There is something compelling about heists. Americans find a good heist to be entertaining. The Sting was a buddy heist movie that won seven Oscars. Ocean’s 11 was good, and it made a bunch of money, but it wasn’t Heat, and it wasn’t The Sting. Baby Driver was better. The thing about those heists is that they didn’t actually happen.
The biggest heist ever pulled happened on the 21st of February 2025. North Korean hackers from the vaunted Lazarus Group stole more than $1.4 billion in ETH from Bybit, a centralized cryptocurrency exchange; the theft is valued at $1.46 billion. The group of state-sponsored hackers already held the record for the world’s largest heist with a 2024 theft of $1.3 billion. It is well known that North Korea uses stolen cryptocurrency to fund its government and military operations. “The Kim regime has found cybercrime as one of its ways to boost the economy” (NCC Group 2022).
The Lazarus Group Stole over 400,000 ETH
Lazarus stole over 400,000 ETH during what was thought to be a routine transfer between two Bybit wallets. Within two days, the Lazarus Group had already laundered $270 million; within five days, $400 million. This is a testament to the speed at which stolen assets can be moved on the blockchain. $1.46 billion is an alarmingly large number; it is equal to approximately 60% of all global cryptocurrency theft in 2024. Of course, this news is deeply disturbing to cautious investors who are just beginning to enter the digital finance (DeFi) space.
Who is the Lazarus Group?
Lazarus is a North Korean government-sponsored hacking group that was formed in 2009. Since its creation, the Lazarus group has conducted many heists. Here are some of the group’s most notorious hacks:
- 2014 Sony Pictures hack: Leaked unreleased films and confidential data. This was seen as retaliation against film “The Interview.”
- 2016 Bangladesh Bank Heist: $81M was stolen via banking fraud
- 2017 WannaCry Ransomware Attack: Encrypted user files and demanded a $300-600M ransom in BTC. The attack spanned 200,000 computers across 150 countries.
- 2022 Harmony Horizon Hack: Theft of $100 million of virtual currency from Harmony’s Horizon bridge
Four Important Technical Details About the Feb 21, 2025, Bybit Hack
Here are four details that we do know about the Bybit hack; more continue to emerge.
1 – Gaining Access: We know that a SafeUI development machine was compromised. This gave the attackers access to an Amazon Web Services S3 bucket. Once they had that access, they injected malicious JavaScript that targeted Bybit; the malicious code was then pushed to the bucket and distributed.
2 – The Code Was Targeted: We know that the injected code only became malicious when the transaction contained the Bybit wallet address.
3 – The Code Was Disguised: We know that SafeWallet wallets are “multi-sig.” This means that a transaction requires approval from multiple authorized individuals before it executes on-chain. Because of this, the malicious transaction had to be disguised so that it would appear routine to the SafeWallet developers.
4 – Every Signer Was Affected: We know that every authorized signer already had the malicious code on their device. Each signer had to authorize the transaction independently of the others for it to execute, which means the transaction could not have been openly malicious and still been approved.
Some Remaining Questions:
How did Lazarus hack Safe Wallet’s SafeUI development machine?
There are many possibilities, including social engineering. Social engineering is a scamming technique used in social media, phishing emails, or fake online platforms. It involves “the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.” (Oxford Dictionary via Google) We don’t know how they hacked the development machine.
How did Lazarus disguise the code to trick every signer into approving the transaction?

Cybersecurity firm Sygnia was engaged to investigate the crime. It “found this code on all the multi-sig hosts used to initiate and sign the compromised transaction.” (The Block) It is possible that Lazarus disguised the code to trick signers into approving the transaction by using address poisoning. Address poisoning is a common tactic used by scammers, built on a piece of customized on-chain infrastructure: a malicious wallet is created with an address that closely mimics a legitimate one, so that the victim sends crypto to it without realizing the address is different. Chainalysis has an excellent piece on address poisoning. We don’t know how every signer was fooled by the same trick.
The Block and Cointelegraph wrote excellent pieces on the hack.
Sources:
- https://www.the-independent.com/tech/biggest-heist-history-bybit-hack-north-korea-lazarus-b2704993.html
- https://fortune.com/2025/02/26/north-korea-hackers-crypto-heist-bybit-dubai-ether/
- https://www.nccgroup.com/es/the-lazarus-group-north-korean-scourge-for-plus10-years/#:~:text=The%20regime%20has%20found%20cybercrime,:%20%C2%A3%205%2C9%20million.
- https://cointelegraph.com/news/bybit-hack-forensics-show-safe-wallet-compromise-led-to-stolen-funds
- https://languages.oup.com/google-dictionary-en
- https://www.sygnia.co/
- https://www.theblock.co/post/343530/lazarus-appears-to-compromise-safe-developer-machine-in-lead-up-to-1-5-billion-bybit-hack-report
- https://www.chainalysis.com/blog/address-poisoning-scam/
- https://cointelegraph.com/learn/articles/how-the-bybit-hack-happened