The $1.4B Bybit Hack: Inside the Largest Crypto Heist in History

Source: The Block

How North Korea’s Elite Hackers Broke People, Not Code

On a quiet February morning in 2024, cryptocurrency exchange Bybit lost $1.46 billion in what would become the largest crypto hack in history. But here’s the twist: the attackers never broke Bybit’s code. Instead, they broke something far more vulnerable — its people.

The Numbers That Shocked the World

| Source: Arkham Intelligence

The hacker’s wallet showing a staggering $1.37B in stolen assets

When the dust settled, the damage was clear:

499,395 ETH stolen (0.42% of all Ethereum)$1.46 billion total loss4 critical transactionsLess than 24 hours to execute

But numbers only tell half the story.

Inside North Korea’s Cyber Army

Source: State Media

Rare glimpse: North Korean military personnel at cyber operations facility

The attack wasn’t random. It was orchestrated by the Lazarus Group, North Korea’s elite hacking unit. These aren’t ordinary cybercriminals — they’re state-sponsored operators with military precision.

Critical Vulnerability Analysis

ISafeWallet Interface Manipulation

Let me explain the code sections:

//solidity
interface ISafeWallet {
function executeTransaction(
address to,
uint256 value,
bytes calldata data,
Enum.Operation operation,
uint256 safeTxGas,
uint256 baseGas,
uint256 gasPrice,
address gasToken,
address refundReceiver,
bytes memory signatures
) external payable returns (bool);
}

This is Bybit’s multisig wallet interface that the Lazarus Group exploited. Here’s what each part means in the attack:

to: Where funds would be sent - hackers manipulated this to show legitimate addresses in UI while actually sending to their walletsvalue: Amount of cryptocurrency - they made large transfers look like routine amountssignatures: Multiple approvals needed - they socially engineered all required signersdata: Transaction data - they showed fake data in UI while executing malicious transfers

Multisig Implementation Vulnerability

The original vulnerable code that contributed to the hack:

//solidity
contract MultisigWallet {
function executeTransaction(
address destination,
uint256 value,
bytes memory data,
uint8 operation
) public {
require(isValidSignature(msg.sender));
if (operation == 1) {
// Vulnerable delegatecall implementation
(bool success,) = destination.delegatecall(data);
require(success);
}
}

This code is vulnerable because:

It uses delegatecall without proper validationThe operation type check (operation == 1) is too simplisticThere’s no verification of the destination addressThe data parameter is executed without scrutiny

Following the Money |Post-Attack Analysis

Fund Movement Pattern

Funds were routed through Chainflip.io for BTC conversionTarget BTC address: bc1qlu4a33zjspefa3tnq566xszcr0fvwz05ewhqfqMultiple transactions were used to distribute the stolen funds

Impact Assessment

Over 350,000 withdrawal requests processed99.994% of withdrawals completed within 12 hours2.95B USDT moved to warm wallet as preventive measureSource: Arkham Intelligence

The complex web of transactions post-hack

The attack’s brilliance lies in its simplicity. The hackers didn’t need to break encryption or find zero-day exploits. They simply made Bybit’s own multisig signers approve the transactions.

The four critical transactions that drained the wallet:

// Key transactions involved in the attack
0x4f5f7ba657bf518d383828183087978b452b99da6cde0c9b94739b8d72a8c5ef
0x1e71b458812c91ce7c49922d9e966ba99cda1a1f017c8dfabb31f560a67ddfcc
0x3ff650d457ce3edba4a05b07d60360bb571f496b0ff506abf77cacbbce04e6b2
0xdc505d2661f8bc9429a4bed354c2ccfefb15013477efd7e6f578c0e37340446a

A History of Patience

Source: Chainalysis

North Korea’s unlaundered cryptocurrency holdings by hack

What’s fascinating isn’t just how much they stole — it’s how long they hold their stolen funds. The graph shows balances as old as six years, proving this isn’t about quick profits. It’s about long-term strategy.

The New Rules of Crypto Security

Source: PixOnChain

Five critical rules for cryptocurrency protection

The hack forced the industry to rethink security. Here’s the technical implementation every exchange should consider:

Transaction Monitor interface:

//typescript
interface TransactionMonitor {
validateTransaction(tx: Transaction): Promise<ValidationResult>;
checkThresholds(amount: BigNumber): Promise<ThresholdCheck>;
verifySignatures(sigs: Signature[]): Promise<SignatureVerification>;
}

This represents the security systems that failed to detect the attack:

validateTransaction: Should have caught the mismatch between displayed and actual transactionscheckThresholds: Should have flagged unusually large transfersverifySignatures: Verified the signatures were real but couldn't detect the signers were manipulated

The Art of the Hack

Source: Security Research

The four stages of social engineering that led to the breach

The attack followed a precise choreography:

SecureMultisig contract:

//solidity
contract SecureMultisig {
struct TransactionDetails {
address destination;
uint256 value;
bytes data;
uint8 operation;
bytes32 dataHash;
}

function verifyTransaction(TransactionDetails memory txn)
internal view returns (bool) {
require(txn.dataHash == keccak256(abi.encodePacked(
txn.destination,
txn.value,
txn.data,
txn.operation
)), "Invalid transaction hash");

return true;
}
}

This shows how the verification system was bypassed:

TransactionDetails: Structure storing transaction info - hackers showed fake details to signersverifyTransaction: Security check function - passed because signatures were real, even though signers were deceiveddataHash: Transaction verification hash - matched because UI manipulation happened before hash generation

Key improvements in this code:

Maintains a whitelist of approved destinationsVerifies transaction data integrity using hashingImplements structured transaction detailsSeparates verification logic from execution

The Faces Behind the Code

Source: FBI

FBI Wanted poster for key Lazarus Group operatives

Meet the architects: Kim Il, Jon Chang Hyok, and Park Jin Hyok. These aren’t just hackers — they’re military-trained operatives wanted by the FBI for:

Wire fraud conspiracyBank fraudComputer intrusion

What This Means for the Future

The Bybit hack isn’t just another crypto heist — it’s a wake-up call. The future of cryptocurrency security isn’t just about better code. It’s about understanding that your strongest security system is only as good as the humans operating it.

Key Takeaways:

Cold storage isn’t enough if humans can be manipulatedUI verification can be spoofedSocial engineering beats technical securityEven the best multisig systems can failAssume you’re always a target

Looking Ahead

As cryptocurrency exchanges strengthen their defenses, one thing becomes clear: the next big hack won’t come through a technical vulnerability. It will come through the same channel this one did — human psychology.

The question isn’t whether your code is secure. It’s whether your people are.

Follow me for more deep dives into cryptocurrency security and technical analysis.

This analysis is based on current information and will be updated as new details emerge.

---

The $1.4B Bybit Hack: Inside the Largest Crypto Heist in History was originally published in The Capital on Medium, where people are continuing the conversation by highlighting and responding to this story.