Bybit Lazarus $1.46 billion hack detailed analysis (2025-02) — largest crypto-asset outflow in history
This entry sits under the exchanges index. Read it against the DMM Bitcoin outflow incident detailed analysis (2024-05, 4,502.9 BTC attributed to Lazarus) for peer / contrast context, and the FSA crypto-asset exchange registration system (number system / Local Finance Bureau jurisdiction / registration requirements) for the broader system / regulatory boundary.
1. Incident overview
On 2025-02-21, approximately $1.46 billion (about 220 billion yen) worth of ETH, stETH, mETH and other assets flowed out of Bybit's ETH cold wallet. This is the largest crypto-asset theft in history, exceeding in nominal-conversion terms the 850,000 BTC lost in the Mt. Gox incident of 2014. Chainalysis, Elliptic and ZachXBT attributed it to the Lazarus Group (North Korean state-sponsored hackers) through public forensics immediately after the incident. Bybit is a top-3 global CEX (a leader in derivatives trading volume) headquartered in Dubai, UAE.
2. Technical cause (public information)
This was not a genuine cold-wallet intrusion but a man-in-the-middle attack on the signing UI (a supply-chain attack):
- In the cold → hot multisig signing process, the Safe (formerly Gnosis Safe) frontend was tampered with, and the signers approved a transaction with a forged destination
- The attacker breached Safe's web infrastructure and presented the forged UI only to the Bybit signers
- The signers approved on a UI that displayed the legitimate destination → in reality they signed a transfer to the attacker's wallet
- Identified as a supply-chain attack via shared infrastructure (Safe) → exposed an industry-wide risk
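The countermeasure implied by the attack above is that a signer never trusts the web UI alone: the Safe EIP-712 digest is recomputed from the raw transaction fields on an independent machine and compared with what the hardware wallet displays, and the same raw fields are checked against a destination allowlist and an operation-type policy. The block below is an added example, not code from the original page, Bybit or Safe; it assumes Safe v1.3.0 typehashes, 0x-prefixed hex addresses, and inlines Keccak-256 so it runs offline.

```python
# Keccak-256 (Ethereum's 0x01-padded Keccak, not SHA3-256) is written out here so it runs offline.
_RC = [0x1, 0x8082, 0x800000000000808A, 0x8000000080008000, 0x808B, 0x80000001,
       0x8000000080008081, 0x8000000000008009, 0x8A, 0x88, 0x80008009, 0x8000000A,
       0x8000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
       0x8000000000008002, 0x8000000000000080, 0x800A, 0x800000008000000A,
       0x8000000080008081, 0x8000000000008080, 0x80000001, 0x8000000080008008]
_ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
        [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]           # rho offsets, indexed [x][y]
_rotl = lambda v, n: ((v << n) | (v >> (64 - n))) & 0xFFFFFFFFFFFFFFFF

def keccak256(msg: bytes) -> bytes:
    st = [[0] * 5 for _ in range(5)]                          # 5x5 state of 64-bit lanes
    msg += b"\x81" if len(msg) % 136 == 135 else b"\x01" + b"\x00" * (134 - len(msg) % 136) + b"\x80"
    for off in range(0, len(msg), 136):                       # absorb one 136-byte (rate) block
        for i in range(17):
            st[i % 5][i // 5] ^= int.from_bytes(msg[off + 8 * i:off + 8 * i + 8], "little")
        for rc in _RC:                                        # Keccak-f[1600]: theta, rho+pi, chi, iota
            c = [st[x][0] ^ st[x][1] ^ st[x][2] ^ st[x][3] ^ st[x][4] for x in range(5)]
            d = [c[(x - 1) % 5] ^ _rotl(c[(x + 1) % 5], 1) for x in range(5)]
            b = {(y, (2 * x + 3 * y) % 5): _rotl(st[x][y] ^ d[x], _ROT[x][y])
                 for x in range(5) for y in range(5)}
            st = [[b[x, y] ^ (~b[(x + 1) % 5, y] & b[(x + 2) % 5, y]) for y in range(5)]
                  for x in range(5)]
            st[0][0] ^= rc
    return b"".join(st[i % 5][i // 5].to_bytes(8, "little") for i in range(4))

_u256 = lambda v: v.to_bytes(32, "big")                       # ABI word for uint256 / uint8
_addr = lambda a: bytes.fromhex(a[2:]).rjust(32, b"\x00") if a else bytes(32)  # 0x-hex or None
DOMAIN_TYPEHASH = keccak256(b"EIP712Domain(uint256 chainId,address verifyingContract)")
SAFETX_TYPEHASH = keccak256(b"SafeTx(address to,uint256 value,bytes data,uint8 operation,"
                            b"uint256 safeTxGas,uint256 baseGas,uint256 gasPrice,"
                            b"address gasToken,address refundReceiver,uint256 nonce)")

def safe_tx_hash(chain_id: int, safe: str, tx: dict) -> str:
    """EIP-712 digest a Safe owner really signs; it must match the hardware wallet's display."""
    g = lambda k: tx.get(k, 0)
    fields = [_addr(tx["to"]), _u256(tx["value"]), keccak256(tx["data"]), _u256(tx["operation"]),
              _u256(g("safeTxGas")), _u256(g("baseGas")), _u256(g("gasPrice")),
              _addr(tx.get("gasToken")), _addr(tx.get("refundReceiver")), _u256(tx["nonce"])]
    domain = keccak256(DOMAIN_TYPEHASH + _u256(chain_id) + _addr(safe))
    return "0x" + keccak256(b"\x19\x01" + domain + keccak256(SAFETX_TYPEHASH + b"".join(fields))).hex()

def check_signing_request(tx: dict, allowlist: set) -> list:
    """Policy checks on the raw fields, independent of whatever the web UI rendered."""
    problems = []
    if tx["to"].lower() not in {a.lower() for a in allowlist}:
        problems.append("destination is not an approved hot-wallet address")
    if tx["operation"] != 0:
        problems.append("operation is not CALL; a DELEGATECALL runs foreign code in the Safe's context")
    return problems
```

The fields fed to `safe_tx_hash` should come from the transaction proposal itself (or the on-chain `getTransactionHash` view), never from the rendered page; a digest mismatch or a non-empty problem list means do not sign.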
3. Immediate response
- 2025-02-21: Bybit CEO Ben Zhou responded with a live stream within hours of the incident being discovered (exceptional transparency)
- 30 minutes after the incident, Bybit began asking Tether, Circle and major CEXs to freeze OFAC-related addresses
- 2025-02-22: Bybit officially announced a guarantee of full customer make-whole using its own funds plus a partner bridge loan
- Trading and withdrawal operations continued without suspension → demonstrated operational continuity (liquidity + transparency)
- This curbed bank-run risk and limited long-term reputational damage
4. OFAC chain-level freeze precedent
The incident became a demonstration case of US chain-level economic sanction power:
- **End of 2025-02** OFAC added 200+ attack-related wallet addresses to the SDN list
- Major CEXs and issuers such as Tether / Circle / Coinbase / Binance executed freezes
- Approximately $500M of the outflowed funds was frozen within 30 minutes of the incident, the fastest chain-level response in history
- Through the cooperation of the USDT / USDC issuers, the feasibility of instant freezing at the stablecoin layer was proven
- However, native assets such as ETH are difficult to freeze → the bulk was laundered via mixers / cross-chain bridges
5. Strategic implications
- Bybit limited reputational damage through CEO transparency and business continuity (it retained its top-3 CEX position after the incident)
- The materialization of supply-chain attack risk (shared infrastructure such as Safe) → drove the entire industry to strengthen signing-UI verification
- **End of 2026-03** Bybit completely terminated services for Japan residents (after 3 warnings from the FSA) → the direct causal relationship with the withdrawal from the Japan market is unclear, but it is a symbol of global regulatory pressure
- Reaffirmed Lazarus's continuing threat (a major case on par with dmm-bitcoin-lazarus-hack-detailed-analysis)
Cross-links
- jp-foreign-exchange-bybit
- jp-vasp-incident-history
- dmm-bitcoin-lazarus-hack-detailed-analysis
- coincheck-nem-hack-detailed-analysis
- mtgox-bankruptcy-processing-timeline
- uae-vara-licensing-overview
- global-cex-top10-comparison
- chain-level-ofac-freeze-precedent
- forensic identity anchor chain
- bytecode forensic 3-tier verify
- module path confusion supply chain attack
- Global crypto-asset forensics-vendor layer — Chainalysis / Elliptic / TRM / Crystal comparison
Source: 2026-05-19 jp-crypto-exchange-research Phase 5