Bybit's $1.5B Hack One Year Later: 88% Traceable, Only 3% Frozen — What Went Wrong
On February 21, 2025, North Korea's Lazarus Group executed the largest cryptocurrency theft in history: roughly $1.5 billion in Ethereum drained from Bybit's cold wallet in a single transaction. One year later, the numbers tell a sobering story. Blockchain analytics firms initially tracked 88.87% of the stolen funds, yet only 3.54% had been frozen within the first month, and the frozen share has barely moved since. The rest sits in thousands of wallets, waiting.
This is not just a heist story. It is a case study in how a nation-state hacking operation outmaneuvered an entire industry's security infrastructure, and what the crypto world learned — and failed to learn — in the twelve months since.
The Attack: A Web2 Breach That Broke Web3's Biggest Wallet
The Bybit hack was not a smart contract exploit. It was not a flash loan attack or a rug pull. It was a supply chain compromise that targeted the human layer — the exact layer that multisig wallets are supposed to protect.
The Kill Chain
The attack unfolded over 17 days with surgical precision:
- February 4, 2025: Lazarus Group compromised a macOS workstation belonging to a Safe{Wallet} developer, likely through social engineering — a tactic the group has refined across hundreds of operations.
- February 19: Attackers replaced JavaScript resources for the Safe{Wallet} web app hosted in an AWS S3 bucket. The injected code carried an activation condition so that it ran only when Bybit's cold wallet was the Safe initiating a transaction; every other Safe user loaded the same tampered bundle and saw nothing unusual.
- February 21: Bybit's operations team initiated a routine transfer from the cold wallet to a warm wallet. The Safe{Wallet} UI displayed the intended transaction, but the compromised front end handed different transaction parameters to the signing flow, so the signers' Ledger hardware devices were asked to sign a different transaction than the one on screen. Three signers approved what they believed was a standard transfer and in doing so authorized a malicious transaction that moved 401,347 ETH to attacker-controlled wallets.
- Two minutes later: The attackers uploaded clean versions of the JavaScript files to the S3 bucket, removing the injected code and most of the evidence of the tampering.
The entire operation — from trigger to cleanup — took less than ten minutes of active execution. The preparation took weeks. The aftermath has lasted a year.
Why Multisig Failed
The Bybit hack shattered a fundamental assumption in crypto security: that multisig wallets with hardware signers are resistant to sophisticated attacks. The problem was not the cryptographic security of the multisig itself. It was the UI layer that sat between human signers and the transaction they were approving.
Safe{Wallet}'s interface showed one transaction. The Ledger devices were asked to sign another. A hardware wallet can only display what it is handed: a 32-byte hash, or calldata that no human can parse by eye. Without an independently computed expected hash to compare against, the signers had no practical way to detect the substitution. This "what you see is not what you sign" gap turned the industry's most trusted wallet infrastructure into an attack vector.
The Laundering: How Lazarus Moves $1.5 Billion
Within hours of the theft, the Lazarus Group activated a laundering playbook refined across years of operations. The speed and sophistication were unprecedented — but the methodology was familiar to blockchain investigators.
Phase 1: Conversion and Dispersion
The hackers immediately began converting the stolen ETH into other assets. By March 20, 2025, Bybit CEO Ben Zhou confirmed that 86.29% of the stolen Ether had been converted to Bitcoin. The funds were dispersed across thousands of intermediate wallets, creating an enormous transaction graph designed to overwhelm manual investigation.
Phase 2: Mixing and Cross-Chain Obfuscation
The stolen assets flowed through decentralized exchanges, cross-chain bridges, and mixing services. THORChain — a decentralized cross-chain liquidity protocol — became a primary conduit. The anonymous exchange eXch also facilitated swaps, generating hundreds of thousands of dollars in fees while refusing Bybit's requests to block the activity.
The use of decentralized infrastructure created a philosophical and practical dilemma for the industry: permissionless protocols cannot selectively censor transactions without undermining their core value proposition. Yet allowing a nation-state to launder $1.5 billion through your protocol creates existential regulatory risk.
Phase 3: The Waiting Game
Lazarus Group historically lets stolen funds sit dormant for months or even years before attempting to cash out through fiat off-ramps. This patience is a strategic advantage. As time passes, exchanges update their compliance systems, regulatory attention shifts, and the blockchain forensics community moves on to newer incidents.
By April 2025, the traceability statistics had deteriorated significantly. The initial 88.87% traceable figure dropped to 68.6%, while the "gone dark" percentage surged from 7.59% to 27.6%. Only 3.8% remained frozen — a marginally better figure than the 3.54% reported a month earlier, but a devastating outcome given the scale of industry mobilization.
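The "traceable", "frozen" and "gone dark" figures above come from taint analysis over the transaction graph. The following is an added example, not code from any analytics firm or from the original article, showing the simplest such model, proportional ("haircut") taint propagation, on a small constructed graph: every address, amount and label is invented, "cex_frozen" stands for an exchange that honoured a freeze request, and "mixer" and "bridge" stand for the points at which on-chain tracing stops. It generalizes the page's three buckets to any acyclic transfer graph, and shows why co-mingling with clean funds dilutes taint rather than erasing it.

```python
"""Haircut taint propagation over a constructed transaction graph (added example)."""
from collections import defaultdict, deque

# Constructed sample ledger: (sender, receiver, amount in ETH). Not real addresses.
TRANSFERS = [
    ("thief0", "hop1", 600.0),
    ("thief0", "hop2", 400.0),
    ("hop1", "hop3", 300.0),
    ("hop1", "dex_swap", 300.0),
    ("hop2", "cex_frozen", 50.0),
    ("hop2", "hop4", 350.0),
    ("hop3", "mixer", 200.0),
    ("hop3", "hop5", 100.0),
    ("hop4", "bridge", 350.0),
    ("clean_user", "hop5", 100.0),   # unrelated clean funds co-mingled at hop5
    ("hop5", "hop6", 200.0),
]
ROLES = {"cex_frozen": "frozen", "mixer": "dark", "bridge": "dark"}


def propagate_taint(transfers, source, roles):
    """Each outgoing transfer carries the same tainted fraction as the sender's inflow.

    Returns tainted ETH still held per address once every transfer is applied.
    Assumes an acyclic graph (Kahn's topological order); real laundering graphs
    contain cycles and need an iterative fixed-point pass instead.
    """
    outgoing, inflow, indeg, nodes = defaultdict(list), defaultdict(float), defaultdict(int), set()
    for s, r, amt in transfers:
        outgoing[s].append((r, amt))
        inflow[r] += amt
        indeg[r] += 1
        nodes.update((s, r))
    tainted_in = defaultdict(float)
    tainted_in[source] = sum(a for _, a in outgoing[source])   # everything the thief sends is stolen
    held, queue = {}, deque(sorted(n for n in nodes if indeg[n] == 0))
    while queue:
        n = queue.popleft()
        out_total = sum(a for _, a in outgoing[n])
        if n in roles or out_total == 0:
            ratio = 0.0   # terminal: funds frozen, or the trace is lost; nothing is forwarded
        else:
            # A sender paying out more than it received had an unknown prior balance;
            # treating that balance as clean keeps the estimate conservative.
            ratio = tainted_in[n] / max(inflow[n], out_total)
        forwarded = 0.0
        for r, amt in outgoing[n]:
            tainted_in[r] += amt * ratio
            forwarded += amt * ratio
            indeg[r] -= 1
            if indeg[r] == 0:
                queue.append(r)
        held[n] = tainted_in[n] - forwarded
    return held


def summarize(held, roles):
    """Bucket the remaining taint into the categories the statistics above use."""
    buckets = {"frozen": 0.0, "dark": 0.0, "traceable": 0.0}
    for addr, amt in held.items():
        if amt > 1e-12:
            buckets[roles.get(addr, "traceable")] += amt
    return buckets


if __name__ == "__main__":
    held = propagate_taint(TRANSFERS, "thief0", ROLES)
    stolen = sum(a for s, _, a in TRANSFERS if s == "thief0")
    for bucket, amt in summarize(held, ROLES).items():
        print(f"{bucket:10s} {amt:8.1f} ETH  {100 * amt / stolen:5.1f}%")
```

On this toy graph 5% of the taint ends up frozen, 55% goes dark at the mixer and bridge, and 40% sits at identifiable addresses that nobody can freeze, the same shape as the real figures. The hop5 branch shows the dilution problem: 100 ETH of stolen funds merged with 100 ETH of clean funds, so the 200 ETH that reached hop6 is scored as only half tainted, and every further hop through shared infrastructure lowers that fraction until an exchange's risk threshold no longer triggers.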
The Response: 72 Hours That Tested an Exchange
Bybit's immediate crisis response became a benchmark for the industry. Within 72 hours of the hack, the exchange restored full withdrawal functionality — a critical step in maintaining user trust during what could have been a terminal bank run.
Emergency Liquidity
The most dramatic moment came when Bitget CEO Gracy Chen extended a 40,000 ETH loan (approximately $104 million) to Bybit — without interest, without collateral. "This was simply about supporting a peer in need," Chen said. Bybit repaid the loan within three days.
In total, Bybit received approximately 446,870 ETH (about $1.23 billion) through a combination of emergency loans, whale deposits, and direct asset purchases. The exchange's reserves were effectively rebuilt, ensuring customer funds remained whole despite the theft.
The Bounty Program
Bybit launched what it called the "LazarusBounty" program, offering 10% of any recovered funds — up to $140 million — to security researchers, bounty hunters, and blockchain investigators who could help trace or freeze stolen assets.
The program attracted over 5,000 submissions, though only 63 were deemed valid. A total of $2.2 million was awarded to 12 bounty hunters. Separately, Arkham Intelligence's 50,000 ARKM bounty went to crypto investigator ZachXBT for being among the first to definitively link the exploit to North Korea's Lazarus Group, a finding the FBI officially confirmed days later.
Security Overhaul
In the months following the hack, Bybit implemented over 50 security upgrades and underwent more than 30 external audits. The exchange rebuilt its wallet infrastructure, moving signing processes into isolated environments, adding stricter code-review controls, auditing all third-party tools, and implementing real-time anomaly detection. Multisig procedures were redesigned from the ground up.
Despite the breach, Bybit grew from 50 million to 80 million registered users by the end of 2025 — a testament to both the exchange's crisis management and the crypto market's short memory for security incidents.
The Bigger Picture: North Korea's Crypto War Machine
The Bybit hack did not happen in isolation. It was the crown jewel of a systematic, state-sponsored cryptocurrency theft operation that has generated an estimated $6.75 billion for North Korea over the past decade.
Escalating Scale
The numbers have been accelerating:
- 2024: DPRK-attributed hackers stole roughly $1.34 billion across multiple operations
- 2025: Total DPRK-attributed crypto theft reached $2.02 billion — a 51% year-over-year increase — with the Bybit hack alone accounting for $1.5 billion of that figure
- 2025 total industry losses: Exceeded $4 billion, making it the worst year on record for crypto theft
The Bybit hack represented a tactical evolution. Rather than targeting DeFi bridges or exploiting smart contract vulnerabilities — the group's previous bread and butter — Lazarus went after the supply chain of a trusted infrastructure provider. The attack surface was not blockchain. It was Web2: a developer's laptop, an AWS S3 bucket, a JavaScript file.
Funding What Matters
Every dollar stolen funds North Korea's nuclear and ballistic missile programs. The UN Panel of Experts has repeatedly documented how DPRK cyber operations directly finance weapons of mass destruction development. The Bybit hack alone — at $1.5 billion — exceeds North Korea's estimated annual military budget.
This reality transforms what might otherwise be a cybersecurity story into a geopolitical one. The crypto industry's security failures have direct consequences for global nuclear nonproliferation.
What the Industry Learned (and Didn't)
The Bybit hack catalyzed meaningful improvements in crypto security practices. But one year later, the fundamental vulnerabilities that enabled the attack remain pervasive across the industry.
What Changed
Multisig verification standards improved. Major exchanges and custody providers implemented independent transaction verification channels, reducing reliance on a single UI layer. The concept of "what you see is what you sign" moved from academic concern to operational priority.
Supply chain security awareness increased. The crypto industry began adopting practices long standard in traditional software security — code signing, integrity verification for third-party dependencies, and zero-trust architecture for signing infrastructure.
Regulatory attention intensified. Agencies in the United States, Singapore, and the European Union began reviewing tighter requirements for wallet audits, risk disclosures, software supply chain controls, and incident response transparency.
What Didn't Change
The 3% freeze rate speaks for itself. Despite up to $140 million in bounty incentives, the combined efforts of Bybit, blockchain analytics firms, law enforcement agencies, and thousands of bounty hunters froze only around $50 million of the $1.5 billion stolen, and frozen is not the same as returned. Permissionless infrastructure remains fundamentally resistant to post-theft asset recovery.
Decentralized protocols still cannot (or will not) censor. THORChain and eXch carried a large share of the $1.5 billion through the laundering chain. The tension between permissionless design and law enforcement cooperation remains unresolved, and the industry has no framework for navigating nation-state-scale theft through decentralized infrastructure.
Developer operational security remains weak. The initial compromise was a single developer's laptop. One year later, most crypto projects still lack formal security requirements for developer workstations, and the industry's reliance on browser-based wallet interfaces continues to expose signing processes to web-layer attacks.
One Year Later: Where the Money Sits
As of February 2026, the approximate breakdown of the $1.5 billion in stolen funds is:
- ~3.5-4% frozen (roughly $50-57 million): Successfully frozen through exchange cooperation and law enforcement coordination
- ~27-30% gone dark: Funds that have been mixed, bridged, or otherwise obfuscated beyond current tracing capabilities
- ~66-70% traceable but unrecoverable: Sitting in identified wallets that no centralized entity has the authority or ability to freeze
This last category is the most frustrating. The blockchain's transparency means investigators can see the money. They know where it is. But "traceable" does not mean "recoverable" in a permissionless system. The Lazarus Group can afford to wait years. The investigative community cannot.
Looking Forward
The Bybit hack's first anniversary is not a story with a resolution. It is a story still unfolding. The stolen funds continue to move in small batches. The Lazarus Group continues to probe new targets. And the structural tensions the hack exposed — between decentralization and accountability, between permissionless protocols and law enforcement, between security and usability — remain as acute as ever.
What the Bybit hack ultimately demonstrated is that the crypto industry's greatest vulnerability is not its smart contracts or its consensus mechanisms. It is the human and Web2 infrastructure that connects those systems to the physical world. Until the industry addresses that gap with the same rigor it applies to protocol design, the question is not whether the next billion-dollar hack will happen. It is when.
For teams building on blockchain infrastructure, security starts with the foundation. BlockEden.xyz provides enterprise-grade node infrastructure with built-in monitoring and anomaly detection across Ethereum, Sui, Aptos, and 20+ networks — designed for teams that cannot afford to compromise on security. Explore our API marketplace to build on infrastructure you can trust.