Shattering records and cold wallets alike, North Korean hackers orchestrated the largest cryptocurrency heist in history, stealing $1.5 billion from Bybit exchange in a sophisticated attack that has sent shockwaves through the digital asset industry. The February 21, 2025 breach, attributed to the notorious Lazarus Group (also known as TraderTraitor), exploited an Ethereum cold wallet during a routine transfer, making off with 515,000 tokens, primarily Ether and its derivatives.
The attack showcased an unprecedented level of sophistication, with hackers compromising a Safe{Wallet} developer’s machine and craftily replacing legitimate JavaScript code with malicious variants. Like digital pickpockets performing a perfectly timed sleight of hand, the attackers manipulated transaction content during the signing process, then swiftly removed their malicious code, leaving barely a trace. To obscure the trail of the stolen funds, the criminals employed complex laundering tactics that included multiple intermediary wallets, decentralized exchanges, and cross-chain bridges. The heist adds to an extensive history of financial crime: the hackers have stolen over $5 billion in cryptocurrency since 2017.
The fallout was immediate and severe for Bybit, the world’s second-largest crypto exchange. Clients withdrew $4 billion within 48 hours, forcing the platform to borrow funds to replace the stolen assets. Despite launching an aggressive bug bounty program that paid out over $4 million, only 3% of the stolen crypto has been frozen.
This breach marks a significant evolution in crypto crime, occurring amid a broader surge in digital asset theft. North Korea alone stole $1.34 billion in cryptocurrency during 2024, with the regime reportedly channeling these funds into its ballistic missile program.
The FBI’s investigation, supported by cybersecurity firms Sygnia and Verichains, confirmed that while Bybit’s infrastructure remained uncompromised, the Safe{Wallet} infrastructure served as the attackers’ entry point.
The incident has demolished the long-held belief in cold wallet impenetrability and sparked urgent calls for enhanced security measures across the industry. With illicit addresses receiving $40 billion in 2024 and projections suggesting an increase to $51 billion after full analysis, the era of massive digital-asset heists appears to be entering a new, more dangerous phase that demands increased government coordination and stricter regulatory oversight.