IN SIMPLE LANGUAGE for SIMPLE CRYPTO INVESTORS.

The $1.4B Bybit Hack: How Lazarus Pulled It Off

On February 21, 2025, Bybit was hacked for $1.4B in ETH—one of the biggest crypto heists ever. Despite having $16.2B in reserves and multi-signature cold wallets, 401,347 ETH was drained from a secure cold wallet.

Bybit’s Response

Bybit CEO Ben Zhou acted fast:
🔹 Secured a bridge loan covering 80% of losses
🔹 Confirmed user funds were safe
🔹 Kept withdrawals open, despite $1.5B in outflows

They proved their reserves were real, but the damage was done.

Who Was Behind It?

On-chain analyst @zachxbt traced the stolen ETH to Lazarus Group, a North Korean cybercrime unit. Key evidence:
🔹 Test transactions before the exploit
🔹 Wallet connections to past Lazarus hacks
🔹 Transaction timing matching previous attacks

The Hack Explained

Lazarus didn’t breach Bybit’s servers—they tricked Bybit’s own signers into handing over control.

Step 1: The hackers mirrored Bybit’s signing page, making transactions look normal.
Step 2: When Bybit’s signers approved the transaction, they unknowingly modified the wallet’s contract code, giving hackers full control.
Step 3: The stolen ETH was split into 53 wallets.

What’s Next?

Bybit and law enforcement are tracking the funds, but Lazarus is already trying to launder them.

Lessons Learned

🔹 Even the biggest exchanges can get hacked.
🔹 Not your keys = Not your coins.
🔹 Cold storage isn’t foolproof.

That's it, hope you all understand.