Bybit hack
The largest crypto theft on record: about $1.5B in Ether was stolen from the Bybit exchange on February 21, 2025. The FBI attributed it to North Korea (TraderTraitor/Lazarus), which compromised the Safe{Wallet} signing interface to redirect a routine cold-wallet transfer.
Also known as: Bybit, Bybit hack, TraderTraitor
Summary
On February 21, 2025, the cryptocurrency exchange Bybit lost approximately $1.5 billion — about 401,000 ETH — in what is widely described as the largest cryptocurrency theft in history. [1][2]
How it happened
Rather than breaking Bybit's own systems or the Safe{Wallet} smart contracts, the attackers carried out a supply-chain/operational-security attack: they compromised a Safe{Wallet} developer environment and injected malicious code into the wallet interface so that, when Bybit signers approved a routine transfer from cold storage, the interface displayed legitimate details while the signature actually authorized a malicious contract that drained the wallet. [1][2]
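A signer-side check for the failure described above, where the interface displays one transfer while the signing request carries another. This is an added example, not code from Bybit or Safe: the addresses, allowlist, policy and function names are constructed, and it assumes the signing request is available as EIP-712 typed-data JSON read from a channel independent of the web interface.

```python
import json

CALL = 0  # Safe `operation` value for a plain call (1 is DELEGATECALL)

# Constructed values for illustration only.
SAFE = "0x" + "aa" * 20   # the cold-wallet Safe being spent from
DEST = "0x" + "11" * 20   # recipient the operators intend to pay
ALLOWLIST = {DEST}        # destinations approved out of band

def review_signing_request(typed_data_json, intended_to, intended_wei,
                           safe=SAFE, allowlist=ALLOWLIST):
    """Return reasons to refuse signing; an empty list means the request matches intent."""
    req = json.loads(typed_data_json)
    msg = req.get("message", {})
    problems = []
    if req.get("primaryType") != "SafeTx":
        problems.append("not a SafeTx signing request")
    bound_to = str(req.get("domain", {}).get("verifyingContract", "")).lower()
    if bound_to != safe.lower():
        problems.append("request is bound to a different Safe")
    to = str(msg.get("to", "")).lower()
    if to != intended_to.lower():
        problems.append("destination differs from the intended recipient")
    if to not in allowlist:
        problems.append("destination is not on the allowlist")
    if int(str(msg.get("value", "0")), 0) != intended_wei:
        problems.append("value differs from the intended amount")
    if str(msg.get("data", "0x")).lower() not in ("", "0x"):
        problems.append("calldata present on what should be a plain ETH transfer")
    if int(str(msg.get("operation", 0)), 0) != CALL:
        problems.append("operation is not a plain call")
    return problems

def _request(to, wei, data="0x", operation=CALL):
    """Build a constructed signing request carrying the SafeTx fields checked above."""
    return json.dumps({
        "primaryType": "SafeTx",
        "domain": {"verifyingContract": SAFE},
        "message": {"to": to, "value": str(wei), "data": data,
                    "operation": operation, "nonce": 7},
    })

EXPECTED = _request(DEST, 10**18)                       # matches what the UI shows
TAMPERED = _request("0x" + "22" * 20, 0, "0xdeadbeef", 1)  # same UI, different payload

if __name__ == "__main__":
    print("expected:", review_signing_request(EXPECTED, DEST, 10**18))
    for reason in review_signing_request(TAMPERED, DEST, 10**18):
        print("refuse:", reason)
```

The check only helps if the request it reads does not pass through the same interface the signers are looking at.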
Attribution
On February 26, 2025, the FBI attributed the theft to North Korea, referring to the activity as "TraderTraitor" (part of the Lazarus Group umbrella); investigators including ZachXBT and Arkham independently linked it to the same actor. Bybit said it secured bridge financing to cover any unrecoverable losses. [1][3]
Bracketed numbers refer to the numbered sources listed below.
Linked scams & cases
People & entities involved
- Lazarus Group | Attributed actor (TraderTraitor) | Organizations & groups: The most widely used name for North Korea's state-sponsored hacking apparatus, run under its Reconnaissance General Bureau. Blamed for the Sony hack, the Bangladesh Bank SWIFT heist, WannaCry, and — since ~2017 — many of the largest crypto thefts ever. Chainalysis puts DPRK's cumulative crypto haul near $6.75B, used to fund the regime's weapons programs.
- TraderTraitor | Attributed actor | Organizations & groups: A North Korea-linked threat cluster (part of the Lazarus umbrella) that the FBI blames for several of the largest exchange thefts, including Bybit ($1.5B), DMM Bitcoin ($305M), and the Ronin/Axie bridge. It favors social-engineering of employees and supply-chain compromises.
Sources (3)
See also
- Loci (LOCIcoin) | Tokens: A 2017–2018 ICO for 'LOCIcoin' tied to the InnVenn IP-search platform. The SEC charged Loci and CEO John Wise with fraud for raising $7.6M on false claims about revenue, headcount, and user base; Wise also misused investor funds. Settled with a $7.6M penalty and an officer/director bar.
- Blockchain Terminal (BCT) | Tokens: A 2017–2018 ICO (BCT tokens, ~$30M) for a 'Blockchain Terminal' — a Bloomberg-style crypto trading terminal. The SEC and DOJ said convicted ex-hedge-funder Boaz Manor secretly ran it under a fake identity ('Shaun MacDonald'), using associate Edith Pardo as a front, and lied about the product's adoption.
- Crowd Machine (CMCT) | Tokens
This page was last updated on Jun 8, 2026.