QuantChainAnalysis/ Intelligence/ Bybit · Lazarus Group · Feb 2025
Case Study Enforcement · North Korea February 2026 · 8 min read

The $1.46 Billion Theft
That Happened in Plain Sight

Bybit had multi-signature security. Hardware signing. Three experienced reviewers. Lazarus Group ignored every layer and went straight for the interface between the key and the human who held it.

Stolen
$1,459,600,000
Perpetrator
Lazarus Group (DPRK)
Recovered
$0
1 SAFE{WALLET} FRONTEND JS COMPROMISED by Lazarus Group weeks before attack 2 BYBIT SIGNERS SEE FAKE UI 3 of 5 approve Everything looks legitimate 3 OWNERSHIP TRANSFERRED delegatecall exploit Wallet ownership silently transferred to Lazarus Group 4 $1.46 BILLION DRAINED 499,395 ETH swept in under 90 seconds Block #21888239 5 53 WALLETS DISPERSED Laundered across 6 chains over 8 months ⚡ QARS PRE-MEMPOOL GATE Would have intercepted at Step 3, before any ETH moved The only interception window: the Ethereum mempool, 12 seconds before block #21888239 confirmed.
← Back to Intelligence

On 21 February 2025, three senior Bybit employees approved what appeared to be a routine transaction. The Safe{Wallet} interface showed exactly what they expected: the right address, the familiar approval flow. One by one, they signed. Forty-seven seconds later, 499,395 ETH, approximately $1.46 billion, left Bybit's cold wallet and entered the control of the Lazarus Group, North Korea's premier cyber-theft unit. It was the largest single cryptocurrency theft in history. By the time any monitoring tool issued an alert, the transaction had settled on-chain. Irreversible. The blockchain recorded it as valid, because, by every cryptographic measure, it was.

// Critical Finding

The attacker did not breach Bybit's network. They compromised Safe{Wallet}'s deployment pipeline, the infrastructure serving the web interface to Bybit's signing team. The poison was in the JavaScript that loaded in Bybit's signers' browsers, not in the smart contract itself, which had been audited and was correct.

The Attack in Three Acts

Act I

Compromise the Developer Workstation

Lazarus did not attack Bybit directly. They attacked Safe{Wallet}'s build infrastructure. Specifically, they compromised the workstation of a developer maintaining Safe's JavaScript frontend. By the date of the attack, Lazarus had persistent access to the infrastructure serving the Safe{Wallet} web interface to Bybit's signing team. The injected payload was scoped specifically to Bybit's cold wallet address, deliberately narrow, to avoid the ecosystem-wide alerts that a broad compromise would have triggered.

Act II

The Surgical Payload

The signers saw everything expected: correct destination, expected amount, routine approval UI. In the actual calldata prepared for their signatures, a delegatecall substituted a malicious contract Lazarus had pre-deployed days earlier. This call replaced the entire implementation logic of Bybit's Safe wallet with attacker-controlled code. In a single atomic operation, what appeared to be a routine approval was, in reality, a silent ownership transfer. The moment the third signature landed, the wallet no longer belonged to Bybit.

Act III

The Drain

Milliseconds after the implementation swap confirmed, a second transaction was already staged. All 499,395 ETH swept in a single call to the staging address 0x47666Fab..., which immediately distributed funds across 53 fresh wallets. The entire operation, from the first signature to the last disbursement, took under 90 seconds.

"Every tool in the industry saw the Bybit drain. Every tool said the same thing: already settled. The blockchain had spoken. They were too late."

Praveen Giri, Founder · QuantChainAnalysis
Attack Timeline (Reconstructed)
  • Weeks prior
    Lazarus compromises a Safe{Wallet} developer workstation. The malicious JavaScript payload is prepared, targeting Bybit's cold wallet address specifically. A malicious implementation contract is pre-deployed to Ethereum mainnet.
  • 21 Feb · 14:30 UTC
    Signing session initiated. Three authorised signers open the Safe{Wallet} interface. The malicious JavaScript loads silently, indistinguishable from the legitimate frontend.
  • 21 Feb · 14:43–14:44 UTC
    All three signers approve. Multi-sig threshold met. The implementation swap broadcasts to the Ethereum mempool. Effective ownership of the wallet has transferred to Lazarus. This transaction was in the mempool for 12 seconds.
  • 21 Feb · 14:44:39 UTC
    The drain executes. 499,395 ETH sweeps to 0x47666Fab…. Block #21888239. Status: Success. $1.46 billion transferred in a single atomic call.
  • ~17:30 UTC
    CEO Ben Zhou appears live. Confirms the hack. Guarantees all customer funds made whole from company reserves. Lazarus attribution confirmed by Chainalysis and TRM Labs within 6 hours.
  • Feb – Oct 2025
    Eight months of laundering across 6 chains. ETH converted to BTC via THORChain, dispersed through OTC desks and protocol mixing. Total recovered: zero.
// The Twelve-Second Window

The drain transaction was in the Ethereum mempool for approximately 12 seconds before inclusion in a block. The destination address, the full ETH amount, and the deeply anomalous pattern of a complete cold wallet drain following an implementation change with zero precedent across 847 historical transactions, all visible to any observer. That 12-second window was the only moment where intervention was technically possible.

Impact

StakeholderImpactStatus (2026)
Bybit customers (~40M)Temporary exposure; withdrawal freezesMade whole, CEO pledge honoured in full
Bybit as entity$1.46B direct loss from company reservesOperational; reserves rebuilt over months
Safe{Wallet} ecosystemComplete loss of institutional trustRebuilt after independent audit
DPRK regime$1.46B unrestricted capital receivedLinked to ballistic missile programme financing

The North Korean dimension deserves emphasis. Lazarus Group does not steal for personal enrichment; the cryptocurrency programme funds the DPRK state's weapons development. The $1.46 billion from Bybit represents approximately 32% of all known DPRK cryptocurrency theft since 2017, directly linked to ballistic missile and nuclear programme financing according to the UN Panel of Experts.

// QCA Pre-Mempool Analysis (Reconstructed)

What the gate would have seen, in the mempool, before settlement.

The drain transaction carried a pattern no routine Bybit transaction had ever produced: a complete cold wallet balance sweep to an unrecognised address, immediately following an implementation contract replacement with zero historical precedent across 847 analysed transactions. Both signals were visible in the mempool before either was mined.

9.87
/ 10.00 (CRITICAL)
GATE DECISION: PRE-MEMPOOL BLOCK
  • Implementation contract modified, zero precedent in 847 tx history
  • Full balance sweep to address with no prior interaction
  • Destination OFAC cluster proximity score: 0.98
  • Lazarus Group operational pattern match: confidence 0.91
  • Biometric nullifier: NO MATCH, unknown actor, broadcast refused
OUTCOME: Transaction refused. Bybit cold wallet remains intact. $1,459,600,000 never leaves custody.

QCA's pre-mempool gating operates at precisely this layer, between a signed transaction and its broadcast to the validator network. Patent pending DE 10 2026 001 732.7.