On 21 February 2025 we saw the record-breaking crypto heist of about $1.46 billion stolen from the Dubai-based exchange Bybit. As a compliance company, Nominis has published plenty on our website and to our LinkedIn community discussing the incident itself, the role of crypto crime groups such as the Lazarus Group, which carried out the Bybit attack, and how such hacks can be prevented in future. For convenience, we have compiled a succinct list of 12 lessons that we believe are critical to understanding this hack and preventing the next one.

A wake-up call for Crypto Security
The Bybit hack was the largest crypto exploit to date, costing about $1.46 billion. It exposed vulnerabilities that persist even at high-profile exchanges, and it highlights the need for stronger access controls, robust storage solutions, and adequate policy enforcement.
Cold Wallets are not always Cold
The breach occurred when attackers gained access to a cold wallet during a routine transfer to a warm wallet. If a cold wallet connects to the internet even momentarily, it ceases to be truly cold, and that signing window is exactly where it can be attacked.
MPC and Multisig are not the same
Multisignature wallets require multiple independent private keys to sign a transaction, and the wallet contract itself enforces the signing threshold on-chain, whereas multi-party computation (MPC) splits a single private key into shares that jointly produce one ordinary signature. Both raise the bar, but they serve different purposes and so cannot be used interchangeably.
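To make the distinction concrete, the following Python model is added here for illustration; it is not part of the original post and not Nominis tooling. The Shamir split shows the secret-sharing idea behind MPC wallets (one key, several shares, any threshold of which is enough), while the small Multisig class shows the contract-side counting of distinct owner keys. It assumes a 256-bit scalar key in the secp256k1 group order and produces no real signatures.

```python
import secrets

# Field for the toy key: the order of the secp256k1 group, so a "key" is a
# 256-bit scalar like a real Ethereum signing key. (Assumption: we only model
# the key-splitting step; no actual signatures are produced here.)
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def split_key(key: int, threshold: int, shares: int) -> list[tuple[int, int]]:
    """Shamir-split ONE key into `shares` shares; any `threshold` rebuild it.

    This is the secret-sharing idea behind MPC wallets. In a real MPC wallet
    the shares never meet: the parties run a protocol that outputs a single
    ordinary signature, so on-chain the wallet looks like one key.
    """
    coeffs = [key] + [secrets.randbelow(Q) for _ in range(threshold - 1)]

    def poly(x: int) -> int:
        return sum(c * pow(x, i, Q) for i, c in enumerate(coeffs)) % Q

    return [(x, poly(x)) for x in range(1, shares + 1)]


def recover_key(subset: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 (shown only to prove the threshold)."""
    total = 0
    for i, (xi, yi) in enumerate(subset):
        num = den = 1
        for j, (xj, _) in enumerate(subset):
            if i != j:
                num = num * (-xj) % Q
                den = den * (xi - xj) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total


class Multisig:
    """m-of-n approval enforced by the wallet contract itself.

    Every owner holds an INDEPENDENT key; the contract (not an off-chain
    service) counts distinct valid owner signatures before executing.
    """

    def __init__(self, owners: list[str], threshold: int) -> None:
        self.owners = set(owners)
        self.threshold = threshold

    def approved(self, signers: list[str]) -> bool:
        # Duplicate signatures from one owner count once; strangers count zero.
        return len({s for s in signers if s in self.owners}) >= self.threshold


if __name__ == "__main__":
    key = secrets.randbelow(Q)
    shares = split_key(key, threshold=2, shares=3)
    print("2 of 3 shares rebuild the key:", recover_key(shares[:2]) == key)
    print("1 share alone does not:      ", recover_key(shares[:1]) == key)
    wallet = Multisig(["alice", "bob", "carol"], threshold=2)
    print("alice+bob approve:   ", wallet.approved(["alice", "bob"]))
    print("alice twice approves:", wallet.approved(["alice", "alice"]))
```

The practical consequence is where the threshold lives: with multisig the chain refuses a transaction that lacks enough distinct signatures, while with MPC the chain only ever sees one signature, so the threshold and any approval rules are enforced by the MPC service off-chain.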
MPC requires additional security layers
Using MPC alone does not guarantee secure access control: the threshold protects the key, not the decision about what gets signed. A policy management platform is crucial for enforcing granular transaction approvals (such as destination allowlists and per-transaction limits) and real-time monitoring to prevent unauthorized transfers.
Transaction simulation is critical
Neither MPC nor multisig replaces transaction simulation. Running a transaction through a simulation firewall shows what it would actually do on-chain before it is signed, so signers can compare that with what they were shown. This is a pre-execution control, not a substitute for full compliance measures.
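The two lessons above (a policy layer on top of the key, and checking what a transaction really does before signing) can be combined in one pre-signing check. The Python below is an added illustration, not code from the original post or from Nominis or Bybit. It assumes a Safe-style wallet whose transactions carry an `operation` field (0 = CALL, 1 = DELEGATECALL), uses the real ERC-20 `transfer(address,uint256)` selector, and stands in for the simulation step by statically decoding the payload; a real simulation firewall executes the transaction against a fork of chain state and diffs balances and storage. All addresses are constructed placeholders.

```python
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1          # operation types a Safe-style wallet accepts
ERC20_TRANSFER = "a9059cbb"        # 4-byte selector of transfer(address,uint256)

# Constructed addresses for the example (not real wallets).
COLD = "0x" + "c0" * 20
WARM = "0x" + "11" * 20
TOKEN = "0x" + "22" * 20
ATTACKER = "0x" + "33" * 20


@dataclass(frozen=True)
class Intent:
    """What the signer saw on the signing screen."""
    to: str
    operation: int
    recipient: str
    amount: int


@dataclass(frozen=True)
class RawTx:
    """What the wallet will actually execute once enough signatures exist."""
    to: str
    operation: int
    data: str   # hex calldata without 0x; empty for a plain call


@dataclass(frozen=True)
class Policy:
    allowed_to: frozenset          # contracts the cold wallet may call
    allowed_recipients: frozenset  # wallets that may receive tokens
    max_amount: int


def encode_erc20_transfer(recipient: str, amount: int) -> str:
    return ERC20_TRANSFER + recipient[2:].rjust(64, "0") + format(amount, "x").rjust(64, "0")


def decode_erc20_transfer(data: str):
    """Return (recipient, amount), or None if the calldata is not a plain transfer."""
    if len(data) != 8 + 64 + 64 or data[:8] != ERC20_TRANSFER:
        return None
    return "0x" + data[8 + 24:8 + 64], int(data[8 + 64:], 16)


def check(intent: Intent, raw: RawTx, policy: Policy) -> list[str]:
    """Return every policy violation; an empty list means the tx may be signed."""
    violations = []
    if raw.operation != CALL:
        violations.append("DELEGATECALL: foreign code would run inside the wallet's own storage")
    if raw.to.lower() not in policy.allowed_to:
        violations.append(f"destination {raw.to} is not allowlisted")
    if (raw.to.lower(), raw.operation) != (intent.to.lower(), intent.operation):
        violations.append("raw transaction differs from what the signing screen displayed")
    if raw.data:
        decoded = decode_erc20_transfer(raw.data)
        if decoded is None:
            violations.append("calldata is not an allowlisted function call")
        else:
            recipient, amount = decoded
            if recipient.lower() not in policy.allowed_recipients:
                violations.append(f"token recipient {recipient} is not allowlisted")
            if amount > policy.max_amount:
                violations.append(f"amount {amount} exceeds the per-transaction limit")
            if (recipient.lower(), amount) != (intent.recipient.lower(), intent.amount):
                violations.append("decoded calldata differs from the displayed transfer")
    return violations


POLICY = Policy(frozenset({TOKEN}), frozenset({WARM}), max_amount=1_000_000)
SHOWN = Intent(to=TOKEN, operation=CALL, recipient=WARM, amount=250_000)
LEGIT = RawTx(to=TOKEN, operation=CALL, data=encode_erc20_transfer(WARM, 250_000))
# Spoofed screen: the signer still sees SHOWN, but the payload being signed
# delegatecalls an attacker contract, the kind of call that can rewrite the wallet.
SPOOFED = RawTx(to=ATTACKER, operation=DELEGATECALL, data="")
# Swapped recipient: same contract and operation, but the calldata pays someone else.
SWAPPED = RawTx(to=TOKEN, operation=CALL, data=encode_erc20_transfer(ATTACKER, 250_000))

if __name__ == "__main__":
    for name, tx in (("legit", LEGIT), ("spoofed", SPOOFED), ("swapped", SWAPPED)):
        print(f"{name:8}", check(SHOWN, tx, POLICY) or "OK")
```

The point of feeding both the displayed intent and the raw payload into the same check is that a spoofed front end can only lie about one of them; the comparison has to happen on a device or service the front end does not control.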
Lazarus Group’s increased sophistication
Nominis research suggests the Lazarus Group is refining its attack methods, potentially using front-end spoofing exploits and job scams to gain unauthorised access to exchange infrastructure. The Bybit attack appears to have been meticulously planned over a long period and relied on a sophisticated front-end spoofing exploit: signers were shown a legitimate-looking transaction while approving something else.
Employment scams in crypto attacks
Many domains linked to the Lazarus Group's activity are associated with employment scams. These scams trick victims into downloading malware disguised as recruitment tasks; the malware harvests credentials and enables deeper infiltration of crypto platforms.
Over 10,000 wallets are involved in laundering stolen funds
Nominis identified more than 10,000 wallets connected to laundering the stolen Bybit funds. Some of these wallets had been flagged as high-risk months before the attack, indicating a strong connection to pre-existing illicit activity.
Tracing Connections between old and new criminal wallets
By tracing a single TRON wallet connected to the Bybit hack five steps backward, Nominis Vue revealed links to wallets associated with terror financing, scams and high-risk exchanges, reinforcing that the launderers reuse pre-existing illicit networks.
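The backward trace described here is a bounded graph walk against the direction of money flow. The Python below is an added illustration of that technique, not Nominis Vue and not code from the original post. The transfer ledger, the wallet names (TRON-style placeholders beginning with T) and the pre-existing risk labels are all constructed; on real data the ledger would come from chain transfers and the labels from a risk database. It also shows the one caveat a five-step limit carries: a flagged wallet six hops back is simply not reported.

```python
from collections import deque

# Constructed transfer ledger (sender, receiver, amount). The addresses are
# placeholders, not real TRON wallets; hop counts are measured from THackOut.
TRANSFERS = [
    ("TOldScam", "TTerrorLinked", 100),   # 6 hops back: beyond a 5-step trace
    ("TTerrorLinked", "TLaunder1", 900),  # 5 hops
    ("TLaunder1", "TLaunder2", 900),      # 4 hops
    ("TLaunder2", "TLaunder3", 900),      # 3 hops
    ("THighRiskEx", "TLaunder3", 300),    # 3 hops
    ("TLaunder3", "TLaunder4", 1200),     # 2 hops
    ("TLaunder4", "THackOut", 1200),      # 1 hop
    ("THackOut", "TDeposit", 1200),       # downstream: never visited backward
]

# Risk labels that existed before the hack (constructed).
FLAGGED = {
    "TOldScam": "scam",
    "TTerrorLinked": "terror financing",
    "THighRiskEx": "high-risk exchange",
}


def trace_backward(transfers, target, flagged, max_hops=5):
    """Breadth-first walk from `target` toward its funding sources.

    Follows edges against the direction of money flow, at most `max_hops`
    deep, and returns each flagged wallet reached together with the path
    linking it to `target`. Addresses are visited once, so cycles terminate
    and each wallet is reported at its shortest distance.
    """
    senders = {}
    for src, dst, _amount in transfers:
        senders.setdefault(dst, set()).add(src)

    findings = []
    seen = {target}
    queue = deque([[target]])          # each entry is the path walked so far
    while queue:
        path = queue.popleft()
        if len(path) - 1 >= max_hops:  # hop budget exhausted on this branch
            continue
        for src in sorted(senders.get(path[-1], ())):
            if src in seen:
                continue
            seen.add(src)
            new_path = path + [src]
            if src in flagged:
                findings.append({"wallet": src, "label": flagged[src],
                                 "hops": len(new_path) - 1, "path": new_path})
            queue.append(new_path)
    return findings


if __name__ == "__main__":
    for hit in trace_backward(TRANSFERS, "THackOut", FLAGGED):
        print(f"{hit['hops']} hops back: {hit['wallet']} ({hit['label']}) "
              f"via {' <- '.join(hit['path'])}")
```

Raising `max_hops` to 6 surfaces the older scam wallet as well; in practice the depth is a trade-off between recall and the noise that deep walks through high-volume wallets introduce.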
Lazarus Group’s Tactics go beyond direct theft
The Lazarus Group does not only steal funds: it manipulates systems, exploits weaknesses, and leverages pre-existing criminal networks. The Bybit hack revealed that some of the wallets involved had been flagged for illicit activity months earlier, showing how the group combines past and present schemes to launder more effectively.
Security and Compliance require a holistic approach
There is no single security solution; protection comes from layers. Combining policy enforcement, transaction simulation, blockchain investigation and real-time threat intelligence is essential to protecting digital assets.
The crypto industry must stay proactive, not just reactive
The Bybit hack is a reminder that crypto security cannot be only about responding to attacks; it must involve continuous monitoring, intelligence sharing and proactive defence strategies.
The speed at which Nominis identifies suspicious wallets in real time and traces funds back highlights the importance of automated threat intelligence in preventing further damage.
Conclusion
The Bybit hack highlighted how cybercriminals are becoming increasingly sophisticated. This wasn’t just a simple protocol or bridge exploit—it was a meticulously planned operation executed over time. The attackers deployed multiple techniques and malware to craft a near-perfect replica of the legitimate multi-signature signing process, ultimately deceiving signers and draining funds.
This incident proves that basic security measures are no longer sufficient. Platforms need a holistic, multi-layered security approach that combines real-time threat detection, proactive monitoring, and robust defense mechanisms to ensure continuous protection against evolving threats.
2025 Bybit hack: FAQs
Q: What happened in the Bybit attack?
On 21 February 2025 Bybit, a cryptocurrency exchange, experienced a security breach leading to the theft of about 400,000 ETH - equivalent to just under $1.5 billion.
Q: Who is responsible for the Bybit attack?
The attack was carried out by the Lazarus Group, the crypto crime gang discussed above.
Q: How did hackers execute the Bybit attack?
During a routine transfer from a cold wallet to a warm wallet, the attackers used a front-end spoofing exploit that presented signers with a near-perfect replica of the legitimate multi-signature signing process, so the signers approved a transaction that drained the wallet. The operation was planned over a long period and the proceeds were laundered through pre-existing illicit networks, as described in the lessons above.
While we strive for accuracy in our content, we acknowledge that errors may occur. If you find any mistakes, please reach out to us at contact@nominis.io. Your feedback is appreciated!