How Attackers Stole $1.5B from Bybit: What We Can Learn

In February 2025, the world witnessed the largest crypto heist in history when attackers drained $1.5 billion worth of Ethereum from Bybit, one of the leading global cryptocurrency exchanges. The company depended on a third-party cold wallet management tool known as Safe{Wallet}, which was designed to protect funds by requiring multiple employee approvals/signatures before any transfer could be completed. Earlier that month, however, a developer at Safe{Wallet} fell victim to a social engineering scheme, allowing hackers to compromise his workspace and steal sensitive session tokens. With these tokens, the attackers were able to bypass critical safeguards such as multi-factor authentication (MFA) and set the stage for the massive theft.

After gaining access to a Safe{Wallet} account through stolen session tokens, the attackers didn’t rush to make their move. Instead, they waited patiently, blending into normal activity and carrying out their efforts during employees’ regular working hours to avoid raising suspicion. While remaining undetected, they tampered with the JavaScript served by Safe{Wallet}’s web interface, injecting their own malicious code. This subtle change manipulated the user interface (UI) that employees saw, making every transaction appear legitimate while secretly altering the true destination of the Ethereum transfers to an address the attackers controlled.

On February 21, 2025, their plan reached its peak. Bybit employees, believing they were authorizing a routine transfer, signed off on what looked like a standard transaction. What they couldn’t see was that the injected code had redirected the funds straight into hacker-controlled wallets. By the time the approval went through, $1.5 billion in Ethereum had vanished, marking the largest digital theft in history. The breach was later attributed to North Korea’s Lazarus Group, a state-sponsored hacking collective with a long history of targeting cryptocurrency platforms.

What We Can Learn

The Bybit breach makes one thing clear: even billion-dollar security systems can crumble when basic safeguards are overlooked. If Bybit or Safe{Wallet} had enforced stricter security standards, this heist might never have happened. For example, every large transaction should undergo an independent review before approval, providing a second check beyond the signing process itself. Validating the identity of the requester, the destination address, and the amount being transferred would have created a much stronger layer of protection. In addition, implementing multi-layer verification, such as requiring multiple devices or even different departments to confirm a transfer, could have caught the manipulated code before it was too late. Finally, enforcing a time delay on high-value withdrawals would have allowed abnormal transactions to be flagged and investigated before billions could disappear in a single click.

This attack also highlights how social engineering remains one of the most effective weapons for hackers worldwide. By tricking a single developer, the Lazarus Group gained the access they needed to bring down an entire exchange. This underscores the importance of training employees to recognize phishing attempts, suspicious requests, and other tactics that open the door to bad actors.

Takeaway

This Bybit hack uncovers a critical truth in cybersecurity: Access control is everything. Lazarus Group didn’t break encryption, but they stole session tokens and abused them to bypass MFA and trick the system into approving malicious transfers. Cold wallets and multi-sig approval mean little without stronger transaction-level controls that verify what is being approved, not just who.

Three Access Control Practices That Could Have Stopped This Attack

  1. Transaction Reviews – Require secondary human or departmental approval for all high-value transfers.

  2. Time-Delay Withdrawals – Enforce a delay window for large crypto movements, giving anomalies time to be flagged.

  3. Context-Aware Verification – Validate both identity and transaction details (destination address, amount) before final approval.
