
Behind the Bybit Crypto Theft

A malicious UI update made the $1.46-billion crypto theft look like a legitimate transaction.


The Federal Deposit Insurance Corporation (FDIC) insures U.S. personal bank deposits up to $250,000. When the Silicon Valley Bank and Signature Bank failed in 2023, the FDIC protected consumers and their money. Cryptocurrency has no similar protection. If criminals steal your crypto, you may not get it back.

On February 21, 2025, thieves stole $1.46 billion of Ethereum (ETH) from a wallet belonging to Bybit, a Dubai-based cryptocurrency exchange. Major news reports called it the largest cryptocurrency theft ever. Bybit could not be reached for comment.

How did it happen?

Attackers compromised the Bybit Safe{Wallet} JavaScript front end to manipulate multi-signature transaction approvals, deceiving Bybit’s cryptocurrency signers into authorizing malicious transactions.

Safe{Wallet} is a multi-signature wallet that lets users manage cryptocurrencies, requiring multiple approvals for each transaction. The Safe{Wallet} front end is the user interface (UI) through which users interact with the wallet. JavaScript is the programming language that makes websites interactive.

According to Andrew Fierman, head of national security intelligence at Chainalysis, a blockchain analytics company, Safe{Wallet} uses a Web-based UI with a JavaScript-based template. The attackers altered the UI by adding malicious JavaScript to the front-end code for the template. Chainalysis was heavily involved in investigating and tracking the Bybit theft.

According to Fierman, the attackers compromised a Safe{Wallet} software developer’s computer, allowing them to alter the wallet’s front-end code. The attackers deployed a malicious update to the UI JavaScript designed to catch Bybit off guard when connecting to its cryptocurrency wallet.

Further, according to Fierman, the exploit unfolded in sequence. It began with what seemed a normal transaction: a routine top-up of a hot wallet from a cold wallet. A cold wallet stores cryptocurrency offline, disconnected from the Internet, while a hot wallet remains connected to the Internet.

Fierman said the template displayed a legitimate transaction to the signers, while the compromised JavaScript underneath sent a malicious Safe{Wallet} smart contract update to Bybit’s Ledger device for signing.

The Safe{Wallet} smart contract is a self-executing digital agreement stored on the blockchain. The Ledger device is a hardware wallet for securely storing cryptocurrency keys.

Finally, according to Fierman, Bybit signers blindly signed and approved the transaction without verifying the full details on the hardware device. The attackers drained the ETH crypto funds as the malicious JavaScript routed the crypto to their address.

Who attacked Bybit?

According to multiple news sources, the U.S. Federal Bureau of Investigation (FBI) has confirmed that The Lazarus Group, also known as TraderTraitor, APT38, and BlueNoroff, is responsible for the $1.46-billion Bybit crypto theft. The Lazarus Group works for the North Korean government, the Democratic People’s Republic of Korea (DPRK).

“The Bybit hack follows a similar pattern to past DPRK-linked attacks, where hackers move the initially exploited funds through intermediary addresses to obfuscate their trail. Then, the hackers swapped significant portions of the stolen ETH for tokens, including Bitcoin and DAI, utilizing decentralized exchanges, cross-chain bridges, and a no-KYC instant swap service to move assets across networks,” said Fierman.

Tokens are digital assets, such as Bitcoin and DAI, that live on blockchain networks. DAI is a decentralized stablecoin pegged to the U.S. dollar; a stablecoin ties its value to another asset. Decentralized exchanges are platforms for trading cryptocurrencies without intermediaries. Cross-chain bridges are tools for transferring assets between different blockchains. No-KYC (no Know-Your-Customer) services do not require identity verification. An instant swap service quickly exchanges one cryptocurrency for another.

AI-based threat detection didn’t stop the attack

According to a Bybit news release, the crypto exchange has been using its proprietary AI Risk Engine to inspect suspicious withdrawals since at least last year. Bybit uses AI-based protection and user behavior analytics models to detect irregular behavior patterns in large transactions and withdrawals.

The AI Risk Engine is an advanced, custom-built AI system for analyzing and evaluating crypto transactions for risks and fraud. User behavior analytics models use algorithmic formulas to analyze behavior patterns in user actions and transactions, with the goal of identifying anomalous behavior.

According to Oded Vanunu, chief technologist, WEB 3.0, and head of product vulnerability research at Check Point Software Technologies, the attackers targeted off-chain weaknesses, such as user interactions and transaction approvals, which Bybit’s AI-based threat systems struggled to detect. According to Vanunu, off-chain means off the blockchain; that is, operations that happen before the transaction moves to the blockchain network.

The Bybit attack was a supply chain attack starting at the Safe{Wallet} developer machine that manipulated the trusted off-chain Web-based UI of Safe{Wallet}. It was likely not within the scope of the AI Risk Engine to monitor the developer machine or analyze the UI update.

“Traditional AI models often focus on detecting anomalies in transaction patterns, but if an attacker gains privileged access through deception, the transactions may appear normal within expected behavior patterns,” said Vanunu.

Deception is what happened in this case. According to a Dfns report, The Lazarus Group used social engineering to gain access and elevated privileges on the developer machine. The resulting update to the UI tricked the signers, giving the attackers elevated privileges to send crypto to their address.

Blockchain forensics experts trace stolen funds

According to Andrew Lokenauth, founder of The Finance Newsletter and former finance leader at J.P. Morgan, Goldman Sachs, and Citi, advanced blockchain analysis firms deployed machine learning tools like graph-based analysis and pattern recognition to follow the money trail across the multiple blockchains involved in the Bybit crypto theft.

Graph-based analysis visualizes blockchain transactions to analyze patterns. Pattern recognition tools detect anomalies in blockchain networks by analyzing transactions, user behaviors, and network patterns.

The blockchain analysis experts tracked the funds across 12 different blockchains as law enforcement agencies globally coordinated their tracking efforts, said Lokenauth. The blockchain networks included the well-known Ethereum and Bitcoin blockchain networks, which transact the ETH and Bitcoin cryptocurrencies. Law enforcement agencies involved included the FBI and Interpol.

The blockchain analysis firms and law enforcement have recovered and frozen $40 million worth of stolen cryptocurrency on centralized exchanges, according to Lokenauth. A central authority manages centralized crypto exchanges.
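The tracing described in the three paragraphs above is, at its core, a forward traversal of a transaction graph that crosses chains through bridges and stops where funds land at an address an exchange controls. The following is an added, deliberately simplified example of that traversal; it is not code from the article, from Chainalysis, or from any investigation, and the ledger it walks is constructed. Addresses are short labels rather than real ones, and the time-ordering rule (only outflows that happen after an address receives tainted funds are followed) is the one heuristic it keeps from real tools.

```python
"""Forward-trace stolen funds through a cross-chain transfer graph.

Added educational example; not code from the article or any analytics firm.
The ledger below is constructed: (timestamp, src, dst, chain, asset, amount).
"""
from collections import defaultdict, deque

TRANSFERS = [
    (0, "hop1",   "oldpayee", "ethereum", "ETH",    5.0),  # before hop1 was tainted
    (1, "theft",  "hop1",     "ethereum", "ETH", 1000.0),
    (2, "theft",  "hop2",     "ethereum", "ETH",  500.0),
    (3, "hop1",   "hop3",     "ethereum", "ETH",  999.0),
    (4, "hop3",   "bridge",   "ethereum", "ETH",  999.0),  # cross-chain bridge deposit
    (5, "bridge", "hop4",     "bitcoin",  "BTC",   40.0),  # bridge pays out on another chain
    (6, "hop4",   "cex-dep",  "bitcoin",  "BTC",   10.0),  # known exchange deposit address
    (7, "hop2",   "swapsvc",  "ethereum", "ETH",  500.0),  # no-KYC instant swap service
    (8, "clean",  "cex-dep",  "bitcoin",  "BTC",    1.0),  # unrelated user, same exchange
]
EXCHANGE_DEPOSITS = {"cex-dep"}
SERVICES = {"bridge": "cross-chain bridge", "swapsvc": "instant swap (no KYC)"}


def trace(transfers, origin, exchange_deposits, max_hops=10):
    """Breadth-first walk from `origin` over outgoing transfers.

    An address becomes tainted when it first receives funds along a tainted
    path; only its transfers dated after that moment are followed. Returns
    (reached, freeze): reached maps address -> (hops, path); freeze lists the
    transfers that land on a known exchange deposit address, where a central
    operator can still freeze the balance.
    """
    outgoing = defaultdict(list)
    for ts, src, dst, chain, asset, amt in sorted(transfers):
        outgoing[src].append((ts, dst, chain, asset, amt))
    reached = {origin: (0, [origin])}
    tainted_since = {origin: -1}
    freeze = []
    queue = deque([origin])
    while queue:
        addr = queue.popleft()
        hops, path = reached[addr]
        if hops >= max_hops or addr in exchange_deposits:
            continue                      # stop at the exchange: that is where to act
        for ts, dst, chain, asset, amt in outgoing[addr]:
            if ts <= tainted_since[addr] or dst in reached:
                continue                  # pre-taint outflow, or already visited
            reached[dst] = (hops + 1, path + [dst])
            tainted_since[dst] = ts
            if dst in exchange_deposits:
                freeze.append((dst, chain, asset, amt, path + [dst]))
            queue.append(dst)
    return reached, freeze


def describe(path):
    """Annotate a path with the service type of each intermediary, if known."""
    return " -> ".join(f"{a} [{SERVICES[a]}]" if a in SERVICES else a for a in path)


if __name__ == "__main__":
    reached, freeze = trace(TRANSFERS, "theft", EXCHANGE_DEPOSITS)
    for addr, (hops, path) in sorted(reached.items(), key=lambda kv: kv[1][0]):
        print(f"{hops} hops: {describe(path)}")
    for dst, chain, asset, amt, path in freeze:
        print(f"freeze candidate: {amt} {asset} on {chain} at {dst} via {describe(path)}")
```

Two things the walk gets right that a naive "follow every edge" search does not: `oldpayee` is never reached, because `hop1` paid it before the theft touched `hop1`, and `clean` is never reached even though it shares a deposit address with the tainted flow, because the graph is only followed forward from the origin. Real tooling layers clustering heuristics and exchange attribution on top of this skeleton, which is what lets investigators say that a given balance at a centralized exchange is freezable.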

According to Chainalysis’ Fierman, investigators from Chainalysis Global Services and Global Intelligence teams worked around the clock as soon as the hack was announced, tracking North Korea’s laundering efforts. “We continue to work with our global teams, customers, and partners across the public and private sectors to support multiple avenues for seizure and recovery in response to this attack,” said Fierman.

Helping crypto consumers, preventing attacks

According to Lokenauth, Bybit has established a $400-million compensation fund for affected users. “The $400-million fund is likely the maximum that Bybit can realistically provide,” said Lokenauth, adding that many victims of the Bybit theft will be left with significant losses regardless of the fund.

The crypto industry is making significant changes in response to the Bybit hack. “Crypto platforms are shifting towards real-time transaction monitoring and stronger user verification to detect manipulation attempts early. There’s a growing push for preventive security models where approvals require multi-layered authentication beyond UI-based confirmations. Collaboration between exchanges, security firms, and blockchain networks is key—threat intelligence sharing is now more crucial than ever,” said Vanunu.

Examples of these multi-layered authentication methods include hardware security modules for secure key storage and management, and FIDO2 (fast identity online) for passwordless authentication.

David Geer is a journalist who focuses on issues related to cybersecurity. He writes from Cleveland, OH, USA.
