Bybit, the second-largest cryptocurrency exchange by trading volume, disclosed on 21 February 2025 a security incident in which approximately $1.5 billion of customer holdings (predominantly ETH and Ethereum-based tokens) were drained from the exchange's Ethereum multisig cold wallet during what was meant to be a routine transfer to a warm wallet (Bybit incident statement and updates through February-March). Attribution to Lazarus Group / DPRK state intelligence has firmed up on the basis of converging analysis from security-research firms and on-chain-analysis providers (Chainalysis, Elliptic, TRM Labs), and the FBI has publicly attributed the theft to DPRK.
The technical content. The cold wallet is a Safe (formerly Gnosis Safe) multisig contract: by design a transaction proposal must be signed by multiple approvers operating on segregated infrastructure before it executes. On the documented attack chain the threat actor touched neither the contract nor the signing keys; it compromised the user-interface layer, the Safe{Wallet} web frontend that Bybit's approvers used to review and sign proposals. Injected JavaScript rendered the transaction the approvers expected to see (the cold-to-warm ETH transfer) while substituting a different payload into the signing request: a delegatecall to an attacker-deployed contract that replaced the Safe's implementation (mastercopy) address, after which the attacker drained the wallet in separate transactions. The approvers signed what they believed to be a routine transfer; what they actually signed was the step that handed control of the wallet to the attacker. The signing devices displayed no human-readable detail that would have revealed the substitution, so the gap between what was displayed and what was signed went unnoticed until the funds moved.
The Safe-frontend compromise mechanism is operationally significant. The Safe team's preliminary post-incident summary indicates that the actor compromised a Safe{Wallet} developer's machine and used the resulting access to push malicious JavaScript into the hosted frontend (app.safe.global); the code activated only when the connected Safe matched specific high-value targets, Bybit's cold wallet among them, so every other user of the hosted UI saw nothing abnormal. Safe reports that its smart contracts were not affected: the trust boundary that failed was the hosted UI, not the on-chain logic. The supply-chain-of-supply-chains pattern (compromise an upstream vendor's developer in order to reach that vendor's customers) is consistent with the 3CX case of March 2023 and with the broader supply-chain-attack progression that has been continuous since SolarWinds.
The Lazarus Group attribution, and DPRK cryptocurrency theft as state economic policy, is the broader strategic context. Cumulative DPRK-attributed cryptocurrency theft over recent years runs, on Chainalysis estimates, to several billion dollars and represents a substantial fraction of the regime's hard-currency revenue under the international sanctions regime. The Bybit theft of $1.5 billion in a single operation is the largest on the public record, exceeding Chainalysis's total for all DPRK-attributed theft in 2024, and demonstrates the sustained operational capability of the Lazarus cluster.
For the customer-portfolio briefings. None of the customer-portfolio organisations operate cryptocurrency-exchange businesses. The customer-portfolio populations with substantive cryptocurrency-holding exposure (treasury-management functions, executives' personal holdings, certain investment-related operations) are limited, but the broader point about state-actor targeting of high-value approval workflows is relevant to customer-organisation threat modelling, and the failure mode is not specific to cryptocurrency: any workflow in which a human authorises a high-value action on the strength of what a web UI renders has the same gap between what is displayed and what is actually signed or approved.
The wider strategic point about the supply-chain-of-supply-chains attack pattern continues to develop. The post-3CX (2023), post-XZ Utils (2024), post-Bybit/Safe (2025) sequence shows that the pattern is operationally sustainable against multiple categories of upstream-vendor target and across more than one actor (3CX and Bybit are DPRK operations; the XZ Utils operator remains formally unattributed, though widely assessed as state-backed). The customer-organisation defensive disciplines that respond to it are operationally challenging and will be sustained customer-portfolio programme themes through 2025 and beyond: vendor-trust verification that reaches the upstream developer's own endpoint security; build-system and frontend-integrity monitoring, meaning pinning what a release is supposed to serve and alerting on drift in what is actually served; and, for any high-value signing or approval workflow, verifying what is actually being signed independently of the UI that proposed it.
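The frontend-integrity discipline named above, as an added example (not this note's, Safe's or Bybit's code): an SRI-style manifest recorded at release time and diffed against a snapshot of what the CDN or bucket actually serves. Asset names and contents are constructed; fetching the served assets over HTTP and the CI step that records and signs the manifest are outside the snippet.

```python
# Added example (not the note's, Safe's or Bybit's code): pin the hashes of a frontend
# release at build time and diff them against what the CDN/bucket actually serves.
# Asset names and contents are constructed placeholders.
import base64
import hashlib


def sri(content: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity string for one asset, e.g. 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def build_manifest(build_output: dict) -> dict:
    """Record at release time: path -> SRI value, committed/signed alongside the release."""
    return {path: sri(content) for path, content in sorted(build_output.items())}


def check_served(manifest: dict, served: dict) -> dict:
    """Compare a snapshot of served assets with the pinned manifest.  Any non-empty
    bucket is an alert: 'changed' is the Safe/Bybit shape (a known file with extra code),
    'added' catches a new script dropped next to the bundle, 'removed' a swapped build."""
    drift = {"changed": [], "added": [], "removed": []}
    for path, expected in manifest.items():
        if path not in served:
            drift["removed"].append(path)
        elif sri(served[path]) != expected:
            drift["changed"].append(path)
    drift["added"] = [p for p in served if p not in manifest]
    return drift


def is_clean(drift: dict) -> bool:
    return not any(drift.values())


# Constructed release and two constructed snapshots of what the bucket served.
BUILD = {
    "index.html": b"<script src=main.js integrity=PINNED></script>",
    "main.js": b"export function proposeTx(tx){return tx}",
    "vendor.js": b"export const ethers={}",
}
SERVED_OK = dict(BUILD)
SERVED_TAMPERED = dict(BUILD)
# Constructed injection: extra code appended to a known file, and the HTML's integrity
# attribute stripped so the browser-side SRI check would not fire either.
SERVED_TAMPERED["main.js"] = BUILD["main.js"] + b"\nif(tx.safe===TARGET){tx.operation=1}"
SERVED_TAMPERED["index.html"] = b"<script src=main.js></script>"

MANIFEST = build_manifest(BUILD)

if __name__ == "__main__":
    print("ok snapshot:      ", check_served(MANIFEST, SERVED_OK))
    print("tampered snapshot:", check_served(MANIFEST, SERVED_TAMPERED))
```

The comparison has to run out of band against the manifest recorded at build time: integrity attributes inside the served HTML only protect the scripts if the HTML is not itself the thing that was modified, and an actor with write access to the bucket can edit both together, as the constructed tampered snapshot does.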
I will return to this. The Bybit situation will continue to produce subsequent technical-and-policy detail through 2025.