Bybit had multi-signature security. Hardware signing. Three experienced reviewers. Lazarus Group ignored every layer and went straight for the interface between the key and the human who held it.
On 21 February 2025, three senior Bybit employees approved what appeared to be a routine transaction. The Safe{Wallet} interface showed exactly what they expected: the right address, the familiar approval flow. One by one, they signed. Forty-seven seconds later, 499,395 ETH, approximately $1.46 billion, left Bybit's cold wallet and entered the control of the Lazarus Group, North Korea's premier cyber-theft unit. It was the largest single cryptocurrency theft in history. By the time any monitoring tool issued an alert, the transaction had settled on-chain. Irreversible. The blockchain recorded it as valid, because, by every cryptographic measure, it was.
The attacker did not breach Bybit's network. They compromised Safe{Wallet}'s deployment pipeline, the infrastructure serving the web interface to Bybit's signing team. The poison was in the JavaScript that loaded in Bybit's signers' browsers, not in the smart contract itself, which had been audited and was correct.
Lazarus did not attack Bybit directly. They attacked Safe{Wallet}'s build infrastructure. Specifically, they compromised the workstation of a developer maintaining Safe's JavaScript frontend. By the date of the attack, Lazarus had persistent access to the infrastructure serving the Safe{Wallet} web interface to Bybit's signing team. The injected payload was scoped specifically to Bybit's cold wallet address, deliberately narrow, to avoid the ecosystem-wide alerts that a broad compromise would have triggered.
Act IIThe signers saw everything expected: correct destination, expected amount, routine approval UI. In the actual calldata prepared for their signatures, a delegatecall substituted a malicious contract Lazarus had pre-deployed days earlier. This call replaced the entire implementation logic of Bybit's Safe wallet with attacker-controlled code. In a single atomic operation, what appeared to be a routine approval was, in reality, a silent ownership transfer. The moment the third signature landed, the wallet no longer belonged to Bybit.
Milliseconds after the implementation swap confirmed, a second transaction was already staged. All 499,395 ETH swept in a single call to the staging address 0x47666Fab..., which immediately distributed funds across 53 fresh wallets. The entire operation, from the first signature to the last disbursement, took under 90 seconds.
"Every tool in the industry saw the Bybit drain. Every tool said the same thing: already settled. The blockchain had spoken. They were too late."
Praveen Giri, Founder · QuantChainAnalysis0x47666Fab…. Block #21888239. Status: Success. $1.46 billion transferred in a single atomic call.The drain transaction was in the Ethereum mempool for approximately 12 seconds before inclusion in a block. The destination address, the full ETH amount, and the deeply anomalous pattern of a complete cold wallet drain following an implementation change with zero precedent across 847 historical transactions, all visible to any observer. That 12-second window was the only moment where intervention was technically possible.
| Stakeholder | Impact | Status (2026) |
|---|---|---|
| Bybit customers (~40M) | Temporary exposure; withdrawal freezes | Made whole, CEO pledge honoured in full |
| Bybit as entity | $1.46B direct loss from company reserves | Operational; reserves rebuilt over months |
| Safe{Wallet} ecosystem | Complete loss of institutional trust | Rebuilt after independent audit |
| DPRK regime | $1.46B unrestricted capital received | Linked to ballistic missile programme financing |
The North Korean dimension deserves emphasis. Lazarus Group does not steal for personal enrichment; the cryptocurrency programme funds the DPRK state's weapons development. The $1.46 billion from Bybit represents approximately 32% of all known DPRK cryptocurrency theft since 2017, directly linked to ballistic missile and nuclear programme financing according to the UN Panel of Experts.
The drain transaction carried a pattern no routine Bybit transaction had ever produced: a complete cold wallet balance sweep to an unrecognised address, immediately following an implementation contract replacement with zero historical precedent across 847 analysed transactions. Both signals were visible in the mempool before either was mined.
QCA's pre-mempool gating operates at precisely this layer, between a signed transaction and its broadcast to the validator network. Patent pending DE 10 2026 001 732.7.