges. The attackers compromised an employee at Bybit's wallet-software provider, manipulated what the Bybit signers saw on their screens, and tricked them into approving a transaction that handed over control of a major cold wallet. Bybit absorbed the loss without freezing customer balances. The proceeds, US, UK and Japanese authorities have repeatedly stated, fund North Korea's weapons programmes — which is why major cryptocurrency exchanges sit at the top of the global threat-actor target list, ahead of any individual bank.
What happened
On 21 February 2025, the cryptocurrency exchange Bybit lost approximately $1.46 billion of Ethereum and Ethereum-derivative tokens in a single transaction batch. It is the largest theft in cryptocurrency history by a clear margin — roughly the value of every previous mainstream crypto exchange compromise added together.
The funds came out of an Ethereum cold wallet during what Bybit’s operators believed was a routine consolidation transfer to a warm wallet. The transaction was authorised by the required quorum of Bybit’s signers using the Safe{Wallet} multi-signature interface. The signers each looked at the transaction, checked it appeared correct in the Safe{Wallet} UI, and approved it. The transaction that actually executed on-chain was a different one — one that handed control of the wallet’s logic to an attacker-controlled contract, which then drained the balance.
Within hours, Bybit CEO Ben Zhou had publicly acknowledged the theft, processed customer withdrawals using emergency liquidity, and committed to making depositors whole regardless of recovery. Five days later, the FBI publicly attributed the operation to the Democratic People’s Republic of Korea, naming the activity cluster TraderTraitor — an arm of what is more commonly known as Lazarus Group.
How it worked
The compromise did not happen at Bybit. It happened at Safe{Wallet} (formerly Gnosis Safe), the open-source multisig contract framework Bybit used to manage the cold wallet. Safe’s forensic post-mortem and Mandiant’s subsequent analysis converge on the same picture.
A Safe{Wallet} developer’s workstation was compromised. With access to that engineer’s machine, the attackers pushed malicious JavaScript into the production Safe{Wallet} web frontend. The malicious code was conditional: it only altered behaviour when the connected wallet matched a small allowlist of high-value targets, including the Bybit cold-wallet address. For everyone else, Safe{Wallet} behaved normally — a property that delayed detection considerably.
When a Bybit signer connected their hardware wallet to approve the consolidation transaction, the Safe{Wallet} interface displayed the legitimate transfer in the human-readable summary panel. The actual transaction payload sent to the hardware wallet for signing was different. It was a delegatecall to an attacker-controlled implementation contract that, once executed, replaced the wallet’s logic and routed all subsequent funds to addresses controlled by the attackers.
Because the signers verified the transaction by reading the Safe{Wallet} UI rather than decoding the raw call data on the hardware device, the discrepancy went unnoticed. Hardware wallets do display the data being signed, but what they show is a hexadecimal delegatecall payload that requires specialist tooling to interpret. In practice, almost no production crypto operation today verifies transactions at that level of granularity.
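The gap described above is between what the interface renders and what the device is asked to sign. As an added example (not code from Safe{Wallet}, Bybit or either post-mortem), the check below decodes the fields a signer actually commits to from a Safe `execTransaction` payload and compares them with what the UI claims, refusing on a delegatecall or any mismatch. It assumes Safe's public `execTransaction` ABI and selector; the addresses, inner calldata and the minimal encoder are constructed for the sample only.

```python
# Added example (not Safe{Wallet} or Bybit code): decode a Safe execTransaction payload and
# compare it with what the UI claims, surfacing delegatecall or any field mismatch pre-signing.
from dataclasses import dataclass

EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")  # Safe execTransaction(...)
CALL, DELEGATECALL = 0, 1                              # Safe `operation` values

@dataclass
class SafeTx:
    to: str
    value: int
    data: bytes      # inner calldata; empty for a plain ETH transfer
    operation: int   # 0 = call, 1 = delegatecall

def _word(args: bytes, i: int) -> int:
    return int.from_bytes(args[32 * i:32 * (i + 1)], "big")

def decode_exec_transaction(calldata: bytes) -> SafeTx:
    """Parse to/value/data/operation from ABI-encoded execTransaction calldata."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction call")
    args = calldata[4:]
    off = _word(args, 2)  # dynamic `bytes data` lives at this offset (length word, then bytes)
    data = args[off + 32:off + 32 + _word(args, off // 32)]
    return SafeTx("0x" + args[12:32].hex(), _word(args, 1), data, _word(args, 3))

def encode_exec_transaction(tx: SafeTx) -> bytes:
    """Constructed minimal encoder: gas/refund fields zero, empty signatures."""
    data_tail = len(tx.data).to_bytes(32, "big") + tx.data + bytes(-len(tx.data) % 32)
    data_off, sig_off = 320, 320 + len(data_tail)  # head is 10 x 32-byte words
    head = (bytes.fromhex(tx.to[2:]).rjust(32, b"\0") + tx.value.to_bytes(32, "big")
            + data_off.to_bytes(32, "big") + tx.operation.to_bytes(32, "big")
            + bytes(32 * 5) + sig_off.to_bytes(32, "big"))  # 5 zeroed gas/refund words
    return EXEC_TRANSACTION_SELECTOR + head + data_tail + bytes(32)

def verify_before_signing(ui_claim: SafeTx, calldata: bytes) -> list[str]:
    """Return every way the raw signing payload disagrees with what the UI rendered."""
    raw = decode_exec_transaction(calldata)
    checks = [
        (raw.operation == DELEGATECALL, "operation=DELEGATECALL: callee runs with the Safe's storage"),
        (raw.to.lower() != ui_claim.to.lower(), f"recipient mismatch: UI {ui_claim.to} vs raw {raw.to}"),
        (raw.value != ui_claim.value, f"value mismatch: UI {ui_claim.value} vs raw {raw.value}"),
        (raw.data != ui_claim.data, "inner calldata mismatch: rendered action differs from raw data"),
    ]
    return [msg for bad, msg in checks if bad]

# Constructed sample: UI renders a 1 ETH transfer to a warm wallet; the payload is a delegatecall.
WARM_WALLET, ROGUE_IMPL = "0x" + "11" * 20, "0x" + "aa" * 20  # placeholders, not real addresses
UI_CLAIM = SafeTx(WARM_WALLET, 10**18, b"", CALL)
SIGNING_PAYLOAD = encode_exec_transaction(SafeTx(ROGUE_IMPL, 0, bytes.fromhex("deadbeef"), DELEGATECALL))
```

`verify_before_signing(UI_CLAIM, SIGNING_PAYLOAD)` returns four findings for the sample and an empty list when the UI claim is re-encoded and checked against itself.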
Within minutes of the malicious transaction being mined, the attackers fragmented the funds across several hundred intermediate wallets and began funnelling the proceeds through a sequence of cross-chain bridges, mixers, and OTC desks. Chainalysis was tracking the laundering trail in close to real time. By the time of the one-year retrospective in early 2026, most of the funds had been moved or converted, but a meaningful proportion had been frozen by exchanges acting on rapid intelligence sharing.
Timeline
- 21 February 2025, 12:00 UTC — Bybit signers authorise a routine ETH consolidation in Safe{Wallet}.
- 21 February 2025, 12:14 UTC — Malicious delegatecall executes; wallet logic is replaced; funds begin to drain.
- 21 February 2025, ~13:00 UTC — On-chain monitors flag the anomalous outflow.
- 21 February 2025, evening — Bybit confirms the incident; CEO Ben Zhou tweets.
- 22 February 2025 — Bybit issues a 1:1 reserve attestation; opens emergency credit lines from market makers to keep withdrawals open.
- 23–25 February 2025 — Safe{Wallet} suspends the standard web interface, begins frontend forensics, identifies the injected JavaScript and the developer-workstation compromise.
- 26 February 2025 — FBI publicly attributes the theft to DPRK / TraderTraitor.
- March 2025 onward — Funds laundered through cross-chain bridges and OTC desks; partial freezes by cooperating exchanges; ongoing tracing by Chainalysis and TRM Labs.
What defenders should learn
The Bybit operation is not a story about cryptography. The cryptography held. The signing keys never left the hardware wallets. What failed was the trust boundary between the signing device and the human reading the screen.
Three patterns from this incident generalise far beyond crypto. First, supply-chain compromises that target development environments rather than production environments will keep working until organisations apply the same scrutiny to the build path that they apply to runtime infrastructure. Second, when a security control depends on a human verifying something on a screen, the screen itself must be in scope — and almost never is. Third, allowlist-based malware that fires only against specific high-value targets defeats most monitoring; the malicious code looked normal to every developer who reviewed Safe{Wallet} traffic in the days before the heist.
For organisations whose value moves through human-approved transactions — wire transfers, treasury operations, privileged systems changes — the segmentation and Zero Trust lesson is a direct one. The signing endpoint, the verification surface, and the developer build environment all need to be treated as in-scope critical assets, not as user-class workstations or developer conveniences.
Sources
- Bybit incident statement (Ben Zhou) // primary
- Safe{Wallet} forensic post-mortem // primary
- FBI public service announcement — North Korea responsible for Bybit hack // primary
- Mandiant / Google Threat Intelligence Group analysis // analysis
- Chainalysis — tracing the Bybit funds // analysis