Incident Analysis 🇰🇵

Technical Analysis: Bybit Cold Wallet Hack ($1.46B)


Osman Sonmez

2025-02-22

Executive Summary

  • Date: February 21, 2025
  • Victim: Bybit Exchange
  • Amount Stolen: 401,346 ETH ($1.46 billion)
  • Attribution: Lazarus Group (DPRK) - High Confidence
  • Attack Vector: Multisig Safe UI Manipulation
  • Status: Funds actively being dispersed

Introduction

On February 21, 2025, Bybit exchange suffered the largest cryptocurrency theft in history, with approximately 401,346 ETH ($1.46 billion at time of attack) stolen from their cold storage multisig wallet. This analysis examines the technical details of the attack, attribution evidence linking it to North Korea's Lazarus Group, and the ongoing laundering operations.

Attack Timeline

  • 14:23 UTC: Initial compromise detected. Malicious transaction submitted to Bybit cold wallet multisig.
  • 14:25 UTC: Transaction executed. 401,346 ETH transferred to attacker address 0x47666fab...
  • 14:30 UTC: Initial dispersion begins. Funds split across 10+ intermediary wallets.
  • 15:45 UTC: Bybit confirms breach. Public announcement and wallet blacklisting initiated.

Technical Analysis

Attack Vector: Multisig UI Manipulation

The attack exploited a vulnerability in the transaction signing workflow of Bybit's Gnosis Safe multisig implementation. Unlike previous Lazarus attacks that relied on private key theft or validator compromise, this attack manipulated the transaction data displayed to signers.

Attack flow:

1. Attacker gains access to transaction submission interface
2. Malicious transaction crafted with legitimate-looking metadata
3. Signers see "routine transfer" but sign malicious payload
4. Safe executes attacker-controlled transaction
5. Funds drain to 0x47666fab8bd0ac7003bce3f5c3585383f09486e2

This technique, similar to the July 2024 WazirX attack, suggests Lazarus has developed specialized capabilities for targeting multisig wallet infrastructure.

Initial Fund Movement

Within hours of the theft, funds were distributed across multiple wallets in a pattern consistent with previous Lazarus operations:

Wallet         Amount (ETH)   Purpose
0x47666f...    401,346        Initial receipt
0xa4b2b0...    ~80,000        Dispersal wallet 1
0x2e0d96...    ~95,000        Dispersal wallet 2
[+92 more]     ~226,346       Layering network

Attribution Analysis

Evidence Linking to Lazarus Group

Multiple indicators support high-confidence attribution to North Korea's Lazarus Group:

  • Attack methodology: UI manipulation technique matches WazirX (July 2024) and other confirmed Lazarus operations
  • Wallet clustering: Funds flowed to addresses with on-chain connections to previous DPRK-attributed clusters
  • Timing patterns: Transaction timing consistent with Pyongyang working hours
  • Infrastructure overlap: Some dispersal wallets previously flagged in DMM Bitcoin hack cluster

Attribution Confidence: HIGH - Based on TTP analysis, wallet clustering, and infrastructure overlap with confirmed DPRK operations.

Laundering Indicators

As of this writing, the stolen funds are actively being laundered. Expected techniques based on recent Lazarus patterns:

  • THORChain: Cross-chain swaps to Bitcoin (observed in DMM, WazirX cases)
  • Token swaps: ETH → stablecoins → other tokens to obscure trail
  • Bridge usage: Movement to Arbitrum, Optimism, Polygon for cheaper transactions
  • Mixer staging: Accumulation in wallets for future mixer deposits

Recommendations

For Exchanges

  • Implement transaction simulation and verification for multisig operations
  • Add delays and additional verification for large withdrawals
  • Monitor for UI manipulation attempts in signing interfaces
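Added example, not code from the original article or from Safe's own tooling: an independent pre-signing check that decodes the raw Safe transaction fields a signer is about to authorise and compares them with what the signing interface claims, refusing on DELEGATECALL, unexpected calldata on a "routine transfer", or a recipient/amount mismatch. The SafeTx and UiClaim types, the addresses and the sample payload are constructed for illustration.

```python
from dataclasses import dataclass
CALL, DELEGATECALL = 0, 1
ERC20_TRANSFER = bytes.fromhex("a9059cbb")  # selector of transfer(address,uint256)
@dataclass
class SafeTx:            # the raw fields that actually enter the Safe transaction hash
    to: str              # target address, 0x-prefixed hex
    value: int           # wei sent with the call
    data: bytes          # calldata; empty for a plain ETH transfer
    operation: int       # 0 = CALL, 1 = DELEGATECALL

@dataclass
class UiClaim:           # what the signing interface tells the signer (constructed type)
    recipient: str
    amount: int          # wei, or token base units for an ERC-20 transfer

def decode_erc20_transfer(data: bytes):
    """Return (recipient, amount) if data is an ERC-20 transfer call, else None."""
    if len(data) != 68 or data[:4] != ERC20_TRANSFER:
        return None
    recipient = "0x" + data[16:36].hex()        # address is right-aligned in word 1
    amount = int.from_bytes(data[36:68], "big")  # word 2
    return recipient, amount

def check_before_signing(tx: SafeTx, claim: UiClaim, allowlist: set) -> list:
    """Compare raw payload with the UI claim; any finding means refuse to sign."""
    findings = []
    if tx.operation == DELEGATECALL:
        findings.append("operation is DELEGATECALL: target code runs inside the Safe's own storage")
    decoded = decode_erc20_transfer(tx.data)
    if decoded:
        recipient, amount = decoded              # token transfer: tx.to is the token contract
    else:
        recipient, amount = tx.to, tx.value      # plain ETH transfer, or an arbitrary call
        if tx.data:
            findings.append(f"{len(tx.data)} bytes of calldata on what is shown as a plain transfer")
    if recipient.lower() != claim.recipient.lower():
        findings.append(f"recipient mismatch: UI shows {claim.recipient}, payload pays {recipient}")
    if amount != claim.amount:
        findings.append(f"amount mismatch: UI shows {claim.amount}, payload moves {amount}")
    if recipient.lower() not in allowlist:       # allowlist holds lowercase addresses
        findings.append(f"recipient {recipient} is not on the pre-approved allowlist")
    return findings

# Constructed sample with placeholder addresses: the UI shows a routine 10 ETH transfer to a
# known hot wallet, but the payload is a DELEGATECALL into an unknown contract.
HOT_WALLET = "0x1111111111111111111111111111111111111111"
UNKNOWN = "0x2222222222222222222222222222222222222222"
SHOWN = UiClaim(recipient=HOT_WALLET, amount=10 * 10**18)
HONEST = SafeTx(to=HOT_WALLET, value=10 * 10**18, data=b"", operation=CALL)
MANIPULATED = SafeTx(to=UNKNOWN, value=0, data=bytes.fromhex("a1b2c3d4"), operation=DELEGATECALL)
```

Running `check_before_signing(MANIPULATED, SHOWN, {HOT_WALLET})` returns five findings, while the honest transaction returns none; a signer tool that runs this off the raw fields rather than the rendered UI cannot be fooled by a manipulated display alone.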

For Compliance Teams

  • Block transactions to/from identified cluster addresses
  • Monitor for funds attempting to enter through DEXs
  • Coordinate with law enforcement on freeze requests

Conclusion

The Bybit hack represents a significant escalation in Lazarus Group's capabilities and ambition. The shift toward UI manipulation attacks on multisig infrastructure suggests exchanges must fundamentally reconsider their signing workflows and verification processes.

This incident also underscores the critical importance of real-time threat intelligence sharing. The techniques used in this attack were previewed in the WazirX incident seven months earlier - highlighting the need for rapid dissemination of attack methodology information.

