Hack·ongoing

Bybit Cold-Wallet Hack — February 2025

During a routine multi-sig transfer from an Ethereum cold wallet, malicious code injected into the signing UI tricked three Bybit executives into approving the transfer of approximately 401,000 ETH to a Lazarus-controlled address — at $1.46 billion, the largest cryptocurrency theft on record.

Bybit operated approximately 70-80 Ethereum cold wallets requiring three-of-three multi-sig approval for outbound transfers, with signing performed through the Safe (Gnosis Safe) wallet interface.

On 21 February 2025, the operations team initiated a routine internal transfer of approximately 401,000 ETH from one cold wallet. Three executive signers each approved through Safe's UI, which displayed the expected destination and parameters. However, the signed payload — submitted to the Safe contract by an attacker who had compromised the Safe front-end via a malicious deployment of Safe's wallet UI — instead invoked a delegate-call that handed wallet control to a Lazarus-controlled address.
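The mechanism described above turns on two fields of the Safe transaction that the compromised UI misrepresented: the target address and the `operation` type (0 = CALL, 1 = DELEGATECALL; a delegatecall runs the target's code inside the Safe's own storage context). The following is an added example, not Bybit's or Safe's own code: a small decoder for the `execTransaction` calldata that a signer can run on the raw payload shown by a hardware wallet, independently of the web front-end. It assumes the function selector `0x6a761202` and the parameter order from Safe's public `execTransaction` ABI; the addresses and payloads are constructed for illustration, and the encoder is included only so the example is self-contained.

```python
"""Decode Safe execTransaction() calldata and flag mismatches with signer intent.

Added example, not Bybit's or Safe's code. Assumptions: selector 0x6a761202 and
parameter order follow Safe's public execTransaction ABI; sample addresses and
payloads below are constructed.
"""

# execTransaction(address to, uint256 value, bytes data, uint8 operation,
#   uint256 safeTxGas, uint256 baseGas, uint256 gasPrice, address gasToken,
#   address refundReceiver, bytes signatures)
SELECTOR = bytes.fromhex("6a761202")
CALL, DELEGATECALL = 0, 1
ZERO_ADDR = "0x" + "00" * 20


def _word(n: int) -> bytes:
    return n.to_bytes(32, "big")


def _addr_word(addr: str) -> bytes:
    return bytes(12) + bytes.fromhex(addr[2:].lower())


def encode_exec_transaction(to, value, data, operation, signatures,
                            safe_tx_gas=0, base_gas=0, gas_price=0,
                            gas_token=ZERO_ADDR, refund_receiver=ZERO_ADDR) -> bytes:
    """Minimal ABI encoder, used here only to construct sample payloads."""
    head_words = 10
    head = [_addr_word(to), _word(value), None, _word(operation),
            _word(safe_tx_gas), _word(base_gas), _word(gas_price),
            _addr_word(gas_token), _addr_word(refund_receiver), None]
    dyn = b""
    for idx, blob in ((2, data), (9, signatures)):   # dynamic bytes args
        head[idx] = _word(head_words * 32 + len(dyn))  # offset from start of body
        dyn += _word(len(blob)) + blob + bytes(-len(blob) % 32)
    return SELECTOR + b"".join(head) + dyn


def decode_exec_transaction(calldata: bytes) -> dict:
    """Return the fields a signer should compare against the intended transfer."""
    if calldata[:4] != SELECTOR:
        raise ValueError("not an execTransaction call")
    body = calldata[4:]

    def word(i):
        return int.from_bytes(body[32 * i:32 * i + 32], "big")

    def addr(i):
        return "0x" + body[32 * i + 12:32 * i + 32].hex()

    def dyn_bytes(i):
        off = word(i)
        length = int.from_bytes(body[off:off + 32], "big")
        return body[off + 32:off + 32 + length]

    return {"to": addr(0), "value": word(1), "data": dyn_bytes(2),
            "operation": word(3), "refundReceiver": addr(8),
            "signatures": dyn_bytes(9)}


def review_payload(calldata: bytes, expected_to: str, expected_value: int) -> list:
    """List reasons to refuse signing a plain ETH transfer; empty means it matches intent."""
    tx = decode_exec_transaction(calldata)
    findings = []
    if tx["operation"] == DELEGATECALL:
        findings.append("operation is DELEGATECALL: target code runs in the Safe's storage context")
    elif tx["operation"] != CALL:
        findings.append(f"unknown operation {tx['operation']}")
    if tx["to"].lower() != expected_to.lower():
        findings.append(f"target {tx['to']} differs from expected {expected_to}")
    if tx["value"] != expected_value:
        findings.append(f"value {tx['value']} wei differs from expected {expected_value}")
    if tx["data"]:
        findings.append("calldata is non-empty for what should be a plain ETH transfer")
    return findings


# Constructed sample: the intended hot-wallet destination and a substituted payload.
EXPECTED_TO = "0x1111111111111111111111111111111111111111"   # constructed
OTHER_CONTRACT = "0x2222222222222222222222222222222222222222"  # constructed
AMOUNT_WEI = 401_000 * 10 ** 18
BENIGN = encode_exec_transaction(EXPECTED_TO, AMOUNT_WEI, b"", CALL, b"")
HOSTILE = encode_exec_transaction(OTHER_CONTRACT, 0, b"\x01\x02\x03\x04", DELEGATECALL, b"")

if __name__ == "__main__":
    for name, payload in (("benign", BENIGN), ("hostile", HOSTILE)):
        print(name, review_payload(payload, EXPECTED_TO, AMOUNT_WEI) or ["ok"])
```

The check is deliberately blunt: for a routine outbound ETH transfer, any `operation` other than CALL, any non-empty `data`, or any target other than the expected address is grounds to stop and verify out of band, regardless of what the signing page renders.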

The full balance was drained within a single block. CEO Ben Zhou announced the loss within 30 minutes and assured users that withdrawals would continue uninterrupted, funded from internal capital and short-term bridge loans from market-makers.

On 26 February 2025 the FBI and the US Treasury jointly attributed the attack to North Korea's Lazarus Group, citing tooling consistent with prior Lazarus exploits including the Ronin Bridge and DMM Bitcoin attacks. The stolen ETH has since been laundered through mixer services and OFAC-sanctioned addresses over the course of 2025.

Timeline

  1. 401,000 ETH drained from cold wallet in a single block

    A routine internal multi-sig transfer is intercepted at the signing UI; the executed payload delegates wallet control to a Lazarus-controlled address.

  2. CEO Ben Zhou announces loss publicly

    Within 30 minutes of the on-chain event. Promises uninterrupted user withdrawals funded from internal capital.

  3. Withdrawal volume surges; Bybit honours all requests

    Market-maker bridge loans top up reserves. No user balance impairment.

  4. FBI and Treasury attribute attack to Lazarus Group

    Joint statement cites tooling consistent with Ronin Bridge and DMM Bitcoin exploits. OFAC extends SDN listings to identified laundering addresses.

Sources

  1. FBI statement on Bybit hack, Federal Bureau of Investigation — Lazarus Group attribution