Risk register · entry
Q-F · FraudBybit hack
A wallet-UI supply-chain attack redirected the largest crypto theft ever.
The fifth quadrant, where the thing was never real. The tell is that the story is too clean.
Why this room
The mechanism started as a simple, single-payoff deception aimed at fooling Bybit's signers (Fraud), but the actual payoff came from a pre-built, reusable compromise of shared custody infrastructure with fat-tail blast radius across any Safe{Wallet} client, the hallmark of an Engineered risk rather than an opportunistic scam.
The record
- 401,347 ETH stolen, ~$1.5 billion at time of hack (February 21, 2025)certain
- Attack attributed by FBI to North Korea's Lazarus Group / TraderTraitor / APT38certain
- Malicious JavaScript injected into Safe{Wallet}'s app on February 19, 2025, activated only for Bybit's walletlikely
- Transaction parameter switched from operation 0 (call) to operation 1 (delegatecall) to hijack the proxy's logic addresslikely
- FBI published 51 Ethereum addresses tied to the stolen fundscertain
- Bybit secured bridge-loan/emergency funding covering roughly 80% of stolen ETH within about 72 hourslikely
- At least $500 million withdrawn by customers in the days following the hacklikely
- By March 2025, about 86% of stolen ETH laundered into Bitcoin across 35,000+ wallets, largely via THORChainuncertain
- North Korea-linked actors stole a reported $1.34 billion across 47 incidents in 2024, for comparisonlikely
- Specific bridge-loan lenders (Galaxy Digital, FalconX, Wintermute, Binance) named in some secondary reporting but not confirmed in directly fetched primary sourceuncertain
Sources
The book
This entry is one of 111 in the register. The full story, and what it cost the people who lived it, is in Risky Business by Claudia Zeisberger, David Munro and Joanna Reijgersberg-Siew.
Join the waiting list