The Bybit Hack Explained


โœ๏ธ Written & reviewed by Karel HavlรญฤekUpdated 2026๐Ÿ›ก๏ธ Editorially independent

Quick Answer

In February 2026, attackers drained roughly $1.5 billion from the crypto exchange Bybit in a matter of minutes, the single largest theft in crypto history. The most chilling part: Bybit’s own staff approved it, believing they were signing a routine transfer. Here is exactly how it happened.

โš ๏ธ In one line

Imagine signing a cheque for $100 while the paper secretly says $1.5 billion to a stranger. That is essentially what happened: the screen showed one thing, the transaction did another.

The deception

Attackers (North Korea’s Lazarus Group) compromised the infrastructure behind the Safe{Wallet} interface Bybit used. They injected malicious code so that when Bybit’s multi-signature signers reviewed a transfer, the screen showed legitimate details, while the transaction actually being signed sent funds to wallets controlled by the attackers.

The approval

Three of Bybit’s multi-sig signers approved what looked like a routine internal transfer. The smart contract dutifully executed the tampered instructions, moving ~$1.5B in Ethereum and staked tokens out of the exchange in one sweep.

The laundering

Within days, the bulk of the stolen Ether was converted to Bitcoin, largely via the cross-chain protocol THORChain, which processed an unprecedented surge in volume. For North Korea, this "ETH in, BTC out" route is a reliable, high-capacity exit ramp.

The lesson

The signers did everything they were "supposed" to; the failure was that they trusted what their screens showed. It is a stark reminder that even sophisticated, multi-signature setups fail if the device or interface showing the transaction is compromised. Verify on a separate, trusted device.
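The independent check this lesson calls for, as an added example (not code from Bybit, Safe or this article): on a separate machine, decode the raw transaction fields and compare them with what the signing screen displayed. The `to`, `value`, `data` and `operation` field names follow the Safe transaction format; the `displayed` dict, the allowlist and every address are constructed assumptions.

```python
# Added example (not Bybit's or Safe's code). All sample values are constructed.
ERC20_TRANSFER = "a9059cbb"  # selector of transfer(address,uint256)
CALL = 0                     # Safe "operation": 0 = call, 1 = delegatecall

def decode_payload(tx):
    """Decode raw Safe transaction fields into (kind, asset, recipient, amount)."""
    to, data = tx["to"].lower(), tx["data"].lower().removeprefix("0x")
    if tx["operation"] != CALL:
        return ("delegatecall", to, None, None)
    if data == "":  # plain ETH transfer: no calldata, value carries the amount
        return ("transfer", "eth", to, int(tx["value"]))
    # ERC-20 transfer: selector + 32-byte padded address + 32-byte amount
    if (data[:8] == ERC20_TRANSFER and len(data) == 136
            and data[8:32] == "0" * 24 and int(tx["value"]) == 0):
        return ("transfer", to, "0x" + data[32:72], int(data[72:], 16))
    return ("unrecognised call", to, None, None)

def verify(displayed, tx, allowlist):
    """Return reasons to refuse signing; an empty list means UI and payload agree."""
    kind, asset, recipient, amount = decode_payload(tx)
    if kind != "transfer":
        return [f"payload is not a plain transfer: {kind} to {asset}"]
    problems = []
    if asset != displayed["asset"].lower():
        problems.append(f"asset: UI shows {displayed['asset']}, payload moves {asset}")
    if recipient != displayed["recipient"].lower():
        problems.append(f"recipient: UI shows {displayed['recipient']}, payload pays {recipient}")
    if amount != displayed["amount"]:
        problems.append(f"amount: UI shows {displayed['amount']}, payload moves {amount}")
    if recipient not in allowlist:
        problems.append(f"recipient {recipient} is not an allowlisted wallet")
    return problems

def erc20_transfer(token, recipient, amount):
    """Build constructed sample payload fields for an ERC-20 transfer."""
    data = "0x" + ERC20_TRANSFER + recipient[2:].rjust(64, "0") + format(amount, "064x")
    return {"to": token, "value": "0", "data": data, "operation": CALL}

# Constructed sample addresses: a token contract, the exchange's own wallet, a stranger
TOKEN, WARM, OTHER = "0x" + "aa" * 20, "0x" + "11" * 20, "0x" + "ee" * 20
SHOWN = {"asset": TOKEN, "recipient": WARM, "amount": 100}  # what the screen displayed

if __name__ == "__main__":
    print(verify(SHOWN, erc20_transfer(TOKEN, WARM, 100), {WARM}))   # payload matches
    print(verify(SHOWN, erc20_transfer(TOKEN, OTHER, 100), {WARM}))  # payload differs
```

The check only helps if it runs on a device that does not load the web interface being verified, and if the fields it reads are the ones the hardware signer actually receives.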

🔑 Key takeaway

Bybit lost $1.5B because attackers made the signing screen lie: the signers approved a transfer they couldn’t actually see. Even multi-sig fails if the interface is compromised; independent verification is everything.

What it means for you

Bybit is one of Asia’s most-used exchanges, so the hack hit regional traders directly. The takeaway for users: an exchange’s security is out of your hands, and the only balance truly under your control is the one in your own wallet.

Frequently asked questions

Did Bybit users lose their money?

Bybit covered customer losses and remained solvent, but the event showed how a single exchange breach can threaten billions. It is the clearest argument yet for self-custody of long-term holdings.

How was it traced to North Korea?

The FBI publicly attributed the hack to North Korea’s Lazarus Group (TraderTraitor), based on on-chain analysis and the laundering patterns matching prior North Korean operations.

Could this happen to any exchange?

The specific technique exploited a particular signing workflow, but the broader risk of compromised interfaces and infrastructure applies industry-wide. It is why "verify on a hardware device" matters.
