Bybit


Published: 12/16/2025

Written by: Lizzie Danielson



In February 2025, Bybit suffered one of the largest cryptocurrency thefts on record when attackers manipulated a routine transfer from an Ethereum cold wallet and redirected the assets to addresses they controlled. Public reporting and post-incident analysis describe the event as a targeted crypto heist involving Bybit’s multisig wallet workflow, not a confirmed mass compromise of customer personal data records.

What happened in the Bybit hack?

Bybit said it detected unauthorized activity on February 21, 2025 during a scheduled transfer from its ETH multisig cold wallet to its hot wallet. Investigations published after the incident found that attackers manipulated the transaction approval process so authorized signers believed they were approving a legitimate internal transfer when they were actually authorizing a malicious transaction that handed control of the wallet to the attackers. Multiple reports place the value of the theft at roughly $1.4 billion to $1.5 billion, making it the largest crypto heist of its kind at the time.

When did the Bybit hack happen?

The theft was executed on February 21, 2025 during the wallet transfer process. Later forensic reporting said attacker activity inside the affected third-party environment likely began earlier in February, with malicious changes to the Safe wallet interface identified before the theft itself.

Who is behind the Bybit hack?

Public reporting and investigations widely attributed the operation to North Korea-linked Lazarus activity. The FBI publicly linked the theft to the TraderTraitor cluster, which is also associated with names including Jade Sleet, Slow Pisces, and UNC4899.

How did the Bybit hack happen?

The attack was widely described as a supply-chain-style compromise involving Safe{Wallet}, the multisig platform used in Bybit’s signing workflow. Reporting and technical analysis said a Safe developer machine was compromised, malicious JavaScript was introduced into the Safe interface, and the altered UI showed Bybit signers what looked like a normal transaction while changing the underlying transaction logic and destination. In practice, that meant the multisig process itself was not bypassed by stolen keys so much as subverted through deceptive transaction presentation and blind-signing risk.


Bybit hack timeline

  • Early February 2025: Investigators later reported attacker activity tied to a compromised Safe developer environment.

  • February 19, 2025: Reporting said malicious JavaScript was introduced into the Safe interface used in the targeted workflow.

  • February 21, 2025: Bybit detected unauthorized activity during a routine transfer from its ETH cold wallet to its hot wallet.

  • Late February 2025: Bybit shared conclusions from outside investigations linking the attack to Safe infrastructure, and Lazarus attribution grew stronger through public reporting and the FBI statement.


Technical details

Technical reviews said the attackers tampered with the Safe web interface so it behaved normally for most users but selectively altered transactions involving targeted Bybit wallets. Analysis from NCC Group said the malicious code modified what signers saw and what they signed, enabling the attackers to replace a benign transfer with a transaction that changed the wallet’s control logic. Other reporting described the incident as a blend of supply-chain compromise, UI manipulation, and smart contract abuse rather than a straightforward exchange-server breach.

What was compromised?

The confirmed impact was the theft of crypto assets from Bybit’s Ethereum cold wallet environment, including large amounts of ETH and related assets such as stETH. Public reporting around the incident focused on stolen funds and wallet control, not on a confirmed exposure of customer PII, customer account databases, or unencrypted wallet keys belonging to retail users.

How many people were affected?

There is no widely confirmed public count of individual users whose personal data was exposed because the incident was reported primarily as an exchange wallet theft. The direct confirmed impact was on Bybit’s custodial holdings involved in the compromised wallet workflow.

Was my data exposed?

Based on the public reporting reviewed here, there was no clearly established public disclosure that this event involved a broad customer data breach. Any claim that names, emails, phone numbers, financial records, or wallet keys for large numbers of customers were exposed should be independently verified before publication. Bybit launched a LazarusBounty program offering a 10% reward for successful recovery of the missing funds.

Key impacts of the Bybit hack

The most immediate impact was the loss of roughly $1.4 billion to $1.5 billion in crypto assets. The incident also intensified scrutiny on multisig operational security, third-party wallet infrastructure, software supply-chain risk, and the danger of relying on user interfaces as the primary verification layer for high-value transactions.

Response to the Bybit hack

Bybit disclosed the unauthorized activity and shared investigation conclusions from external firms including Sygnia and Verichains. Safe said it rebuilt and reconfigured infrastructure, rotated credentials, and added additional validation and monitoring after the attack. Public reporting also noted ongoing tracing and laundering activity tied to the stolen funds and law-enforcement attribution efforts connected to DPRK-linked actors.

Lessons from the Bybit hack

  1. Third-party trust can become a primary attack surface.
    A compromise in a trusted provider’s environment can defeat strong internal controls if transaction reviewers depend on that provider’s interface.

  2. Multisig is not enough without independent verification.
    If signers cannot reliably validate transaction intent outside the UI they are using, attackers can manipulate approvals without stealing the keys themselves.

  3. Front-end integrity controls matter for high-risk operations.
    Monitoring for unauthorized changes, validating signatures and transaction hashes, and hardening software delivery paths are critical when large asset movements depend on web interfaces.

  4. Operational security is just as important as cryptography.
    This incident showed how human-machine trust relationships, workflow design, and blind-signing risk can undermine otherwise strong wallet security models.


Is Bybit safe after the hack?

Any statement that Bybit is now fully safe would go beyond the public evidence reviewed here. A more accurate framing is that Bybit and affected partners implemented response and hardening measures after the theft, while the incident remains a lasting example of how sophisticated actors can target operational processes around digital asset custody.

Mitigation & prevention strategies

Organizations handling high-value crypto or sensitive approvals should:

  • Require out-of-band verification of destination addresses and transaction intent for critical transfers.

  • Treat third-party admin panels and wallet interfaces as untrusted until verified.

  • Harden software supply chains, cloud access, and developer environments.

  • Add integrity checks, transaction-hash validation, and strong change monitoring for front-end assets.

  • Reduce reliance on blind signing and use workflows that present human-readable transaction details wherever possible.
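As an added example, not code from the original article, Bybit, or Safe, here is a hypothetical out-of-band intent check in the spirit of lessons 2 and 3 above and the mitigation bullets: the signer takes the raw Safe transaction fields from a source other than the web UI and compares them with the stated intent before signing. The `SafeTx` class, `check_intent`, the token allow-list and the sample addresses are assumptions; the `transfer(address,uint256)` selector and the Safe `operation` values (0 = CALL, 1 = DELEGATECALL) are standard.

```python
from dataclasses import dataclass

# Hypothetical pre-signing check, not Bybit's or Safe's code. The signer obtains the raw
# SafeTx fields out of band (exported JSON, transaction service API), never from the web UI.
ERC20_TRANSFER_SELECTOR = "a9059cbb"  # 4-byte selector of transfer(address,uint256)
OP_CALL, OP_DELEGATECALL = 0, 1       # values of the Safe 'operation' field

@dataclass
class SafeTx:
    to: str          # target contract or recipient
    value: int       # native ETH in wei
    data: str        # 0x-prefixed hex calldata ("0x" for none)
    operation: int   # 0 = CALL, 1 = DELEGATECALL

def decode_erc20_transfer(data: str):
    """Return (recipient, amount) if calldata is exactly transfer(address,uint256), else None."""
    h = data.lower().removeprefix("0x")
    if len(h) != 8 + 64 + 64 or h[:8] != ERC20_TRANSFER_SELECTOR:
        return None
    return "0x" + h[8 + 24:8 + 64], int(h[72:136], 16)  # address is right-aligned in its word

def check_intent(tx: SafeTx, expected_recipient: str, expected_amount: int, token_allowlist) -> list:
    """Compare the raw transaction with stated intent; returns findings (empty list = matches)."""
    findings = []
    if tx.operation != OP_CALL:
        # DELEGATECALL runs foreign code in the Safe's own storage context and can rewrite its control logic.
        findings.append("operation is DELEGATECALL, not permitted for a routine transfer")
    if tx.data in ("0x", ""):                       # native ETH: intent is in to/value
        recipient, amount = tx.to, tx.value
    else:                                           # token: intent is inside the calldata
        if tx.to.lower() not in {a.lower() for a in token_allowlist}:
            findings.append(f"target {tx.to} is not an allow-listed token contract")
        decoded = decode_erc20_transfer(tx.data)
        if decoded is None:
            findings.append("calldata is not a plain ERC-20 transfer(address,uint256)")
            return findings
        recipient, amount = decoded
    if recipient.lower() != expected_recipient.lower():
        findings.append(f"recipient {recipient} differs from intended {expected_recipient}")
    if amount != expected_amount:
        findings.append(f"amount {amount} differs from intended {expected_amount}")
    return findings

# Constructed sample: a routine token top-up of the hot wallet, and a raw transaction that a
# tampered UI could render identically but which actually delegatecalls an unknown contract.
TOKEN, HOT_WALLET, ROGUE = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "ee" * 20
BENIGN_TX = SafeTx(TOKEN, 0, "0x" + ERC20_TRANSFER_SELECTOR + HOT_WALLET[2:].rjust(64, "0")
                   + format(10**18, "064x"), OP_CALL)
SPOOFED_TX = SafeTx(ROGUE, 0, "0x" + "deadbeef" + "00" * 32, OP_DELEGATECALL)
```

The point is that the comparison runs against fields fetched independently of the interface, so a tampered front end that only changes what it renders cannot change what this check sees.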

FAQs

Public reporting reviewed here described it primarily as a crypto heist targeting Bybit’s wallet operations, not as a confirmed large-scale customer data breach.

Investigations said attackers compromised the Safe wallet workflow, injected malicious JavaScript into the signing interface, and tricked authorized signers into approving a malicious transaction.

The attack was widely attributed to North Korea-linked Lazarus activity, and the FBI linked the theft to the TraderTraitor cluster.

Do not rely on a trusted UI alone for critical approvals. High-risk transactions need independent validation, strong supply-chain controls, and workflows designed to resist blind-signing deception.
