Analysis: Inside The $1.5bn Bybit Hack – The Largest Digital Heist In Crypto History

“The Bybit hack of $1.5 billion worth of ETH is the largest digital heist in the history of cryptocurrency,” said Andrew Fierman, Head of National Security Intelligence at Chainalysis.

In a single operation attributed to North Korean hackers, attackers stole more cryptocurrency than the hermit kingdom allegedly purloined in all of 2024.

North Korean cyber actors have stolen approximately $1.5 billion in Ethereum from Bybit—a cryptocurrency exchange—and are dispersing the stolen assets across addresses on multiple blockchains. The FBI recommends blocking transactions with these addresses: https://t.co/yjkrv7sQDw pic.twitter.com/l2ATBNbW3m

— FBI (@FBI) February 27, 2025

“This single attack accounts for more funds stolen by North Korea than was stolen in all of 2024,” Fierman told Arabian Business. Data from Chainalysis’ December 2024 report reveals a dramatic escalation in North Korean crypto theft, with hackers linked to the nation stealing approximately $1.34 billion across 47 separate incidents last year – up 102.88 per cent from the $660.50 million stolen in 20 incidents during 2023. These North Korean operations represented 61 per cent of all cryptocurrency stolen globally in 2024 while accounting for just 20 per cent of total theft incidents.

The February 21 theft, which saw 401,000 Ethereum stolen through what Bybit described as a “manipulation of the transfer process during a planned routine transfer” on one of its cold wallets, has put a spotlight on the increasingly sophisticated nature of state-sponsored crypto theft.

Cold wallet, hot target

Cold wallets – cryptocurrency storage not connected to the internet – were once considered nearly impregnable. The Bybit hack demonstrates how even these security measures have become vulnerable to advanced actors.

The FBI has linked the theft to two well-known hacker groups—TraderTraitor and the Lazarus Group, which have a history of targeting cryptocurrency platforms and financial institutions. Blockchain security firm Certik has called the incident the largest breach in blockchain history.

“This dispersion is a common tactic used by North Korean hackers in an attempt to obfuscate the trail and hinder tracking efforts by blockchain analysts,” Fierman explained.

“After moving the 401,000 ETH to addresses under their control, the hackers behind the Bybit theft moved the assets through a complex web of intermediary addresses, before swapping significant portions of the stolen ETH for tokens including BTC and DAI.”

The hackers’ playbook has become increasingly sophisticated, utilising decentralised exchanges, cross-chain bridges, and no-KYC instant swap services to move assets across networks.

Some funds deliberately remain idle – a strategic move to outlast the intense scrutiny that follows high-profile thefts.

Industry response and recovery

Despite the hackers’ sophistication, the crypto industry has mobilised a rapid response.

“We’ve already worked with partners in the industry, including Mantle and Tether, to recover over $42 million of the stolen funds,” Fierman said.

Bybit, which serves over 60 million users globally, has demonstrated remarkable resilience. The company processed more than 350,000 withdrawal requests within 12 hours of the hack and secured a bridge loan from partners enabling it to recover nearly 80 per cent of the stolen Ethereum.

Co-founder and CEO Ben Zhou has responded to the FBI’s findings by posting on social platform X, linking to a website offering $140 million in rewards for tracking and freezing the stolen assets through other exchanges.

This incident follows several major disruptions that have shaken the crypto industry in recent years. While FTX’s 2022 collapse was due to fraud rather than hacking, it resulted in approximately $8 billion in missing customer funds. Other significant breaches include the 2022 Ronin Bridge hack, where North Korean actors stole $620 million, and the 2018 Coincheck exchange breach that saw $530 million in NEM tokens stolen.

“High-profile breaches can erode public trust in the safety of digital assets and security of the technology itself. To counteract this, exchanges must prioritize transparency, promptly address security incidents, and implement measures to protect user funds,” Benjamin Ward, Financial Institutions Leader at Marsh, IMEA, told Arabian Business

He noted that Bybit’s commitment to reimbursing affected users represents “a proactive approach to maintaining this all-important customer trust.”

“The crisis management and response protocols have most definitely evolved. The processing of nervous withdrawals – not just freezing all customer funds and transactions – replenishing [or] restoring its reserves and passing a PoR audit, the coming together of other industry competitors all within 72 hours, is a far cry from previous crypto crises where customers and institutional investors were kept in the dark for a long time, panic ensuing, often no reimbursement of lost assets and with draining and protracted litigation still ongoing,” Ward added.

In a sign of the company’s continued progress despite the breach, Bybit announced Thursday it had received In-Principle Approval from the Securities & Commodities Authority to establish itself as a Virtual Asset Platform Operator in the United Arab Emirates.

“We are honoured to have received the IPA from SCA. This approval marks a crucial step in our journey to providing secure and transparent crypto trading solutions,” said Zhou, as the world’s second-largest cryptocurrency exchange by trading volume continues its expansion.

The nuclear connection

The scale and sophistication of the theft highlight the evolution of North Korea’s cyber capabilities, which have become a crucial funding source for the isolated nation.

“Hackers linked to North Korea have become notorious for their sophisticated and relentless tradecraft, often employing advanced malware, social engineering, and cryptocurrency theft to fund state-sponsored operations and circumvent international sanctions,” Fierman said.

South Korea’s intelligence agency estimates that North Korea has stolen approximately $1.2 billion in digital assets over the past five years, while a United Nations panel is investigating 58 cyberattacks linked to North Korea between 2017 and 2023, reportedly resulting in $3 billion in stolen funds which officials suspect may have been used for military purposes.

The United Nations has previously stated that North Korea directs proceeds from cryptocurrency theft toward its nuclear weapons program – giving these digital heists real-world geopolitical implications.

While the theft represents a significant security breach, blockchain technology actually offers advantages in tracking stolen funds that traditional financial systems cannot match.

“The ability to follow stolen funds in real-time like this wouldn’t be possible in traditional financial channels,” Fierman noted.

The FBI has urged private sector entities to block transactions linked to addresses associated with what it calls the “TraderTraitor” operation, leveraging the transparency of blockchain technology to help contain the damage.

The attack has impacted investor confidence, contributing to cryptocurrency market volatility. Bitcoin, which recently peaked at over $100,000 last month, traded at around $82,000 on Thursday.

The incident has also highlighted the importance of robust insurance coverage in the crypto sector. Industry experts point out that the sudden nature and magnitude of such thefts underscore vulnerabilities that comprehensive insurance policies tailored for digital asset companies could help mitigate.

Appropriate insurance coverage not only protects against financial losses but can enhance credibility with customers and investors in a manner similar to proof of reserves, providing additional assurance about fund protection.

Some regulators have already recognised this need. Dubai’s Virtual Asset Regulatory Authority (VARA) has implemented requirements for certain insurance coverage for virtual asset service providers operating under its jurisdiction.

Such incidents often lead to legal actions from affected parties, with directors, IT staff and responsible persons potentially facing personal liability. Industry observers note that maintaining comprehensive documentation of security measures frequently proves critical in subsequent legal proceedings.

As cryptocurrency adoption continues to grow globally, with exchanges like Bybit expanding their regulatory footprint across jurisdictions including India, Georgia, Kazakhstan, and Turkey, the industry faces the dual challenge of fostering innovation while defending against increasingly sophisticated threats.

The Bybit hack serves as both a watershed moment for crypto security and a testament to the industry’s growing importance in global finance – important enough to attract the attention of nation-state actors with nuclear ambitions.