What lessons can we learn from the largest cryptocurrency heist in history?
Written by: Zhou Zhou, Foresight News
This is the largest hacking theft in history.
The attack was carried out by Lazarus Group, the North Korean state-sponsored hacking group that has stolen over $4.5 billion in assets from financial institutions and crypto platforms over the past 10 years. The victim was Bybit, a top-3 global crypto exchange, which lost $1.46 billion, roughly a full year of its revenue.
The incident began around 10 pm on February 21, 2025 and lasted nearly 72 hours. During these harrowing 72 hours, Bybit and the entire crypto market faced a major test. It will undoubtedly become a landmark event that continues to affect the entire crypto ecosystem.
Bybit loses nearly $1.5 billion, the largest crypto heist in history
Bybit lost $1.46 billion (over 10 billion yuan), making this the largest hacking theft and robbery case in history.
The incident occurred while Bybit's Ethereum cold wallet was transferring funds to a hot wallet. The hackers somehow managed to interfere with the signing process of Safe, the multi-signature wallet. Bybit's cold wallet uses a multi-signature mechanism that requires the consent of four key holders, including CEO Ben Zhou, to execute transactions. This attack showed that the hackers were able to subvert that process, either by infiltrating the signers' devices or by forging a trusted front-end interface so that the signers unknowingly approved the malicious transactions.
Ultimately, about $1.46 billion worth of cryptocurrencies (including over 400,000 ETH and stETH) were stolen from Bybit's cold wallet.
This incident surpassed both the largest known theft in the traditional financial industry, the 2016 Iraq Central Bank theft (about $1 billion), and the previous largest crypto theft, the March 2022 Ronin Network attack (a loss of $620 million).
In a post-incident interview, Bybit CEO Ben Zhou reflected on the incident, saying: "I feel there are things I didn't do well, like we could have diversified the funds in our cold wallet instead of putting all the Ethereum in one wallet."
Many exchanges have been hacked in the past, including Binance ($569 million), FTX ($473 million), and KuCoin ($285 million). Some crypto exchanges have even gone bankrupt as a result of theft. The most famous case is the "Mt. Gox hack" in 2014, in which hackers stole 750,000 bitcoins worth about $473 million at the time, accounting for 7% of the total circulation, ultimately leading to the exchange's bankruptcy in February 2014. It's worth noting that after the Mt. Gox hack, the exchange chose to conceal the news for several days.
After this theft, Bybit CEO Ben Zhou was transparent almost immediately and released the latest updates online. Around 8 am on February 22nd, Ben Zhou stated that in the 10 hours since the attack, Bybit had experienced the most withdrawals in its history: it had received over 350,000 withdrawal requests, about 2,100 of which were still pending, and 99.994% of withdrawals had been processed.
Bybit addressed and resolved the issues promptly, and its transparent and efficient actions reassured many users. It also received help and support from fellow exchanges such as Bitget and Matcha and from industry veterans such as Du Jun, which helped it through its most difficult time.
Lazarus Group: a sword of Damocles hanging over everyone's head
The mastermind behind this attack has been identified as the Lazarus Group (a North Korean state-sponsored hacking organization), which has stolen $4.5 billion from crypto and financial institutions through hacking over the past 9 years.
Incomplete statistics show that since 2015, Lazarus Group has attacked and successfully stolen from more than 20 financial institutions and cryptocurrency platforms. As of February 2025, Lazarus Group's cumulative theft has exceeded $4.5 billion.
Initially, Lazarus Group focused more on traditional financial institutions, stealing $12 million from Ecuador's Banco del Austro in 2015 and $1 million from Vietnam's Tien Phong Bank in 2016. In 2016, they also organized the Bangladesh Central Bank theft ($81 million).
2017 was a turning point, as Lazarus Group gradually shifted its targets from financial institutions to crypto institutions. Its operations since then include the 2017 attack on the South Korean crypto exchange Bithumb (stealing $70 million in Bitcoin), the 2018 Malaysia Central Bank theft ($390 million), the 2018 hack of the Japanese crypto exchange Coincheck (stealing $530 million in cryptocurrencies), the 2021 crypto industry thefts (stealing $40 million from at least 7 crypto institutions), and the 2022 Ronin Network attack (stealing $620 million in ETH and USDC).
Lazarus Group has attacked prominent crypto institutions almost every year, its level of professionalism has steadily improved, and the sums stolen have grown larger and larger. Large crypto institutions can be expected to keep facing attacks from this group, and crypto practitioners will continue to face the risk of asset theft.
In conclusion
The crisis has passed its most difficult moment, but the impact on the future may continue.
After this theft, Bybit's assets saw a net outflow of $5.5 billion within a week. DefiLlama data shows that as of the evening of February 23rd, Bybit's 7-day net capital outflow had reached $5.5 billion, while its current total assets are $10.9 billion. In terms of total assets, it has now fallen behind Binance, OKX, and Bitget.
It's worth mentioning that the three crypto exchanges with the highest net inflows in the past 7 days are Binance ($2.15 billion), Bitfinex ($410 million), and HTX ($360 million). When other exchanges have problems, most users and funds flock to the top exchange, Binance, for safety.
Whether Bybit can regain user trust and recover the lost funds in the short term will be a concern for practitioners and users. Crypto exchange incidents are frequent, and almost all top exchanges have experienced major fund security incidents, so how to better prevent such problems or mitigate their severity will remain a focus for stakeholders for a long time.