Top Security Incidents of 2025: Lazarus Group’s Cryptocurrency Heist

February 16, 2026 | NSFOCUS

Event Summary

In February 2025, the North Korea-linked APT group Lazarus launched a highly sophisticated supply chain attack against the prominent cryptocurrency exchange Bybit, successfully stealing over 400,000 ETH and stETH—valued at approximately $1.5 billion. This incident marks the largest single security breach in the global cryptocurrency sector to date. The attack exposed critical vulnerabilities in software supply chains and human operational processes, even within multi-signature cold wallets, which are widely regarded as the industry’s gold standard for security.

Lazarus compromised the development environment of Safe{Wallet}, the smart contract wallet used by Bybit. The attackers initially gained control of a developer’s device through social engineering, subsequently accessing the company’s network and code deployment systems. During a routine update on February 19, the attackers injected malicious JavaScript files, distributing them via the official domain app.safe.global. The malicious script altered the wallet’s user interface and transaction logic: when Bybit operators initiated standard transfers from cold to hot wallets, the interface appeared normal, but the recipient address was secretly replaced with one controlled by the attackers. This deception tricked operators into unknowingly authorizing the malicious transactions.

Insight

Notably, this attack highlights a significant tactical upgrade by state-sponsored APT groups: their focus has shifted from targeting exchange systems directly to exploiting the underlying infrastructure those systems rely on. Their methods have evolved from brute-force attacks to the precise manipulation of “human-machine trust relationships.” Despite Bybit’s implementation of multi-signature protocols, the malicious code at the interface layer obscured the true details of the transactions. As a result, the final confirmation actions performed by reviewers on hardware wallets effectively became “blind signatures” for the fraudulent transactions.

This incident serves as a stark warning to the entire digital asset industry: while pursuing technical robustness, it is imperative to establish a “zero-trust” defense framework that spans the entire chain—from software development and distribution to operational execution. Additionally, cross-verification mechanisms independent of interface displays must be implemented for critical operations to counter the increasingly sophisticated supply chain and interaction-layer attacks.
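The following is an added example, not code from NSFOCUS, Bybit or the Safe project, of the kind of "cross-verification independent of the interface display" the paragraph above calls for and of the interface-layer substitution described in the Event Summary. It decodes the raw calldata of a Safe `execTransaction(...)` call (the bytes a hardware wallet is actually asked to sign) without trusting the web UI, recovers the real recipient of an inner ERC-20 `transfer`, and compares it against what the operator was shown and against an allowlist of approved hot wallets. The two 4-byte function selectors are the public ones for those Solidity signatures; every address, amount and the allowlist are constructed sample values, and the small ABI encoder exists only to build those samples offline.

```python
"""Out-of-band check of what a Safe execTransaction actually does.

Added example (not Safe, Bybit or NSFOCUS code). The idea: never decide
from the UI alone; decode the bytes being signed and compare.
"""
from dataclasses import dataclass

# 4-byte selectors: keccak256(signature)[:4] for the public Solidity signatures.
EXEC_TRANSACTION_SELECTOR = "6a761202"  # execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)
ERC20_TRANSFER_SELECTOR = "a9059cbb"    # transfer(address,uint256)
CALL, DELEGATECALL = 0, 1               # Safe "operation" values


def _pad32(b: bytes) -> bytes:
    return b.rjust(32, b"\x00")


def _addr_bytes(addr: str) -> bytes:
    return bytes.fromhex(addr.removeprefix("0x").lower())


def _u256(n: int) -> bytes:
    return n.to_bytes(32, "big")


def encode_erc20_transfer(recipient: str, amount: int) -> bytes:
    """Build the inner ERC-20 transfer(address,uint256) calldata (sample builder)."""
    return bytes.fromhex(ERC20_TRANSFER_SELECTOR) + _pad32(_addr_bytes(recipient)) + _u256(amount)


def encode_exec_transaction(to: str, value: int, data: bytes, operation: int) -> str:
    """ABI-encode execTransaction with zeroed gas fields and empty signatures (sample builder)."""
    data_padded = data + b"\x00" * (-len(data) % 32)
    head_size = 10 * 32                      # ten head slots, two of them offsets
    data_offset = head_size
    sigs_offset = head_size + 32 + len(data_padded)
    head = (_pad32(_addr_bytes(to)) + _u256(value) + _u256(data_offset) + _u256(operation)
            + _u256(0) * 3                   # safeTxGas, baseGas, gasPrice
            + _pad32(b"") * 2                # gasToken, refundReceiver (zero addresses)
            + _u256(sigs_offset))
    tail = _u256(len(data)) + data_padded + _u256(0)   # data, then empty signatures
    return "0x" + EXEC_TRANSACTION_SELECTOR + (head + tail).hex()


@dataclass
class SafeTx:
    to: str
    value: int
    operation: int
    inner: bytes   # the calldata the Safe will forward to `to`


def decode_exec_transaction(calldata_hex: str) -> SafeTx:
    """Decode the fields that decide where funds go, straight from the raw bytes."""
    raw = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if raw[:4].hex() != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction call")
    args = raw[4:]
    word = lambda i: args[32 * i:32 * (i + 1)]
    to = "0x" + word(0)[12:].hex()
    value = int.from_bytes(word(1), "big")
    off = int.from_bytes(word(2), "big")
    operation = int.from_bytes(word(3), "big")
    length = int.from_bytes(args[off:off + 32], "big")
    return SafeTx(to, value, operation, args[off + 32:off + 32 + length])


def effective_recipient(tx: SafeTx) -> str:
    """The account that really receives value: an ERC-20 transfer's `to`
    argument, otherwise the call target itself (plain ETH transfer)."""
    if tx.inner[:4].hex() == ERC20_TRANSFER_SELECTOR and len(tx.inner) >= 68:
        return "0x" + tx.inner[4 + 12:4 + 32].hex()
    return tx.to


def cross_verify(calldata_hex: str, displayed_recipient: str, allowlist: set[str]) -> list[str]:
    """Return findings (empty list means the bytes match what the operator saw)."""
    tx = decode_exec_transaction(calldata_hex)
    findings = []
    if tx.operation != CALL:
        findings.append(f"operation={tx.operation}: delegatecall in a routine transfer is unexpected")
    actual = effective_recipient(tx).lower()
    if actual != displayed_recipient.lower():
        findings.append(f"recipient mismatch: UI showed {displayed_recipient}, calldata sends to {actual}")
    if actual not in {a.lower() for a in allowlist}:
        findings.append(f"recipient {actual} is not an approved hot wallet")
    return findings


# Constructed sample values (not real addresses).
HOT_WALLET = "0x" + "11" * 20
ATTACKER = "0x" + "ee" * 20
TOKEN = "0x" + "22" * 20
ALLOWLIST = {HOT_WALLET}


def demo() -> tuple[list[str], list[str]]:
    """A legitimate cold-to-hot transfer beside one where the UI still shows
    HOT_WALLET but the bytes being signed pay ATTACKER."""
    legit = encode_exec_transaction(TOKEN, 0, encode_erc20_transfer(HOT_WALLET, 10**18), CALL)
    tampered = encode_exec_transaction(TOKEN, 0, encode_erc20_transfer(ATTACKER, 10**18), CALL)
    return cross_verify(legit, HOT_WALLET, ALLOWLIST), cross_verify(tampered, HOT_WALLET, ALLOWLIST)


if __name__ == "__main__":
    ok, bad = demo()
    print("legitimate:", ok or "no findings")
    print("tampered:  ", bad)
```

The check runs on a machine that has not loaded the wallet front-end, so a compromised `app.safe.global` bundle cannot influence it; operationally the raw calldata is copied from the hardware wallet's own display or from the signing request log, and a non-empty findings list blocks the signature. Flagging `operation != CALL` is included because a routine transfer never needs a delegatecall, and the allowlist catches a substituted recipient even when the attacker also tampers with what the reviewer believes was displayed.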