Anatomy of a Breach: Bybit — $1.4 Billion Stolen in the Largest Cryptocurrency Heist in History

> series: anatomy_of_a_breach —— part: 194 —— target: bybit —— stolen: $1,400,000,000 —— attacker: lazarus_group —— record: largest_crypto_heist_ever

Hedgehog Security 28 February 2025 13 min read

$1.4 billion. One transaction. The largest cryptocurrency theft in history.

In February 2025, cryptocurrency exchange Bybit suffered the largest cryptocurrency theft ever recorded — approximately $1.4 billion in Ethereum (ETH) stolen from the exchange's cold wallet infrastructure. The FBI subsequently attributed the attack to North Korea's Lazarus Group, the same state-sponsored unit behind the Ronin Network heist ($620M, 2022), the Bangladesh Bank SWIFT heist ($81M, 2016), and the Sony Pictures attack (2014).

The $1.4 billion theft more than doubled the previous cryptocurrency theft record set by the Ronin/Axie Infinity heist ($620M, 2022). The attackers compromised the multi-signature signing process for Bybit's cold wallet — manipulating the transaction so that what appeared to signers as a legitimate transfer was actually redirecting funds to attacker-controlled addresses. Bybit offered a 10% bounty on recovered funds. The theft fuelled a 303% increase in cryptocurrency theft in Q1 2025 compared to the previous quarter. North Korea's cyber theft programme — now responsible for billions in cumulative cryptocurrency theft — had reached a scale where it constituted a significant funding source for the regime's weapons programmes.

Bangladesh Bank (2016): $81M. Ronin (2022): $620M. Bybit (2025): $1.4B. The scale keeps doubling.

State-Sponsored Theft at Scale

North Korea's Lazarus Group has now stolen billions of dollars through cybercrime — from <a href="/blog/anatomy-of-a-breach-bangladesh-bank-swift">SWIFT bank heists</a> to <a href="/blog/anatomy-of-a-breach-ronin-axie">blockchain bridge exploits</a> to exchange wallet manipulation. The programme funds the regime's nuclear and missile programmes. <a href="https://www.cyber-defence.io/services/threat-intelligence">UK Cyber Defence's threat intelligence</a> tracks Lazarus Group operations.

Cold Wallet Signing Compromised

The attackers manipulated the multi-signature signing process — the security mechanism designed to prevent single-point-of-failure theft. When even cold wallet multi-sig can be compromised, cryptocurrency security must assume that every component of the signing process is a potential attack surface. Our <a href="/penetration-testing/web-application">application security testing</a> assesses transaction signing and approval workflows.
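The failure described above, a transaction that looked legitimate to the signers but sent funds elsewhere, is the kind of mismatch a signer can catch by decoding the raw payload independently of whatever the signing interface displays. The following is an added example and not Bybit's or any wallet vendor's code; it assumes the pending transaction is an ERC-20 `transfer(address,uint256)` call, and the token address, wallet addresses and allowlist are constructed for the demo.

```python
# Added example: signer-side check that decodes raw multi-sig calldata and refuses
# to sign when it disagrees with the UI summary or the pre-approved allowlist.
from dataclasses import dataclass

# Real, well-known 4-byte selector of ERC-20 transfer(address,uint256).
ERC20_TRANSFER_SELECTOR = "a9059cbb"

# Constructed addresses for the demo (not real contracts or wallets).
TOKEN = "0xcccccccccccccccccccccccccccccccccccccccc"
HOT_WALLET = "0x1111111111111111111111111111111111111111"
SUBSTITUTED = "0x2222222222222222222222222222222222222222"
ALLOWLIST = [HOT_WALLET]


@dataclass
class DecodedTransfer:
    token: str
    recipient: str
    amount_wei: int


def decode_transfer(to: str, data: str) -> DecodedTransfer:
    """Decode an ERC-20 transfer(address,uint256) call from raw hex calldata."""
    payload = data.lower().removeprefix("0x")
    # Selector (4 bytes) + two ABI-encoded 32-byte words; anything else is refused.
    if payload[:8] != ERC20_TRANSFER_SELECTOR or len(payload) != 8 + 64 + 64:
        raise ValueError("calldata is not a plain ERC-20 transfer; refuse to sign blind")
    recipient = "0x" + payload[32:72]  # address is right-aligned in its 32-byte word
    amount = int(payload[72:136], 16)
    return DecodedTransfer(token=to.lower(), recipient=recipient, amount_wei=amount)


def verify_against_display(to, data, displayed_recipient, displayed_amount_wei, allowlist):
    """Return (ok, reason): sign only if calldata matches the UI and the allowlist."""
    try:
        decoded = decode_transfer(to, data)
    except ValueError as exc:
        return False, str(exc)
    if decoded.recipient != displayed_recipient.lower():
        return False, f"recipient mismatch: UI shows {displayed_recipient}, calldata sends to {decoded.recipient}"
    if decoded.amount_wei != displayed_amount_wei:
        return False, "amount mismatch between UI and calldata"
    if decoded.recipient not in {a.lower() for a in allowlist}:
        return False, "recipient is not on the pre-approved allowlist"
    return True, "calldata matches displayed intent"


def build_transfer_calldata(recipient: str, amount_wei: int) -> str:
    """Constructed sample calldata for the demo (helper only, not for real signing)."""
    addr_word = recipient.lower().removeprefix("0x").rjust(64, "0")
    return "0x" + ERC20_TRANSFER_SELECTOR + addr_word + f"{amount_wei:064x}"


if __name__ == "__main__":
    honest = build_transfer_calldata(HOT_WALLET, 10**21)       # UI and payload agree
    tampered = build_transfer_calldata(SUBSTITUTED, 10**21)    # UI says hot wallet, payload says otherwise
    print(verify_against_display(TOKEN, honest, HOT_WALLET, 10**21, ALLOWLIST))
    print(verify_against_display(TOKEN, tampered, HOT_WALLET, 10**21, ALLOWLIST))
```

The check runs on the raw bytes the hardware or air-gapped signer will actually sign, so a compromised front end cannot change what it compares.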
303% Increase in Q1 Crypto Theft

The Bybit heist fuelled a 303% increase in cryptocurrency theft in Q1 2025. The success of high-profile thefts attracts further criminal investment in cryptocurrency attack capabilities. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for the anomalous transaction patterns that indicate cryptocurrency theft in progress.

Cryptocurrency Exchanges Are Prime Targets

Cryptocurrency exchanges hold concentrated digital assets accessible through software interfaces — making them the highest-value targets in the financial ecosystem. For UK organisations operating in cryptocurrency or digital assets, our <a href="/penetration-testing">penetration testing</a> addresses the unique security requirements of digital asset platforms. <a href="/cyber-essentials">Cyber Essentials</a> provides the baseline controls.

When a nation-state targets your assets, every security assumption must be tested.

The Bybit heist demonstrated that Lazarus Group's capabilities continue to scale — from $81 million (2016) to $620 million (2022) to $1.4 billion (2025). For organisations holding digital assets, the threat model must include state-sponsored adversaries with resources and patience that exceed commercial attackers. Penetration testing validates transaction security. Cyber Essentials provides the baseline. SOC in a Box monitors for anomalous transactions. And UK Cyber Defence provides incident response when state-sponsored theft is detected.


$1.4 billion stolen. By a nation-state. In one transaction. Are your digital assets secured?

<a href="/penetration-testing">Penetration testing</a> validates transaction security. <a href="/cyber-essentials">Cyber Essentials</a> provides the baseline. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors transactions.