On 21 February 2025, the Lazarus Group — a cyber-offensive unit attached to the North Korean regime — stole $1.5 billion in Ethereum from the Bybit exchange. In volume, it is the largest hack in the history of crypto-assets. In method, it is a surgical operation that reveals as much about the ecosystem's vulnerabilities as about what a determined state actor can accomplish when the target is sufficiently exposed.
For an economic intelligence firm specialising in digital exposure audits, this incident is not merely a crypto news item. It is a textbook case that condenses the full range of vulnerabilities we observe daily among Web3 actors: underestimated attack surface, identity/asset correlation visible on-chain, and the near-systematic absence of prior offensive audit.
Anatomy of the attack: an invisible compromise
The attack on Bybit did not involve brute force or exploitation of a smart contract flaw. The Lazarus Group targeted Bybit's multisignature wallet management interface, operated via Gnosis Safe (now Safe). The vector: a compromise of the front-end infrastructure used by authorised signatories.
Concretely, the attackers manipulated the signing interface so that the signatories — believing they were validating a legitimate transaction — actually signed a modified transaction redirecting the entirety of the cold wallet funds to addresses controlled by Lazarus. The malicious transaction was executed in minutes. All 401,346 ETH left Bybit's wallet in a single operation.
It was not the blockchain that was compromised. It was the human layer — the interface between the signatory and the protocol. The most dangerous vulnerability is the one the user cannot see.
Several elements deserve emphasis. First, the level of preparation behind the attack. Lazarus must have compromised Safe's infrastructure or a component of the deployment chain, implying extensive prior reconnaissance — likely over several weeks. Second, the fact that cold signing — supposed to be the last line of security — was bypassed not through a cryptographic attack, but through display manipulation. Finally, the speed of execution indicates complete automation of the exfiltration process, with pre-configured receiving addresses and dispersion scripts ready to deploy.
OSINT traceability: the blockchain as an investigation field
One of the most remarkable aspects of this incident was the reaction of the crypto OSINT community. Within hours, leading on-chain analysts had identified, traced and publicly documented the fund movements.
ZachXBT, a respected independent investigator in the ecosystem, was among the first to publish a mapping of the wallets involved, correlating receiving addresses with patterns already observed in operations attributed to Lazarus. Arkham Intelligence, a blockchain traceability platform, deployed a public dashboard enabling real-time tracking of stolen fund dispersion across hundreds of intermediary addresses.
Reports from Chainalysis and Elliptic confirmed the attribution to the Lazarus Group based on several converging indicators:
- Reuse of splitting patterns characteristic of previous North Korean operations (Ronin Bridge, Harmony Horizon)
- Use of Tornado Cash as a mixing layer, despite OFAC sanctions on the protocol
- Cross-chain conversion via decentralised bridges (notably THORChain) to disperse funds between Ethereum, Bitcoin and other networks
- Routing through intermediary wallets linked to previous Lazarus operations, identified through cluster analysis
The blockchain is a public ledger. Every transaction is traceable, every wallet is observable. What makes it difficult to counter laundering is not the absence of data; it is the volume of data and the speed at which funds are dispersed.
The reality, however, is nuanced. Despite theoretical traceability, a significant portion of the funds was effectively obscured within days. Mixing techniques, chain-hopping and the use of decentralised services without KYC make effective fund recovery extremely complex. Attribution is possible; restitution is far less so.
What this reveals about Web3 actor exposure
Beyond the technical aspects, the Bybit hack highlights a structural problem we observe in our audit engagements: the informational exposure of crypto ecosystem actors is massively underestimated.
In Web3, wealth is visible. A wallet whose address is known exposes its balance, transaction history, interactions with DeFi protocols, and NFT holdings. When an actor — founder, CTO, investor — can be correlated to an on-chain address, their entire crypto wealth becomes public information.
The correlation vectors are numerous and often trivial:
- ENS domains linked to real identities (name.eth registered from a primary wallet)
- Transactions to centralised platforms with KYC, creating a wallet/identity link
- Social media posts mentioning addresses or transactions
- Participation in airdrops or governance votes from identifiable wallets
- Public crypto donations from addresses linked to a known profile
For a motivated attacker — whether a state group like Lazarus, a criminal network, or simply an actor seeking leverage — this correlation transforms an abstract target into a complete profile: estimated wealth, transaction patterns, professional interactions, and sometimes physical location.
In our offensive audits on crypto profiles, we systematically find that CTOs and founders of Web3 projects present a considerable attack surface. Their civil identity is public (LinkedIn, conferences, interviews), their wallets are often identifiable through cross-referencing, and their on-chain wealth — sometimes considerable — constitutes a direct targeting signal for malicious actors.
Lessons for crypto holders and executives
The Bybit hack is not an isolated incident. It is the logical culmination of a trend: crypto ecosystem actors hold considerable assets while operating in an environment where the separation between identity and wealth is structurally fragile. The lessons are concrete.
Basic digital hygiene. The first line of defence remains strict separation of contexts. A wallet used for routine operations should never be linked, even indirectly, to a long-term storage wallet. ENS domains, governance vote participation, dApp interactions — every on-chain operation is a potential correlation point.
Identity separation. For executives and founders, the question is not whether their identity is public — it is. The question is whether that public identity can be correlated to specific wallets. This correlation must be actively prevented through the use of dedicated wallets, transaction relays, and strict operational discipline.
Offensive audit as a prerequisite. Before an attacker does it, it is imperative to know your own exposure. An offensive audit, conducted from an attacker's posture, identifies what a malicious third party can reconstruct: wallets linked to identity, estimable wealth, social engineering vectors, personal data exploitable for targeted phishing. This type of audit is no longer a luxury for high-exposure profiles: it is an operational prerequisite.
In the crypto ecosystem, your wealth is your attack surface. If a third party can correlate your identity to your wallets, they know your exposure better than you do.
Operational security of signing procedures. The Bybit case shows that even a cold wallet multisig can be compromised if the signing interface is manipulated. Organisations holding significant volumes of crypto-assets must implement independent verification procedures: destination address verification on a separate channel, double-checking transaction parameters on a distinct device, and systematic transaction simulation before signing.
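The independent check described above, applied to a Safe transaction payload, as an added example (not code from the article or from Safe): the raw fields presented for signature are decoded on a separate device and compared with the transfer intent received over another channel, and a delegatecall or an unlisted destination is refused. The `SafeTx` and `Intent` types and the placeholder addresses are constructed for this example; the ERC20 `transfer` selector is the standard one.

```python
from dataclasses import dataclass

ERC20_TRANSFER = "a9059cbb"  # 4-byte selector of transfer(address,uint256)
@dataclass(frozen=True)
class SafeTx:  # fields exactly as presented for signature
    to: str         # account the Safe will call
    value: int      # native value (wei) sent with the call
    data: str       # calldata as hex without the 0x prefix
    operation: int  # 0 = CALL, 1 = DELEGATECALL

@dataclass(frozen=True)
class Intent:  # what the signer was told, received over a separate channel
    token: str
    recipient: str
    amount: int

def decode_erc20_transfer(data: str):
    """Return (recipient, amount) if data is a plain ERC20 transfer, else None."""
    if len(data) != 136 or data[:8].lower() != ERC20_TRANSFER:
        return None
    # The address occupies the low 20 bytes of the first 32-byte argument word.
    return "0x" + data[32:72].lower(), int(data[72:136], 16)

def check_safe_tx(tx: SafeTx, intent: Intent, allowed: set) -> list:
    """Compare the raw payload with the out-of-band intent; return violations."""
    findings = []
    if tx.operation != 0:
        findings.append("operation is DELEGATECALL; a token transfer never needs it")
    if tx.value != 0:
        findings.append(f"unexpected native value {tx.value} wei")
    if tx.to.lower() != intent.token.lower():
        findings.append(f"target {tx.to} is not the intended token contract")
    decoded = decode_erc20_transfer(tx.data)
    if decoded is None:
        return findings + ["calldata is not a plain ERC20 transfer"]
    recipient, amount = decoded
    if recipient != intent.recipient.lower():
        findings.append(f"recipient {recipient} differs from the intended one")
    if recipient not in {a.lower() for a in allowed}:
        findings.append(f"recipient {recipient} is not on the allow-list")
    if amount != intent.amount:
        findings.append(f"amount {amount} differs from intended {intent.amount}")
    return findings  # empty list: payload matches intent, safe to sign

def encode_erc20_transfer(recipient: str, amount: int) -> str:
    """Build transfer calldata; used here only to construct sample payloads."""
    return ERC20_TRANSFER + recipient[2:].lower().rjust(64, "0") + format(amount, "064x")

# Constructed placeholder addresses; none is a real contract or Bybit wallet.
TOKEN, TREASURY, ATTACKER = ("0x" + b * 20 for b in ("11", "22", "33"))
```

The check runs on the decoded bytes, not on what any web interface renders, which is the point: a compromised front-end can change the display, but not what this comparison sees.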
Implications for economic intelligence: the blockchain as an OSINT source
For economic intelligence practitioners, the blockchain ecosystem opens a considerable field of investigation. The blockchain is, by nature, an open ledger. Every transaction is timestamped, immutable, and publicly consultable. For an OSINT analyst, it is an information source of unparalleled richness — provided the right tools and methodology are available.
Financial flow traceability. In due diligence engagements involving crypto ecosystem actors, on-chain analysis enables verification of the consistency between an actor's declarations and the reality of their operations. Actual volumes, counterparties, interactions with high-risk protocols (mixers, non-compliant platforms) — everything is observable for those who know how to read the blockchain.
Crypto due diligence. Investment funds, family offices and financial institutions dealing with counterparties holding crypto wealth need an additional layer of analysis. On-chain analysis does not replace traditional due diligence: it complements it by adding a dimension that conventional accounting documents cannot capture.
Network identification. Wallet cluster analysis enables identification of connections between actors that official documents do not reveal. Two legally distinct entities sharing common funding wallets, recurring flows between seemingly unrelated addresses, transaction patterns revealing undisclosed business relationships — on-chain analysis is a natural complement to stakeholder mapping.
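A minimal form of the tracing described under "OSINT traceability" and the cluster analysis described in this section, as an added example (not code from the article, Arkham, Chainalysis or Elliptic): funds are followed hop by hop from the theft address through a constructed transfer log, labelled chokepoints (mixer, bridge, custodial deposit) are reported, and a common-funding heuristic groups addresses paid by the same wallet. Address names, amounts and labels are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed transfer log: (block, sender, receiver, amount). Names stand in
# for addresses; nothing here is a real wallet or a real Bybit flow.
TRANSFERS = [
    (1, "theft", "split1", 600), (1, "theft", "split2", 400),
    (2, "split1", "hop_a", 300), (2, "split1", "hop_b", 300),
    (3, "split2", "hop_c", 400), (3, "clean_payer", "hop_c", 50),
    (4, "hop_a", "mixer", 300), (4, "hop_b", "bridge", 300),
    (5, "hop_c", "exchange_deposit", 450),
]
# Service labels an analyst would take from public attribution data (constructed).
LABELS = {"mixer": "mixing service", "bridge": "cross-chain bridge",
          "exchange_deposit": "custodial deposit (KYC)"}

def trace(transfers, origin):
    """Breadth-first follow of funds leaving origin.

    Returns {address: (hops, amount_received_from_tainted_senders)}. Only
    transfers whose sender is already tainted count, so clean_payer's 50 units
    into hop_c are not attributed to the theft. Caveat: amounts are not
    discounted for commingling downstream, and time ordering is ignored.
    """
    outgoing = defaultdict(list)
    for _, src, dst, amt in sorted(transfers):
        outgoing[src].append((dst, amt))
    tainted = {origin: (0, 0)}
    queue = deque([origin])
    while queue:
        src = queue.popleft()
        hops, _ = tainted[src]
        for dst, amt in outgoing[src]:
            if dst not in tainted:
                tainted[dst] = (hops + 1, 0)
                queue.append(dst)
            tainted[dst] = (tainted[dst][0], tainted[dst][1] + amt)
    return tainted

def chokepoints(tainted, labels):
    """Tainted addresses that are labelled services, where a freeze or KYC request is possible."""
    return {addr: labels[addr] for addr in tainted if addr in labels}

def shared_funders(transfers):
    """Common-funding heuristic: senders that fund two or more distinct receivers."""
    funded = defaultdict(set)
    for _, src, dst, _ in transfers:
        funded[src].add(dst)
    return {src: sorted(dsts) for src, dsts in funded.items() if len(dsts) > 1}
```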
The blockchain does not lie. It hides nothing. But it only speaks to those who know how to read it. Economic intelligence applied to the crypto ecosystem is a competence that is no longer optional.
The Bybit affair is a brutal reminder. Crypto-assets are not a dematerialised space without consequences. Behind every wallet, there is a person, an organisation, a set of assets. And behind every hack, there is an attacker who knew how to read that exposure better than the target itself. For ecosystem actors — platforms, founders, holders — the question is no longer whether this reading will be attempted. The question is whether it has already been done.
Sources
- Chainalysis, 2025 Crypto Crime Report
- Elliptic, Bybit Hack Analysis
- ZachXBT, on-chain investigations published on X/Twitter
- Arkham Intelligence, Bybit traceability dashboard
- Safe (formerly Gnosis Safe), post-incident analysis
- OFAC, Tornado Cash sanctions
- FBI, public attribution to Lazarus Group
Sentryum conducts offensive OSINT audits for crypto-asset holders and Web3 ecosystem leaders, covering civil identity / wallet correlation, exposure surface, targeting vectors and a hardening plan.