On February 21, 2025, Bybit, a prominent cryptocurrency exchange, experienced a significant security breach resulting in the loss of nearly $1.5 billion worth of ether (ETH). This incident stands as the largest digital heist in the history of cryptocurrency. Fortunately, Bybit is actively collaborating with industry experts, including Chainalysis, to trace the stolen assets. They have also launched a recovery bounty program, offering up to 10% of the recovered amount to individuals who assist in retrieving the stolen crypto.
In this blog, we’ll look at how the exploit occurred; the attackers’ tactics, techniques, and procedures (TTPs) and their consistency with the Democratic People’s Republic of Korea (DPRK); and how Chainalysis is collaborating with Bybit and law enforcement to help recover funds.
Details of the Bybit exploit
The Bybit hack serves as a stark reminder of the evolving tactics employed by state-sponsored cybercriminals, particularly those linked to the DPRK. As we recently revealed in our 2025 Crypto Crime Report, North Korea-affiliated hackers stole approximately $660.5 million across 20 incidents in 2023. In 2024, this number increased to $1.34 billion stolen across 47 incidents — a 102.88% increase in value stolen. The Bybit hack alone led to almost $160 million more stolen than all funds stolen by North Korea throughout 2024.
This attack highlights a common playbook used by the DPRK: orchestrating social engineering attacks and employing intricate laundering methods in an attempt to move stolen funds undetected. Funds from the Bybit exploit have also consolidated in addresses holding funds from other known DPRK-linked attacks, providing further evidence that the nation state actors are behind this latest incident.
Below is a step-by-step analysis of how the Bybit exploit unfolded:Â
- Initial compromise via social engineering: The hackers gained access to Bybit’s user interface by executing phishing attacks against the cold wallet signers, leading them to sign malicious transactions that replaced the Safe’s multi-signature wallet implementation contract with a malicious one.
- Initiation of unauthorized transfers: During what appeared to be a routine transfer from Bybit’s Ethereum cold wallet to a hot wallet, the attackers intercepted the process. They managed to reroute approximately 401,000 ETH — valued at nearly $1.5 billion at the time of the exploit — to addresses under their control.
- Asset dispersion through intermediary wallets: The stolen assets were then moved through a complex web of intermediary addresses. This dispersion is a common tactic used to obfuscate the trail and hinder tracking efforts by blockchain analysts.
- Conversion and laundering: The hackers swapped significant portions of the stolen ETH for tokens including BTC and DAI. They also utilized decentralized exchanges (DEXs), cross-chain bridges, and a no-KYC instant swap service to move assets across networks.
- Keeping funds dormant and strategic laundering: A notable portion of the stolen funds has remained idle across various addresses, a deliberate move often employed by North Korea-affiliated hackers. By delaying laundering efforts, they aim to outlast the heightened scrutiny that typically immediately follows such high-profile breaches.
The below Chainalysis Reactor graph showcases the complexity of the laundering efforts thus far: the web of intermediary addresses, token swaps, and cross-chain movements that not only attempt to obscure the stolen funds, but also demonstrate the far-reaching consequences of this exploit across the broader crypto ecosystem.
Industry collaboration in the wake of the Bybit hack
Despite the severity of Bybit’s attack, the inherent transparency of blockchain technology presents a significant challenge for malicious actors attempting to launder stolen funds. Every transaction is recorded on a public ledger, enabling authorities and cybersecurity firms to trace and monitor illicit activities in real time.
Collaboration across the crypto ecosystem is paramount in combating these threats. The swift response from Bybit, including its assurance to cover customer losses and its engagement with blockchain forensic experts, exemplifies the industry’s commitment to mutual support and resilience. By uniting resources and intelligence, the crypto community can strengthen its defenses against such sophisticated cyber attacks and work toward a more secure digital financial environment.
We are working with our global teams, customers, and partners across both the public and private sectors to support multiple avenues for seizure and recovery in response to this attack. Already, we’ve worked with contacts in the industry to help freeze more than $40 million in funds stolen from Bybit and continue to collaborate with public and private sector organizations to seize as much as possible. We will continue to provide updates on this matter.
This website contains links to third-party sites that are not under the control of Chainalysis, Inc. or its affiliates (collectively “Chainalysis”). Access to such information does not imply association with, endorsement of, approval of, or recommendation by Chainalysis of the site or its operators, and Chainalysis is not responsible for the products, services, or other content hosted therein.Â
This material is for informational purposes only, and is not intended to provide legal, tax, financial, or investment advice. Recipients should consult their own advisors before making these types of decisions. Chainalysis has no responsibility or liability for any decision made or any other acts or omissions in connection with Recipient’s use of this material.
Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in this report and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material.