OPN Intel
LIVE
BTC$76,620MAYER0.95×200W1.25×PI-CYCLE38%DRAWDOWN-39%PUELL0.81×W-RSI45BMSB0.97×
AS OF 2026-05-24
Threats· Feb 21, 2026· 6 min read

Bybit Lost $1.5 Billion in a Single Hack

One year ago today, North Korea’s Lazarus Group executed the largest crypto heist in history. Here’s what actually happened — and what it means for your custody decisions.

Key takeaways

  1. One year ago today, North Korea’s Lazarus Group stole $1.5 billion in Ethereum from Bybit — the largest crypto heist in history
  2. The attack compromised a single developer at Safe, the open-source wallet software Bybit used for cold storage
  3. Multisig didn’t save Bybit — the malicious code made the theft look like a legitimate transaction to every signer
  4. North Korea stole $2.02 billion in crypto across all of 2025, funding its nuclear weapons program
  5. The lesson isn’t “don’t use Bybit.” It’s that centralized custody carries risks no individual can control

What Happened

Exactly one year ago (February 21, 2025), a Bybit employee sat down to authorize what looked like a routine transfer of Ethereum from a cold wallet to a warm wallet. The transaction appeared legitimate on screen. The signing interface showed the correct destination. Multiple team members reviewed and approved it. Every one of them was looking at a lie.

North Korea’s Lazarus Group had spent months preparing the attack. They hadn’t targeted Bybit’s systems directly. Instead, they compromised a single developer at Safe, 4 the open-source software Bybit used to manage its multisignature wallets. The attackers likely used a phishing attack to gain access to the developer’s machine, then injected malicious JavaScript into Safe’s live interface — code that specifically targeted Bybit’s wallets and activated only when a Bybit employee initiated a transaction.

When the moment came, the injected code altered what Bybit’s signers saw on their screens while sending the actual funds to North Korea-controlled addresses. The interface displayed a normal transaction. The blockchain recorded a theft. Within minutes, $1.5 billion in Ethereum was gone. Two minutes after the heist, Safe’s website was updated to erase the malicious code. The FBI 1 attributed the attack to North Korea within five days.

This was a supply chain attack, not an exchange hack

Why It Matters

The critical detail most coverage missed: Bybit’s own infrastructure wasn’t directly breached. The attack went through Safe, a third-party tool Bybit relied on but had no formal business relationship with. Safe’s software is open-source. Bybit used it because it was industry-standard.

This is the supply chain problem. You can audit your own systems endlessly, but if you depend on external software (and every organization does), your security is only as strong as every developer, at every vendor, in your entire stack. One compromised laptop at Safe unwound $1.5 billion in security architecture.

Multisig is a tool, not a guarantee

The Bybit hack shattered a dangerous assumption: that multisig wallets are inherently safe because multiple people must approve a transaction. In this case, every signer approved the theft because the attack happened at the interface layer — above the cryptography. The signatures were real. The transaction they authorized wasn’t what they thought it was.

This doesn’t mean multisig is useless. It means multisig protects against one threat (a single compromised key) but not another (a compromised interface that deceives all signers simultaneously). Understanding which threats your security architecture actually addresses — and which it doesn’t — is the difference between security and security theater.

North Korea is the most persistent state-level threat to crypto

The Bybit hack wasn’t an isolated operation. According to TRM Labs, North Korea stole $2.02 billion 2 in cryptocurrency across 2025 — accounting for 76% of all exchange compromises that year. The cumulative total since 2017 now exceeds $6.75 billion. These funds directly finance North Korea’s nuclear and ballistic missile programs.

Lazarus Group’s laundering operation is industrialized. Stolen ETH was converted to Bitcoin within weeks, 2, routed through decentralized exchanges and cross-chain bridges, then processed through Chinese-language over-the-counter networks. The entire pipeline from theft to fiat conversion runs approximately 45 days.

What This Means for You

Exchanges are targets. You don’t have to be. Every exchange you hold funds on is a target for the most capable nation-state hackers on the planet. The Bybit hack didn’t compromise individual users’ wallets — it compromised the exchange’s cold storage. Self-custody removes you from that equation.

Verify what you sign, not what you see. The Bybit attack exploited the gap between what a screen displays and what the blockchain executes. A properly configured hardware wallet shows you the actual transaction details on its own screen, independent of any potentially compromised computer. If your hardware wallet and your computer show different destination addresses, stop.

Understand your software dependencies. What wallet software do you use? Who maintains it? Is it open-source? Has it been audited? You don’t need to read the code yourself, but you should know who is responsible for the tools that stand between you and your Bitcoin.

What to Watch

Whether the CLARITY Act, currently moving through Congress, addresses supply chain security standards for crypto infrastructure providers. The Bybit hack exposed a regulatory gap: Safe had no obligation to meet any particular security standard, yet exchanges managing billions depended on it.

Also watch North Korea’s targeting patterns. Lazarus Group has historically shifted tactics as defenses improve. CertiK warns that future attacks will increasingly incorporate AI-powered social engineering and deepfake technology, expanding the attack surface from software to people.

The Bybit hack wasn’t a failure of cryptography. It was a failure of trust in a supply chain. OPNorange exists because security is a posture, not a product — and understanding your actual threat model is where it starts.

Sources

  1. [1]FBI, Public Service Announcement: TraderTraitor, February 26, 2025
  2. [2]TRM Labs / Chainalysis, 2025 Crypto Crime Report — DPRK section, December 2025
  3. [3]Bybit, Post-Mortem: February 21, 2025 Security Incident, published February 2025
  4. [4]Safe (formerly Gnosis Safe), Incident Response Report, February 2025
  5. [5]UN Security Council, Panel of Experts Report on North Korea Sanctions, 2024–2025
  6. [6]CISA — Joint advisory AA25-071A on DPRK cyber operations targeting cryptocurrency firms, 2025
  7. [7]Mandiant (Google Cloud) — UNC4736 and Lazarus Group TTPs, cryptocurrency exchange targeting, 2025

More in Threats

Hinkal Lost $820,000 After Its Privacy Proof Verification Failed to Verify Anything$1.7 Million Drained Through a Single Forged Proof on TaikoFTX Repays Bitcoin Creditors at $16,871 Petition-Date Price