Two weeks ago at the DeFi Security Summit, Trail of Bits’ Josselin Feist (@Montyly) was asked if we’d see a billion-dollar exploit in 2025. His response: “If it happens, it won’t be a smart contract, it’ll be an operational security issue.”
Today, that prediction was validated.
The Attack
On February 21, 2025, cryptocurrency exchange Bybit suffered the largest cryptocurrency theft in history when attackers stole approximately $1.5B from their multisig cold storage wallet. At this time, it appears the attackers compromised multiple signers’ devices, manipulated what signers saw in their wallet interface, and collected the required signatures while the signers believed they were conducting routine transactions.
This hack is one of many that represent a dramatic shift in how centralized exchanges are compromised. For years, the industry has focused on hardening code and improving their technical security practices, but as the ecosystem’s secure development life cycle has matured, attackers have shifted to targeting the human and operational elements of cryptocurrency exchanges and other organizations.
These attacks reveal an escalating pattern, with each compromise building on the last:
- WazirX Exchange ($230M, July 2024)
- Radiant Capital ($50M, October 2024)
- Bybit Exchange ($1.5B, February 2025)
In each case, the attackers didn’t exploit smart contract or application-level vulnerabilities. Instead, they compromised the computers used to manage those systems using sophisticated malware to manipulate what users saw versus what they actually signed.
The DPRK’s Cryptocurrency Theft Infrastructure
These hacks are not isolated incidents. According to Arkham Intelligence, famed researcher ZachXBT has provided definitive proof linking this attack to North Korea, including detailed analysis of test transactions and connected wallets used ahead of the exploit. These incidents represent the maturation of sophisticated attack capabilities developed by North Korean state-sponsored threat actors, specifically groups tracked as TraderTraitor, Jade Sleet, UNC4899, and Slow Pisces under the DPRK’s Reconnaissance General Bureau (RGB).
The attack chain typically begins with aggressive social engineering campaigns targeting multiple employees simultaneously within an organization. The RGB identifies key personnel in system administration, software development, and treasury roles, then creates detailed pretexts – often elaborate job recruitment schemes – customized to each target’s background and interests. These aren’t mass phishing campaigns; they’re meticulously crafted approaches designed to compromise specific individuals with access to critical systems.
What makes these attacks particularly concerning is their repeatability. The RGB has built a sophisticated cross-platform toolkit that can:
- Operate seamlessly across Window
12 Comments
michaelt
> attackers stole approximately $1.5B from their multisig cold storage wallet. At this time, it appears the attackers compromised multiple signers’ devices, manipulated what signers saw in their wallet interface, and collected the required signatures while the signers believed they were conducting routine transactions.
If hackers can get remote access and 'manipulate what signers saw in their wallet interface' that doesn't sound like cold storage to me.
Mistletoe
My understanding is this multisig failed because, like most security, everyone just pressed yes and didn’t communicate, investigate, or ask questions, defeating the purpose of a multisig.
chizhik-pyzhik
In a multisig interaction there are 3 ways to get hacked:
– The multisig smart contract is owned
– The computer you're signing on is owned
– The hardware wallet (ledger, trezor) you're using is owned
The multisig contract in question here (Gnosis Safe) has shown to be incredibly robust, and hardware wallets are very difficult to attack, so the current weak point is the computer.
Cryptocurrency companies need to start solving this by moving to a more locked-down, dedicated machine for signing, as well as actually verifying what is shown on the tiny hardware wallet screen instead of blindly clicking "yes".
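The article's point that the malware changed "what users saw versus what they actually signed", and the comment above about checking the hardware wallet screen instead of the UI, both come down to verifying the raw bytes independently. The following is an added example, not code from the Trail of Bits post or from the Safe project: it decodes the calldata of a Safe `execTransaction` call (the real selector and ABI layout of that contract) and reports which fields disagree with what the wallet interface claims; all addresses and payloads are constructed placeholders.

```python
# Added example, not from the Trail of Bits post or the Safe project. The selector and
# ABI layout are Safe's execTransaction; every address/payload below is a constructed sample.
SELECTOR = bytes.fromhex("6a761202")  # execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)
OPERATIONS = {0: "CALL", 1: "DELEGATECALL"}

def _word(body: bytes, i: int) -> bytes:
    return body[i * 32:(i + 1) * 32]

def _pad32(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % 32)

def encode_exec_transaction(to: str, value: int, data: bytes, operation: int) -> bytes:
    """Build execTransaction calldata (gas/refund fields zero, no signatures) as sample input."""
    data_off = 10 * 32                            # dynamic `data` follows the 10 head words
    sig_off = data_off + 32 + len(_pad32(data))   # `signatures` follows `data`
    head = [bytes.fromhex(to[2:]).rjust(32, b"\x00"), value.to_bytes(32, "big"),
            data_off.to_bytes(32, "big"), operation.to_bytes(32, "big"),
            bytes(32), bytes(32), bytes(32), bytes(32), bytes(32), sig_off.to_bytes(32, "big")]
    tail = len(data).to_bytes(32, "big") + _pad32(data) + bytes(32)  # empty signatures
    return SELECTOR + b"".join(head) + tail

def decode_exec_transaction(calldata: bytes) -> dict:
    """Recover the fields a signer must check from the raw bytes, independent of any UI."""
    if calldata[:4] != SELECTOR:
        raise ValueError("not a Safe execTransaction call")
    body = calldata[4:]
    data_off = int.from_bytes(_word(body, 2), "big")
    data_len = int.from_bytes(body[data_off:data_off + 32], "big")
    data = body[data_off + 32:data_off + 32 + data_len]
    return {"to": "0x" + _word(body, 0)[12:].hex(),
            "value": int.from_bytes(_word(body, 1), "big"),
            "operation": OPERATIONS.get(_word(body, 3)[-1], "UNKNOWN"),
            "inner_selector": data[:4].hex()}

def ui_mismatches(calldata: bytes, ui_claim: dict) -> list:
    """Fields where the bytes to be signed disagree with what the wallet interface shows."""
    actual = decode_exec_transaction(calldata)
    return [k for k in ("to", "value", "operation", "inner_selector")
            if str(actual[k]).lower() != str(ui_claim[k]).lower()]

# Constructed sample: the UI displays a plain ERC-20 transfer (selector a9059cbb) via CALL ...
UI_CLAIM = {"to": "0x" + "11" * 20, "value": 0, "operation": "CALL", "inner_selector": "a9059cbb"}
HONEST = encode_exec_transaction(UI_CLAIM["to"], 0, bytes.fromhex("a9059cbb") + bytes(64), 0)
# ... while the bytes actually offered for signature target another contract with another operation.
TAMPERED = encode_exec_transaction("0x" + "22" * 20, 0, bytes.fromhex("deadbeef"), 1)

if __name__ == "__main__":
    print("honest:", ui_mismatches(HONEST, UI_CLAIM))      # []
    print("tampered:", ui_mismatches(TAMPERED, UI_CLAIM))  # ['to', 'operation', 'inner_selector']
```

Run on a dedicated signing machine, the decoded `to`, `value` and `operation` are the values to compare against the hardware wallet's screen before approving.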
jmyeet
The other side of this coin is all the companies and infrastructure that have popped up, which intentionally or not enable the laundering of ill-gotten cryptocurrency [1].
I have a hard time feeling sympathy here because I consider cryptocurrency to be fundamentally silly. Reversible fiat currency transactions are a feature, not a bug.
I feel like securing something like this is practically impossible. There's always the risk of a bad actor who introduces malware for a small fee.
[1]: https://www.chainalysis.com/blog/2024-crypto-money-launderin…
HenryBemis
Taking a step back from this attack, it looks like the new crypto-reality is far far far immature security-wise & compliance-wise ("compliance to what??" you can ask me).
While it is nearly impossible to steal $100mn from one of the mega-banks, those <expletive> crypto bros, a bunch of failed morons (self-proven by all these hacks), manage to lose people's money. Now.. I am not defending the banking system (and its ethics/morals), but damn it they do a f-a-r better job at IT Audit/IT Compliance/IT Sec (my bread and butter for decades).
ohwowhi
Unsure why the title says this era has arrived as if it's something new. As an internal penetration tester, I can attest it's already a disaster. The issue is that companies live and die by the cope that social engineering is a high bar or that if a vulnerability isn't internet facing, it's not a big deal.
WJW
The online security world is so wild. In pretty much any other field of engineering, foreign nation states explicitly targeting the thing you built is just kinda out of scope. There's no skyscraper in existence that is designed to withstand sustained artillery shelling, and your car is not going to withstand a tank shell either. Neither do they have to be designed to that specification. If North Korea killed someone with a missile or even destroyed a minor building or something, there would be public outrage and swift (military) repercussions.
But online, it's the wild wild west. The North Koreans can throw anything they want at your systems and the main response you get is "lol get good noob, should have built more secure systems" despite the opposing side quite literally having hundreds of people specifically trained to take on organisations like yours.
Not saying the Bybit people couldn't have been more careful or whatever, but let's appreciate how wild the online environment actually is sometimes.
herodotus
Genuine question because I know almost nothing about crypto: who actually lost money in this attack? Lots of individuals?
konaraddi
This post is light on the details of how the hack occurred. Given it talks about their toolkit, am I right to understand that people were tricked into downloading and running malicious software?
garyrob
"At this time, it appears the attackers compromised multiple signers’ devices, manipulated what signers saw in their wallet interface, and collected the required signatures while the signers believed they were conducting routine transactions."
Does anyone know how many signers there were/are?
zsdsystems
I really do not understand why they do not separate these into multiple separate wallets.
dang
Recent and related: Bybit loses $1.5B in hack – https://news.ycombinator.com/item?id=43130143