Nihon Cyber Defence

Leadership & Cyber Resilience | Vol. II

The Bybit $1.4 Billion Hack: How North Korea’s Lazarus Group Breached Cold Wallet Security & Lessons Learned for Financial Leaders

The Bybit Hack: North Korea’s Lazarus Group Steals $1.4 Billion in Largest Crypto Heist Ever

On Friday, February 21, 2025, hackers from the North Korean government-backed hacking group Lazarus stole over $1.4 billion in crypto assets from Dubai-based Bybit, the world’s second-largest centralized cryptocurrency exchange (CEX). This incident is the largest and possibly most complex crypto heist ever recorded.

Crypto Threats Shift from Hot Wallets to Cold Wallets: New Risks for Exchanges

The attribution to Lazarus comes as no surprise. According to blockchain analytics firm Elliptic, Lazarus and other North Korean-affiliated groups have stolen over $6 billion in cryptocurrency since 2017. Another blockchain monitoring company, Chainalysis, reported that 61% of the $2.2 billion stolen from crypto platforms in 2024 was linked to North Korean hacking activity.

In January 2025, Lazarus is believed to have stolen approximately $73 million from Phemex, a Singapore-based CEX. The North Korean hackers accessed multiple cryptocurrencies, including Ethereum (ETH), Solana, Ripple, and Bitcoin, stored in Phemex’s hot wallets, which are connected to the internet to facilitate easy trading.

If the private keys of a hot wallet are compromised, attackers can transfer funds to wallets under their control. However, in the Bybit heist, the ETH reserve funds were stored in cold wallets, which are offline storage solutions that are generally considered the most secure option for long-term cryptocurrency storage.

How Did Lazarus Hack Bybit’s Cold Wallets? Supply Chain Compromise Explained

To its credit, Bybit has been very transparent and forward-leaning in explaining what led up to the compromise. Investigations revealed that Lazarus gained access by compromising a developer at Safe{Wallet}, Bybit’s multisig wallet provider. The hackers injected malicious code into the Safe{Wallet} domain, specifically targeting Bybit’s multi-sig process. This allowed them to silently alter the underlying smart contract logic used to approve ETH transfers from cold wallets to hot wallets.

“This was a sophisticated attack that masked the signing interface, displaying the correct address while altering the underlying smart contract logic. As a result, the attacker was able to gain control of the affected ETH cold wallet and transfer its holdings to an unidentified address.”

In effect, they manipulated the signing mechanism to divert funds to their own accounts, all while displaying legitimate addresses to those overseeing the transactions.
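As an added illustration (not code from Bybit or Safe{Wallet}), the following Python sketch shows the kind of independent check a signer-side tool can run on the structured transaction payload before approving: it compares the destination the interface displays with the one actually in the payload, and rejects a supposedly plain ETH transfer that carries calldata or a non-standard operation type. The field names, allow-list and limits are constructed assumptions.

```python
"""Independent verification of a multisig transfer proposal (illustrative).

A compromised web front end can render the expected destination while
submitting a payload with different logic, so the signer must check the
fields that will actually be executed, not the address shown on screen.
"""
from dataclasses import dataclass

OP_CALL = 0          # plain call executed in the target's own context
OP_DELEGATECALL = 1  # target code runs in the wallet's context (EVM semantics)


@dataclass(frozen=True)
class Proposal:
    to: str          # destination as it will be executed (constructed field)
    value_wei: int   # amount to move
    data: bytes      # calldata; must be empty for a plain ETH transfer
    operation: int   # OP_CALL or OP_DELEGATECALL


# Constructed policy for a "cold wallet -> hot wallet" top-up
HOT_WALLET_ALLOWLIST = {"0x" + "11" * 20}
MAX_TOPUP_WEI = 5_000 * 10**18


def verify_topup(p: Proposal, shown_to: str) -> list[str]:
    """Return policy violations; an empty list means the payload matches
    what a plain, pre-approved transfer should look like."""
    findings = []
    allow = {a.lower() for a in HOT_WALLET_ALLOWLIST}
    if p.to.lower() != shown_to.lower():
        findings.append("UI destination differs from payload destination")
    if p.to.lower() not in allow:
        findings.append("destination not in hot-wallet allow-list")
    if p.operation != OP_CALL:
        findings.append("operation is not a plain CALL; it can change wallet logic")
    if p.data:
        findings.append("calldata present on what should be a plain ETH transfer")
    if p.value_wei > MAX_TOPUP_WEI:
        findings.append("value exceeds per-transaction limit")
    return findings


if __name__ == "__main__":
    hot = "0x" + "11" * 20
    # Constructed case: UI shows the right address, payload alters logic.
    masked = Proposal(to=hot, value_wei=0, data=b"\x01", operation=OP_DELEGATECALL)
    for f in verify_topup(masked, shown_to=hot):
        print("REJECT:", f)
```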

What the Bybit Hack Reveals About North Korea’s Lazarus Group Tactics

The attack has (again) highlighted just how sophisticated Lazarus has become. Known for developing its own attack methods and malware, the group takes a long-term, methodical approach to avoid detection. Increasingly, Lazarus focuses not only on exchanges themselves but also on trusted providers within the cryptocurrency supply chain, including wallet infrastructure, cloud platforms, and development environments. Compromising these third parties gives Lazarus access to multiple victims through a single point of failure.

In the case of Bybit, they had clearly studied the company’s internal procedures, identified everyone involved in the multi-sig transaction process for approving the movement of funds between wallets, and then compromised them. To defeat detection, the stolen ETH was then moved quickly through over 50 different wallets held in CEXs and decentralized exchanges (DEXs).

Lessons from the Bybit Hack for Cryptocurrency Exchanges and Financial Institutions

There is still more for Bybit and its cold wallet provider, Safe{Wallet}, to learn about the compromise, and so more details will emerge. Cryptocurrency companies and those working in the wider financial sector will want to urgently address the lessons that have already been learned from this attack.

We at Nihon Cyber Defence (NCD) have spent a lot of time studying the tactics of North Korean and other hostile state actors. We believe that, in planning their response, enterprise leaders need to work on the following three planning assumptions:

  • Breadth of the attack. Lazarus and other similar North Korean-aligned groups have developed a detailed understanding of the entire cryptocurrency industry. They devote very significant resources to compromising the entire cryptocurrency supply chain. Any weakness in systems or processes will be exploited and must be urgently addressed. Further collaboration between those working within the sector is vital.

  • Depth of the attack. The Lazarus Group will have already established covert access to the networks of their next targets. Network defenders must work on that basis and defend in depth. They need to segment networks and have the best possible detection capabilities in place. The Security Operations Centre (SOC) needs to have what we at NCD describe as an ‘investigative’ mindset. Absence of further suspicious activity does not mean that the problem has gone away. It just means that the actors are pausing their activity.

  • Security teams. Compromising the security teams is a priority for Lazarus. It is by compromising these teams that Lazarus can operate at low risk. It is essential to put in place additional protection for security teams.

The Role of Supply Chain Security and Developer Training in Preventing Future Crypto Attacks

In addition, companies must conduct thorough supply chain security assessments to ensure that third-party vendors and service providers, particularly wallet and signing platform providers, implement and maintain robust security controls. Developers working on these critical systems should receive advanced security awareness training, as they are increasingly being targeted by sophisticated nation-state actors seeking entry points into the broader cryptocurrency ecosystem.

Nihon Cyber Defence: Supporting Enterprise Leaders Against State-Sponsored Cyber Threats

At Nihon Cyber Defence (NCD), we have extensive experience tracking the tactics of North Korean and other state-sponsored threat groups. We welcome the opportunity to discuss these evolving threats and how we can help strengthen your organisation’s defences.

John Noble

Commander of the Order of the British Empire (CBE), Non-Executive Director @ Nihon Cyber Defence
With 40 years in UK Government, Noble co-founded the UK NCSC, now advises organizations globally on cyber security and strategic transformation.