Crypto exchange Bybit was the victim of a sophisticated attack, and threat actors stole $1.5B worth of cryptocurrency from one of the company’s offline wallets.—————————————————————————————————————————————————————-Crypto exchange Bybit suffered a sophisticated cyberattack, threat actors transferred over 400,000 ETH and stETH worth more than $1.5 billion to an unidentified address.The Bybit hack is the largest cryptocurrency heist ever, surpassing previous ones like [Ronin Network](https://securityaffairs.com/129609/cyber-crime/625m-axie-infinity-ronin-hack.html) ($625M), [Poly Network](https://securityaffairs.com/121005/cyber-crime/poly-network-cross-chain-hack.html) ($611M), and [BNB Bridge](https://securityaffairs.com/136779/cyber-crime/hackers-stole-binance-funds.html) ($566M).Bybit’s ETH cold wallet was compromised in the attack that masked the signing interface, allowing threat actors to redirect funds to an unknown address.’Bybit detected unauthorized activity involving one of our ETH cold wallets. The incident occurred when our ETH multisig cold wallet executed a transfer to our warm wallet. Unfortunately, this transaction was manipulated through a sophisticated attack that masked the signing interface, displaying the correct address while altering the underlying smart contract logic.’ reads the statement published by the company on X. ‘As a result, the attacker was able to gain control of the affected ETH cold wallet and transfer its holdings to an unidentified address.’Bybit’s security team, leading blockchain forensic experts, and partners are investigating the security breach. The company assures users and partners that all other cold wallets remain fully secure, client funds are safe, and operations continue without disruption. Maintaining transparency and security is a top priority, and the company will provide updates as soon as possible.> Bybit detected unauthorized activity involving one of our ETH cold wallets. The incident occurred when our ETH multisig cold wallet executed a transfer to our warm wallet. Unfortunately, this transaction was manipulated through a sophisticated attack that masked the signing…> — Bybit (@Bybit_Official) [February 21, 2025](https://twitter.com/Bybit_Official/status/1892965292931702929?ref_src=twsrc%5Etfw)Bybit speculated attackers likely exploited a vulnerability in the Safe.global platform’s user interface but shared no technical details.> Bybit ETH multisig cold wallet just made a transfer to our warm wallet about 1 hr ago. It appears that this specific transaction was musked, all the signers saw the musked UI which showed the correct address and the URL was from [@safe](https://twitter.com/safe?ref_src=twsrc%5Etfw) . However the signing message was to change…> — Ben Zhou (@benbybit) [February 21, 2025](https://twitter.com/benbybit/status/1892963530422505586?ref_src=twsrc%5Etfw)Bybit CEO Ben Zhou assured customers that the exchange would remain solvent even if the stolen funds were not recovered. Bybit stated it has over $20 billion in assets under management and will use a bridge loan if needed to ensure user funds remain available.> Bybit is Solvent even if this hack loss is not recovered, all of clients assets are 1 to 1 backed, we can cover the loss.> — Ben Zhou (@benbybit) [February 21, 2025](https://twitter.com/benbybit/status/1892969284587966869?ref_src=twsrc%5Etfw)Zhou also highlighted that all other cold wallets managed by the exchange are secure.> Bybit ETH multisig cold wallet just made a transfer to our warm wallet about 1 hr ago. It appears that this specific transaction was musked, all the signers saw the musked UI which showed the correct address and the URL was from [@safe](https://twitter.com/safe?ref_src=twsrc%5Etfw) . However the signing message was to change…> — Ben Zhou (@benbybit) [February 21, 2025](https://twitter.com/benbybit/status/1892963530422505586?ref_src=twsrc%5Etfw)Blockchain cybersecurity firm Elliptic attributed the cyber heist to the notorious North Korea-linked APT Group [Lazarus](https://securityaffairs.com/66780/apt/lazarus-apt-cryptocurrency.html), however, Bybit has yet to confirm it.*’Almost $1.5 billion in crypto was stolen from Bybit today. That makes it by far the largest crypto heist of all time. It’s also potentially the largest single theft of any kind, ever.We’re working to help exchanges and law enforcement to trace and freeze these funds. The more difficult we make it to benefit from crimes such as this, the less frequently they will take place.’ [said Elliptic Co-founder Tom Robinson](https://www.linkedin.com/posts/tomarobinson_almost-15-billion-in-crypto-was-stolen-activity-7298798116160368641-Okp-/). ‘-*Update-* It’s now been confirmed that North Korea’s Lazarus Group were behind this hack..’*Cybersecurity firm Arkham Intelligence also attributed the attack to the Lazarus APT group.> BREAKING: BYBIT $1 BILLION HACK BOUNTY SOLVED BY ZACHXBT >>> At 19:09 UTC today, [@zachxbt](https://twitter.com/zachxbt?ref_src=twsrc%5Etfw) submitted definitive proof that this attack on Bybit was performed by the LAZARUS GROUP. >>> His submission included a detailed analysis of test transactions and connected wallets used ahead of… [pic.twitter.com/jtQPtXl0C5](https://t.co/jtQPtXl0C5)> — Arkham (@arkham) [February 21, 2025](https://twitter.com/arkham/status/1893033424224411885?ref_src=twsrc%5Etfw)The Lazarus Group has been active since at least 2009, possibly as early as 2007, it is known for using custom malware in sophisticated attacks, with experts deeming their methods highly advanced.This threat actor was involved in cyber espionage campaigns and sabotage activities to destroy data and disrupt systems. Security researchers discovered that the North Korean Lazarus APT group was behind multiple attacks against [banks](http://securityaffairs.co/wordpress/57226/cyber-crime/symantec-lazarus-apt-banks.html) end cryptocurrency exchanges.According to security experts, the group was behind, other large-scale cyber espionage campaigns against targets worldwide, including the [Troy Operation](http://securityaffairs.co/wordpress/44781/cyber-crime/lazarus-group-activities.html), the [DarkSeoul Operation](http://securityaffairs.co/wordpress/59139/cyber-crime/wannacry-ransomware-lazarus-group.html), and the [Sony Picture hack](http://securityaffairs.co/wordpress/31781/intelligence/us-sanctions-on-north-korea.html).Follow me on Twitter: [**@securityaffairs**](https://twitter.com/securityaffairs) and [**Facebook**](https://www.facebook.com/sec.affairs) and [Mastodon](https://infosec.exchange/@securityaffairs)[**Pierluigi Paganini**](http://www.linkedin.com/pub/pierluigi-paganini/b/742/559)**(** [**SecurityAffairs**](http://securityaffairs.co/wordpress/)**–** **hacking, Lazarus)**
Related Tags:
NAICS: 54 – Professional
Scientific
Technical Services
NAICS: 541 – Professional
Scientific
Technical Services
NAICS: 52 – Finance And Insurance
NAICS: 92 – Public Administration
NAICS: 922 – Justice
Public Order
Safety Activities
NAICS: 523 – Securities
Commodity Contracts
Other Financial Investments And Related Activities
NICKEL ACADEMY
Blog: Security Affairs
Guardians of Peace
Associated Indicators:
null