
The Largest Theft In History - How $1.5 Billion Vanished From Bybit Exchange
On February 21, 2025, Bybit — one of the largest cryptocurrency exchanges in the world by trading volume — lost approximately $1.5 billion in Ethereum tokens in a single coordinated attack. It is the largest cryptocurrency theft ever recorded, surpassing every prior exchange breach and every prior DeFi exploit by a significant margin. To contextualize the scale: North Korea, the actor later confirmed responsible, stole an estimated $800 million across all of 2024. The Bybit attack exceeded that figure nearly twofold in a single operation.
Attribution and the Lazarus Group
Within days of the breach, blockchain intelligence firm TRM Labs had linked the wallets involved to previous North Korean operations, identifying clear overlaps with addresses used in prior state-sponsored thefts. On February 26, 2025, the FBI formally attributed the attack to North Korea's Lazarus Group — the same unit responsible for the Ronin Bridge hack, the WazirX breach, the Atomic Wallet drain, and the 2016 Bangladesh Bank heist in which North Korean actors attempted to steal $1 billion through the SWIFT interbank network. Since 2017, TRM estimates North Korea has stolen over $5 billion in cryptocurrency across its operations.
The attack followed Lazarus Group's established playbook: a combination of social engineering, supply chain compromise, and private key theft targeting centralized exchange infrastructure. The specific entry point was not publicly disclosed in full technical detail, but the pattern was consistent with prior operations in which attackers gained access to signing infrastructure through compromised internal tooling or personnel.
The Laundering Operation
What distinguished the Bybit attack from prior North Korean operations was not only the scale of the theft but the speed and sophistication of what followed it. Within 48 hours, at least $160 million had been moved through illicit channels. By February 23, TRM estimated that figure had exceeded $200 million. By February 26 — five days after the attack — over $400 million had already been laundered.
The laundering strategy departed from the methods North Korea had relied on in earlier operations. Historically, Lazarus Group routed stolen funds through cryptocurrency mixers — Sinbad, YoMix, Wasabi Wallet — before converting to fiat through over-the-counter networks. The scale of the Bybit theft made traditional mixing impractical. Instead, the attackers deployed a high-frequency, multi-layered approach: funds moved through chains of intermediary wallets, were converted across multiple cryptocurrencies, routed through decentralized exchanges, and bridged across chains including BNB Chain and Solana before being consolidated into Bitcoin. Most of the converted Bitcoin then sat largely stationary — consistent with preparation for large-scale OTC liquidation rather than immediate spending.
TRM's North Korea specialist described this as an escalation of the regime's "flood the zone" technique — overwhelming compliance teams, blockchain analysts, and law enforcement with transaction volume and velocity that exceeds the capacity of conventional anti-money laundering infrastructure to process in real time.
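The laundering pattern described above, layered intermediary wallets that are emptied almost as soon as they are funded, is exactly what blockchain analysts trace and compliance teams try to flag in real time. The following is an added illustration, not code from this article or from TRM Labs: a minimal transaction-graph tracer that follows outgoing transfers from a known theft address hop by hop and then flags intermediaries that forward large amounts within a short window of receiving them. The ledger, addresses, amounts and timestamps are constructed sample data, and the hop limit, time window and amount threshold are assumed tuning values.

```python
"""
Added example (not from the article or from TRM Labs): a toy
taint tracer and velocity check over a constructed transfer ledger.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    tx_id: str
    src: str
    dst: str
    amount: float   # one unit of value for simplicity (e.g. ETH)
    ts: int         # seconds since the start of the observation window


# Constructed sample ledger: a theft address fans out through two layers
# of intermediaries, a DEX router and a bridge; one unrelated transfer
# is included so the tracer has something it must NOT flag.
SAMPLE_TRANSFERS = [
    Transfer("t1", "theft", "hop1a", 400.0, 0),
    Transfer("t2", "theft", "hop1b", 600.0, 60),
    Transfer("t3", "hop1a", "hop2a", 200.0, 120),
    Transfer("t4", "hop1a", "hop2b", 200.0, 180),
    Transfer("t5", "hop1b", "dex_router", 600.0, 240),
    Transfer("t6", "dex_router", "hop2c", 590.0, 300),
    Transfer("t7", "unrelated", "merchant", 5.0, 320),
    Transfer("t8", "hop2c", "bridge_out", 590.0, 360),
]


def build_graph(transfers):
    """Adjacency list of outgoing transfers keyed by source address."""
    graph = defaultdict(list)
    for t in transfers:
        graph[t.src].append(t)
    return graph


def trace_taint(transfers, seed, max_hops):
    """
    Breadth-first trace from the seed address along outgoing transfers.
    Returns {address: hop_distance} for every address reached within
    max_hops. Only transfers that happen after the one that funded an
    address are followed, so value never "flows backwards" in time.
    """
    graph = build_graph(transfers)
    reached = {seed: 0}
    queue = deque([(seed, 0, -1)])  # (address, hops so far, funded_at ts)
    while queue:
        addr, hops, funded_at = queue.popleft()
        if hops >= max_hops:
            continue
        for t in sorted(graph.get(addr, []), key=lambda x: x.ts):
            if t.ts <= funded_at or t.dst in reached:
                continue
            reached[t.dst] = hops + 1
            queue.append((t.dst, hops + 1, t.ts))
    return reached


def velocity_flags(transfers, tainted, window_seconds, min_amount):
    """
    Flag tainted addresses that forward at least min_amount within
    window_seconds of first receiving funds: the high-frequency pattern
    in which pass-through wallets are drained as soon as they are funded.
    Returns {address: total amount forwarded inside the window}.
    """
    first_in = {}
    for t in sorted(transfers, key=lambda x: x.ts):
        if t.dst in tainted and t.dst not in first_in:
            first_in[t.dst] = t.ts
    flagged = {}
    for t in transfers:
        if t.src not in first_in:
            continue
        if t.ts - first_in[t.src] <= window_seconds and t.amount >= min_amount:
            flagged[t.src] = flagged.get(t.src, 0.0) + t.amount
    return flagged


if __name__ == "__main__":
    tainted = trace_taint(SAMPLE_TRANSFERS, "theft", max_hops=4)
    for addr, hops in sorted(tainted.items(), key=lambda kv: kv[1]):
        print(f"{addr:12s} hop {hops}")
    # Assumed tuning: 5-minute window, 100-unit minimum.
    for addr, amt in velocity_flags(SAMPLE_TRANSFERS, set(tainted), 300, 100.0).items():
        print(f"FAST PASS-THROUGH {addr:12s} forwarded {amt:.1f}")
```

The two checks are deliberately separate: the trace answers "which addresses ever touched the stolen funds", while the velocity check answers "which of those behave like disposable pass-through wallets". On a real chain the same traversal is what makes the volume-and-velocity strategy effective against defenders, since every added hop multiplies the addresses that have to be screened before the funds reach a bridge or an OTC desk.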
The Response
Bybit launched a 10% bounty program on any successfully frozen or recovered assets, mobilizing both professional blockchain investigators and independent researchers. TRM Labs coordinated with law enforcement, national security organizations, and industry partners to trace and freeze funds where possible. The speed of the laundering operation made recovery difficult — the gap between theft and fund movement was narrow enough that by the time the scale of the attack was fully understood, a significant portion of the assets had already passed through multiple obfuscation layers.
What This Represents
North Korea's cryptocurrency theft program did not begin with exchanges. It began with counterfeiting U.S. dollars, narcotics trafficking, and weapons sales — criminal enterprises developed across decades of sanctions and economic isolation. The 2016 SWIFT attack marked the first time a nation-state conducted cyber-enabled financial crime at institutional scale. The shift to cryptocurrency followed naturally: the ecosystem was high-value, technically complex, and insufficiently secured against a state-level adversary with a specific mandate to generate hard currency for the regime.
The Bybit attack is the current apex of that trajectory. A single operation generating $1.5 billion — more than North Korea's total cryptocurrency theft across all of 2024 — executed against one of the industry's most prominent centralized exchanges and laundered at pace. The sophistication of the laundering operation in particular reflects an adversary that has not only refined its theft capabilities but has built financial infrastructure capable of processing the proceeds faster than the industry can respond.