$1.5B Bybit Hack: How Lazarus Pulled Off the Heist

Published April 13, 2026 · by ALGERIATECH Editorial

⚡ Key Takeaways

North Korea’s Lazarus Group stole 401,347 ETH (approximately $1.5 billion) from Bybit on February 21, 2025, in the largest cryptocurrency theft in history. The attackers compromised a Safe{Wallet} developer’s machine and injected malicious JavaScript that hijacked a routine cold-to-warm wallet transfer. North Korea stole $2.02 billion in crypto total in 2025, representing 60% of all cryptocurrency theft globally.

Bottom Line: The Bybit heist proves that supply chain attacks targeting developer machines and third-party software platforms now pose a greater threat than protocol-level exploits, making developer access controls and code deployment auditing essential for any organization handling digital assets.

Read Full Analysis ↓

🧭 Decision Radar

Relevance for Algeria
Medium
▾

Algeria’s cryptocurrency adoption is limited due to regulatory restrictions, but the supply chain attack methodology is directly relevant to any organization using third-party software platforms for financial operations.

Infrastructure Ready?
No
▾

Algeria lacks dedicated cryptocurrency exchange infrastructure, but the broader lesson about developer machine compromise applies to all software supply chains including banking and fintech systems.

Skills Available?
Limited
▾

Blockchain forensics and supply chain security expertise are scarce in Algeria. However, general application security practices applicable to preventing similar attacks are available in the IT security community.

Action Timeline
Monitor only
▾

The direct cryptocurrency theft vector is less relevant to Algeria, but organizations should continuously audit third-party software dependencies and developer access controls.

Key Stakeholders
CISOs, financial regulators, fintech developers

Decision Type
Educational
▾

This case study provides critical lessons on supply chain security and developer machine hygiene that apply beyond cryptocurrency to any industry relying on third-party software platforms.

Quick Take: While Algeria’s crypto market is minimal, the Bybit heist’s supply chain attack methodology is a warning for any Algerian organization using third-party financial software. IT leaders should audit developer machine security, implement hardware-based transaction verification for high-value transfers, and treat third-party code deployments as a tier-one attack surface.

A Single Developer Machine, $1.5 Billion Gone

On February 21, 2025, cryptocurrency exchange Bybit lost approximately 401,347 ETH — roughly $1.5 billion — in what the FBI confirmed as the largest cryptocurrency theft in history. Five days later, the Bureau officially attributed the attack to North Korea’s TraderTraitor group, a component of the broader Lazarus Group operation that has been funding Pyongyang’s nuclear and ballistic missile programs through cybercrime for over a decade.

The heist did not exploit a flaw in blockchain protocols or smart contract logic. Instead, Lazarus compromised the development environment of Safe{Wallet}, the smart contract wallet platform Bybit used to manage its cold storage. The attackers gained access to a developer’s device through social engineering, then pivoted into the company’s network and code deployment systems.

Anatomy of a Supply Chain Heist

The technical analysis by NCC Group reveals a methodical operation spanning approximately 17 days from initial compromise to fund extraction.

On February 19, 2025, at 15:29:25 UTC, the attackers replaced a benign JavaScript file on `app.safe.global` with malicious code specifically designed to target Bybit’s Ethereum multisig cold wallet. The injected code was surgical — it would only activate during the next Bybit transaction, lying dormant for any other user of the Safe{Wallet} platform.

When Bybit initiated a routine transfer from its cold wallet to its warm wallet on February 21 at 14:13:35 UTC, the malicious code intercepted the transaction. Instead of executing the legitimate transfer, it redirected 401,347 ETH to an attacker-controlled wallet. The entire theft completed in a single transaction.

Blockchain investigator @ZachXBT independently confirmed the Lazarus attribution before the FBI’s official announcement, tracing the funds through patterns consistent with previous North Korean operations.

Laundering at Speed

Within weeks of the theft, Lazarus had laundered the majority of the stolen assets through a sophisticated network designed to obscure the money trail. According to TRM Labs, the attackers dispersed the stolen Ethereum across thousands of blockchain addresses, converted portions to Bitcoin and other virtual assets, and routed funds through crypto mixers, cross-chain bridges, and underground OTC brokers.

The FBI issued an alert urging exchanges, bridges, and blockchain analytics firms to block transactions from addresses associated with the theft. Despite these efforts, the speed and sophistication of the laundering operation outpaced most intervention attempts.

North Korea’s Crypto War Machine

The Bybit heist did not occur in isolation. According to NBC News, North Korean hackers stole at least $2.02 billion in cryptocurrency throughout 2025 — a 51% increase over the previous year. The Bybit hack alone accounted for roughly three-quarters of that total. Chainalysis reported that total cryptocurrency theft across all actors reached $3.4 billion in 2025, meaning North Korea was responsible for approximately 60% of all crypto stolen globally.

The United Nations and private researchers have long documented how Pyongyang uses cryptocurrency theft to circumvent international sanctions and fund its weapons of mass destruction programs. The Wilson Center notes that the scale of the Bybit heist alone exceeds the annual GDP of many small nations, making state-sponsored cryptocurrency theft one of North Korea’s most significant revenue streams.

Lessons for the Industry

The Bybit hack crystallizes several uncomfortable truths for the cryptocurrency industry. First, the weakest link was not the blockchain or the smart contract — it was a developer’s laptop. Supply chain attacks targeting the human layer of infrastructure have become the dominant threat vector, surpassing protocol-level exploits.

Second, multi-signature wallets provide security against private key theft but offer no defense when the signing interface itself is compromised. Bybit’s cold wallet required multiple approvals, but the malicious code manipulated what signers saw, making the fraudulent transaction appear legitimate.

Third, the speed of laundering has outpaced the industry’s ability to freeze stolen funds. Despite coordinated efforts by exchanges and analytics firms, the majority of the $1.5 billion was effectively laundered within weeks.

Follow AlgeriaTech on LinkedIn for professional tech analysis Follow on LinkedIn

Follow @AlgeriaTechNews on X for daily tech insights Follow on X

Frequently Asked Questions

How did Lazarus Group compromise Bybit’s cold wallet despite multi-signature protection?

Lazarus did not attack the wallet’s cryptographic protections. Instead, they compromised a developer’s machine at Safe{Wallet}, the platform Bybit used to manage its cold storage, and injected malicious JavaScript that manipulated the signing interface. When Bybit employees approved what appeared to be a routine transfer, the modified code redirected 401,347 ETH to attacker-controlled addresses.

How much cryptocurrency has North Korea stolen in total?

North Korean hackers stole at least $2.02 billion in cryptocurrency in 2025 alone, a 51% increase year-over-year. The Bybit hack accounted for approximately three-quarters of that total. The stolen funds are used to circumvent international sanctions and finance nuclear weapons and ballistic missile programs.

What can organizations do to protect against supply chain attacks like the Bybit heist?

Organizations should enforce strict device management policies for developers with access to critical infrastructure, implement hardware-based transaction verification that cannot be overridden by compromised software, audit third-party code deployments independently, and maintain real-time monitoring for unauthorized changes to production code. The core lesson is that human and software supply chains are now the primary attack surface, not protocols.