One year after the largest crypto theft in history, just $42 million of the $1.5 billion stolen by North Korea's Lazarus Group has been frozen.
February 21 marked one year since North Korea's Lazarus Group drained 401,347 ETH, worth $1.5 billion, from Bybit's cold wallet in the single largest crypto heist ever recorded.
On February 21, 2025, attackers injected malicious JavaScript into the Safe{Wallet} front-end interface through a compromised developer machine. The code altered transaction logic only when Bybit initiated a transfer from its Ethereum cold wallet, routing the funds to attacker-controlled addresses. The FBI officially attributed the attack to TraderTraitor, a subunit of North Korea's RGB 3rd Bureau.
Bybit restored full withdrawal functionality within 72 hours and implemented over 50 security upgrades. The exchange launched the LazarusBounty program, offering $140 million in rewards (10% of recovered funds) to anyone who could help trace or freeze the stolen assets. By the end of 2025, Bybit had grown from 50 million to 80 million registered users despite the incident.
One year on, the recovery numbers tell a sobering story. According to Bybit CEO Ben Zhou, only 3.54% of the stolen funds, roughly $42 million, have been frozen. Another 88.87% remains traceable but unfrozen, while 7.59% has disappeared into dark web mixing services. Bybit has paid out over $4 million in bounties, a fraction of the $140 million pool.
The hack dwarfed all previous crypto thefts combined in scale, surpassing the $611 million Poly Network exploit of 2021 by nearly 2.5 times. It also accelerated industry-wide conversations about supply chain security, particularly around front-end code integrity and multi-signature wallet implementations. The incident prompted several exchanges to adopt hardware-level transaction verification systems in the months that followed.
Chainalysis data shows that North Korea-linked groups were responsible for $2.02 billion in total crypto theft during 2025, with the Bybit hack accounting for 76% of all service compromises that year. As attackers continue to convert the remaining traceable funds through increasingly complex laundering routes, the effectiveness of cross-exchange coordination and blockchain analytics tools faces its biggest test yet.
Bybit's LazarusBounty program remains active. The exchange has urged other platforms to refuse deposits from flagged addresses and continues to work with law enforcement across multiple jurisdictions.
The Bybit hack reshaped how the crypto industry thinks about exchange security and state-sponsored threats. While the vast majority of funds remain unrecovered, the incident spurred meaningful improvements in cold wallet architecture and cross-industry cooperation. The situation continues to develop as tracing efforts push forward.
The largest US bank is assessing spot and derivatives trading services as regulatory clarity enables traditional finance to deepen crypto involvement.
Bitcoin's 50-day moving average crossed below the 200-day average on the 3-day chart for the first time since 2022, as oil prices surged over 35% amid Strait of Hormuz disruptions.
BTC stages dramatic 11% recovery after nearly breaching $60K, while market sentiment remains at extreme fear levels.
Disclaimer: News content is for informational purposes only and should not be considered financial advice. Market conditions can change rapidly. Always conduct your own research.
