The largest crypto theft in history forced a rare moment of unanimity across exchanges, custodians, wallet providers and regulators. A year in, the defensive architecture looks very different — and the attackers haven’t stopped improving either.
A year and two months after the single largest crypto theft in history, the industry that emerged on the other side of the Bybit incident is measurably safer than the one that walked into it. It is also, by every reasonable metric, still not safe enough.
| Metric | Value |
|---|---|
| Date of incident | February 21, 2025 |
| Stolen | ~401,000 ETH (~$1.5B) |
| Attacker | North Korea’s Lazarus Group (TraderTraitor) |
| Vector | Malicious JS injection into Safe wallet UI |
| Reserves replenished | Within 72 hours |
| User losses absorbed | $0 — fully reimbursed |
| Funds recovered / frozen | ~$42M (industry-wide) |
North Korean hackers compromised a developer’s laptop at Safe — the multisig wallet provider Bybit used for ETH cold-storage rotations. The attackers injected a malicious JavaScript payload into the Safe UI endpoint that Bybit’s signers used, presenting a legitimate-looking transaction on screen while the wallet actually signed a different one. In a single routine rebalancing operation, roughly 401,000 ETH moved from Bybit’s cold storage into attacker-controlled wallets.
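The signer-side check that this display-versus-signed mismatch calls for, as an added example that is not Safe's or Bybit's code: it compares the payload actually handed to the signing device, field by field, with an intent recorded through a separate channel, and decodes token-transfer calldata so the real payee is checked. The intent record format, the allowlist and every sample address are assumptions constructed for illustration.

```javascript
// Added example; field names follow Safe's SafeTx struct, sample values are constructed.
const SAFE_TX_FIELDS = ["to", "value", "data", "operation", "safeTxGas",
  "baseGas", "gasPrice", "gasToken", "refundReceiver", "nonce"];
const ERC20_TRANSFER = "a9059cbb"; // selector of transfer(address,uint256)
const norm = (v) => String(v).toLowerCase();

// Decode ERC-20 transfer calldata so the real recipient is checked,
// not only the token contract that appears in `to`.
function decodeTransfer(data) {
  const hex = norm(data).replace(/^0x/, "");
  if (hex.length !== 136 || !hex.startsWith(ERC20_TRANSFER)) return null;
  if (!/^0{24}$/.test(hex.slice(8, 32))) return null; // address padding
  return { recipient: "0x" + hex.slice(32, 72),
           amount: BigInt("0x" + hex.slice(72)) };
}

// Compare the payload handed to the signing device with the intent recorded
// out of band (hypothetical ticket format). Empty result means "sign".
function verifySigningRequest(intent, request, allowlist) {
  const findings = [];
  for (const f of SAFE_TX_FIELDS) {
    if (!(f in request)) findings.push(`missing field: ${f}`);
    else if (norm(intent[f]) !== norm(request[f]))
      findings.push(`${f}: intended ${intent[f]}, payload has ${request[f]}`);
  }
  if (Number(request.operation) !== 0)
    findings.push("operation is not CALL (0); DELEGATECALL needs its own approval");
  const data = norm(request.data ?? "0x");
  const transfer = decodeTransfer(data);
  if (data !== "0x" && !transfer)
    findings.push("calldata not decodable; refuse to blind-sign");
  const payee = transfer ? transfer.recipient : norm(request.to);
  if (!new Set(allowlist.map(norm)).has(payee))
    findings.push(`payee ${payee} is not on the allowlist`);
  return findings;
}

// Constructed sample: a routine token transfer to a warm wallet.
const addr = (b) => "0x" + b.repeat(20);
const [TOKEN, WARM, OTHER, ZERO] = ["aa", "bb", "cc", "00"].map(addr);
const transferData = (to, amt) => "0x" + ERC20_TRANSFER +
  to.slice(2).padStart(64, "0") + amt.toString(16).padStart(64, "0");
const intent = { to: TOKEN, value: "0", data: transferData(WARM, 1000n),
  operation: 0, safeTxGas: "0", baseGas: "0", gasPrice: "0",
  gasToken: ZERO, refundReceiver: ZERO, nonce: 71 };
// A payload that differs from what the screen shows while `intent` is rendered.
const tampered = { ...intent, data: transferData(OTHER, 1000n), operation: 1 };
console.log(verifySigningRequest(intent, intent, [WARM]));   // []
console.log(verifySigningRequest(intent, tampered, [WARM])); // 4 findings
```

The check is only meaningful when it runs on a path the web UI cannot influence, such as a separate device that reads the payload from the wallet's own signing request.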
Bybit’s CEO Ben Zhou announced publicly within two hours that the exchange would absorb the full loss and guarantee all user withdrawals. A combination of emergency loans, overnight transfers from major partners, and Bybit’s own reserves rebuilt cold-wallet balances to 1:1 backing within three days. The run on withdrawals was vicious — $4 billion in the first 24 hours — but the exchange met every one of them. That single act of competent crisis response is why Bybit still exists.
MPC-based custody signups across the industry’s largest providers have risen more than fivefold since Q4 2024. External smart-contract audit engagements are up 2.7x since the Bybit incident — and the scope of those engagements has broadened to cover CI/CD pipelines, deployment scripts, cloud configurations, and developer-device security.
“Multisig is not dead, but multisig-over-a-single-UI is. Every signer has to independently verify what they are signing, against a path the attacker cannot forge.”
— Michael Shaulov, CEO, Fireblocks
“We were all running around telling people the code was fine. The code was fine. That was never the whole problem, and February 21, 2025 is when the industry finally accepted it.”
— Taylor Monahan, MetaMask
The total funds recovered or frozen from the Bybit incident remains around $42 million — less than 3% of what was stolen. The same TraderTraitor subunit that ran Bybit has since executed the Drift and Kelp DAO heists, each with novel tradecraft and each resulting in nine-figure losses despite the visible industry-wide hardening. The Bybit-era laundering playbook — fan-out through THORChain and eXch, consolidation in Chinese OTC networks — is still the same playbook being used today.
The April 2026 losses suggest that a large part of the industry, particularly outside the centralized-exchange segment, has not yet absorbed the lesson. Bybit made the response template. Everyone else still has to choose to apply it.