North Korean hackers attacked the cryptocurrency exchange Bybit and stole approximately $1.5 billion worth of cryptocurrency. Below is a summary and analysis of key information from multiple sources.
1. Incident overview
On February 22, 2025, the cryptocurrency exchange Bybit suffered a massive hacking attack, with stolen assets amounting to approximately $1.4 to $1.5 billion, making it one of the most severe theft incidents in cryptocurrency history. According to Lookonchain data, Bybit's reserve assets before the attack were $16.2 billion, so the stolen assets accounted for about 8.64% of reserves. Reports differ between $1.4 billion and $1.5 billion; the discrepancy may come from differing valuation methods or rounding.
2. Attack methods and attribution of responsibility
- Initial suspicion of North Korean hackers: Yu Xian, founder of the security company SlowMist, assessed early in the incident that the attackers' method of compromising the Safe multi-signature wallet and their money-laundering patterns matched the characteristics of North Korean hacking groups, though conclusive evidence was lacking at the time.
- Confirmation of conclusive evidence: Subsequently, the blockchain analysis platform Arkham and independent investigator ZachXBT submitted a detailed evidence chain, including test transaction records, wallet correlation analysis, and forensic charts, confirming that the attack was orchestrated by the North Korean state-sponsored hacker organization Lazarus Group.
3. Background and historical connections of the Lazarus Group
The Lazarus Group is a hacker organization supported by the North Korean government that has repeatedly attacked cryptocurrency exchanges and DeFi protocols. For example, its 2023 attacks on projects such as Radiant Capital were widely documented. The attack methods in this incident are highly similar to those past cases, including exploiting weaknesses in multi-signature setups and using mixing services to launder the proceeds.
4. Industry impact and response measures
- Market shock: The incident has triggered widespread concern in the cryptocurrency market regarding the security of exchanges, especially the security of multi-signature wallets and smart contracts.
- Investigation and bounty: Arkham has established a special bounty program to assist in tracking the attackers, and relevant evidence has been submitted to the Bybit team for internal investigation and judicial accountability.
- User security recommendations: Some reports mention the role of AI tools in enhancing user asset security but do not disclose specific details.
5. Controversies and subsequent challenges
Although the attribution of responsibility has been initially clarified, SlowMist's Yu Xian emphasized that further judicial verification is still needed, jokingly stating, 'If misjudged, we are willing to apologize to the North Korean hackers,' reflecting the cautious attitude of security agencies in attribution. In addition, how the stolen assets were transferred through mixing services and whether they can be recovered remains a focus of industry concern.
Summary
This incident highlights the ongoing threat of nation-state hacker organizations to the cryptocurrency ecosystem and the vulnerability of exchange security protections. In the future, cross-platform collaboration, on-chain data analysis, and smart contract audits may become key means to defend against similar attacks.