The cryptocurrency exchange Bybit fell victim to a staggering $1.5 billion hack last month, in what has now been traced back to North Korean-backed cybercriminals. The breach, which exploited a critical security flaw, has sent shockwaves through the industry, raising concerns over crypto security at a time of growing regulatory scrutiny.
A Routine Transaction Gone Wrong
On the night of February 21, Bybit CEO Ben Zhou was engaged in what appeared to be a standard approval process for a large Ethereum transfer. However, within half an hour, a chilling phone call from Bybit’s Chief Financial Officer shattered that illusion.
“All of the Ethereum is gone,” the executive told Zhou. Unbeknownst to the exchange, Zhou had inadvertently granted hackers—later identified as North Korea’s Lazarus Group—control over a critical account, enabling them to siphon off $1.5 billion in digital assets.
Exploiting a Basic Security Flaw
Investigations have since revealed that the hackers infiltrated Bybit’s systems through a widely available free software product, Safe. The exchange had relied on this storage service despite the availability of more sophisticated security tools. Cybersecurity experts now argue that this oversight made Bybit an easy target.
“The losses were completely preventable,” one security analysis firm noted. “This should not have happened.”
Safe’s storage tool, though popular among crypto hobbyists, was never designed to handle billions in customer deposits. Charles Guillemet, an executive at the crypto security firm Ledger, underscored the issue: “This really needs to change. It’s not an acceptable situation in 2025.”
Panic in the Crypto Markets
As news of the breach spread, panic gripped the market. Bitcoin plummeted 20%, marking its worst single-day decline since the 2022 collapse of FTX. Bybit, which oversees around $20 billion in customer deposits, scrambled to reassure clients while covering the staggering losses.
Zhou, in an attempt to maintain confidence, took to social media just hours after the heist, stating that his stress levels were “not too bad.” Behind the scenes, however, Bybit was in crisis mode. With insufficient reserves to cover the stolen funds, Zhou sought emergency loans from industry peers, including a $100 million Ether loan from rival exchange Bitget.
Warnings Ignored
In hindsight, the warning signs had been there. Zhou admitted that three to four months prior, Bybit had encountered compatibility issues between Safe and other security services but failed to act.
“We should have upgraded and moved away from Safe,” he acknowledged. “We’re definitely looking to do that now.”
Safe, for its part, defended its software, stating that it had since introduced enhanced security measures. “Our job is not just to fix what happened,” said Rahul Rumalla, Safe’s Chief Product Officer, “but to ensure the entire space learns from it.”
How the Hack Unfolded
Bybit’s internal audit revealed that the hackers had first compromised a Safe developer’s computer, planting malicious code that manipulated transactions. The attackers then tricked Zhou into approving what he believed to be a legitimate transfer. The moment he signed off, control of the account was transferred to the hackers, and the funds vanished.
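The sequence described above, a signer approving a transaction that differed from what the interface showed, is exactly the failure mode that an independent "verify what you sign" check is meant to catch. The following Python is an added illustration for readers, not Bybit's or Safe's code: the digest function is a simplified stand-in rather than any real wallet's hashing scheme, and the addresses, amounts and allow-list are constructed placeholders.

```python
import hashlib
import json
from dataclasses import dataclass

# Constructed placeholders for the example; not real addresses.
COLD_WALLET = "0x" + "a" * 40      # assumed pre-approved destination
UNKNOWN_ADDR = "0x" + "b" * 40     # a destination not on the allow-list


@dataclass(frozen=True)
class Proposal:
    """What a multisig signer is asked to approve: destination, amount, calldata."""
    to: str
    value_wei: int
    data: bytes = b""   # empty calldata == plain value transfer


def proposal_digest(p: Proposal) -> str:
    """Simplified stand-in for a multisig transaction hash (assumption: not any
    real wallet's scheme). What matters is that the digest covers every field,
    so a payload that differs from the displayed transaction produces a different digest."""
    canonical = json.dumps(
        {"to": p.to.lower(), "value": p.value_wei, "data": p.data.hex()},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(canonical.encode()).hexdigest()


def check_before_signing(displayed: Proposal, digest_to_sign: str,
                         allowlist: set[str]) -> tuple[bool, str]:
    """Pre-signature checks run on a host independent of the transaction front end.

    `displayed` is the transaction as confirmed out-of-band (e.g. read back from the
    treasury ticket or a hardware signer screen); `digest_to_sign` is what the
    signing device is actually being asked to sign. Returns (ok, reason)."""
    # 1. The digest must match a recomputation from independently confirmed fields.
    if proposal_digest(displayed) != digest_to_sign:
        return False, "digest mismatch: payload differs from the transaction shown"
    # 2. Routine operational transfers go only to pre-approved destinations.
    if displayed.to.lower() not in {a.lower() for a in allowlist}:
        return False, "destination not on allow-list"
    # 3. Routine transfers carry no calldata; anything else needs separate review.
    if displayed.data:
        return False, "non-empty calldata: not a plain transfer, escalate for review"
    return True, "ok"


def demo() -> dict:
    """Three constructed scenarios: an honest transfer, a front end showing one
    transaction while submitting another, and a proposal carrying calldata."""
    allow = {COLD_WALLET}
    shown = Proposal(COLD_WALLET, 100 * 10**18)                    # what the UI displays
    submitted = Proposal(UNKNOWN_ADDR, 100 * 10**18, b"\x01\x02")  # constructed: what is really sent
    with_calldata = Proposal(COLD_WALLET, 1, b"\xff")
    return {
        "honest": check_before_signing(shown, proposal_digest(shown), allow),
        "tampered_ui": check_before_signing(shown, proposal_digest(submitted), allow),
        "calldata": check_before_signing(with_calldata, proposal_digest(with_calldata), allow),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The check is only as good as the source of `displayed`: if those fields come from the same compromised front end that produced the digest, the recomputation will agree with the tampered payload and the mismatch will never be seen. That is why the control belongs on a second host or a signing device with its own display, which is the kind of operational oversight the experts quoted later in this piece say Bybit's setup lacked.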
Blockchain analysts quickly traced the stolen funds to North Korea’s Lazarus Group, notorious for its involvement in high-profile cyber heists. The funds were dispersed through a complex web of online crypto wallets, a money-laundering tactic the group has perfected over the years.
A Race to Contain the Fallout
As withdrawals surged, Bybit worked around the clock to ensure customers could retrieve their assets. Within 12 hours, Zhou claimed, the exchange had processed all pending transactions. Still, the damage had been done—close to $10 billion in crypto was withdrawn from the platform in a single day.
Gracy Chen, CEO of Bitget, expressed confidence in Bybit’s ability to recover, saying, “We never questioned their ability to pay us back.”
Lessons for the Industry
Security experts have criticized Bybit for relying on a system that lacked critical oversight. Carnegie Mellon professor and cybersecurity expert Riad Wahby noted, “Safe just does not give you the kinds of controls that you would want if you’re going to be frequently making operational transfers.”
Zhou himself has admitted regret over the oversight. “There’s a lot of regrets now,” he said. “I should have paid more attention to this area.”
Despite the debacle, Bybit remains operational. In an attempt to reassure customers, Zhou later announced that the company was moving an additional $3 billion in crypto, stating, “This is planned manoeuvre, FYI. We are not hacked this time.”
As the dust settles, the Bybit breach stands as a stark reminder of the vulnerabilities still plaguing the crypto sector. With regulatory scrutiny mounting, exchanges will need to reassess their security frameworks—or risk becoming the next target of an increasingly sophisticated cyber underworld.