ByBit Hack: Post Mortem from HYDN Security

On February 21, 2025, cryptocurrency exchange Bybit suffered a catastrophic security breach, resulting in the theft of approximately $1.5 billion. The attack has been attributed to North Korean state-sponsored hackers, specifically the Lazarus Group. This breach, surpassing the combined cryptocurrency thefts by North Korean actors in 2024, highlights the growing sophistication of supply chain attacks in the blockchain industry. This post-mortem examines how the attack unfolded, who was behind it, and what defenders should take from it.
The cryptocurrency world was rocked by the largest digital heist in history when cryptocurrency exchange Bybit lost approximately $1.5 billion on February 21, 2025. This unprecedented breach has been formally attributed to North Korean state-sponsored hackers, specifically the notorious Lazarus Group. The attack, which surpasses all North Korean cryptocurrency thefts in 2024 combined, exposes critical vulnerabilities in cryptocurrency infrastructure and highlights the growing sophistication of nation-state threat actors. This comprehensive post-mortem examines how the attack unfolded through a supply chain compromise, explores the capabilities of the Lazarus Group, and discusses the significant risks that Advanced Persistent Threat (APT) groups pose to organizations worldwide.
HYDN is a team of cybersecurity experts with significant experience in senior roles at major organizations like Cisco, IBM X Force, NYSE, and Alert Logic. Our team's breadth of experience ensures that we understand the intricacies of cybersecurity challenges faced by large organizations.
HYDN’s founder, Warren Mercer, has been involved in uncovering some of the biggest cyber attacks in the past decade, including the 2018 Olympic Destroyer attack, labelled the “Most Deceptive Hack in History” by WIRED.
Warren has discussed his role in uncovering the perpetrators in many speaking and media engagements including on the BBC Podcast “Lazarus Heist” and in the documentary Tomorrow Unlocked.
HYDN's Advanced Adversarial Simulation service enables companies to simulate a tailored attack aimed at circumventing traditional network controls. HYDN's team uses the same tactics, tools, techniques and mindsets as attackers such as Lazarus Group to uncover weaknesses and help you fix vulnerabilities. With HYDN, you can stay ahead of attackers and protect you and your customers' valuable data.
HYDN have worked with a number of huge names in both Web2 and Web3 including Consensys, Metamask, a16z, SushiSwap, Bittrex Global, Sablier, and many more.
The unprecedented $1.5 billion theft from Bybit marks a watershed moment in cryptocurrency security history. The U.S. Federal Bureau of Investigation has formally attributed this attack to North Korean threat actors, specifically a cluster they track as TraderTraitor, which is also known by several other names including Jade Sleet, Slow Pisces, and UNC4899. This attribution follows a pattern of increasingly ambitious cryptocurrency heists by North Korean hackers, who stole approximately $1.34 billion across 47 incidents throughout 2024. The February attack against Bybit alone exceeds this entire annual figure, representing a dramatic escalation in both scale and impact.
The foundation for the attack was methodically established days before the actual theft occurred. According to forensic analysis by security firm Verichains, the attackers initiated their operation on February 19, 2025, at 15:29:25 UTC, when they managed to replace a benign JavaScript file on app.safe.global with malicious code specifically designed to target Bybit's Ethereum Multisig Cold Wallet. This precision targeting demonstrates the attackers' detailed understanding of Bybit's infrastructure and transaction processes.
The attack preparation continued when, on February 20, 2025, at 22:21:57, the Lazarus Group registered a suspicious domain - bybit-assessment.com - just hours before the actual cryptocurrency theft took place. This domain was registered using an email address previously linked to Lazarus Group operations, creating a connection to their earlier campaigns. The attack itself was triggered on February 21, 2025, at 14:13:35 UTC, during what appeared to be a routine transfer from Bybit's Ethereum cold wallet to a hot wallet. Instead of the intended transaction completing normally, the compromised system redirected approximately 401,000 ETH—valued at nearly $1.5 billion—to addresses controlled by the attackers.
The investigation by multiple security firms has revealed that this breach originated not through a direct attack on Bybit's systems, but through a sophisticated supply chain compromise targeting Safe{Wallet}, the multisignature wallet platform used by Bybit for securing its cryptocurrency holdings. Forensic investigations conducted by security firms Sygnia and Verichains identified malicious code originating from Safe{Wallet}'s infrastructure as the root cause of the breach. Safe{Wallet} later confirmed that the attack "was achieved through a compromised machine of a Safe{Wallet} developer resulting in the proposal of a disguised malicious transaction."
The technical mechanics of the attack involved sophisticated phishing attacks against cold wallet signers, leading them to sign malicious transactions that effectively replaced the Safe's multi-signature wallet implementation contract with a malicious version controlled by the attackers. Security experts suspect that the AWS S3 or CloudFront account/API Key of Safe.Global was likely leaked or compromised, thereby creating the entry point for this supply chain attack. This demonstrates the Lazarus Group's sophisticated understanding of cryptocurrency infrastructure and their ability to identify and exploit vulnerabilities in trusted service providers rather than attempting to breach more heavily fortified primary targets.
After successfully exfiltrating the funds, the attackers employed a sophisticated strategy to obscure the money trail. According to blockchain analytics firm Chainalysis, which is assisting in the investigation, "TraderTraitor actors are proceeding rapidly and have converted some of the stolen assets to Bitcoin and other virtual assets dispersed across thousands of addresses on multiple blockchains." The FBI further noted that "it is expected these assets will be further laundered and eventually converted to fiat currency."
The hackers implemented a complex laundering operation that involved swapping significant portions of the stolen ETH for tokens including Bitcoin and DAI. They leveraged decentralized exchanges, cross-chain bridges, and no-KYC instant swap services to move assets across networks in an attempt to obscure the trail. A notable portion of the stolen funds has remained dormant across various addresses—a deliberate strategy often employed by North Korean hackers to outlast the heightened scrutiny that typically follows such high-profile breaches.
The attack on Bybit bears all the hallmarks of the Lazarus Group, one of the most formidable and effective state-sponsored hacking groups in the world. Operating under the control of North Korea's Reconnaissance General Bureau, this group has evolved from conducting politically motivated attacks to orchestrating sophisticated financial heists that serve as a crucial revenue stream for the heavily sanctioned North Korean regime.
The Lazarus Group has undergone a strategic evolution in recent years, shifting from politically motivated attacks to financially driven operations with a particular emphasis on cryptocurrency platforms. This transformation reflects North Korea's strategic decision to use cyber operations as a means of evading international sanctions and generating foreign currency. North Korea-linked actors are estimated to have stolen over $6 billion in crypto assets since 2017. This staggering figure underscores the effectiveness of their operations and the significant threat they pose to financial institutions worldwide.
The group's capabilities have grown steadily more sophisticated, as evidenced by their increasing success rate and the growing magnitude of their thefts. According to Chainalysis data, in 2024 alone, North Korean hackers stole approximately $1.34 billion across 47 incidents—a 102.88% increase from the $660.5 million stolen in 2023. The recent Bybit hack, at $1.5 billion, exceeds all of their 2024 cryptocurrency thefts combined, demonstrating a significant escalation in both their capabilities and ambitions.
The Lazarus Group employs a diverse arsenal of tactics, techniques, and procedures (TTPs) that blend sophisticated technical exploits with elaborate social engineering. The group has developed particular expertise in targeting companies in the Web3 sector, often tricking victims into downloading malware-laced cryptocurrency applications to facilitate theft. They have also demonstrated proficiency in orchestrating job-themed social engineering campaigns that lead to the deployment of malicious npm packages.
The TraderTraitor cluster specifically attributed to the Bybit attack has previously been implicated in other significant cryptocurrency thefts, including the $308 million heist from cryptocurrency company DMM Bitcoin in May 2024. This establishes a pattern of behavior and expertise in targeting cryptocurrency exchanges. The recent investigation has uncovered connections to another Lazarus Group campaign dubbed "Contagious Interview," where victims are typically approached via LinkedIn and socially engineered into participating in fake job interviews that serve as an entry point for targeted malware deployment, credential harvesting, and further compromise.
The Bybit attack vividly illustrates the significant risks that APT groups like Lazarus pose to organizations, particularly those operating in the financial and cryptocurrency sectors. These threats are characterized by their persistence, sophistication, and the substantial state resources backing their operations.
One of the most concerning aspects of the Bybit breach is how it effectively exploited supply chain vulnerabilities. Even organizations with robust internal security measures remain vulnerable if their trusted partners and service providers have exploitable weaknesses. The attack demonstrates that security is only as strong as the weakest link in an interconnected ecosystem of services and providers. In this case, Bybit's security was compromised not through a direct attack on their infrastructure but through a trusted third-party wallet provider.
This pattern of supply chain compromise has become increasingly common in APT operations. By targeting less-secure entities in the supply chain that have legitimate access to the primary target, attackers can bypass sophisticated security controls. For cryptocurrency organizations, this means that comprehensive security requires not only securing internal systems but also conducting thorough due diligence on all vendors and partners with access to critical assets or infrastructure.
State-sponsored threat actors like the Lazarus Group present unique challenges for defenders. Unlike financially motivated criminal groups, these actors operate with the resources and backing of a nation-state, giving them capabilities that exceed those of typical cyber criminals. They have virtually unlimited time to plan and execute attacks, substantial financial resources, and in some cases, the ability to develop or purchase zero-day exploits.
These groups can conduct extensive reconnaissance on targets, craft highly convincing social engineering campaigns, and patiently wait for the perfect opportunity to strike. Traditional security approaches that focus primarily on technological defenses often fail against such adversaries because even the most sophisticated technical controls can be circumvented if attackers can successfully manipulate authorized users through social engineering. The Bybit incident demonstrates how even specialized cryptocurrency security companies with significant resources can fall victim to these tactics.
The direct financial impact of APT attacks can be devastating. The $1.5 billion loss from the Bybit attack represents one of the largest thefts of any kind in history. While Bybit has committed to covering customer losses, such incidents can threaten the solvency of affected organizations and damage confidence in the broader cryptocurrency ecosystem. Beyond immediate financial losses, these attacks carry significant reputational damage that can have long-lasting effects on customer trust and company valuation.
In response to the breach, Bybit has launched a bounty program to help recover the stolen funds, offering rewards to those who can assist in retrieving the cryptocurrency. Through industry collaboration, including efforts by Chainalysis and other security firms, more than $40 million in stolen funds have already been frozen. However, this represents less than 3% of the total stolen amount, highlighting the challenges in recovering assets once they've been stolen.
Defending against sophisticated threats like the Lazarus Group requires a proactive, multi-layered approach to security. Organizations must move beyond compliance-focused security postures to adoption of adversarial thinking and assumption-of-breach mentalities.
One of the most effective ways to test security defenses against APT groups is through adversarial simulation. These exercises, often called red team assessments, involve ethical hackers simulating real-world attacks against an organization's people, processes, and technology. By mimicking the tactics, techniques, and procedures of groups like Lazarus, organizations can identify weaknesses before real attackers exploit them.
Effective adversarial simulations go beyond traditional penetration testing by encompassing the full attack lifecycle, including social engineering, persistence mechanisms, and data exfiltration techniques. For cryptocurrency organizations, these exercises should specifically simulate the types of supply chain attacks and social engineering campaigns that the Lazarus Group has utilized successfully in the past.
Developing a deep understanding of how specific threat actors operate is crucial for building effective defenses. Threat intelligence focused on the Lazarus Group's techniques allows organizations to implement targeted countermeasures against their most likely attack vectors. For cryptocurrency organizations, this means developing specific defenses against the social engineering tactics commonly employed by Lazarus, implementing robust multi-party computation for transaction approvals, and establishing anomaly detection systems that can identify unusual transaction patterns.
The intelligence gathered from incidents like the Bybit hack provides valuable insights into the evolving tactics of North Korean threat actors. Organizations should leverage this intelligence to continuously update their defensive posture and security awareness training programs to address the latest techniques being employed by these sophisticated adversaries.
The Bybit incident highlights the importance of implementing both technical and procedural controls to mitigate the risk of supply chain attacks. Key measures include implementing hardware security modules for critical key storage, requiring out-of-band verification for high-value cryptocurrency transactions, and establishing time-locks and transaction limits that provide opportunity for human review before large transfers are processed.
Additionally, organizations should conduct regular security assessments of all third-party services with access to critical systems, implement a zero-trust architecture that verifies all access attempts (even from trusted partners), and develop incident response playbooks specifically for cryptocurrency theft scenarios. These measures, when implemented as part of a comprehensive security program, can significantly reduce the risk of successful attacks.
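The controls above (allowlisted destinations, transaction limits, time-locks and out-of-band review) can be enforced as a policy check that each signer runs independently of the wallet front end, which matters because the Bybit signers were shown a routine transfer while signing a transaction that swapped the Safe's implementation contract. The following is an added illustration, not code from Bybit, Safe{Wallet} or HYDN; the addresses and limits are constructed placeholders, and it assumes the signer reads the transaction fields from a source the web UI cannot tamper with, such as the hardware wallet display.

```python
# Independent pre-signing policy check for a Safe-style multisig transaction.
# Added illustration, not code from Bybit, Safe{Wallet} or HYDN. It assumes each
# signer reads the four fields (to, value, data, operation) from a source that is
# independent of the web front end, e.g. the hardware wallet display, so a
# tampered UI cannot hide what is actually being signed.
from dataclasses import dataclass, field
from typing import List, Set

CALL, DELEGATECALL = 0, 1

@dataclass
class SafeTx:
    to: str          # destination address
    value_wei: int   # native ETH value in wei
    data: bytes      # calldata (empty for a plain transfer)
    operation: int   # 0 = CALL, 1 = DELEGATECALL

@dataclass
class Policy:
    allowed_destinations: Set[str]  # known hot wallets / contracts
    review_limit_wei: int           # above this, hold and verify out-of-band
    timelock_seconds: int           # hold period before execution

@dataclass
class Verdict:
    approved: bool
    hold_seconds: int = 0
    blocked: List[str] = field(default_factory=list)
    review: List[str] = field(default_factory=list)

def check_tx(tx: SafeTx, policy: Policy) -> Verdict:
    blocked, review = [], []
    # DELEGATECALL runs foreign code inside the Safe's own storage, which is what
    # lets a signed "transfer" swap the wallet's implementation contract. A routine
    # cold-to-hot transfer never needs it, so reject it outright.
    if tx.operation == DELEGATECALL:
        blocked.append("operation is DELEGATECALL; transfers must use CALL")
    if tx.to.lower() not in {a.lower() for a in policy.allowed_destinations}:
        blocked.append(f"destination {tx.to} is not on the allowlist")
    # A plain ETH transfer carries no calldata; any bytes mean a contract call.
    if tx.value_wei > 0 and tx.data:
        blocked.append("value transfer carries calldata; expected empty data")
    if tx.value_wei > policy.review_limit_wei:
        review.append("value exceeds review limit; confirm out-of-band before release")
    hold = policy.timelock_seconds if review else 0
    return Verdict(approved=not blocked, hold_seconds=hold, blocked=blocked, review=review)

# Constructed sample: one routine transfer, one large transfer, one disguised upgrade.
HOT_WALLET = "0x1111111111111111111111111111111111111111"   # placeholder address
POLICY = Policy({HOT_WALLET}, review_limit_wei=10_000 * 10**18, timelock_seconds=6 * 3600)
ROUTINE = SafeTx(HOT_WALLET, 500 * 10**18, b"", CALL)
LARGE = SafeTx(HOT_WALLET, 30_000 * 10**18, b"", CALL)
DISGUISED = SafeTx("0x2222222222222222222222222222222222222222", 0, b"\xde\xad\xbe\xef", DELEGATECALL)
```

A blocked verdict should stop the signer regardless of what the UI displays; a review verdict releases the transfer only after the hold period and an out-of-band confirmation.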
The $1.5 billion Bybit hack represents a watershed moment in cryptocurrency security and illustrates the evolving threat landscape facing financial institutions. The sophisticated supply chain attack perpetrated by North Korea's Lazarus Group demonstrates both the technical capabilities of state-sponsored threat actors and the catastrophic impact they can have on targeted organizations.
As cryptocurrency adoption continues to grow, the incentives for attacks like these will only increase. Organizations must recognize that traditional security approaches are insufficient against APT groups with the resources, patience, and expertise of the Lazarus Group. Instead, a proactive security posture that incorporates adversarial simulation, threat intelligence, and defense-in-depth strategies is essential for protecting digital assets in this increasingly hostile environment.
The industry response to the Bybit hack, including the rapid attribution to North Korean actors and the freezing of some stolen assets, demonstrates the potential for collaborative security efforts. However, the incident serves as a sobering reminder that in the world of cryptocurrency security, defenders must get everything right, while attackers only need to succeed once. As we move forward, the lessons learned from this incident should inform more robust security practices across the cryptocurrency ecosystem and other financial sectors that may be targeted by these sophisticated state-sponsored threat actors.
At HYDN, we are not just another cybersecurity company. We are your partners in defending against complex cyber threats. Here’s why you should choose HYDN for your adversarial simulation needs:
We recognize that each organization is unique, with its own specific security needs and challenges. Our adversarial simulation services are highly customized to fit your specific environment and security requirements. We don’t believe in a one-size-fits-all approach; instead, we tailor our simulations to provide the most value and impact.
Adversarial simulation helps organizations:
For more information about our services and how we can help you strengthen your cybersecurity defenses, visit our website at HYDN.
Secure your future with HYDN, where cybersecurity is not just our business; it’s our mission.