How North Korean Hackers Stole 1.5 Billion from BYBIT
It is the 21st of February, 2025.
$1.5 billion vanished.
Not stolen from a vault. Nor taken at gunpoint.
But wiped from existence, without a single alarm going off.
And by the time Bybit realized what had happened, it was too late.
But how did we get here?
At the center of it all, were hackers trained not in Silicon Valley, but in the shadows of Pyongyang, working for one of the most dangerous cybercrime syndicates on the planet.
Lazarus Group.
This wasn’t just about money. This was about funding a rogue nation that was evading global sanctions.
This is how North Korean hackers stole $1.5 billion from BYBIT without leaving their station.
Chapter 1
BYBIT is the second-largest exchange in the world.
Fast.
Liquid.
And unfortunately, vulnerable.
On the other side is North Korea’s top hacking group:
Lazarus.
A group that is part of the cyber warfare division of Kim Jong-un’s regime.
A group that doesn’t just hack banks.
They hack nations.
And their next target was BYBIT.
Chapter 2
The attack didn’t start with brute force. It started with a single email.
A BYBIT employee, overworked and under-caffeinated, received what looked like an urgent security update.
The email was a perfectly crafted spear-phishing attack.
One misplaced click, and the hackers were inside.
From there, it was a game of patience.
Lazarus didn’t rush.
They were mapping Bybit’s entire internal system, watching, learning, and waiting.
Their read-only access was more important than anyone could imagine.
They studied everything: withdrawal protocols, transaction approvals, internal control architecture and security gaps.
And one thing caught their attention.
The routine transfers from Bybit’s cold wallet to their warm wallet.
But this wasn’t news to anyone who paid enough attention: Bybit transferred assets from the cold wallet to the warm wallet frequently.
For those who don't understand these terms.
A cold wallet is stored offline, away from the internet. This protects it from hacking, but it also makes it inconvenient for quick transactions.
It is like keeping your Bitcoin on a flash drive.
Now back to Bybit.
The amount of assets transferred from the cold wallet to the warm wallet depended on the previous withdrawal activity and trading volume. They basically transferred the amount they felt was needed.
The hackers focused on the routine transfers between the company's cold wallet and warm wallet.
Through observation they understood some key things that would later help them pull off the hack.
And on the 21st of February, 2025, they were ready to strike.
Chapter 3
Bybit’s internal systems were so sophisticated and secure that it was almost impossible to steal their assets, so the North Korean hackers didn’t try to steal them. They simply tricked Bybit into sending the funds to them.
The hackers hacked into a developer’s computer at Safe{Wallet}.
They then added hidden malicious code into a software update.
And when Bybit updated Safe{Wallet}, they unknowingly installed the hacker’s backdoor.
With this secret access, the hackers injected hidden JavaScript code into Safe{Wallet}’s user interface.
This code was hosted on AWS, where Safe{Wallet}’s interface was already served from, so it looked completely normal.
Bybit used a multi-signature system, meaning three different employees had to approve any large transaction. But the hackers already knew this from observation.
The hackers had also identified each signer:
two senior members and Ben Zhou, the CEO of Bybit.
When Bybit’s team approved a normal transfer from the cold wallet to the warm wallet, the hacked UI secretly swapped the destination wallet address with the hacker’s wallet address.
So while Ben thought he was sending funds to Bybit’s warm wallet, he was sending the money straight to the hackers.
But there was one problem: while the Safe{Wallet} interface had been modified to display the expected transaction details, the Ledger hardware wallet would have displayed the real ones, which did not match.
But there was yet another problem.
Ben didn’t take a good look at the raw contract interactions on the hardware wallet before initiating the transfer.
And so the ETH was sent to the hacker's wallet.
In the end, a system is only as strong as its users.
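The check that would have caught the swap is the one the hardware wallet exists for: compare the raw transaction fields shown on the device against what the UI claims you are signing. The following is an added example, not code from the article or from Safe{Wallet}: it hand-models the ABI layout of a Safe `execTransaction` call, decodes the fields a signer must verify (destination, value, data, operation), and reports any disagreement with the intended transfer. The 4-byte selector, the wallet addresses and the amount are constructed sample values, not real Bybit or attacker data.

```python
# Added example (not the article's or Safe{Wallet}'s code): a
# "what you see is what you sign" check for a Safe multisig transaction.
# The UI shows an intended destination; the hardware wallet shows the raw
# calldata. We decode the raw execTransaction calldata and compare its
# fields against the intent, which is what a signer should do on the
# device screen before approving.
# Assumptions: the execTransaction ABI layout is hand-modelled (no web3
# library); the selector, addresses and amount are constructed samples.

# Assumed 4-byte selector for Safe's execTransaction(...) call.
SELECTOR_EXEC_TRANSACTION = bytes.fromhex("6a761202")

# Constructed placeholder addresses and amount (not real Bybit or attacker data).
WARM_WALLET = "0x" + "11" * 20
ATTACKER_WALLET = "0x" + "ee" * 20
AMOUNT_WEI = 1_000 * 10**18


def _pad32(b: bytes) -> bytes:
    """Right-pad bytes to a multiple of 32, as ABI encoding requires."""
    return b + b"\x00" * ((32 - len(b) % 32) % 32)


def encode_exec_transaction(to: str, value: int, data: bytes, operation: int,
                            signatures: bytes = b"") -> bytes:
    """Minimal ABI encoder for
    execTransaction(address to, uint256 value, bytes data, uint8 operation,
                    uint256 safeTxGas, uint256 baseGas, uint256 gasPrice,
                    address gasToken, address refundReceiver, bytes signatures).
    Used only to build sample calldata; gas parameters are left at zero."""
    head_words = 10
    head = [
        int(to, 16).to_bytes(32, "big"),
        value.to_bytes(32, "big"),
        None,                      # offset of `data` (filled below)
        operation.to_bytes(32, "big"),
        (0).to_bytes(32, "big"),   # safeTxGas
        (0).to_bytes(32, "big"),   # baseGas
        (0).to_bytes(32, "big"),   # gasPrice
        (0).to_bytes(32, "big"),   # gasToken (zero address)
        (0).to_bytes(32, "big"),   # refundReceiver (zero address)
        None,                      # offset of `signatures` (filled below)
    ]
    tail = b""
    head[2] = (head_words * 32 + len(tail)).to_bytes(32, "big")
    tail += len(data).to_bytes(32, "big") + _pad32(data)
    head[9] = (head_words * 32 + len(tail)).to_bytes(32, "big")
    tail += len(signatures).to_bytes(32, "big") + _pad32(signatures)
    return SELECTOR_EXEC_TRANSACTION + b"".join(head) + tail


def decode_exec_transaction(calldata: bytes) -> dict:
    """Decode the fields a signer must verify: to, value, data, operation."""
    if calldata[:4] != SELECTOR_EXEC_TRANSACTION:
        raise ValueError("not an execTransaction call")
    body = calldata[4:]

    def word(i: int) -> bytes:
        return body[32 * i:32 * (i + 1)]

    def dynamic(i: int) -> bytes:
        offset = int.from_bytes(word(i), "big")
        length = int.from_bytes(body[offset:offset + 32], "big")
        return body[offset + 32:offset + 32 + length]

    return {
        "to": "0x" + word(0)[12:].hex(),              # address = low 20 bytes
        "value": int.from_bytes(word(1), "big"),
        "data": dynamic(2),
        "operation": int.from_bytes(word(3), "big"),  # 0 = CALL, 1 = DELEGATECALL
    }


def verify_against_intent(calldata: bytes, intended_to: str, intended_value: int) -> list:
    """Return the discrepancies between what the UI claimed and what the raw
    calldata actually does. An empty list means the two agree."""
    tx = decode_exec_transaction(calldata)
    problems = []
    if tx["to"].lower() != intended_to.lower():
        problems.append(f"destination mismatch: UI showed {intended_to}, calldata sends to {tx['to']}")
    if tx["value"] != intended_value:
        problems.append(f"value mismatch: UI showed {intended_value}, calldata carries {tx['value']}")
    # A plain cold-to-warm ETH transfer is a CALL with empty data; anything
    # else means the transaction does more than the UI described.
    if tx["operation"] != 0:
        problems.append(f"operation is {tx['operation']}, not a plain CALL (0)")
    if tx["data"]:
        problems.append(f"unexpected {len(tx['data'])} bytes of contract calldata on a plain transfer")
    return problems


if __name__ == "__main__":
    honest = encode_exec_transaction(WARM_WALLET, AMOUNT_WEI, b"", 0)
    tampered = encode_exec_transaction(ATTACKER_WALLET, AMOUNT_WEI, b"", 0)
    print("honest:", verify_against_intent(honest, WARM_WALLET, AMOUNT_WEI))
    print("tampered:", verify_against_intent(tampered, WARM_WALLET, AMOUNT_WEI))
```

The `tampered` case models exactly the situation described above: the UI reports the warm wallet, the bytes the device is asked to sign name a different recipient. Any non-empty result is a reason to reject on the device, regardless of how normal the web interface looks.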
In less than 48 hours the hackers converted their loot into various cryptocurrencies and stablecoins and funneled the stolen money through crypto laundering services.
And the question everyone is asking is: what is the future of crypto and Web3 security? But I think the most important question everyone should be asking is: who is their next target?