On February 21, 2025, the crypto world was rocked by the largest heist in its history. Bybit, a major cryptocurrency exchange, lost a staggering $1.4 billion in Ethereum (ETH) and related tokens to North Korea’s infamous Lazarus Group. This wasn’t just a random hack—it was a meticulously planned operation that exploited Bybit’s multisig wallet system, leaving the community scrambling and the exchange fighting to reassure users. Now, as the stolen funds start moving toward Bitcoin and a reward hangs in the balance, here’s what we know about how it happened, the theories behind it, and how the crypto ecosystem is responding.
The Heist: A Multisig Masterstroke
The breach targeted Bybit’s Ethereum multisig cold wallet—a storage system designed to be ultra-secure by requiring multiple signers to approve any transaction. Cold wallets are kept offline to protect against hacks, and multisig adds an extra layer by needing consensus from several key holders. So how did Lazarus bypass this fortress?
According to Bybit CEO Ben Zhou, the attack unfolded during a routine transfer from the cold wallet to a warm wallet (one connected to the internet for faster access). The attackers used a sophisticated technique dubbed “blind signing.” Here’s the gist: the signers—Bybit employees or systems responsible for approving the transfer—saw a user interface (UI) that looked legitimate. It displayed the correct destination address and even used a URL tied to Safe, a trusted multisig platform. But behind the scenes, the signing message was tampered with. Instead of approving a standard transfer, the signers unknowingly greenlit a change to the smart contract logic, handing full control of the wallet to the attackers. Within an hour, 400,000+ ETH—worth over $1.4 billion—vanished into wallets controlled by Lazarus.
Theories abound about how Lazarus pulled this off. One leading idea is social engineering, a tactic the group has mastered in past attacks like the $600 million Ronin Network hack in 2022. They might have phished Bybit’s signers with fake emails, job offers, or even a spoofed Safe interface that tricked them into logging in. Once the signers entered their credentials, Lazarus could have injected malicious code to alter the transaction. Another theory suggests an inside job or compromised insider intel—how else could they know exactly who to target and when the transfer was happening? Posts on Crypto Twitter have pointed out that every signer approved the transaction, implying Lazarus had precise knowledge of Bybit’s team or processes. A third possibility is a supply chain attack, where Lazarus hacked a third-party tool (like Safe) used by Bybit, though Safe hasn’t reported any breaches.
What’s chilling is that there was no code exploit or stolen private keys—just human error, exploited with surgical precision. The multisig system, meant to be a safeguard, became the weak link when the people behind it were deceived.
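The blind-signing failure described above comes down to signers approving a payload they never inspected independently of the UI. As an added example (not Bybit's or Safe's code), this Python check compares the fields of a Safe-style transaction (to, value, data, operation) against the transfer the signer intended; the Proposal class, the review function and all sample addresses are constructed for illustration.

```python
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1      # values of Safe's Enum.Operation
ERC20_TRANSFER = "a9059cbb"    # selector of transfer(address,uint256)

@dataclass
class Proposal:                # hypothetical holder for the fields a signer commits to
    to: str
    value: int                 # wei
    data: str                  # hex calldata, "0x" when empty
    operation: int

def decode_erc20_transfer(data):
    """Return (recipient, amount) only if data is exactly one transfer() call."""
    h = data.lower().removeprefix("0x")
    if len(h) != 8 + 128 or not h.startswith(ERC20_TRANSFER) or h[8:32] != "0" * 24:
        return None
    return "0x" + h[32:72], int(h[72:], 16)

def review(p, intended_to, intended_amount, token=None):
    """List every mismatch between the payload and the transfer the signer intended."""
    findings = []
    if p.operation != CALL:
        findings.append("operation is not CALL: target code would run with the wallet's own storage")
    if token is None:          # plain ETH transfer
        if p.to.lower() != intended_to.lower():
            findings.append("destination differs from intended address")
        if p.value != intended_amount:
            findings.append("value differs from intended amount")
        if p.data.lower() not in ("", "0x"):
            findings.append("calldata present on a plain ETH transfer")
    else:                      # ERC-20 transfer through the token contract
        if p.to.lower() != token.lower() or p.value != 0:
            findings.append("target is not the expected token contract with zero value")
        if decode_erc20_transfer(p.data) != (intended_to.lower(), intended_amount):
            findings.append("calldata is not transfer() to the intended recipient and amount")
    return findings

# Constructed sample values; not addresses or payloads from the incident.
WARM = "0x" + "11" * 20
UNKNOWN = "0x" + "ee" * 20
ETH_400 = 400 * 10**18
honest = Proposal(to=WARM, value=ETH_400, data="0x", operation=CALL)
tampered = Proposal(to=UNKNOWN, value=0, data="0x" + ERC20_TRANSFER + "00" * 64,
                    operation=DELEGATECALL)

if __name__ == "__main__":
    for name, p in (("honest", honest), ("tampered", tampered)):
        print(name, review(p, WARM, ETH_400) or "matches intent")
```

The check is only useful when it runs on a device and code path separate from the signing UI, so that a compromised interface cannot also alter what the reviewer sees.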
Community and Exchange Response: Unity and Urgency
The crypto community didn’t waste time reacting. Within hours, blockchain sleuth ZachXBT traced the stolen funds on-chain, linking them to Lazarus through test transactions, wallet patterns, and connections to prior hacks like Phemex’s earlier in 2025. Arkham Intelligence confirmed ZachXBT’s findings, awarding him a 50,000 ARKM bounty (about $31,500) for identifying the culprits. His work gave Bybit and others a head start in tracking the loot.
Bybit’s response was swift and transparent. Ben Zhou took to X to assure users that the hack was isolated to one ETH cold wallet—all other wallets remained secure, and withdrawals continued uninterrupted. “Bybit is solvent even if this loss isn’t recovered,” he said, emphasizing that client funds are backed 1:1 and the exchange could absorb the hit. To prove it, Bybit secured bridge loans, including 64,452 ETH ($170 million) from Bitget and 11,800 ETH ($31 million) from a whale via Binance, stabilizing liquidity and calming jittery traders.
The broader ecosystem rallied too. OKX deployed its security team to assist Bybit, while KuCoin and Tron’s Justin Sun pledged support. Binance’s former CEO, Changpeng “CZ” Zhao, weighed in on X, praising Zhou’s transparency and suggesting a temporary withdrawal freeze as a precaution—though Bybit didn’t take that step, likely to avoid panic. CZ also drew parallels to past hacks like FTX and WazirX, noting that multisig isn’t foolproof if attackers can trick the signers. “The industry showed strength united together,” Zhou later posted, grateful for the backing.
Meanwhile, security experts urged users to adopt stronger measures—hardware wallets, multifactor authentication, and simulations to spot phishing attempts. The hack underscored a harsh truth: even the best tech can’t fully protect against human vulnerabilities.
From Ethereum to Bitcoin: The Lazarus Escape Plan and the Reward
As of February 22, 2025, Lazarus isn’t sitting still. On-chain data shows they’ve started moving the stolen ETH—5,000 ETH (~$13 million) hit a new address early Saturday, per ZachXBT. Their goal? Launder it into Bitcoin. They’re using mixers like eXch to obscure the trail and attempting to bridge the funds via Chainflip, a decentralized protocol. Bybit’s Zhou appealed to Chainflip for help, but the platform noted it can’t fully block transactions due to its decentralized nature—though it’s taking steps to slow the process.
The stolen 400,000+ ETH (now worth ~$1.37 billion) makes the hacker the 14th largest ETH holder globally, but cashing out that much is tricky. Blockchain forensic teams from Elliptic, Arkham, and others have blacklisted the associated addresses, making it harder to offload via legit exchanges. Experts predict Lazarus will convert the ERC-20 tokens to ETH, then BTC, and eventually cash out to Chinese Yuan (CNY) through Asian platforms—a playbook they’ve used before.
To fight back, Bybit and Arkham are dangling a carrot: a reward for recovering the funds or nailing the hackers. While Arkham’s initial 50,000 ARKM went to ZachXBT for ID’ing Lazarus, the promise of further bounties has crypto sleuths buzzing. Community sentiment suggests it’s a long shot—Lazarus has a knack for disappearing into the blockchain shadows—but the incentive might spur breakthroughs.
What’s Next?
The Bybit heist is a wake-up call. Lazarus Group’s $1.4 billion haul dwarfs previous records (Ronin’s $625 million, Poly’s $611 million), proving they’re evolving faster than the industry’s defenses. For Bybit, it’s a costly lesson in multisig risks, but their resilience—keeping withdrawals open and securing loans—has kept trust intact for now. Ethereum took a 3-4% price hit post-hack, dipping to $2,640 before stabilizing at $2,728, showing the market’s jitters but also its bounce-back power.
Theories will keep swirling—phishing, insider leaks, or a hacked tool—but the real question is how to stop Lazarus next time. CZ’s call for heightened security resonates: pause when in doubt, double-check everything. As the stolen ETH trickles toward Bitcoin and the reward hunt heats up, the crypto world watches with bated breath. Will Lazarus slip away again, or will this be the heist that finally trips them up? Stay tuned—this story’s far from over.