
On February 21, 2025, a sophisticated supply chain attack on Bybit resulted in the theft of approximately $1.46 billion in digital assets, primarily Ethereum (ETH). This breach, attributed to North Korea's notorious Lazarus Group, is the largest crypto hack in history. The hackers exploited Bybit's multi-signature wallet system, manipulating the transaction approval process through malware. They compromised the Safe{Wallet} infrastructure via a developer's machine and executed a phishing campaign, deceiving wallet signers into approving fraudulent transactions. This led to an unauthorized contract upgrade, replacing Bybit's wallet contract with a malicious version and initially draining around 401,346 ETH.
After the initial theft, the hackers employed various laundering techniques to conceal their tracks. They converted stolen assets into ETH and distributed them across multiple wallets, using cross-chain swaps to move assets between different blockchain networks. Mixing services such as eXch helped obscure transaction trails, while decentralized exchanges (DEXs) facilitated the conversion and laundering of funds. The hackers also used peel chain transactions, moving funds in small increments through a long sequence of addresses to avoid detection.
As the investigation unfolded, the stolen assets were swiftly moved to unidentified addresses. The hackers converted ETH into Bitcoin and other cryptocurrencies, transferring funds in exact tranches of 10,000 ETH. By late February 2025, over $335 million had already been laundered, with approximately $900 million still under the hackers' control. Blockchain analytics firms and law enforcement agencies began tracking the stolen funds, flagging over 11,000 wallet addresses suspected to be linked to the hack. Some cryptocurrency service providers even froze assets associated with the hackers, highlighting the ongoing efforts to recover the stolen assets.
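The two laundering patterns described above, fixed round-number tranches fanned out from a source address and peel chains that forward most of a balance while skimming a small share at each hop, can be flagged with simple graph heuristics. The following is an added illustration, not code from Bybit, Safe{Wallet} or any analytics firm; the transfer list, addresses and thresholds are constructed for the example.

```python
# Added example: heuristic detection of fixed-tranche fan-out and peel-chain
# patterns over a constructed list of ETH transfers. Addresses and amounts
# below are made up; the thresholds are illustrative assumptions.
from collections import defaultdict

# Constructed sample transfers: (tx_id, from_address, to_address, amount_eth)
SAMPLE_TRANSFERS = [
    ("t1", "0xSRC", "0xA1", 10000.0),     # three identical 10,000 ETH tranches
    ("t2", "0xSRC", "0xA2", 10000.0),
    ("t3", "0xSRC", "0xA3", 10000.0),
    ("t4", "0xA1", "0xB1", 9500.0),       # peel chain: bulk forwarded ...
    ("t5", "0xA1", "0xOUT1", 500.0),      # ... small share peeled off
    ("t6", "0xB1", "0xB2", 9000.0),
    ("t7", "0xB1", "0xOUT2", 500.0),
    ("t8", "0xB2", "0xB3", 8500.0),
    ("t9", "0xB2", "0xOUT3", 500.0),
    ("t10", "0xUSER", "0xSHOP", 1.2),     # ordinary payment, should not flag
]

def find_fixed_tranches(transfers, source, min_count=3):
    """Return round-number amounts (multiples of 1,000 ETH) that `source` sent
    at least `min_count` times, a hallmark of scripted fund distribution."""
    counts = defaultdict(int)
    for _, frm, _, amt in transfers:
        if frm == source and amt == round(amt) and amt % 1000 == 0:
            counts[amt] += 1
    return {amt: n for amt, n in counts.items() if n >= min_count}

def find_peel_chains(transfers, start, min_hops=3, peel_ratio=0.2):
    """Follow the largest outgoing transfer from `start` hop by hop. Each hop
    must forward the bulk of the funds and peel off at most `peel_ratio` of
    the total to side addresses. Returns the chain of addresses if it spans at
    least `min_hops` hops, otherwise an empty list."""
    outgoing = defaultdict(list)
    for _, frm, to, amt in transfers:
        outgoing[frm].append((to, amt))
    chain, current = [start], start
    while True:
        outs = sorted(outgoing.get(current, []), key=lambda x: -x[1])
        if len(outs) < 2:          # no peel at this hop: chain ends here
            break
        main_to, main_amt = outs[0]
        side_total = sum(a for _, a in outs[1:])
        if side_total > peel_ratio * (main_amt + side_total):
            break                  # too much diverted: fan-out, not a peel
        chain.append(main_to)
        current = main_to
    return chain if len(chain) - 1 >= min_hops else []
```

Real tracing works on full on-chain data and must account for exchange deposit addresses and cross-chain bridges, which this toy graph omits.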
This hack underscores how essential blockchain intelligence has become to the security infrastructure of centralized exchanges. It emphasizes the need for strong cybersecurity measures and rigorous training for employees to mitigate risks. Recommendations, such as using multiple air-gapped cold storages, have emerged as necessary precautions. Furthermore, there is a growing call for improved regulatory oversight in the crypto industry to prevent such incidents in the future.
In response to the attack, Bybit assured users that they'd absorb losses and enhance security measures. They continued processing withdrawals without disruption while collaborating with authorities to recover the stolen assets. The incident has sparked discussions on cyber resilience and the importance of safeguarding digital assets in an increasingly complex threat landscape.