Nihon Cyber Defence

Leadership & Cyber Resilience | Vol. II

The Bybit $1.4 Billion Hack: How North Korea’s Lazarus Group Breached Cold Wallet Security & Lessons Learned for Financial Leaders


The Bybit Hack: North Korea’s Lazarus Group Steals $1.4 Billion in Largest Crypto Heist Ever

On Friday, February 21, 2025, hackers from the North Korean government-backed hacking group Lazarus stole over $1.4 billion in crypto assets from Dubai-based Bybit, the world’s second-largest centralized cryptocurrency exchange (CEX). This incident is the largest and possibly most complex crypto heist ever recorded.

Crypto Threats Shift from Hot Wallets to Cold Wallets: New Risks for Exchanges

The attribution to Lazarus comes as no surprise. According to blockchain analytics firm Elliptic, Lazarus and other North Korean-affiliated groups have stolen over $6 billion in cryptocurrency since 2017. Another blockchain monitoring company, Chainalysis, reported that 61% of the $2.2 billion stolen from crypto platforms in 2024 was linked to North Korean hacking activity.

In January 2025, Lazarus is believed to have stolen approximately $73 million from Phemex, a Singapore-based CEX. The North Korean hackers accessed multiple cryptocurrencies, including Ethereum (ETH), Solana, Ripple, and Bitcoin, stored in Phemex’s hot wallets, which are connected to the internet to facilitate easy trading.

If the private keys of a hot wallet are compromised, attackers can transfer funds to wallets under their control. However, in the Bybit heist, the ETH reserve funds were stored in cold wallets, which are offline storage solutions that are generally considered the most secure option for long-term cryptocurrency storage.

How Did Lazarus Hack Bybit’s Cold Wallets? Supply Chain Compromise Explained

To its credit, Bybit has been very transparent and forward-leaning in explaining what led up to the compromise. Investigations revealed that Lazarus gained access by compromising a developer at Safe{Wallet}, Bybit’s multisig wallet provider. The hackers injected malicious code into the Safe{Wallet} domain, specifically targeting Bybit’s multi-sig process. This allowed them to silently alter the underlying smart contract logic used to approve ETH transfers from cold wallets to hot wallets.

“This was a sophisticated attack that masked the signing interface, displaying the correct address while altering the underlying smart contract logic. As a result, the attacker was able to gain control of the affected ETH cold wallet and transfer its holdings to an unidentified address.”

As a result, they manipulated the signing mechanism, diverting funds to their own accounts, all while displaying legitimate addresses to those overseeing the transactions.
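The masked signing interface described above is why multisig signers should verify the raw transaction independently of the web UI. The following is an added example (not code from Bybit, Safe{Wallet} or this article) of such a check; it assumes the standard SafeTx fields `to`, `value`, `data` and `operation`, and the addresses, amounts and calldata are constructed placeholders.

```python
# Added example (not code from Bybit, Safe{Wallet} or this article): an independent
# "verify before you sign" check for a multisig signer. The fields the web UI DISPLAYS
# are compared with the raw SafeTx payload the signing device will actually hash, so a
# tampered front-end that shows one transaction while submitting another is caught.
# Addresses, amounts and calldata below are constructed placeholders.
CALL, DELEGATECALL = 0, 1          # SafeTx 'operation' values

def selector(data_hex):
    """4-byte function selector of calldata, or 'none' for a plain value transfer."""
    hex_body = data_hex[2:] if data_hex.startswith("0x") else data_hex
    raw = bytes.fromhex(hex_body)
    return "none" if not raw else "0x" + raw[:4].hex()

def verify_before_signing(displayed, payload, known_destinations):
    """Return a list of findings; an empty list means the UI and the payload agree and
    the payload has the shape of a routine cold-to-hot ETH transfer."""
    findings = []
    # 1. Field-by-field comparison: the UI must show exactly what is being signed.
    for field in ("to", "value", "data", "operation"):
        shown, signed = str(displayed.get(field, "")), str(payload.get(field, ""))
        if shown.lower() != signed.lower():
            findings.append(f"{field}: UI shows {shown!r}, payload signs {signed!r}")
    # 2. Destination must be a pre-registered wallet, checked outside the web UI.
    if payload["to"].lower() not in {a.lower() for a in known_destinations}:
        findings.append(f"destination {payload['to']} is not a pre-registered wallet")
    # 3. A DELEGATECALL runs foreign code in the Safe's own storage context; a plain
    #    ETH move never needs it, so treat it as a hard stop.
    if payload["operation"] == DELEGATECALL:
        findings.append("operation is DELEGATECALL, not a plain CALL")
    # 4. A simple ETH transfer carries empty calldata; any selector means contract logic.
    if (sel := selector(payload["data"])) != "none":
        findings.append(f"calldata present (selector {sel}); expected empty data")
    return findings

HOT_WALLET = "0x1111111111111111111111111111111111111111"   # constructed
UNKNOWN    = "0x2222222222222222222222222222222222222222"   # constructed

# What a tampered UI renders to the signer: a routine move of 1 ETH to the hot wallet.
UI_VIEW = {"to": HOT_WALLET, "value": "1000000000000000000", "data": "0x", "operation": CALL}
# What the signing device is actually asked to hash (constructed to show the mismatch).
RAW_PAYLOAD = {"to": UNKNOWN, "value": "0", "data": "0x12345678" + "00" * 64,
               "operation": DELEGATECALL, "nonce": 42}

if __name__ == "__main__":
    for finding in verify_before_signing(UI_VIEW, RAW_PAYLOAD, {HOT_WALLET}):
        print("REFUSE TO SIGN:", finding)
```

The point of the check is that it reads the payload from the signing device or the API, never from the same web page that rendered the summary.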

What the Bybit Hack Reveals About North Korea’s Lazarus Group Tactics

The attack has (again) highlighted just how sophisticated Lazarus has become. Known for developing its own attack methods and malware, the group takes a long-term, methodical approach to avoid detection. Increasingly, Lazarus focuses not only on exchanges themselves but also on trusted providers within the cryptocurrency supply chain, including wallet infrastructure, cloud platforms, and development environments. Compromising these third parties gives Lazarus access to multiple victims through a single point of failure.

In the case of Bybit, they had clearly studied the company’s internal procedures, then identified and compromised everyone involved in the multi-sig transaction process for approving the movement of funds between wallets. To defeat detection, the stolen ETH was then moved quickly through over 50 different wallets held in CEXs and decentralized exchanges (DEXs).

Lessons from the Bybit Hack for Cryptocurrency Exchanges and Financial Institutions

There is still more for Bybit and its cold wallet provider, Safe{Wallet}, to learn about the compromise, so more details will emerge. Cryptocurrency companies and those working in the wider financial sector will want to urgently address the lessons that have already been learned from this attack.

We at Nihon Cyber Defence (NCD) have spent a lot of time studying the tactics of North Korean and other hostile state actors. We believe that, in planning their response, enterprise leaders need to work on the following three planning assumptions:

  • Breadth of the attack. Lazarus and other similar North Korean-aligned groups have developed a detailed understanding of the entire cryptocurrency industry. They devote very significant resources to compromising the entire cryptocurrency supply chain. Any weakness in systems or processes will be exploited and must be urgently addressed. Further collaboration between those working within the sector is vital.

  • Depth of the attack. The Lazarus Group will have already established covert access to the networks of their next targets. Network defenders must work on that basis and defend in depth. They need to segment networks and have the best possible detection capabilities in place. The Security Operations Centre (SOC) needs to have what we at NCD describe as an ‘investigative’ mindset. Absence of further suspicious activity does not mean that the problem has gone away. It just means that the actors are pausing their activity.

  • Security teams. Compromising the security teams is a priority for Lazarus. It is by compromising these teams that Lazarus can operate at low risk. It is essential to put in place additional protection for security teams.

The Role of Supply Chain Security and Developer Training in Preventing Future Crypto Attacks

In addition, companies must conduct thorough supply chain security assessments to ensure that third-party vendors and service providers, particularly wallet and signing platform providers, implement and maintain robust security controls. Developers working on these critical systems should receive advanced security awareness training, as they are increasingly being targeted by sophisticated nation-state actors seeking entry points into the broader cryptocurrency ecosystem.

Nihon Cyber Defence: Supporting Enterprise Leaders Against State-Sponsored Cyber Threats

At Nihon Cyber Defence (NCD), we have extensive experience tracking the tactics of North Korean and other state-sponsored threat groups. We welcome the opportunity to discuss these evolving threats and how we can help strengthen your organisation’s defences.


John Noble

Commander of the Order of the British Empire (CBE), Non-Executive Director @ Nihon Cyber Defence

With 40 years in UK Government, Noble co-founded the UK NCSC, now advises organizations globally on cyber security and strategic transformation.