The darkest moment in the history of the cryptocurrency world: a North Korean hacker group guts Bybit, and $1.5 billion disappears.

On February 21, 2025, the cryptocurrency industry suffered the largest hack in its history. North Korea's state-backed Lazarus Group compromised the web front end of the Safe multi-signature wallet that Bybit used for cold storage and walked away with ETH and stETH worth about $1.5 billion. The figure set a new record for cryptocurrency theft, and the method exposed a fatal weakness in infrastructure the entire industry relies on.

The attack chain is chilling. The hackers first compromised a Safe wallet developer's machine and used that access to inject malicious JavaScript into the Safe web front end, crafted so that it activated only for Bybit's wallet. When Bybit's signers opened what the interface displayed as a routine transfer from the cold wallet, the payload actually submitted for signature was different: a call whose Safe 'operation' field was set to delegatecall, pointing at an attacker-deployed contract. A delegatecall runs the target's code inside the Safe's own storage, so the attacker's contract overwrote the proxy's implementation slot with a malicious implementation whose functions simply sweep whatever the Safe holds. Three signers approved the transaction in the same session, which satisfied the wallet's threshold, and roughly 400,000 ETH and 90,000 stETH left the wallet within minutes. Note that delegatecall is not a bug in Safe; it is a documented operation type, and the signers had no independent view that it was being used, because their hardware wallets displayed only an opaque hash for blind signing.

Greece's anti-money laundering authority strikes, freezing $11.7 million, but $870 million remains missing.

Five months after the incident, Greece's anti-money laundering authority (AMLO) announced its first execution of a cryptocurrency asset freeze order: using the on-chain analysis tool Chainalysis to trace wallet addresses linked to the North Korean hackers, it froze about $11.7 million (10 million euros) of related funds and returned them to Bybit. It is the first time a national agency has directly intervened to recover funds from a cryptocurrency theft, and it signals that traditional financial regulators are formally reaching into Web3.

However, a larger problem is still unfolding: although Bybit says about $72 million (5% of the loss) has been frozen, more than $870 million has been pushed through mixers such as Wasabi and Tornado Cash and across cross-chain bridges, and remains untraced. The FBI warns that these funds will very likely be used to finance North Korea's nuclear weapons program, and the Lazarus Group's laundering pipeline grows more sophisticated with each incident.

A major earthquake in the cryptocurrency world: trust crisis, regulatory upgrades, and a technological revolution are imminent.

1. Are exchange security systems collapsing? The myth of the multi-signature wallet is shattered.

The Bybit incident destroyed the industry consensus that 'multi-signature wallets are absolutely secure'. Safe is the most widely used asset-management contract in the Ethereum ecosystem, and the on-chain contract itself behaved exactly as designed. What was altered was the off-chain front-end code that every signer used to review transactions, so three independent approvals became three approvals of the same lie, and the multi-signature process was reduced to ceremony. Bybit CEO Ben Zhou later reflected: 'We relied too heavily on third-party services and did not localize and deploy their code.' That gap let the hackers swap the real transaction for a fake one right under the signers' noses.

Industry insights:

Independent auditing of off-chain components is urgent: Safe's contracts are open source, but the web front end that signers actually interact with is delivered from third-party infrastructure with far less transparency. Exchanges should demand code-audit reports for such tools and, better, host a pinned, reviewed build of the front end themselves.

Hardware wallets are the last line of defense, but only if signers can see what they sign: the attack chain shows that a hardware device protects the private key, not the decision. If the device is fed a hash from a compromised front end and the signer approves it blind, the key faithfully authorizes the attacker's transaction and the multi-signature mechanism is defeated. Expect exchanges to move to hardware security modules (HSMs) and to signing flows that decode and display the full transaction on a trusted device.

2. The regulatory storm arrives: Greece's action opens a 'global fox hunt'.

Greece's freezing order is no isolated case. The U.S. Treasury has sanctioned the Lazarus Group, and the European Union is pushing revisions to the Markets in Crypto-Assets Regulation (MiCA) that would require exchanges to share suspicious-transaction data in real time. Two developments can be anticipated:

Cross-border cooperation becomes routine: multinational joint enforcement actions like Greece's will become the norm, and the hackers' 'funding safe havens' will be dismantled one by one.

Compliance costs soar: exchanges must invest far more in on-chain monitoring, and small and medium platforms may exit the market under the cost pressure.

3. User trust collapses: funds accelerate their flow to DEXs.

After the incident, Bybit's withdrawal volume surged 300%, while trading volume on decentralized exchanges such as Uniswap and dYdX rose 20% against the trend. Users voted with their feet, and the message was:

The CEX trust crisis deepens: if even a top-tier exchange can be drained, the security of small and medium platforms is in even greater doubt.

DeFi protocols see an opportunity, but caution is warranted: the Lazarus Group also targets DeFi protocols and cross-chain bridges, and stole about $235 million from a single exchange in 2024.

North Korean hackers' 'cryptocurrency war': the full industrial chain from theft to sanctions evasion.

An FBI report reveals that the Lazarus Group's operating model has become highly industrialized:

  1. Technical infiltration: phishing emails and malware are used to compromise target devices; three exchange developer systems have been compromised in 2025.

  2. Money laundering: mixers and cross-chain bridges disperse the assets, and some funds are converted to fiat through North Korea-backed 'ghost exchanges'.

  3. Funding the regime: the funds ultimately flow to North Korea's nuclear weapons program, closing the loop of 'hacker attacks - money laundering - military funding'.

Even more frightening is how invisible the attack was. No AI deepfake was needed: the hackers injected malicious JavaScript into the Safe web front end, crafted to activate only for Bybit's wallet, so the interface rendered the intended transfer while a different payload went to the signers' hardware wallets. Those devices showed only an opaque hash to approve (blind signing), so nothing the signers could see betrayed the substitution. This kind of 'unperceived attack' may well become the mainstream method in the future.

How can the cryptocurrency world save itself? The author offers three survival guidelines.

  1. To exchanges:

    • Immediately upgrade multi-signature processes: require hardware-wallet second verification on an independent device that decodes and displays the full transaction, and reject delegatecall operations from cold wallets by policy.

    • Publicly disclose audit reports for third-party tools and maintain a 'security whitelist' of vetted, self-hosted front ends.

  2. To users:

    • Keep large holdings in cold wallets, and rotate addresses after each transfer.

    • Beware of phishing pitches such as 'high-yield wealth management' and 'airdrop rewards'.

  3. To regulators:

    • Promote a unified global standard for tracing cryptocurrency assets.

    • Implement 'on-chain sanctions' for transactions involving North Korea and freeze associated addresses.


Click my avatar and follow me, and tell me your view of the current market in the comments. Opportunities and risks coexist in the cryptocurrency world; stay vigilant, and timing is everything.

#BTCNewAllTimeHigh