Mishcon de Reya

Bybit: the largest crypto heist in history spurs security reflections and challenges in laundering the proceeds

Posted on 11 March 2025

What happened? 

On 21 February 2025, attackers stole approximately $1.5 billion worth of cryptoassets from Bybit, a UAE-based crypto exchange, through a sophisticated attack that manipulated the wallet-signing interface the exchange relied on (described below). The scale of the theft is unprecedented and has drawn considerable attention to security practices in the industry.

The attack occurred during a routine transfer out of Bybit's "cold" wallet to a "hot" wallet. A cold wallet's private keys are kept offline, which protects them from remote compromise; a hot wallet's keys are kept online so that funds can be moved quickly, at the cost of greater exposure.

Safe is a widely used multi-signature (multi-sig) wallet for managing digital assets: a transaction is only executed once a threshold of designated signers has approved it. According to an analysis by the blockchain analytics firm Chainalysis, the attackers compromised a Safe developer's computer and used that access to manipulate the Safe user interface served to Bybit, inserting malicious code that made a fraudulent transaction appear legitimate to the people approving it. The multi-sig itself was not broken: the required signers did approve the transaction, because the interface misrepresented what they were signing.

During the transfer, Bybit's signers unknowingly approved the malicious transaction, which handed the attackers control of approximately 401,000 ETH, valued at nearly $1.5 billion.

The stolen assets were then dispersed through a network of intermediary addresses to obscure the trail, swapped into other assets such as Bitcoin and DAI, and moved across networks using decentralised exchanges and cross-chain bridges. A significant portion of the funds remains dormant, a common tactic for waiting out the period of heightened scrutiny that follows a major theft. The layering involved (intermediary addresses, token swaps and cross-chain movements) shows the effort required to launder proceeds of this size.

The FBI has attributed the theft to North Korean state-sponsored activity that it tracks as "TraderTraitor", a cluster associated with the infamous "Lazarus Group"; both names carry a long record of targeting cryptocurrency platforms and financial institutions.[1] The Lazarus Group is a threat actor attributed to the North Korean state rather than an ordinary criminal gang; it is known for its sophisticated cyber-attacks and has been active since at least 2009.

So what? 

This is the largest theft of cryptoassets on record, and it will no doubt have significant consequences for the business, its customers and the wider industry. The incident has already prompted calls for stronger safeguards around how multi-sig wallet transactions are presented to, and verified by, the people who sign them.

Industry experts have suggested several measures to prevent attacks like the Bybit incident. The first is improving transaction transparency and reducing "blind signing": authorising a transaction without full visibility of its contents, typically because the signing device (such as a hardware wallet) can only display an opaque hash or raw data rather than a readable summary, so the signer relies on whatever the accompanying software interface shows. Blind signing is adopted in some cases because of technical limitations of user interfaces, and in others for convenience. The alternative is "clear signing", in which the signing device itself decodes and displays the material details (recipient, amount, the contract function being called and the type of call) so that the signer verifies them on a trusted display before approval. The caveat is that clear signing only helps if signers actually compare those details against what they independently intended, rather than against a summary on the same screen that may have been tampered with.

Secondly, experts have recommended moving from traditional multi-signature (multi-sig) wallets to multi-party computation (MPC) wallets. In a multi-sig, each signer holds a complete private key and the on-chain contract collects the required number of signatures; in an MPC wallet a single private key is split into shares held by different parties, who jointly compute a signature without the full key ever existing in one place. MPC removes some single points of failure, but it does not by itself solve the problem seen here: if every share-holder approves a transaction as presented by a compromised interface, the result is still a valid signature over a malicious transaction.

Other recommended actions for the industry include enterprise governance with multi-level transaction approvals, allow-listing of destination wallet addresses so that transfers to unrecognised addresses are rejected by policy before anyone signs, and hardware-based verification of transaction details. Securing assets with off-exchange trading solutions can also reduce reliance on exchange wallets, which are attractive targets.
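The clear-signing and allow-listing recommendations above amount to one rule: decide whether to sign from the raw transaction fields, not from the picture a web interface draws. The following is an added example (not from this article, and not Safe's own code) of such a pre-signing check in Python. The field names follow Safe's execTransaction parameters (to, value, data, operation); every address, amount, allow-list and the hostile transaction are constructed for the example and are not the values from the incident.

```python
"""Added example (not from the Mishcon de Reya article, and not Safe's own code):
a pre-signing policy check that decodes the raw fields of a Safe-style multi-sig
transaction and compares them with what the signer independently intends, instead
of trusting the summary drawn by a web interface. The field names follow Safe's
execTransaction parameters (to, value, data, operation); every address, amount and
allow-list below is constructed for the example."""
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1
# 4-byte function selector of the ERC-20 transfer(address,uint256) call
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")

# Constructed placeholder addresses (not the addresses involved in the incident).
WARM_WALLET = "0x" + "11" * 20
TOKEN_CONTRACT = "0x" + "22" * 20
UNKNOWN_CONTRACT = "0x" + "de" * 20
ETH = 10**18  # wei per ETH


@dataclass(frozen=True)
class SafeTx:
    to: str          # contract or account the wallet will call
    value: int       # native ETH (in wei) sent with the call
    data: bytes      # calldata; empty for a plain ETH transfer
    operation: int   # 0 = CALL, 1 = DELEGATECALL


def norm(addr: str) -> str:
    return addr.lower()


def decode_erc20_transfer(data: bytes):
    """Decode transfer(address,uint256) calldata into (recipient, amount), else None.

    ABI layout: 4-byte selector, then two 32-byte words; the address sits in the
    low 20 bytes of the first word.
    """
    if len(data) != 68 or data[:4] != TRANSFER_SELECTOR:
        return None
    recipient = "0x" + data[16:36].hex()
    amount = int.from_bytes(data[36:68], "big")
    return recipient, amount


def check_before_signing(tx: SafeTx, intended_to: str, intended_amount: int,
                         allowlist, max_value: int) -> list:
    """Return the policy violations for tx; an empty list means it may be signed."""
    allowed = {norm(a) for a in allowlist}
    problems = []
    if tx.operation != CALL:
        # A delegatecall runs the target's code with the wallet's own storage and
        # identity, so it can change anything about the wallet; a treasury policy
        # should reject it outright rather than try to reason about the target.
        problems.append("operation is DELEGATECALL rather than a plain CALL")
    if norm(tx.to) not in allowed:
        problems.append(f"destination {tx.to} is not on the allow-list")
    if tx.value > max_value:
        problems.append("native value exceeds the per-transaction limit")
    if not tx.data:
        # Plain ETH transfer: the raw fields must equal the signer's own intent.
        if norm(tx.to) != norm(intended_to):
            problems.append("recipient differs from the intended recipient")
        if tx.value != intended_amount:
            problems.append("amount differs from the intended amount")
    else:
        decoded = decode_erc20_transfer(tx.data)
        if decoded is None:
            problems.append("calldata is not a recognised ERC-20 transfer")
        else:
            recipient, amount = decoded
            if norm(recipient) != norm(intended_to) or norm(recipient) not in allowed:
                problems.append("token recipient is not the intended, allow-listed recipient")
            if amount != intended_amount:
                problems.append("token amount differs from the intended amount")
        if tx.value != 0:
            problems.append("native value attached to a token transfer")
    return problems


def run_demo():
    """Two transactions whose on-screen summaries could both read
    'send 30,000 ETH to the warm wallet'; only the raw fields tell them apart."""
    allowlist = [WARM_WALLET, TOKEN_CONTRACT]
    limit = 50_000 * ETH
    intended_amount = 30_000 * ETH
    good = SafeTx(to=WARM_WALLET, value=intended_amount, data=b"", operation=CALL)
    # Constructed hostile case: a transfer-shaped payload whose decoded recipient and
    # amount look right, but delivered by DELEGATECALL to an unrecognised contract.
    payload = (TRANSFER_SELECTOR + bytes(12) + bytes.fromhex("11" * 20)
               + intended_amount.to_bytes(32, "big"))
    bad = SafeTx(to=UNKNOWN_CONTRACT, value=0, data=payload, operation=DELEGATECALL)
    return (check_before_signing(good, WARM_WALLET, intended_amount, allowlist, limit),
            check_before_signing(bad, WARM_WALLET, intended_amount, allowlist, limit))


if __name__ == "__main__":
    for label, result in zip(("intended", "hostile"), run_demo()):
        print(label, "->", "OK to sign" if not result else result)
```

The point of the hostile case is that a check which only compares the recipient and amount a screen reports would pass it; the operation type and the actual call destination are what give it away, which is why they must come from the decoded transaction and be shown on a trusted device rather than inferred from the interface that produced the transaction.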

In the event of an attack, pausing withdrawals and conducting a thorough investigation are crucial to preventing further losses. These measures, combined with strong leadership and crisis management, can help build a more secure and resilient crypto industry.

Bybit themselves have been praised for their clear and transparent communications and for the steps they took to contain the incident and minimise losses, demonstrating the value of having a pre-rehearsed incident response procedure and communications strategy.

The real challenge now facing the attackers is laundering the proceeds. The relatively transparent nature of public blockchains means that the funds can be monitored, traced and, when they reach a regulated intermediary, potentially frozen. The FBI has also urged exchanges, bridges and other service providers in the crypto space to block transactions linked to addresses associated with the heist, further frustrating the "cashing out" of the funds.
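The tracing the article refers to rests on the fact that every hop through intermediary addresses is recorded. As an added example (not from this article, and not the methodology of Chainalysis, the FBI or any other analytics provider), the Python below replays a constructed ledger with a "haircut" taint model, in which each transfer carries the sender's current tainted proportion, then reports where the tainted funds sit: at self-custodied addresses that have gone dormant, or at services that can act on a blocking request. The ledger, the address names and the set of addresses labelled as services are all constructed; real tracing across swaps and bridges also has to account for asset conversions, which this example does not model.

```python
"""Added example (not from the Mishcon de Reya article): following stolen funds
through intermediary addresses with a "haircut" taint model, in which each
transfer carries the sender's current tainted proportion. The ledger, addresses
and service labels are all constructed for the example."""
from collections import defaultdict
from fractions import Fraction

# Constructed: addresses treated as regulated or identifiable services where funds
# can be frozen or blocked on request, as opposed to self-custodied addresses.
KNOWN_SERVICES = {"dex", "exchange"}

# Constructed ledger in chronological order: (sender, recipient, amount).
TRANSFERS = [
    ("theft", "hop1", 1000),
    ("theft", "hop2", 500),
    ("hop1", "hop3", 400),
    ("hop1", "dex", 600),       # swapped through a decentralised exchange ...
    ("dex", "hop4", 600),       # ... and withdrawn to a fresh address
    ("clean", "hop3", 400),     # unrelated funds commingled at hop3
    ("hop3", "exchange", 800),  # mixed funds deposited at a centralised exchange
]


def propagate_taint(transfers, tainted_seed, clean_seed):
    """Replay transfers, moving taint in proportion to the sender's tainted share.

    Returns (balance, tainted, outgoing_count) per address, using Fractions so
    that proportions stay exact instead of drifting with floating point.
    """
    balance = defaultdict(Fraction)
    tainted = defaultdict(Fraction)
    outgoing = defaultdict(int)
    for addr, amount in tainted_seed.items():
        balance[addr] += amount
        tainted[addr] += amount
    for addr, amount in clean_seed.items():
        balance[addr] += amount
    for sender, recipient, amount in transfers:
        if amount <= 0 or amount > balance[sender]:
            raise ValueError(f"invalid transfer of {amount} from {sender}")
        share = tainted[sender] / balance[sender]  # tainted fraction of sender's funds
        moved = share * amount
        balance[sender] -= amount
        tainted[sender] -= moved
        balance[recipient] += amount
        tainted[recipient] += moved
        outgoing[sender] += 1
    return balance, tainted, outgoing


def classify_holdings(transfers, tainted_seed, clean_seed):
    """Return (holdings, dormant, at_services):
    holdings    -> {address: (balance, tainted)} for every address still holding taint
    dormant     -> self-custodied tainted addresses with no outgoing transfers yet
    at_services -> tainted addresses at services that can act on a blocking request
    """
    balance, tainted, outgoing = propagate_taint(transfers, tainted_seed, clean_seed)
    holdings = {a: (balance[a], tainted[a]) for a in balance if tainted[a] > 0}
    dormant = sorted(a for a in holdings if outgoing[a] == 0 and a not in KNOWN_SERVICES)
    at_services = sorted(a for a in holdings if a in KNOWN_SERVICES)
    return holdings, dormant, at_services


def run_demo():
    # Seed: 1500 units stolen at "theft"; 400 legitimate units held at "clean".
    return classify_holdings(TRANSFERS, {"theft": 1500}, {"clean": 400})


if __name__ == "__main__":
    holdings, dormant, at_services = run_demo()
    for addr, (bal, taint) in sorted(holdings.items()):
        print(f"{addr:9} balance={bal} tainted={taint}")
    print("dormant:", dormant, "| at services:", at_services)
```

On this ledger the funds parked at hop2 and hop4 are fully tainted and dormant, while the deposit at the exchange is only half tainted because legitimate funds were mixed in at hop3; that partial figure is exactly the kind of result a service receiving a blocking request has to weigh, and it is why commingling is part of the laundering playbook.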
