Bybit $1.5B Hack: Safe{Wallet} Supply Chain Attack by Lazarus Group | February 2025

Anıl
15 min read · Feb 27, 2025

Introduction

On February 21, 2025, cryptocurrency exchange Bybit suffered the largest cryptocurrency theft in history when attackers stole approximately $1.5 billion from their Ethereum multisignature cold wallet. This incident has sent shockwaves through the crypto industry, not only because of its unprecedented scale but also due to the sophisticated attack vectors employed.

What makes this attack particularly noteworthy is that it didn’t exploit a vulnerability in Bybit’s own infrastructure or smart contracts. Instead, it targeted the Safe{Wallet} interface (formerly Gnosis Safe) that Bybit used to manage its multisignature wallets. This represents a dramatic shift in how exchanges are being compromised — away from direct protocol exploits and toward operational security failures and supply chain attacks.

This article provides a comprehensive analysis of the attack, drawing from multiple security reports, on-chain data and Bybit’s official communications.

The Attack: What Happened

According to Bybit’s official statements and forensic reports, the incident began at approximately 12:30 PM UTC on February 21, 2025, during what was supposed to be a routine transfer of ETH from Bybit’s multisignature cold wallet to their hot wallet.

The Stolen Assets

The stolen assets primarily included:

  • 401,347 ETH (approximately $1.068 billion)
  • 8,000 mETH (approximately $26 million)
  • 90,375.5479 stETH (approximately $260 million)
  • 15,000 cmETH (approximately $43 million)

This combination of assets represents various forms of Ethereum and staked Ethereum tokens, revealing that the attackers knew precisely which high-value wallets to target within Bybit’s infrastructure.

The Timeline

The attack wasn’t a spontaneous event but a carefully orchestrated operation that unfolded over several days:

  • February 18, 2025, 3:39:11 PM UTC: The attacker deployed the first malicious contract at 0x96221423681A6d52E184D440a8eFCEbB105C7242, which contained the malicious transfer logic.
  • February 18, 2025, 6:00:35 PM UTC: A second malicious contract was deployed at 0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516 with implemented withdrawal capabilities.
  • February 19, 2025, 15:29 UTC: Malicious JavaScript code was injected into Safe{Wallet}’s AWS S3 bucket, specifically targeting Bybit’s cold wallet address. This timing is confirmed by the “Last-Modified” timestamps in browser cache files and Wayback Machine archives.
  • February 21, 2025, 14:13:35 UTC: The attacker successfully created a multi-signature transaction involving three signers, including the CEO of Bybit. This transaction upgraded Bybit’s multi-signature contract for Cold Wallet 1 (0x1Db92e2EbE8E0c075a02BeA49a2935BcD2dFCF4) on Safe.Global, pointing to the malicious contract deployed three days earlier.
  • February 21, 2025, 14:15 UTC: Approximately two minutes after the successful hack, the malicious JavaScript files on Safe{Wallet}’s AWS S3 bucket were updated with the malicious code removed, effectively covering tracks.

Overall Attack Flowchart, by SlowMist

Initial Fund Movement

After the breach, the attackers immediately began moving and dispersing the stolen funds:

  • The initial hacker address 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2 distributed 400,000 ETH across 40 addresses, each receiving 10,000 ETH.
  • 205 ETH was swapped for BTC via Chainflip and cross-chained to the address bc1qlu4a33zjspefa3tnq566xszcr0fvwz05ewhqfq.
  • 15,000 cmETH was transferred to 0x1542368a03ad1f03d96D51B414f4738961Cf4443.
  • 8,000 mETH and 90,375.5479 stETH were transferred to 0xA4B2Fd68593B6F34E51cB9eDB66E71c1B4Ab449e, then swapped for 98,048 ETH via Uniswap and ParaSwap before being moved to 0xdd90071d52f20e85c89802e5dc1ec0a7b6475f92.
  • The 0xdd9 address further dispersed the ETH into 9 addresses, each receiving 10,000 ETH.

The network diagram below shows the distribution pattern of the stolen tokens: a web of transactions across many interconnected wallets, designed to obscure the flow of funds, with the critical chokepoints highlighted in red.

High Level On-Chain Transaction Analysis, by Chainalysis

Technical Analysis: How It Happened

The Bybit hack represents a sophisticated supply chain attack that manipulated what signers saw versus what they actually signed. Here’s a detailed breakdown of the attack’s technical mechanics:

1. Compromising Safe{Wallet}’s Infrastructure

Based on forensic reports from Sygnia and Verichains, the attack began with the compromise of Safe{Wallet}’s AWS S3 bucket or CloudFront account/API key. The attackers modified two critical JavaScript files:

  • _app-52c9031bfa03da47.js
  • 6514.b556851795a4cbaa.js

These files contained the core functions for creating, signing and executing transactions through the Safe{Wallet} interface. The modification timestamps (Wed, 19 Feb 2025, 15:29:43 GMT for the first file and Wed, 19 Feb 2025, 15:29:25 GMT for the second) were found in browser caches on the signers’ machines.

Crucially, investigation of the Wayback Machine archives confirmed that these malicious JavaScript files existed as early as February 19, 2025, proving that they were served from Safe{Wallet}’s own infrastructure rather than planted by a local browser compromise.

Wayback Machine Archive

Malicious Contract Address

The malicious contract address used by the attacker in this hack has been identified as:

0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516

The analysis of the “_app-52c9031bfa03da47.js” JavaScript code is as follows:

2. Malicious Code Injection

The injected code was specifically designed to activate only when the following conditions were met:

  • The transaction originated from specific target addresses, including Bybit’s cold wallet (0x1Db92e2EbE8E0c075a02BeA49a2935BcD2dFCF4) and a test wallet (0x19C6876E978D9F128147439ac4cd9EA2582cd141)
  • The transaction operation was set to its default value (0)

This selective targeting ensured the malicious code remained undetected by regular users of Safe{Wallet}, as it would only execute for transactions involving the specific target addresses.

The malicious code also contained a list of “backdoor administrator” addresses (including 0x828424517f9f04015db02169f4026d57b2b07229, which was Bybit’s Safe Proposer, and 0x7c1091cf6f36b0140d5e2faf18c3be29fee42d97, a hacker test wallet). If a transaction was initiated by one of these addresses, the code would trigger a page reload, preventing certain types of transactions from being properly processed.

3. Transaction Manipulation

When a Bybit signer initiated a legitimate transaction, the malicious code performed several critical manipulations:

  1. Created a backup of the original transaction data: Using structuredClone(safeTransaction.data) to store the original transaction parameters
  2. Modified the transaction’s recipient: Changed the to field to point to the attacker’s contract (0x96221423681a6d52e184d440a8efcebb105c7242)
  3. Changed the operation code: From a standard call (0) to a delegate call (1), which allows the called contract to execute code in the context of the calling contract (a powerful and dangerous capability)
  4. Injected a malicious payload: Set the data field to a specific encoded function call (0xa9059cbb…) that would interact with the malicious contract
  5. Set specific gas parameters: Modified the safeTxGas parameter to 45746 to ensure proper execution
  6. After execution, restored the original transaction data: Replacing the modified data with the original backup to hide the manipulation from the user interface

The code manipulated three critical functions in the Safe{Wallet} interface:

  • executeTransaction: Modified to execute a completely different transaction than what was shown
  • signTransaction: Modified to collect legitimate signatures for an illegitimate transaction
  • useGasLimit: Modified to return a specific gas limit (218207) for targeted transactions
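The manipulations listed above all changed fields that a signer could have checked against a policy before signing, had that check run anywhere other than inside the compromised web page. The following is an added example, not code from Safe{Wallet} or from the forensic reports: an independent pre-signing policy check over a Safe transaction object, intended to run on the signing machine from the fields the hardware wallet displays. The allowlists and every address marked CONSTRUCTED are placeholders; the attacker contract address, the delegatecall operation code, the 0xa9059cbb selector (ERC-20 transfer(address,uint256)) and the 45746 safeTxGas value are the ones named in this article, while the transfer() arguments are placeholders because the article truncates the payload.

```javascript
// Added example (not Safe{Wallet}'s code): an independent pre-signing policy
// check for a Safe transaction object. It runs outside the web UI so that a
// tampered frontend cannot also tamper with the check.
// Field names (to, value, data, operation, safeTxGas) follow the Safe
// transaction model discussed above. Addresses marked CONSTRUCTED are samples.

const CALL = 0;         // Safe operation: ordinary call
const DELEGATECALL = 1; // Safe operation: delegatecall, runs foreign code in the Safe's own context

// 4-byte selector of ERC-20 transfer(address,uint256); the injected payload
// described in the article began with this selector.
const TRANSFER_SELECTOR = "0xa9059cbb";

// CONSTRUCTED allowlists for a routine cold-to-hot transfer.
const ALLOWED_RECIPIENTS = new Set([
  "0x1111111111111111111111111111111111111111", // hot wallet (placeholder)
]);
const ALLOWED_TOKENS = new Set([
  "0x3333333333333333333333333333333333333333", // staked-ETH token contract (placeholder)
]);

const norm = (v) => String(v).toLowerCase();

// Decode transfer(address,uint256) calldata into {to, amount}; null if the
// data is not a well-formed transfer call.
function decodeTransfer(data) {
  const hex = norm(data);
  if (!hex.startsWith(TRANSFER_SELECTOR) || hex.length !== 2 + 8 + 64 * 2) return null;
  const args = hex.slice(10);
  return {
    to: "0x" + args.slice(24, 64),          // address is right-aligned in the first 32-byte word
    amount: BigInt("0x" + args.slice(64)),  // second 32-byte word
  };
}

// Evaluate one Safe transaction against the policy. Returns the list of
// violations; an empty list means the transaction may be signed.
function checkSafeTx(tx) {
  const violations = [];
  if (tx.operation !== CALL) {
    violations.push(`operation=${tx.operation}: only plain calls (0) are allowed, never delegatecall (1)`);
  }
  const data = norm(tx.data || "0x");
  if (data === "0x") {
    // Native ETH transfer: destination must be an allowlisted wallet.
    if (!ALLOWED_RECIPIENTS.has(norm(tx.to))) {
      violations.push(`to=${tx.to} is not an allowlisted recipient`);
    }
  } else {
    // Contract call: only transfer() on an allowlisted token, to an allowlisted wallet.
    if (!ALLOWED_TOKENS.has(norm(tx.to))) {
      violations.push(`to=${tx.to} is not an allowlisted token contract`);
    }
    const t = decodeTransfer(data);
    if (!t) {
      violations.push(`data selector ${data.slice(0, 10)} is not transfer(address,uint256)`);
    } else if (!ALLOWED_RECIPIENTS.has(norm(t.to))) {
      violations.push(`token transfer recipient ${t.to} is not allowlisted`);
    }
  }
  return violations;
}

// Field-by-field comparison of what the UI displayed against what is about
// to be signed; any difference is a hard stop.
function diffTx(displayed, signed) {
  const keys = new Set([...Object.keys(displayed), ...Object.keys(signed)]);
  return [...keys].filter((k) => String(displayed[k]) !== String(signed[k]));
}

// CONSTRUCTED: the transfer the signer believed they were approving.
const DISPLAYED_TX = {
  to: "0x1111111111111111111111111111111111111111",
  value: "1000000000000000000", // 1 ETH in wei
  data: "0x",
  operation: CALL,
  safeTxGas: 0,
};

// CONSTRUCTED, modelled on the manipulation described in the article: `to`
// redirected to the attacker's contract, operation flipped to delegatecall,
// transfer() calldata injected, safeTxGas pinned to 45746. The transfer()
// arguments are placeholders (the article truncates the payload).
const SIGNED_TX = {
  to: "0x96221423681a6d52e184d440a8efcebb105c7242",
  value: "0",
  data:
    TRANSFER_SELECTOR +
    "0".repeat(24) + "2222222222222222222222222222222222222222" + // placeholder address argument
    "0".repeat(64),                                               // amount 0
  operation: DELEGATECALL,
  safeTxGas: 45746,
};

console.log("displayed:", checkSafeTx(DISPLAYED_TX)); // []
console.log("signed:   ", checkSafeTx(SIGNED_TX));    // three violations
console.log("changed fields:", diffTx(DISPLAYED_TX, SIGNED_TX));
```

The check is deliberately blunt: a cold-to-hot sweep never needs operation 1, never needs an unknown `to`, and never needs calldata that is not a token transfer to a known wallet. Because the tampered UI restored the original data after execution, the comparison in diffTx only helps when the "signed" side is taken from the device that actually signs (the hardware wallet's screen or its exported payload), not from the page.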

4. Smart Contract Exploitation

The attack leveraged a sophisticated manipulation of Safe{Wallet}’s multisignature contract architecture:

1. The attackers first deployed two malicious contracts on February 18, 2025:

  • 0x96221423681A6d52E184D440a8eFCEbB105C7242: The contract containing malicious transfer logic
  • 0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516: The malicious implementation contract with withdrawal capabilities

2. The manipulated transaction approved by Bybit’s signers replaced the Safe contract’s implementation with the malicious version via transaction 0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882

3. Because the transaction used DELEGATECALL, the code of 0x96221423681A6d52E184D440a8eFCEbB105C7242 ran in the context of Bybit’s Safe proxy, so its write to STORAGE slot 0 (the slot in which a Safe proxy stores its implementation address) landed in the proxy’s own storage

4. Finally, they executed the backdoor functions sweepETH and sweepERC20 to transfer funds from the cold wallet to addresses under their control
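Since the whole exploit hinged on storage slot 0 of the Safe proxy, the implementation pointer is the one on-chain value a custodian can watch independently of any frontend. The following is an added example, not code from Safe or from the forensic reports: an out-of-band monitor that builds an eth_getStorageAt request for slot 0, decodes the returned word into an address and alerts when it no longer matches a pinned singleton. The JSON-RPC responses, the proxy address and the expected singleton address are CONSTRUCTED placeholders so that the example runs offline; the tampered response carries the malicious implementation address named in this article.

```javascript
// Added example (not Safe's code): out-of-band monitor for the implementation
// address stored in slot 0 of a Safe proxy. In production the request would be
// sent to a node the operator controls; here the responses are CONSTRUCTED.

// CONSTRUCTED placeholder for the official Safe singleton the proxy should
// point to. Take the real value for your Safe version from Safe's published
// deployment list, never from the web UI that is being monitored.
const EXPECTED_SINGLETON = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";

// CONSTRUCTED placeholder for the proxy being watched.
const WATCHED_PROXY = "0x5555555555555555555555555555555555555555";

// JSON-RPC request for storage slot 0 of a proxy at the latest block.
function buildSlot0Request(proxy, id = 1) {
  return {
    jsonrpc: "2.0",
    id,
    method: "eth_getStorageAt",
    params: [proxy, "0x0", "latest"],
  };
}

// A storage word is a 32-byte value; an address occupies its low 20 bytes.
// Nodes may return a short hex string for small values, so pad first.
function storageWordToAddress(word) {
  const padded = BigInt(word).toString(16).padStart(64, "0");
  return "0x" + padded.slice(24);
}

// Compare the implementation read from chain with the pinned one.
function checkSingleton(rpcResponse, expected = EXPECTED_SINGLETON) {
  if (rpcResponse.error) {
    return { ok: false, implementation: null, reason: `rpc error: ${rpcResponse.error.message}` };
  }
  const implementation = storageWordToAddress(rpcResponse.result);
  const ok = implementation === expected.toLowerCase();
  return {
    ok,
    implementation,
    reason: ok ? "implementation unchanged" : `implementation changed to ${implementation}`,
  };
}

// CONSTRUCTED responses: a healthy read, and a read after an upgrade to the
// malicious implementation address named in the article.
const HEALTHY_RESPONSE = {
  jsonrpc: "2.0", id: 1,
  result: "0x" + "0".repeat(24) + EXPECTED_SINGLETON.slice(2),
};
const TAMPERED_RESPONSE = {
  jsonrpc: "2.0", id: 1,
  result: "0x" + "0".repeat(24) + "bdd077f651ebe7f7b3ce16fe5f2b025be2969516",
};

console.log(JSON.stringify(buildSlot0Request(WATCHED_PROXY)));
console.log(checkSingleton(HEALTHY_RESPONSE));  // ok: true
console.log(checkSingleton(TAMPERED_RESPONSE)); // ok: false, alert
```

Run on every new block (or on every Safe transaction event) and treat any change of slot 0 as an incident, since a custodial Safe has no routine reason to upgrade its singleton unannounced. The same read, made before signing, also confirms that the contract the signers are about to interact with is still the one they believe it is.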

The technical sophistication of this attack demonstrates a comprehensive understanding of both Safe{Wallet}’s frontend architecture and its underlying smart contract mechanisms.

5. Attribution and Attack Pattern Analysis

Multiple security researchers, including ZachXBT, SlowMist and Trail of Bits, have attributed this attack to the North Korean Lazarus Group (also tracked as TraderTraitor, Jade Sleet, UNC4899 and Slow Pisces), a state-sponsored threat actor with a long history of cryptocurrency theft.

Evidence includes:

  • Test transactions and linked wallets that match previous Lazarus Group operations
  • Similar techniques used in previous attacks against WazirX ($230M, July 2024) and Radiant Capital ($50M, October 2024)
  • Common permission-checking mechanisms in the malicious contracts, where owner addresses are hardcoded to verify contract callers
  • Similar error messages thrown during permission checks
  • The use of manipulated frontends to deceive multisignature signers, a technique seen in multiple North Korean attacks in the past year

According to Trail of Bits’ analysis, the attack represents part of a broader pattern of operational security attacks by the Reconnaissance General Bureau (RGB) of North Korea, which has shifted from targeting smart contract vulnerabilities to targeting the human and operational elements of cryptocurrency exchanges.

The attack chain typically begins with aggressive social engineering campaigns targeting multiple employees simultaneously, followed by the deployment of a sophisticated cross-platform toolkit that can:

  • Operate seamlessly across different operating systems and wallet interfaces
  • Show minimal signs of compromise while maintaining persistence
  • Function as backdoors to execute arbitrary commands
  • Manipulate what users see in their interfaces

Bybit’s Response

To their credit, Bybit’s response has been transparent and relatively effective:

Immediate Actions

  • Bybit confirmed the incident within hours and provided detailed explanations of what happened, including a statement from CEO Ben Zhou.
  • They assured users that all customer assets remain fully backed 1:1 and that the platform could cover the loss.
  • Withdrawals were not halted, though some delays occurred due to high volume (over 350,000 withdrawal requests were processed in the first 10 hours).
  • All other Bybit services (trading, deposits, etc.) remained fully operational throughout the incident.

Recovery Efforts

  • Within 48 hours, Bybit secured 254,830 ETH (approximately $693 million) through strategic partnerships (Loan & OTC Deals) with industry leaders including Galaxy Digital, FalconX, Wintermute, Bitget, MEXC and DWF Labs.

OTC Deals, 22 Feb 2025
Loans from other CEX’s, 22 Feb 2025

  • Through collaboration with crypto institutions, they successfully froze $42.89 million in assets:
      • Tether swiftly intervened to freeze 181,000 USDT
      • CoinEX secured 847,000 USDT and provided critical intelligence
      • OKX froze 2,783 ETH
      • FixedFloat secured 120,000 USDC and USDT
      • ChangeNow intercepted 34 ETH
      • AVAX secured 0.38755 BTC
      • Bitget, Circle and Thorchain provided support through blacklist implementation and intelligence sharing
  • The mETH Protocol recovered 15,000 cmETH (approximately $43 million) by suspending cmETH withdrawals immediately after the incident.

Asset Recovery Actions, by Lookonchain 24 Feb 2025

Enhanced Security Measures

  • Bybit launched a new API system designed to track and detect blacklisted wallets in real-time.
  • They upgraded their Bounty Rewards Program to offer a 10% reward for successful fund recovery.
  • Implemented advanced real-time wallet monitoring systems and integrated threat detection protocols.
  • Engaged multiple security firms, including Sygnia and Verichains, to conduct forensic investigations and determine the root cause of the attack.

Operational Resilience

  • By February 22, 2025, Bybit had fully restored all services and processed over 580,000 withdrawal requests with a 99.9% completion rate.
  • Deposit and withdrawal activity returned to pre-incident levels within 24 hours, with total deposits slightly exceeding withdrawals by February 22, 13:00 UTC.
  • Trading activity quickly returned to normal, and no abnormal liquidation or asset sell-off activity was observed after the initial spike.
  • Client confidence remained strong, evidenced by an aggregated deposit of crypto assets valued at approximately $1.5 billion in the days following the incident.

Key Findings from Forensic Investigations

Both Sygnia and Verichains conducted forensic analyses of the incident with several important findings:

Sygnia’s Investigation

The forensic investigation highlighted that:

  • The malicious JavaScript code was injected directly into resources served from Safe{Wallet}’s AWS S3 bucket.
  • The resource modification time and web history archives suggest the injection occurred on February 19, 2025.
  • The malicious code was designed to activate only when transactions matched specific contract addresses (Bybit’s contract address and a test contract).
  • Two minutes after the malicious transaction was executed, new clean versions of the JavaScript resources were uploaded to Safe{Wallet}’s AWS S3 bucket.
  • No compromise of Bybit’s own infrastructure was identified.

Verichains’ Investigation

The Verichains team identified:

  • Specific JavaScript files (_app-52c9031bfa03da47.js and 6514.b556851795a4cbaa.js) that were modified in Safe{Wallet}’s infrastructure.
  • Malicious code snippets that manipulated three key functions: executeTransaction, signTransaction and useGasLimit.
  • Evidence from the Wayback Machine confirming the existence of the malicious JavaScript on February 19, 2025.
  • A comprehensive map of all addresses involved in the attack, including Bybit’s cold wallet, the attackers’ wallets and the malicious contracts.
  • A detailed analysis of the backdoor code flow showing exactly how the transaction manipulation occurred.

Both investigations strongly concluded that the attack originated from a compromise of Safe{Wallet}’s AWS infrastructure rather than from Bybit’s own systems.

Long-Term Implications for the Industry

The Bybit hack marks a significant evolution in the threat landscape facing cryptocurrency exchanges and DeFi platforms. Several important implications emerge:

1. The Era of Operational Security Failures

As Trail of Bits noted in their analysis, “The $1.5B Bybit Hack: The Era of Operational Security Failures Has Arrived.” This attack demonstrates that even with proper smart contract security, operational vulnerabilities and supply chain attacks remain critical risks.

Two weeks before the incident, at the DeFi Security Summit, security researcher Josselin Feist was asked if we’d see a billion-dollar exploit in 2025. His prescient response: “If it happens, it won’t be a smart contract, it’ll be an operational security issue.”

The industry has focused extensively on hardening code and improving technical security practices, but this attack shows that human factors and operational elements remain vulnerable.

2. The Evolution of North Korean Cyber Operations

The attack represents a maturing of the DPRK’s cryptocurrency theft capabilities. Rather than targeting technical vulnerabilities in protocols, they’ve built a sophisticated cross-platform toolkit specifically designed to defeat standard cryptocurrency security controls.

Their attacks now involve:

  • Aggressive social engineering targeting specific personnel with access to critical systems
  • Meticulous preparation, including the deployment of test infrastructure
  • Sophisticated malware that can manipulate what users see in their interfaces
  • Rapid fund dispersal techniques to avoid asset freezes

As Tay (@tayvano_), a renowned security researcher, bluntly stated in the Trail of Bits report: “For all these reasons and more, it’s my opinion that once they get on your device, you’re fucked. The end. If your keys are hot or in AWS, they fuck you immediately. If they aren’t, they work slightly harder to fuck you. But no matter what, you’re going to get fucked.”

3. The Need for Comprehensive Security Controls

Organizations must adopt security strategies that operate under the assumption that their infrastructure will eventually face compromise:

  • Infrastructure Segmentation: Critical operations like transaction signing require both physical and logical separation from day-to-day business operations.
  • Defense-in-Depth: Multiple, overlapping security controls that can detect and prevent sophisticated attacks, including hardware wallets, multi-signature schemes and transaction verification tools.
  • Organizational Preparedness: Thorough threat modeling, regular security assessments, incident response plans, security awareness training and war games that test both systems and personnel.
  • Air-Gapped Signing Systems: Transaction signing should occur on isolated systems that aren’t connected to the internet.
  • Multiple Verification Layers: Transactions should be verified through independent channels before execution.
  • Endpoint Detection and Response (EDR): Systems like CrowdStrike or SentinelOne should be deployed to detect suspicious activities.

4. Trust and Transparency

Despite the massive scale of the hack, Bybit has managed to maintain user trust through transparent communication and by demonstrating financial resilience. This underscores the importance of:

  • Clear and timely communication during security incidents
  • Maintaining sufficient reserves to cover potential losses
  • Having established relationships with industry partners for crisis support
  • The ability to rapidly mobilize resources for recovery efforts

5. The Evolving Role of Multisignature Wallets

This incident raises important questions about the security architecture of multisignature wallets:

  • Are current implementations sufficiently resilient against UI/UX manipulation?
  • Should additional verification layers be implemented for high-value transactions?
  • How can the gap between what signers see and what they actually sign be closed?
  • What role should hardware security modules (HSMs) play in securing multisignature operations?

Consumer Impact and Market Response

One of the fascinating aspects of this incident is how it demonstrates the maturing of the cryptocurrency industry:

Minimal Market Disruption

Unlike previous major hacks that triggered market-wide panic, the Bybit incident caused only localized and temporary market impacts. Trading volumes initially spiked as users closed positions and reallocated assets but quickly stabilized.

This relative stability suggests that the market has developed a more nuanced understanding of security incidents, distinguishing between exchange-specific problems and systemic risks.

The Role of Asset Backing

With Bybit’s reserves being 1:1 backed, consumers’ funds remained secure despite the enormous theft. As Bybit stated in their announcement: “We want to emphasize that Bybit’s reserves are strong and 1:1 backed. All client assets are fully secured and we are committed to maintaining the integrity of our platform.”

Proof of Resources Reports

This raises an interesting question: If users don’t feel direct financial impact from such breaches, will they be sufficiently motivated to demand stronger security? The fact that Bybit processed over 580,000 withdrawal requests in the days following the incident suggests that many users still preferred to secure their own assets rather than rely on the exchange’s promises.

Industry Collaboration

The rapid freezing of $42.89 million in stolen assets through collaboration with other platforms demonstrates the growing maturity of crypto industry security coordination. This kind of rapid, coordinated response would have been difficult to imagine in the early days of cryptocurrency exchanges.

The incident also highlights the value of having strategic partnerships with market makers and liquidity providers who can assist in emergency situations. Bybit’s ability to secure nearly $700 million in ETH within 48 hours was critical to maintaining platform stability.

Lessons for the Future

The Bybit hack offers several key lessons for cryptocurrency exchanges, DeFi platforms and users:

For Exchanges and Platforms

  1. Supply Chain Security: Thoroughly assess all third-party services and tools used in critical operations. This includes not just the security of the tools themselves but also their delivery infrastructure (CDNs, S3 buckets, etc.).

  2. Air-Gapped Signing: Implement physically isolated environments for transaction signing that aren’t connected to the internet or general-purpose computing devices.

  3. Multiple Verification Layers: Add independent verification mechanisms that operate outside the primary interface, such as:
      • Out-of-band confirmation channels
      • Hardware security modules (HSMs) with their own display and input mechanisms
      • Anomaly detection systems that can flag unusual transaction patterns

  4. Advanced Threat Detection: Deploy systems capable of detecting sophisticated manipulation attempts, including:
      • Behavioral analytics that identify unusual patterns in user interactions
      • Content integrity verification for critical UI components
      • Runtime application self-protection (RASP) for web applications

  5. Incident Response Planning: Develop and regularly test comprehensive response plans for various attack scenarios, including:
      • Procedures for rapid asset freezing and recovery
      • Communication templates and channels for stakeholder updates
      • Technical playbooks for identifying and containing various attack types

  6. Regular Security Assessments: Conduct frequent penetration testing and security audits that specifically target:
      • Supply chain vulnerabilities
      • Frontend manipulation risks
      • Operational security practices

For Users

  1. Asset Diversification: Avoid keeping large amounts of cryptocurrency on a single exchange, regardless of its reputation or security claims.
  2. Hardware Wallets: Use hardware wallets for long-term storage of significant assets, ensuring that private keys never exist on internet-connected devices.
  3. Transaction Verification: Verify transaction details through multiple channels before signing, especially for large transfers.
  4. Security Awareness: Stay informed about evolving threats and best practices, including:
      • Understanding the security mechanisms of the platforms you use
      • Recognizing signs of potential compromise
      • Knowing how to respond if you suspect a security incident
  5. Regular Audits: Periodically review your own security practices and update them as needed.

For the Broader Industry

  1. Security Standards: Develop and adopt common security standards for cryptocurrency custodians and exchanges.
  2. Information Sharing: Establish robust channels for sharing threat intelligence and coordinating responses to attacks.
  3. Security Research: Invest in research to develop more secure transaction signing mechanisms that are resistant to frontend manipulation.
  4. Education: Improve security education for both industry professionals and users.

Conclusion

The $1.5 billion Bybit hack represents a watershed moment for cryptocurrency security. It signals a shift from direct protocol exploits toward more sophisticated operational and supply chain attacks that manipulate legitimate security tools.

While the immediate response from Bybit and the broader industry demonstrates significant maturity, the incident underscores that cryptocurrency security must evolve beyond code-level protections to encompass comprehensive operational security frameworks.

This attack confirms what security researchers have long warned: as smart contract security improves, attackers will increasingly target the human and operational elements of cryptocurrency systems. The sophistication of the Bybit hack — combining supply chain compromise, frontend manipulation and smart contract exploitation — demonstrates that attackers are already adapting their techniques.

As North Korean state-sponsored actors and other sophisticated threat groups continue to refine their techniques, the cryptocurrency industry faces a critical challenge: developing security practices that can withstand not just technical exploits but also the manipulation of human operators and the compromise of trusted tools.

The next billion-dollar hack isn’t a matter of if, but when. The only question is: will the industry be ready?

This article synthesizes information from multiple sources, including Bybit’s official statements, forensic reports from Sygnia and Verichains, analyses from SlowMist and Trail of Bits, and on-chain data. All factual claims are based on these reports.

Written by Anıl

Cybersecurity Management Consultant, Blockchain Consultant
