$1.5 billion worth of Ethereum (ETH) was stolen in a sophisticated cyberattack on Bybit

A Guide to “the Largest Crypto Heist in History”

On February 21st 2025, $1.46 billion worth of Ethereum (ETH) was stolen in a sophisticated cyberattack on Bybit, one of the world’s most popular cryptocurrency exchange and trading platforms. It’s the largest heist in the industry’s history. In this post, we shed light on what happened and who is thought to be responsible.

What is Bybit?

Founded in 2018 and headquartered in Dubai, Bybit is the world’s second-largest cryptocurrency exchange by trading volume and has more than 60 million users worldwide.

It offers a range of services for buying, selling, and trading digital assets like Bitcoin (BTC), Ethereum (ETH), and other cryptocurrencies.

How did the attack occur?

According to Bybit, the hack occurred while the company was conducting a routine transfer of Ethereum. Hackers reportedly used phishing techniques to access a wallet and transfer the funds.

The stolen funds were then moved through a complex network of addresses and mixed to obscure their origin, making it harder for law enforcement to trace the stolen assets.

The consequences

The attack has severely damaged Bybit’s reputation and eroded customer trust. In the aftermath, hundreds of thousands of clients rushed to withdraw their funds, leading to over $4 billion in additional withdrawals and bringing the total outflow to $5.5 billion.

Bybit was forced to quickly secure emergency loans and large deposits to process the withdrawals, as the hackers had made off with roughly 70% of its clients’ Ethereum.

Between February 23rd and March 1st, Ethereum’s value fell by over 19%.

Who was responsible for the attack?

Cybersecurity experts and government agencies, such as the FBI, have identified the hackers as the Lazarus Group and TraderTraitor.

The Lazarus Group is a notorious hacking group allegedly linked to North Korea’s government. It is sometimes referred to as APT38, Hidden Cobra, or Kimsuky, among other names.

The group is known for its cyber espionage, financial theft, and disruptive cyber operations and has been blamed for previous large-scale heists, including the $615m theft from the blockchain project Ronin Group in 2022.

TraderTraitor is considered a subgroup or alias within the Lazarus Group. Like other Lazarus Group operations, TraderTraitor employs highly advanced cyber tactics, including phishing, malware, and advanced persistent threats (APTs).

A bounty hunt is underway

On February 25th 2025, Bybit CEO Ben Zhou posted on X, “Join us on war against Lazarus,” with a link to lazarusbounty.com.

The website presents a bounty scheme and explains that, each time stolen funds are traced and frozen, 5% of the total amount will be awarded to the person who traced the funds, and 5% will be awarded to the entity that froze the funds. This means up to $140 million is up for grabs. However, history indicates that recovering the stolen crypto is unlikely.

“The stolen funds have been transferred to untraceable or freezable destinations, such as exchanges, mixers, or bridges, or converted into stablecoins that can be frozen. We require cooperation from all involved parties to either freeze the funds or provide updates on their movement so we can continue tracing.”

$4,326,175 has already been awarded to 19 bounty hunters.
