Nihon Cyber Defence

Leadership & Cyber Resilience | Vol. II

The Bybit $1.4 Billion Hack: How North Korea’s Lazarus Group Breached Cold Wallet Security & Lessons Learned for Financial Leaders


The Bybit Hack: North Korea’s Lazarus Group Steals $1.4 Billion in Largest Crypto Heist Ever

On Friday, February 21, 2025, hackers from the North Korean government-backed hacking group Lazarus stole over $1.4 billion in crypto assets from Dubai-based Bybit, the world’s second-largest centralized cryptocurrency exchange (CEX). This incident is the largest and possibly most complex crypto heist ever recorded.

Crypto Threats Shift from Hot Wallets to Cold Wallets: New Risks for Exchanges

The attribution to Lazarus comes as no surprise. According to blockchain analytics firm Elliptic, Lazarus and other North Korean-affiliated groups have stolen over $6 billion in cryptocurrency since 2017. Another blockchain monitoring company, Chainalysis, reported that 61% of the $2.2 billion stolen from crypto platforms in 2024 was linked to North Korean hacking activity.

In January 2025, Lazarus is believed to have stolen approximately $73 million from Phemex, a Singapore-based CEX. The North Korean hackers accessed multiple cryptocurrencies, including Ethereum (ETH), Solana, Ripple, and Bitcoin, stored in Phemex’s hot wallets, which are connected to the internet to facilitate easy trading.

If the private keys of a hot wallet are compromised, attackers can transfer funds to wallets under their control. However, in the Bybit heist, the ETH reserve funds were stored in cold wallets, which are offline storage solutions that are generally considered the most secure option for long-term cryptocurrency storage.

How Did Lazarus Hack Bybit’s Cold Wallets? Supply Chain Compromise Explained

To its credit, Bybit has been very transparent and forward-leaning in explaining what led up to the compromise. Investigations revealed that Lazarus gained access by compromising a developer at Safe{Wallet}, Bybit’s multisig wallet provider. The hackers injected malicious code into the Safe{Wallet} domain, specifically targeting Bybit’s multi-sig process. This allowed them to silently alter the underlying smart contract logic used to approve ETH transfers from cold wallets to hot wallets.

“This was a sophisticated attack that masked the signing interface, displaying the correct address while altering the underlying smart contract logic. As a result, the attacker was able to gain control of the affected ETH cold wallet and transfer its holdings to an unidentified address.”

As a result, they manipulated the signing mechanism, diverting funds to their own accounts, all while displaying legitimate addresses to those overseeing the transactions.
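The masked signing interface described above is the reason a signer should never rely on the web UI alone. The following is an added defensive example, not code from Nihon Cyber Defence, Bybit or Safe{Wallet}: a second reviewer decodes the raw Safe `execTransaction` payload independently of the UI and compares it with what the UI displayed. The selector constant, the placeholder addresses, the allowlist and both sample payloads are assumptions constructed for the example.

```python
# Added example (not code from the original article, Bybit or Safe{Wallet}):
# decode the raw Safe execTransaction payload a signer is about to approve,
# independently of the web UI, and compare it with what the UI displayed.
EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")  # assumed 4-byte selector of execTransaction(...)
HEAD_WORDS = 10  # execTransaction takes 10 arguments; each occupies one 32-byte head word


def _pad32(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % 32)


def encode_exec_transaction(to: str, value: int, data: bytes, operation: int, signatures: bytes = b"") -> bytes:
    """Minimal ABI encoder used only to construct sample payloads; gas and refund fields are zeroed."""
    data_off = HEAD_WORDS * 32
    sig_off = data_off + 32 + len(_pad32(data))
    head = [int(to, 16), value, data_off, operation, 0, 0, 0, 0, 0, sig_off]
    body = b"".join(w.to_bytes(32, "big") for w in head)
    body += len(data).to_bytes(32, "big") + _pad32(data)
    body += len(signatures).to_bytes(32, "big") + _pad32(signatures)
    return EXEC_TRANSACTION_SELECTOR + body


def _word(calldata: bytes, i: int) -> int:
    return int.from_bytes(calldata[4 + 32 * i:4 + 32 * (i + 1)], "big")


def decode_exec_transaction(calldata: bytes) -> dict:
    """Read to, value, data and operation straight from the bytes that will execute on-chain."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction call")
    to = "0x" + _word(calldata, 0).to_bytes(32, "big")[12:].hex()
    data_off = 4 + _word(calldata, 2)
    data_len = int.from_bytes(calldata[data_off:data_off + 32], "big")
    data = calldata[data_off + 32:data_off + 32 + data_len]
    return {"to": to, "value": _word(calldata, 1), "data": data, "operation": _word(calldata, 3)}


def review(calldata: bytes, ui_shown_target: str, allowed_targets) -> list:
    """Return the discrepancies a second reviewer should block on before signing."""
    tx = decode_exec_transaction(calldata)
    findings = []
    if tx["operation"] != 0:  # 0 = CALL, 1 = DELEGATECALL in Safe's Operation enum
        findings.append("DELEGATECALL: callee code runs inside the Safe and can rewrite its storage and logic")
    if tx["to"] != ui_shown_target.lower():
        findings.append(f"on-chain target {tx['to']} differs from the address the UI displayed")
    if tx["to"] not in {a.lower() for a in allowed_targets}:
        findings.append("target is not on the pre-approved destination list")
    return findings


# Constructed samples: the UI shows a 1 ETH transfer to the hot wallet; the second payload is not that at all.
HOT_WALLET = "0x" + "11" * 20  # placeholder address
benign_payload = encode_exec_transaction(HOT_WALLET, 10**18, b"", 0)
masked_payload = encode_exec_transaction("0x" + "22" * 20, 0, b"\xde\xad\xbe\xef", 1)
```

The check is only as good as the source of the payload: take the calldata from the signing device or an independent node, not from the same browser session that rendered the UI.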

What the Bybit Hack Reveals About North Korea’s Lazarus Group Tactics

The attack has (again) highlighted just how sophisticated Lazarus has become. Known for developing its own attack methods and malware, the group takes a long-term, methodical approach to avoid detection. Increasingly, Lazarus focuses not only on exchanges themselves but also on trusted providers within the cryptocurrency supply chain, including wallet infrastructure, cloud platforms, and development environments. Compromising these third parties gives Lazarus access to multiple victims through a single point of failure.

In the case of Bybit, they had clearly studied the company’s internal procedures, then identified and compromised everyone involved in the multi-sig transaction process for approving the movement of funds between wallets. To defeat detection, the stolen ETH was then moved quickly through over 50 different wallets held in CEXs and decentralized exchanges (DEXs).

Lessons from the Bybit Hack for Cryptocurrency Exchanges and Financial Institutions

There is still more for Bybit and its cold wallet provider, Safe{Wallet}, to learn about the compromise, so more details will emerge. Cryptocurrency companies and those working in the wider financial sector will want to urgently address the lessons that have already been learned from this attack.

We at Nihon Cyber Defence (NCD) have spent a lot of time studying the tactics of North Korean and other hostile state actors. We believe that, in planning their response, enterprise leaders need to work on the following three planning assumptions:

  • Breadth of the attack. Lazarus and similar North Korean-aligned groups have developed a detailed understanding of the entire cryptocurrency industry. They devote very significant resources to compromising the entire cryptocurrency supply chain. Any weakness in systems or processes will be exploited and must be urgently addressed. Further collaboration between those working within the sector is vital.

  • Depth of the attack. The Lazarus Group will have already established covert access to the networks of their next targets. Network defenders must work on that basis and defend in depth. They need to segment networks and have the best possible detection capabilities in place. The Security Operations Centre (SOC) needs to have what we at NCD describe as an ‘investigative’ mindset. Absence of further suspicious activity does not mean that the problem has gone away. It just means that the actors are pausing their activity.

  • Security teams. Compromising the security teams is a priority for Lazarus. It is by compromising these teams that Lazarus can operate at low risk. It is essential to put in place additional protection for security teams.

The Role of Supply Chain Security and Developer Training in Preventing Future Crypto Attacks

In addition, companies must conduct thorough supply chain security assessments to ensure that third-party vendors and service providers, particularly wallet and signing platform providers, implement and maintain robust security controls. Developers working on these critical systems should receive advanced security awareness training, as they are increasingly being targeted by sophisticated nation-state actors seeking entry points into the broader cryptocurrency ecosystem.

Nihon Cyber Defence: Supporting Enterprise Leaders Against State-Sponsored Cyber Threats

At Nihon Cyber Defence (NCD), we have extensive experience tracking the tactics of North Korean and other state-sponsored threat groups. We welcome the opportunity to discuss these evolving threats and how we can help strengthen your organisation’s defences.

John Noble

Commander of the Order of the British Empire (CBE), Non-Executive Director @ Nihon Cyber Defence

With 40 years in UK Government, Noble co-founded the UK NCSC and now advises organizations globally on cyber security and strategic transformation.
