Three years ago, I wrote about the LinkedIn job offer that cost $625 million — the Ronin Bridge hack, where North Korea’s Lazarus Group used a fake job offer to compromise a Sky Mavis engineer, move laterally through the company’s network, obtain five of nine validator keys, and drain the bridge of $625 million. I noted at the time that the attack did not exploit a smart contract vulnerability. It exploited a human one.
On February 21, 2025, Lazarus did it again. The target was Bybit, the world’s second-largest cryptocurrency exchange by trading volume. The haul was $1.5 billion in Ethereum — roughly two and a half times the Ronin theft, making it the largest cryptocurrency hack in history. And the attack vector was, once again, not a smart contract exploit. It was social engineering, followed by supply chain compromise, followed by UI manipulation.
The FBI attributed the attack to Lazarus within five days, designating the operation “TraderTraitor.” The speed of attribution reflects both the maturity of blockchain forensics and the distinctive operational fingerprint that Lazarus Group has developed over a decade of increasingly sophisticated crypto theft.
I have written at length about how the Lazarus Group operates — the full pipeline from reconnaissance to cash-out. The Bybit hack did not change that pipeline. It refined it. And the refinements are worth understanding in detail, because they tell us something important about where the crypto industry’s security model fails and why it keeps failing in the same way.
How the attack worked
The Ronin Bridge attack in 2022 was a direct intrusion: Lazarus compromised a Sky Mavis employee, penetrated the company’s internal network, and obtained private keys stored on the company’s infrastructure. The attack surface was the target company itself.
The Bybit attack was more sophisticated. Lazarus did not attack Bybit directly. They attacked Safe{Wallet}, a third-party multi-signature wallet platform that Bybit used to manage its cold storage. The attack was a supply chain compromise — the type of attack that cybersecurity professionals have been warning about for years and that the crypto industry has been slow to address.
The sequence, reconstructed by the Wilson Center and NCC Group’s technical analysis, unfolded as follows.
Earlier in February 2025, a developer working on Safe{Wallet}’s infrastructure fell victim to a social engineering attack. The exact vector has not been fully disclosed, but the outcome was that the developer’s workstation was compromised and malware was installed. From the compromised workstation, the Lazarus operators stole AWS session tokens — the temporary credentials that allow a user to access their employer’s cloud infrastructure. By hijacking active tokens, the attackers bypassed multi-factor authentication controls entirely. MFA protects the login. It does not protect an already-authenticated session.
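As an added illustration (not from the article), here is the kind of detection a cloud security team could run over CloudTrail records to catch the pattern just described: a temporary credential that was issued to one workstation after an MFA login being used from a different network shortly afterwards. The events are constructed samples; only the field names follow CloudTrail's JSON layout.

```python
# Added example (not from the article): a detection rule over CloudTrail-style
# records for a temporary session credential that was issued to one workstation
# and then used from somewhere else. The events below are constructed; the field
# names follow CloudTrail, the values are made up.
from collections import defaultdict
from datetime import datetime

def _ev(time, key, ip, agent, name):
    return {"eventTime": time, "userIdentity": {"accessKeyId": key},
            "sourceIPAddress": ip, "userAgent": agent, "eventName": name}

SAMPLE_EVENTS = [  # constructed: 203.0.113.x is the developers' normal egress range
    _ev("2025-02-04T09:00:00Z", "ASIAEXAMPLEHIJACKED1", "203.0.113.10", "aws-cli/2.15", "GetCallerIdentity"),
    _ev("2025-02-04T09:05:00Z", "ASIAEXAMPLEHIJACKED1", "203.0.113.10", "aws-cli/2.15", "ListBuckets"),
    _ev("2025-02-04T09:20:00Z", "ASIAEXAMPLEHIJACKED1", "198.51.100.7", "python-requests/2.31", "GetCallerIdentity"),
    _ev("2025-02-04T09:21:00Z", "ASIAEXAMPLEHIJACKED1", "198.51.100.7", "python-requests/2.31", "PutObject"),
    _ev("2025-02-04T09:02:00Z", "ASIAEXAMPLEBENIGN001", "203.0.113.11", "aws-cli/2.15", "ListBuckets"),
    _ev("2025-02-04T09:30:00Z", "ASIAEXAMPLEBENIGN001", "203.0.113.11", "aws-cli/2.15", "GetObject"),
]

def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def session_reuse_alerts(events, window_minutes=60):
    """Flag temporary credentials (ASIA... keys, minted by STS after the MFA
    login) whose source IP changes within window_minutes. MFA gates the login;
    nothing re-checks who holds the resulting session token."""
    by_key = defaultdict(list)
    for e in events:
        key = e["userIdentity"]["accessKeyId"]
        if key.startswith("ASIA"):  # long-lived AKIA keys are a separate problem
            by_key[key].append(e)
    alerts = []
    for key, evs in sorted(by_key.items()):
        evs.sort(key=lambda e: e["eventTime"])
        for prev, cur in zip(evs, evs[1:]):
            if cur["sourceIPAddress"] == prev["sourceIPAddress"]:
                continue
            gap = (_t(cur["eventTime"]) - _t(prev["eventTime"])).total_seconds() / 60
            if gap <= window_minutes:
                alerts.append({"accessKeyId": key, "from": prev["sourceIPAddress"],
                               "to": cur["sourceIPAddress"], "newUserAgent": cur["userAgent"],
                               "minutesAfterLastLegitUse": gap, "firstAction": cur["eventName"]})
                break  # one alert per credential is enough
    return alerts
```

A change of user agent alongside the IP change, as in the sample, is the stronger signal; a roaming developer keeps the same tooling.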
Once inside Safe{Wallet}’s AWS environment, the attackers did something remarkably targeted: they modified the JavaScript code that renders the user interface for Safe{Wallet} clients. But they did not modify it for all clients. They modified it specifically for Bybit’s transactions, leaving the interface functional and unaltered for every other user.
When Bybit employees went to approve a routine transfer from the exchange’s cold wallet to its warm wallet — a standard operational procedure — the UI displayed what appeared to be a legitimate transaction with the correct destination address. The signers reviewed the transaction, confirmed it looked correct, and approved it. In reality, the underlying smart contract logic had been altered by the malicious JavaScript to redirect the funds to addresses controlled by Lazarus Group. The signers authorised the theft without knowing they were doing so.
Approximately 401,347 ETH — worth roughly $1.5 billion — was transferred to addresses controlled by the attackers in what appeared to Bybit’s systems as a legitimate, properly authorised transaction. The discrepancy was not detected until the funds failed to arrive at the intended warm wallet destination.
What changed from Ronin — and what didn’t
The tactical evolution from Ronin to Bybit is significant, and I want to map it precisely because it illustrates how a state-sponsored adversary adapts.
In the Ronin attack, Lazarus compromised the target company directly. The social engineering was aimed at a Sky Mavis employee. The private keys were on Sky Mavis’s infrastructure. The attack surface was a single organisation. The lesson was obvious: protect your keys, protect your employees, protect your internal network.
In the Bybit attack, Lazarus attacked the supply chain. They compromised a third-party infrastructure provider — not Bybit, but a vendor that Bybit depended on. The social engineering was aimed at a Safe{Wallet} developer, not a Bybit employee. The malicious code was injected into Safe{Wallet}’s production environment, not Bybit’s. Bybit’s own infrastructure was never compromised. Its own employees were never socially engineered. Its own security controls were never breached — in the conventional sense.
This is a qualitative escalation. The Ronin attack could have been prevented by better security at Sky Mavis. The Bybit attack could not have been prevented by better security at Bybit alone — not without independently auditing and verifying the code served by a third-party platform in real time.
What did not change is the fundamental attack pattern. Social engineering to gain initial access. Lateral movement to reach the valuable target. Exploitation of trust relationships to authorise the theft. And the underlying structural vulnerability: the gap between multi-signature security’s theoretical model and its practical implementation.
Multi-sig is supposed to distribute trust. Three-of-five means you need to compromise three independent parties. But if all three signers are reviewing the same compromised user interface — an interface served by a single third-party vendor — the multi-sig collapses. You don’t need to compromise three signers. You need to compromise the interface they all share. And that interface was controlled by one developer’s workstation at one company.
I wrote in the Ronin article that the Ronin scheme collapsed from nine-of-nine to one-of-one because of temporary key delegation. The Bybit scheme collapsed from three-of-N to one-of-one because of shared infrastructure dependency. The specific vulnerability is different. The structural failure is identical: nominal distribution of trust that, in practice, converges on a single point of failure.
The laundering phase
The post-theft laundering operation demonstrated further evolution in Lazarus’s operational pipeline.
According to TRM Labs, the attackers converted the stolen ETH to Bitcoin almost immediately — a consistent Lazarus pattern, because Bitcoin’s UTXO transaction model is harder to trace than Ethereum’s account model. The stolen assets were then dispersed across thousands of addresses on multiple blockchains using decentralised exchanges, cross-chain bridges, and mixing services.
The FBI released 51 Ethereum addresses used in the initial laundering and urged exchanges, bridge operators, DeFi services, and blockchain analytics firms to block transactions with or derived from those addresses. Despite the rapid attribution and the public identification of the laundering addresses, CSIS estimated that at least $160 million was laundered within the first 48 hours.
The speed of laundering — and the inability of the industry to freeze the assets despite knowing who stole them and where the funds were moving — highlights a tension that the crypto ecosystem has not resolved. Blockchain transparency enables attribution. But attribution without the ability to freeze or seize is intelligence without enforcement. The funds are visible, but they are still moving.
This challenge is compounded by scale. TRM Labs noted that the $1.5 billion haul was so large that traditional mixing services — the ChipMixers and Tornado Cashes of the world — were impractical for laundering the full amount. The volume overwhelmed the available infrastructure. Lazarus adapted by using a combination of DEXs, cross-chain bridges, and what TRM described as expanded underground financial networks, “particularly in China,” that have “enhanced their capacity to absorb and process illicit funds.”
This suggests that Lazarus’s laundering infrastructure is scaling alongside its theft capabilities — a development that should concern every actor in the crypto ecosystem, from exchanges to regulators to national security agencies.
The industry’s response — and its limits
Bybit’s CEO Ben Zhou responded quickly, confirming the breach, assuring customers that Bybit had sufficient reserves to cover the loss (the exchange held over $20 billion in assets under management), and launching a recovery bounty programme offering up to 10% of recovered funds.
The financial resilience is notable. Unlike FTX or Celsius, Bybit did not collapse. It processed 70% of withdrawal requests in the immediate aftermath and continued operations. For customers, the outcome was far better than it could have been.
But the industry’s collective response to the underlying vulnerability has been inadequate. The Bybit hack exploited a supply chain dependency — reliance on a third-party wallet platform — that is common across the crypto industry. Safe{Wallet} is used by thousands of organisations. Its compromise affected Bybit, but it could have affected any of them.
The response should be a fundamental reassessment of how multi-sig signing processes handle the verification gap — the gap between what the signer thinks they are approving and what the underlying transaction actually does. EIP-712 readable signatures, hardware-wallet-level transaction parsing, independent verification channels that do not share infrastructure with the signing interface, and real-time code integrity monitoring for third-party dependencies are all available techniques. Whether the industry adopts them — or waits for the next $1.5 billion lesson — remains to be seen.
What this means for the threat landscape
The Bybit hack, combined with TRM Labs’ estimate that North Korea stole approximately $800 million in 2024 alone (before Bybit), confirms that DPRK-linked crypto theft is not declining. It is accelerating. The cumulative total now exceeds $5 billion since 2017.
To put that in perspective: North Korea’s total legal exports are estimated at under $100 million per year due to comprehensive international sanctions. Crypto theft generates more revenue for the regime than all legitimate economic activity combined. This is not a side operation. It is, by volume, North Korea’s most important industry.
For the crypto industry, the implication is the one I stated in my Lazarus pipeline article — and that the Bybit hack reinforces with an exclamation mark: you are a target of a state military intelligence operation. Your security architecture needs to be calibrated accordingly. The attacker has demonstrated, repeatedly, that they can adapt to whatever defences you deploy. The question is whether your security posture can adapt as fast as the attacker’s methodology.
The evidence, three years after Ronin, is not encouraging.