Bybit suffers record-breaking $1.5 billion cryptocurrency heist

Bybit, one of the world’s leading cryptocurrency exchanges, has fallen victim to the largest crypto heist in history, with cybercriminals siphoning over $1.5 billion worth of Ethereum (ETH) and staked Ethereum (stETH) from one of its offline wallets. The breach, which exploited vulnerabilities in Bybit’s ETH cold wallet system, surpasses previous high-profile attacks such as the Ronin Network ($625 million), Poly Network ($611 million), and BNB Bridge ($566 million) incidents.

According to Bybit, the attack occurred when an unauthorized transfer was executed from an ETH multisig cold wallet to a warm wallet. The sophisticated cyberattack involved a manipulation of the signing interface, deceiving the system by displaying the correct address while altering the underlying smart contract logic. As a result, the threat actors were able to redirect funds to an unidentified wallet without detection until the transaction had been completed.

Bybit promptly released a statement on X (formerly Twitter), confirming the breach and assuring customers that the company’s security team, alongside leading blockchain forensic experts and industry partners, is actively investigating the incident. The company emphasized that all other cold wallets remain secure and that customer funds are protected, with operations continuing without disruption. Transparency and security remain top priorities, and Bybit pledged to provide updates as the investigation progresses.

Industry speculation suggests that the attack may have stemmed from a vulnerability in the Safe.global platform’s user interface. However, Bybit has not yet disclosed technical details regarding the suspected exploit.

Despite the massive financial blow, Bybit CEO Ben Zhou reassured customers that the exchange remains financially stable. He stated that Bybit manages over $20 billion in assets and has access to bridge loans if necessary to ensure uninterrupted access to user funds.

Blockchain cybersecurity firm Elliptic has attributed the attack to the North Korea-linked advanced persistent threat (APT) group Lazarus. The firm’s co-founder, Tom Robinson, highlighted the scale of the heist, calling it potentially the largest single theft of any kind. Elliptic, alongside law enforcement agencies and other exchanges, is working to trace and freeze the stolen funds in an effort to mitigate further illicit transactions.

Cybersecurity firm Arkham Intelligence has also pointed to the Lazarus Group as the likely perpetrators behind the attack. The North Korean hacking collective, active since at least 2009 and possibly as early as 2007, has a long history of sophisticated cyberattacks, including cyber espionage, financial theft, and destructive operations. The group has been linked to major breaches such as the Sony Pictures hack, the DarkSeoul Operation, and the Troy Operation, as well as previous large-scale thefts from banks and cryptocurrency exchanges.