Cryptocurrency exchange Bybit has confirmed a significant security breach in which attackers extracted roughly $1.5 billion in digital assets, primarily Ethereum. The attack, which subverted the exchange's transaction-approval process rather than breaking any key or cipher, has been described as the largest cryptocurrency theft to date. Bybit's leadership has moved to reassure users, pledging to fully reimburse those affected and stating that the exchange remains solvent. Investigations are under way to identify the perpetrators and recover the stolen funds, and the incident has renewed debate about the security of digital asset platforms.
The Bybit hack, attributed to the Lazarus Group, is the largest cryptocurrency theft recorded to date. The attack was sophisticated: a masked signing interface and a manipulated URL tricked Bybit's multisig wallet signers into approving a transaction that did something very different from the transfer it appeared to be. Below is a step-by-step breakdown of how it was executed.
1. Exploiting a Masked UI and URL
Phishing and UI deception are standard ways to get a victim to sign a transaction they would never knowingly approve.
- The attackers tampered with the transaction-signing interface used by Bybit's multisig signers (the Safe{Wallet} web front end, a third-party service rather than a Bybit-internal system) and its URL, so that the page displayed a legitimate-looking transfer while submitting different calldata for signature.
- The wallet signers (the personnel whose approvals are required to move funds) authorized the malicious transaction without realizing it: the hardware wallets they signed with showed only an opaque transaction hash, so nothing on the device contradicted what the browser displayed.
- The spoofed transaction mimicked a routine transfer from Bybit's cold wallet to its warm wallet, the kind of operation the signers approve regularly.
2. Gaining Control Over the Cold Wallet
Once the fraudulent transaction was approved, the attackers had replaced the smart contract logic governing Bybit's Ethereum cold wallet:
- The cold wallet was a multisig smart contract, and the signed transaction changed the code that contract executes. With the wallet's logic under their control, the attackers could move funds without any further signer approval and without triggering internal alarms tuned to the normal transfer flow.
- Cold wallets are called cold because their signing keys are kept offline, and those keys were not stolen here. The weak point was the signing workflow: a transaction carrying the required signatures is valid on-chain regardless of what the signers believed they were approving.
- Once they gained control, the hackers initiated massive fund transfers to their own wallets.
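The check that closes the gap described in steps 1 and 2 is to decode the raw calldata the signing device is actually handed and compare it with the transfer the web UI claims to be submitting. The block below is an added example, not Bybit's or Safe's code. It assumes the multisig exposes the Gnosis Safe `execTransaction(...)` ABI layout (selector `0x6a761202`, `operation` 0 = call, 1 = delegatecall), uses the standard ERC-20 `transfer` selector `0xa9059cbb`, and builds both a benign and a tampered calldata blob from constructed addresses; the UI claim (`ui_to`, `ui_value_wei`) is a hypothetical input a signer would read off the screen.

```python
"""Independent verification of what a multisig signer is actually asked to sign.

Added example, not Bybit's or Safe's code. Assumes the Gnosis Safe v1.x
execTransaction(...) ABI layout; addresses below are constructed, not real.
"""

EXEC_TX_SELECTOR = bytes.fromhex("6a761202")   # execTransaction(address,uint256,bytes,uint8,...)
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")  # ERC-20 transfer(address,uint256)
CALL, DELEGATECALL = 0, 1                      # Safe "operation" values

# Constructed addresses for the example (not real wallets).
WARM_WALLET = "0x" + "bb" * 20
UNKNOWN_CONTRACT = "0x" + "ee" * 20
TEN_ETH = 10 * 10**18


def _word(n: int) -> bytes:
    return n.to_bytes(32, "big")


def _addr_word(addr: str) -> bytes:
    return bytes.fromhex(addr[2:]).rjust(32, b"\x00")


def _pad32(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % 32)


def encode_exec_transaction(to: str, value: int, data: bytes, operation: int,
                            signatures: bytes = b"") -> bytes:
    """ABI-encode execTransaction; gas and refund fields are zeroed for brevity."""
    data_tail = _word(len(data)) + _pad32(data)
    sig_tail = _word(len(signatures)) + _pad32(signatures)
    head = [
        _addr_word(to), _word(value), _word(10 * 32), _word(operation),
        _word(0), _word(0), _word(0), bytes(32), bytes(32),
        _word(10 * 32 + len(data_tail)),
    ]
    return EXEC_TX_SELECTOR + b"".join(head) + data_tail + sig_tail


def decode_exec_transaction(calldata: bytes) -> dict:
    """Pull to / value / operation / inner data out of raw execTransaction calldata."""
    if calldata[:4] != EXEC_TX_SELECTOR:
        raise ValueError(f"unexpected selector 0x{calldata[:4].hex()}")
    body = calldata[4:]

    def word(i: int) -> bytes:
        return body[i * 32:(i + 1) * 32]

    data_off = int.from_bytes(word(2), "big")
    data_len = int.from_bytes(body[data_off:data_off + 32], "big")
    return {
        "to": "0x" + word(0)[12:].hex(),
        "value": int.from_bytes(word(1), "big"),
        "operation": int.from_bytes(word(3), "big"),
        "data": body[data_off + 32:data_off + 32 + data_len],
    }


def verify_against_ui(calldata: bytes, ui_to: str, ui_value_wei: int) -> list:
    """Compare the calldata with the UI's claim of a plain transfer of
    ui_value_wei to ui_to. Returns discrepancies; an empty list means consistent."""
    tx = decode_exec_transaction(calldata)
    findings = []
    if tx["operation"] != CALL:
        findings.append(f"operation={tx['operation']} is a delegatecall, not a transfer: "
                        "the target's code would run inside the wallet's own storage")
    data = tx["data"]
    if data[:4] == TRANSFER_SELECTOR and len(data) == 68:      # ERC-20 transfer
        recipient = "0x" + data[16:36].hex()
        amount = int.from_bytes(data[36:68], "big")
        if tx["value"] != 0:
            findings.append(f"{tx['value']} wei of native value attached to a token transfer")
    else:                                                       # native transfer or unknown
        if data:
            findings.append(f"{len(data)} bytes of unexplained calldata "
                            f"(selector 0x{data[:4].hex()})")
        recipient, amount = tx["to"], tx["value"]
    if recipient.lower() != ui_to.lower():
        findings.append(f"recipient {recipient} differs from UI destination {ui_to}")
    if amount != ui_value_wei:
        findings.append(f"amount {amount} wei differs from UI amount {ui_value_wei} wei")
    return findings


# What the UI showed: 10 ETH from the cold multisig to the warm wallet.
BENIGN_CALLDATA = encode_exec_transaction(WARM_WALLET, TEN_ETH, b"", CALL)
# What a tampered UI could hand to the signing device instead: a delegatecall into
# an unknown contract with arbitrary calldata and no value (constructed payload).
MALICIOUS_CALLDATA = encode_exec_transaction(
    UNKNOWN_CONTRACT, 0, bytes.fromhex("deadbeef") + bytes(32), DELEGATECALL)

if __name__ == "__main__":
    for name, cd in [("benign", BENIGN_CALLDATA), ("malicious", MALICIOUS_CALLDATA)]:
        print(name, verify_against_ui(cd, WARM_WALLET, TEN_ETH) or ["consistent with UI"])
```

The point of the example is where the comparison runs: it must take its input from the bytes the signing device receives, not from the browser page, because the page is exactly what the attacker controlled. A delegatecall with non-empty calldata and zero value is the opposite of a routine transfer, and that mismatch is visible without understanding what the target contract does.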
3. Transferring the Stolen Ethereum to 53 Wallets
After gaining control of Bybit’s Ethereum reserves, the attackers immediately moved the stolen funds:
- 53 different wallets were used to scatter the Ethereum and make it harder to track.
- These wallets are publicly visible and are actively monitored by blockchain forensics teams, which makes it difficult (though not impossible) for Lazarus to move the assets unnoticed.
4. Using Cryptocurrency Mixers to Launder Funds
To evade detection, the hackers turned to cryptocurrency mixing services:
- Mixers, and no-KYC instant swap services such as eXch, break the stolen Ethereum into smaller, randomized amounts and blend them with other users' funds.
- This process helps obfuscate the origin of the stolen cryptocurrency.
- After mixing, the attackers swap the Ethereum into other cryptocurrencies (e.g., Bitcoin or Monero) to further hide their tracks.
- The funds are then split into even smaller amounts and transferred to multiple new wallets, making it harder for blockchain analysts to trace the source.
5. Converting to Fiat Currency
Once the funds are sufficiently anonymized, they are converted into fiat currency (USD, EUR, etc.):
- The stolen crypto is often deposited into unregulated or offshore exchanges with lax KYC (Know Your Customer) rules.
- It may be withdrawn in small, incremental amounts to avoid detection by financial authorities.
- Some of the funds could also be used to buy assets like real estate, gift cards, or luxury goods, further complicating the laundering process.
Why This Attack Is Significant
- Biggest Crypto Theft in History: At $1.5 billion, this is the largest single hack ever recorded in crypto.
- Cold Wallet Compromise: Cold wallets are supposed to be out of reach of online attackers. The keys here were never exposed; the signers were deceived into authorizing a contract change, which shows that offline key storage alone does not protect a wallet whose approval workflow runs through a web interface.
- Lazarus Group’s Growing Influence: This North Korean state-sponsored hacking group has stolen over $1.34 billion in 2024 alone, showing increasing sophistication in their methods.
How Bybit and Security Experts Are Responding
Bybit is now working with blockchain forensics firms, law enforcement agencies, and cybersecurity experts to track and recover the stolen funds.
- Offering a $140M Bounty: Bybit is incentivizing ethical hackers and investigators to help trace and retrieve the stolen assets.
- Monitoring the Hacker Wallets: Blockchain intelligence teams are keeping real-time surveillance on the 53 wallets holding the stolen Ethereum.
- Improving Security Measures: Bybit has announced a security overhaul, including enhanced transaction monitoring. Note that the drained wallet was already protected by multi-signature approval and every required signer approved the malicious transaction; the fix that matters is independent verification of the actual transaction contents (destination, value, calldata, operation type) on or alongside the signing device, rather than trusting the web interface's description.
Why the Bybit Hackers Will Be Caught
- Blockchain Transparency – Every Ethereum transaction is recorded permanently on a public ledger, so the movement of the stolen funds can be obscured but never erased.
- Wallet Monitoring – The stolen Ethereum has been traced to 53 wallets, which are actively watched by blockchain forensic teams and law enforcement.
- Crypto Mixing Isn’t Foolproof – While mixers like eXch obscure transactions, forensic tools can deanonymize patterns over time, especially if hackers reuse addresses.
- Exchange Blacklisting – Major exchanges flag and freeze suspicious wallets, making it difficult for hackers to cash out into fiat currency undetected.
- Law Enforcement Cooperation – Governments and cybersecurity agencies worldwide collaborate on crypto crime, increasing the chances of tracking and seizing stolen assets.
- Mistakes by Hackers – Even the most skilled cybercriminals make errors, such as reusing addresses or failing to properly mix transactions, which can expose them.
- On-Chain Analysis Tools – Firms such as Chainalysis and Arkham Intelligence use address-clustering heuristics and transaction-graph analysis to follow funds across many hops.
- Huge Bounty Incentive – Bybit is offering up to $140 million (10% of whatever is recovered) to anyone who helps trace and retrieve the funds, so experienced blockchain analysts have a direct reason to hunt for clues.
- KYC and AML Regulations – Many crypto platforms enforce Know Your Customer (KYC) and Anti-Money Laundering (AML) laws, making it harder to cash out stolen funds without revealing identities.
- Previous Lazarus Group Traces – The Lazarus Group has been linked to past hacks, and their known laundering techniques give investigators clues on where to look.
Even if the full amount isn’t recovered, parts of the stolen funds are likely to be frozen or traced back to individuals, leading to eventual arrests or asset seizures.
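The tracing that sections 3 to 5 and the "Wallet Monitoring" and "Exchange Blacklisting" points above depend on can be reduced to a small model. The block below is an added example, not the code of Bybit or of any forensics vendor named on this page. It runs a "haircut" taint policy (each outgoing transfer carries the sender's current tainted fraction) over a constructed ledger that imitates the pattern the article describes: fan-out from the thief's address, a deposit into a mixing service alongside unrelated clean funds, and withdrawals that eventually reach labelled exchange deposit addresses. All addresses, amounts and labels are constructed.

```python
"""Haircut taint tracing over a constructed transfer ledger (added example)."""
from collections import defaultdict
from fractions import Fraction

# Constructed ledger: (block, sender, recipient, amount in ETH). Not real chain data.
LEDGER = [
    (1, "hacker", "w1", 1000),
    (1, "hacker", "w2", 1000),
    (1, "hacker", "w3", 1000),
    (2, "w1", "mixer", 1000),
    (2, "clean_user", "mixer", 3000),   # unrelated deposit that dilutes the taint
    (3, "mixer", "out1", 2000),
    (3, "mixer", "out2", 2000),
    (4, "out1", "exchA_deposit", 2000),
    (4, "w2", "exchB_deposit", 1000),
]
SEEDS = {"hacker": 3000}                 # address known to hold the stolen funds
LABELS = {                               # constructed attribution, the kind KYC/blacklists supply
    "exchA_deposit": "exchange deposit",
    "exchB_deposit": "exchange deposit",
    "mixer": "mixing service",
}


def trace_taint(ledger, seeds, labels):
    """Propagate taint proportionally (haircut policy) through the ledger in block order.

    Returns (tainted amount per address, alerts raised when tainted funds land on an
    address labelled as an exchange deposit). Exact arithmetic via Fraction.
    """
    balance = defaultdict(Fraction)
    tainted = defaultdict(Fraction)
    for addr, amount in seeds.items():
        balance[addr] = tainted[addr] = Fraction(amount)
    alerts = []
    for block, src, dst, amount in sorted(ledger):
        amount = Fraction(amount)
        if balance[src] < amount:          # inflows we never observed are assumed clean
            balance[src] = amount
        moved = amount * tainted[src] / balance[src]
        tainted[src] -= moved
        balance[src] -= amount
        tainted[dst] += moved
        balance[dst] += amount
        if moved > 0 and labels.get(dst, "").startswith("exchange"):
            alerts.append((block, dst, moved))
    return tainted, alerts


def fan_out(ledger, source, within_blocks):
    """Distinct addresses the source paid within `within_blocks` of its first outflow."""
    blocks = [b for b, s, _, _ in ledger if s == source]
    if not blocks:
        return []
    start = min(blocks)
    return sorted({d for b, s, d, _ in ledger if s == source and b < start + within_blocks})


if __name__ == "__main__":
    tainted, alerts = trace_taint(LEDGER, SEEDS, LABELS)
    print("fan-out from seed:", fan_out(LEDGER, "hacker", 1))
    for addr in sorted(tainted):
        if tainted[addr]:
            print(f"{addr:>14}: {float(tainted[addr]):.1f} ETH tainted")
    for block, addr, amount in alerts:
        print(f"block {block}: {float(amount):.1f} tainted ETH reached {addr} ({LABELS[addr]})")
```

Two things the model makes visible. First, the mixer does exactly what section 4 says: 1000 tainted ETH goes in, clean funds dilute it, and each withdrawal carries only a quarter of its value as taint, so the analyst's confidence per output drops even though nothing has left the public ledger. Second, the alerts fire only because the deposit addresses are labelled; without exchange attribution (the product of KYC, blacklisting and vendor clustering) the tainted balance would be known but there would be nobody to ask to freeze it. Haircut is one of several policies (FIFO and poison are the other common ones) and real investigations combine them with timing and amount heuristics.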
Conclusion
The Bybit hack is a textbook example of social engineering, smart contract manipulation, and sophisticated money laundering techniques. This attack underscores the growing cybersecurity threats in the cryptocurrency space and highlights the need for stronger cold wallet security and transaction verification processes.