An investigation confirmed that the Lazarus Group was responsible for the cyberattack on crypto exchange Bybit, exploiting a vulnerability in Safe{Wallet}. The FBI joined the investigation.
Bybit CEO Ben Zhou shared official reports on the attack, which occurred on February 21, 2025. Cybersecurity experts from Sygnia and Verichains revealed that hackers compromised the Safe{Wallet} infrastructure by injecting malicious JavaScript code into the wallet’s AWS S3 storage. This code remained dormant until detecting Bybit’s contract address, at which point it altered transaction data in real time, modifying recipients and the logic of signed transactions.
Law enforcement agencies, including the FBI and Interpol, along with blockchain analytics firms, are now involved in the case. The FBI confirmed that the attack was executed by TraderTraitor, a hacking group linked to the Lazarus Group and North Korean authorities.
Safe{Wallet} representatives stated that its smart contracts weren’t compromised. They reported that hackers gained server access via malware on a developer’s computer. The Safe{Wallet} team patched the vulnerability and will soon release a full incident report.
Former Binance CEO Changpeng Zhao criticized Safe{Wallet}’s statement, accusing the team of downplaying the issue. Martin Köppelmann, CEO of Gnosis, which contributes to Safe{Wallet} development, responded with a detailed explanation and announced new security measures already in progress.
Nansen analysts tracked the movement of stolen funds, revealing that hackers split the assets into 42 large wallets before distributing them across thousands of smaller ones. The stolen funds are being laundered through DEXs, cross-chain bridges, and crypto mixers. According to Bybit’s official reports, by the end of February 2025, approximately $335 million were laundered, while $900 million remains in hackers’ wallets.
Max Krupyshev, CEO of CoinsPaid, commented on the situation for CP Media, emphasizing that any system handling large sums becomes a target. The key factor, he noted, is how quickly the project team responds to the hack, supports users, and implements solutions to prevent future breaches. “Bybit demonstrated a responsible approach. First, the exchange quickly reacted and didn’t halt withdrawals, which is crucial for user trust. Secondly, Bybit’s CEO communicates openly with the market, which is a critical factor in crisis situations,” Max said.
On February 21, 2025, Bybit suffered one of the largest cryptocurrency exchange hacks in history, with over $1.4 billion in assets stolen.
