$1.5 Billion Crypto Heist: Bybit Hacked by Sophisticated Attackers

A recent attack on Bybit, a major cryptocurrency exchange, has resulted in the theft of roughly 401,000 ETH, worth about $1.46 billion at the time, from one of its cold wallets. The incident is considered the largest single crypto heist in history.

Bybit stated that the attack occurred during a transfer from an ETH multisig cold wallet to its warm wallet. The signing interface was manipulated so that the signers were shown a legitimate-looking transfer while the transaction they actually approved altered the wallet's underlying smart contract logic. Once that transaction executed, the attackers controlled the affected ETH cold wallet and moved its holdings to an unidentified address. The point for practitioners is that no signing key was reported as stolen: the signers' keys worked as designed, but the content they were shown did not match the content they signed.
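The page does not name the wallet software or show the transaction, so the following is an added example rather than Bybit's or any wallet vendor's code. It assumes a Safe-style multisig whose `execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)` interface is public, and it shows the kind of out-of-band check a signer can run against the raw calldata instead of trusting the web UI: decode the fields the signature actually commits to and refuse a "plain transfer to the warm wallet" that is really a `DELEGATECALL`, targets a different address, or carries calldata. The addresses and payload below are constructed for the example.

```python
# Added example, not Bybit's or the wallet vendor's code: decode a Safe-style
# execTransaction() call independently of the web UI and apply a signing policy.
from dataclasses import dataclass

# 4-byte selector of
# execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)
EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")
CALL, DELEGATECALL = 0, 1          # Safe "operation" values

@dataclass
class SafeTx:
    to: str
    value: int
    data: bytes
    operation: int
    safe_tx_gas: int = 0
    base_gas: int = 0
    gas_price: int = 0
    gas_token: str = "0x" + "00" * 20
    refund_receiver: str = "0x" + "00" * 20
    signatures: bytes = b""

def _uint_word(n: int) -> bytes:
    return n.to_bytes(32, "big")

def _addr_word(a: str) -> bytes:
    return bytes.fromhex(a[2:]).rjust(32, b"\x00")

def _pad32(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % 32)

def encode_exec_transaction(tx: SafeTx) -> bytes:
    """ABI-encode execTransaction(...) calldata; used here only to build samples."""
    data_off = 10 * 32                                  # tail starts after 10 head words
    sig_off = data_off + 32 + len(_pad32(tx.data))      # length word + padded data
    head = b"".join([
        _addr_word(tx.to), _uint_word(tx.value), _uint_word(data_off),
        _uint_word(tx.operation), _uint_word(tx.safe_tx_gas), _uint_word(tx.base_gas),
        _uint_word(tx.gas_price), _addr_word(tx.gas_token),
        _addr_word(tx.refund_receiver), _uint_word(sig_off),
    ])
    tail = (_uint_word(len(tx.data)) + _pad32(tx.data)
            + _uint_word(len(tx.signatures)) + _pad32(tx.signatures))
    return EXEC_TRANSACTION_SELECTOR + head + tail

def _word(args: bytes, i: int) -> bytes:
    return args[32 * i:32 * (i + 1)]

def _uint(w: bytes) -> int:
    return int.from_bytes(w, "big")

def _addr(w: bytes) -> str:
    if any(w[:12]):                                     # address words must be zero-padded
        raise ValueError("address word has non-zero high bytes")
    return "0x" + w[12:].hex()

def _dyn_bytes(args: bytes, off: int) -> bytes:
    length = _uint(args[off:off + 32])
    blob = args[off + 32:off + 32 + length]
    if len(blob) != length:
        raise ValueError("dynamic bytes run past end of calldata")
    return blob

def decode_exec_transaction(calldata: bytes) -> SafeTx:
    """Decode raw calldata into the fields a signer is actually approving."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError(f"not execTransaction, selector {calldata[:4].hex()}")
    args = calldata[4:]
    if len(args) < 10 * 32:
        raise ValueError("calldata shorter than the 10-word head")
    return SafeTx(
        to=_addr(_word(args, 0)), value=_uint(_word(args, 1)),
        data=_dyn_bytes(args, _uint(_word(args, 2))), operation=_uint(_word(args, 3)),
        safe_tx_gas=_uint(_word(args, 4)), base_gas=_uint(_word(args, 5)),
        gas_price=_uint(_word(args, 6)), gas_token=_addr(_word(args, 7)),
        refund_receiver=_addr(_word(args, 8)),
        signatures=_dyn_bytes(args, _uint(_word(args, 9))),
    )

def check_transfer_policy(tx: SafeTx, expected_to: str, expected_value: int) -> list:
    """Findings that should block signing a 'plain ETH transfer to the warm wallet'."""
    findings = []
    if tx.operation != CALL:
        findings.append("operation=DELEGATECALL: callee code runs in the Safe's own "
                        "storage context and can overwrite its implementation slot")
    if tx.to.lower() != expected_to.lower():
        findings.append(f"target {tx.to} is not the expected warm wallet {expected_to}")
    if tx.value != expected_value:
        findings.append(f"value {tx.value} wei differs from expected {expected_value}")
    if tx.data:
        findings.append(f"plain transfer should carry no calldata, got {len(tx.data)} bytes")
    return findings

# Constructed sample addresses and payload (not real wallets or contracts).
WARM_WALLET = "0x" + "11" * 20
UNKNOWN_CONTRACT = "0x" + "22" * 20
# What the UI claimed: 1 ETH to the warm wallet, ordinary CALL, no calldata.
BENIGN = SafeTx(to=WARM_WALLET, value=10**18, data=b"", operation=CALL)
# What was actually submitted: DELEGATECALL into an unknown contract with a payload.
SUSPICIOUS = SafeTx(to=UNKNOWN_CONTRACT, value=0, data=bytes.fromhex("deadbeef"),
                    operation=DELEGATECALL)

def audit(calldata: bytes, expected_to: str = WARM_WALLET, expected_value: int = 10**18):
    return check_transfer_policy(decode_exec_transaction(calldata), expected_to, expected_value)

if __name__ == "__main__":
    for label, tx in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, audit(encode_exec_transaction(tx)) or ["OK to sign"])
```

The check deliberately runs on the raw bytes rather than on anything the UI renders, so a compromised front end cannot influence it; in practice the calldata would be taken from the hardware signer's own display or from the transaction proposal as stored on-chain or in the signing service, and the expected target and amount from a pre-agreed allow-list rather than from the same web page that is being verified.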

The hack has been attributed to the Lazarus Group by multiple sources, including Elliptic and TRM Labs. The group is a notorious North Korean threat actor known for orchestrating dozens of cryptocurrency heists to generate illicit revenue for the regime.

Bybit's CEO Ben Zhou emphasized that all other cold wallets are secure and said the case has been reported to the appropriate authorities. However, the company has faced criticism over its handling of the incident, with some experts pointing out that a multisig cold wallet is only as secure as the weakest signer: the threshold adds nothing if every signer can be shown the same falsified transaction and deceived into approving it.

The attack highlights the growing sophistication of supply chain and user interface manipulation attacks. According to Google-owned Mandiant, cryptocurrency heists are on the rise due to the lucrative nature of their rewards, challenges associated with attribution, and opportunities presented by nascent familiarity with cryptocurrency and Web3 technologies among many organizations.

In a related update, Bybit said it detected the unauthorized activity within one of its Ethereum cold wallets during a planned routine transfer process, and that the attacker succeeded in moving over 400,000 ETH, worth more than $1.4 billion, to an unidentified address.

The incident marks a new phase in attack methods, in which the user interface through which signers review a transaction is itself the target. The practical lesson is that signers cannot rely on the rendering of a single web front end: the transaction hash and decoded calldata should be verified on an independent device, ideally the hardware signer's own display, and any unexpected operation type, target address or embedded calldata should be treated as grounds to refuse the signature.

Source: https://thehackernews.com/2025/02/bybit-confirms-record-breaking-146.html