The Bybit Heist

In February 2025, the Dubai-based cryptocurrency exchange Bybit announced that its cold-wallet operation had been compromised in a single transaction that moved approximately four hundred thousand Ether — worth roughly 1.5 billion US dollars at the time — to attacker-controlled addresses. It was the largest known cryptocurrency theft on record.

A poisoned signing interface

The intrusion did not target Bybit's own infrastructure directly. The attackers — later attributed to North Korea's Lazarus Group by the FBI and multiple blockchain analytics firms — compromised the development environment of Safe{Wallet}, the multi-signature wallet platform Bybit used to hold its reserves. From inside Safe{Wallet}'s build pipeline, they modified the user-facing transaction-approval interface so that a routine transfer Bybit's signers were expecting would, when approved, in fact delegate full control of the cold wallet to attacker-controlled logic.

The signing interface showed the legitimate transaction. The blockchain recorded the malicious one. The window between approval and the irreversible on-chain confirmation was seconds.

A laundering campaign at internet speed

Within hours, the stolen Ether was being fragmented across hundreds of addresses and routed through decentralized exchanges. Industry trackers including Chainalysis and Elliptic followed the flow in near real time, and parts of it were eventually frozen by cooperating exchanges. A substantial fraction was not.

What the chronicle remembers

Bybit reframed the cryptocurrency supply chain. The attack did not exploit a smart contract or a private key. It exploited the human-readable layer between a signer and the blockchain — the assumption that what a UI shows is what the chain receives. Every wallet provider in the industry spent the following weeks publishing transaction-simulation hardening guides.