Web3 editor and analyst. I specialize in blockchain technology, smart contracts, and decentralized applications (dApps).
Ocean’s Eleven, but make it crypto. Bybit hit by a billion-dollar heist, showing that blockchain still requires a little BIT of a cognitive distance.

On February 21, 2025, the Bybit exchange was struck by a billion-dollar heist that underscored a critical point in blockchain security: despite its robust cryptographic foundations, blockchain technology is still vulnerable to sophisticated attacks.
This breach highlights a cognitive distance — a gap in understanding — between the perceived invulnerability of decentralized systems and the real-world complexities of securing them against increasingly advanced threat tactics. The heist was a stark reminder that, while blockchain is often hailed as secure, it still requires a nuanced understanding of the human and technical factors that leave these systems susceptible to attacks exploiting their complexity.
The connection between the Bybit and Phemex hacks has been established through on-chain analysis, specifically identifying the overlap address 0x33d057af74779925c4b2e720a820387cb89f8f65, which was involved in both incidents.
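The overlap-address linking described above can be reproduced as a bounded fund-flow trace: follow outgoing transfers from each incident's origin address for a limited number of hops and intersect the reachable address sets. The block below is an added example, not code from the post; its transfers are constructed sample data, and every address except the overlap address quoted above is a placeholder. It also shows the caveat analysts apply in practice: known high-traffic services (a DEX router here) must be excluded, or they show up as spurious links between unrelated flows.

```python
from collections import defaultdict, deque

# Overlap address quoted in the post (the only real identifier here).
OVERLAP = "0x33d057af74779925c4b2e720a820387cb89f8f65"

# Constructed sample transfers, NOT real chain data:
# (tx_hash, from_addr, to_addr, value_eth). Placeholders throughout.
SAMPLE_TRANSFERS = [
    ("0xtx01", "0xbybit_hot",   "0xattacker_a",   1000.0),
    ("0xtx02", "0xattacker_a",  "0xattacker_b",    600.0),
    ("0xtx03", "0xattacker_b",  OVERLAP,           600.0),
    ("0xtx04", "0xphemex_hot",  "0xattacker_c",     50.0),
    ("0xtx05", "0xattacker_c",  OVERLAP,            50.0),
    ("0xtx06", OVERLAP,         "0xdex_router",    640.0),
    ("0xtx07", "0xunrelated",   "0xdex_router",      1.0),
]


def build_outflow_graph(transfers):
    """Adjacency list keyed by sender: addr -> [(receiver, tx, value)]."""
    graph = defaultdict(list)
    for tx, src, dst, value in transfers:
        graph[src].append((dst, tx, value))
    return graph


def trace_forward(graph, origin, max_hops):
    """BFS along outgoing transfers; returns {addr: hop_distance},
    excluding the origin itself, for addresses within max_hops."""
    dist = {origin: 0}
    queue = deque([origin])
    while queue:
        cur = queue.popleft()
        if dist[cur] >= max_hops:
            continue
        for dst, _tx, _value in graph.get(cur, []):
            if dst not in dist:
                dist[dst] = dist[cur] + 1
                queue.append(dst)
    dist.pop(origin)
    return dist


def find_overlap(transfers, origin_a, origin_b, max_hops=3, ignore=frozenset()):
    """Addresses reachable from both origins, as (addr, hops_from_a, hops_from_b).
    `ignore` holds known shared services whose presence proves nothing."""
    graph = build_outflow_graph(transfers)
    reach_a = trace_forward(graph, origin_a, max_hops)
    reach_b = trace_forward(graph, origin_b, max_hops)
    common = (set(reach_a) & set(reach_b)) - set(ignore)
    return sorted((addr, reach_a[addr], reach_b[addr]) for addr in common)


if __name__ == "__main__":
    print(find_overlap(SAMPLE_TRANSFERS, "0xbybit_hot", "0xphemex_hot",
                       max_hops=4, ignore={"0xdex_router"}))
```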
Rather than exploiting traditional smart contract vulnerabilities, the attackers — suspected to be North Korea’s Lazarus Group — launched a highly refined social engineering campaign. North Korea-affiliated cyber adversaries have garnered infamy for their highly advanced and unyielding operational methodologies, frequently leveraging a multifaceted arsenal of state-sponsored cyber warfare tactics. These include the deployment of bespoke malware strains, intricate social engineering campaigns, and large-scale cryptocurrency exfiltration schemes, all strategically orchestrated to facilitate illicit financial flows, sustain clandestine economic operations, and systematically evade the constraints imposed by international sanctions regimes.
The Lazarus Group used advanced UI manipulation techniques to deceive authorized users, ultimately breaching the exchange’s multisig infrastructure. This evolution in attack methodology signals a paradigm shift in the nature of cyber threats targeting cryptocurrency exchanges, pushing the boundaries of what was once thought to be secure.
The significance of this breach becomes more apparent when we compare it to previous crypto-related thefts:
Bybit (2025): $1.38 billion
Phemex (2025): $69 million
WazirX (2024): $235 million
FTX (2022): $415 million
KuCoin (2020): $280 million
Coinbene (2019): $105 million
Coincheck (2018): $532 million
QuadrigaCX (2018): $190 million
Bitfinex (2016): 120,000 BTC
Mt. Gox (2011): 647,000 BTC
In the aftermath, Bybit moved swiftly to mitigate the damage, acquiring 446,870 ETH worth $1.23 billion through loans, large deposits, and Ether purchases. This response is emblematic of how the crypto market often operates under pressure to restore confidence, while simultaneously highlighting the need for enhanced security measures.
Changpeng Zhao, former CEO of Binance.
Blockchain, often seen as inherently secure due to its decentralized and cryptographic structure, is still vulnerable to attacks that exploit both technical flaws and the cognitive distance in user interactions with the technology. The Bybit breach serves as a reminder that security is not just about cryptography or decentralization but also about the human elements involved in managing these systems. The cognitive distance between the perceived safety of a decentralized system and the reality of attack vectors that manipulate human behavior remains a significant challenge.
The attack’s complexity — spanning UI spoofing, smart contract manipulation, and bypassing multisig protections — necessitates a multi-layered approach to security. As this breach clearly demonstrates, the crypto sector must reconcile the cognitive distance between the perceived and real-world security of blockchain systems, particularly as new, more sophisticated attack methodologies emerge.
Bybit, like many cryptocurrency exchanges, operates in an environment exposed to multifaceted risks. Its architecture, which incorporates high-frequency trading, custodial asset management, and smart contract-based financial instruments, creates potential attack surfaces vulnerable to both external cyber threats and internal security lapses. The cognitive distance between trust in blockchain technology and the sophistication of evolving attack techniques underscores the urgent need for comprehensive, human-aware security mechanisms in the crypto space.
The resurgence of cryptocurrency theft in 2024 underscores the escalating complexity of the threat landscape, necessitating a more adaptive and strategic approach to security. Although the scale of illicit asset exfiltration has yet to reach the unprecedented peaks observed in 2021 and 2022, the emerging attack patterns and evolving exploit methodologies reveal critical vulnerabilities within existing defense mechanisms. This resurgence highlights the urgency for the industry to fortify its security infrastructure, proactively addressing both the technical and procedural gaps that adversaries continue to exploit.
Mitigating these challenges demands a concerted effort across both the public and private sectors, fostering a collaborative security paradigm. Implementing real-time threat intelligence sharing, enhancing advanced forensic tracing capabilities, deploying proactive security automation, and integrating specialized training programs are essential measures to empower stakeholders. These strategies collectively enhance the industry’s ability to detect, neutralize, and preemptively counteract cyber threats, ensuring greater resilience against sophisticated adversarial tactics.
Simultaneously, the ongoing evolution of regulatory frameworks is poised to heighten scrutiny over platform security and custodial asset protection, compelling market participants to adhere to increasingly stringent compliance standards. As industry best practices undergo continuous refinement, organizations must not only implement robust preventative mechanisms but also ensure stringent accountability measures to maintain institutional integrity. Strengthening cross-sector alliances, deepening engagement with law enforcement agencies, and equipping security teams with cutting-edge investigative resources will be paramount in fostering an agile and responsive security ecosystem.
Beyond safeguarding individual assets, these initiatives serve a broader objective: cultivating trust and stability within the digital economy. As the cryptocurrency space matures, the reinforcement of its foundational security infrastructure will be instrumental in sustaining long-term market confidence and mitigating systemic risks associated with financial cybercrime.
Halt and catch fire (tea time). Chainalysis figures worth reaching for:
Total Stolen Funds in 2024
$2.2 billion in cryptocurrency stolen, a 21.07% increase from 2023.
303 individual hacking incidents, up from 282 in 2023.
The fifth year with over $1 billion stolen (2018, 2021–2023, 2024).
Mid-Year Shift in Trends
By July 2024, $1.58 billion had been stolen, an 84.4% increase over the same period in 2023.
Post-July, the upward trend slowed, with stolen amounts stabilizing, suggesting a potential change in hacking intensity.
Victim Platform Types
Decentralized Finance (DeFi) accounted for the largest share of stolen funds in Q1 2024.
Centralized services (e.g., exchanges) became the primary targets in Q2 and Q3.
Major hacks
DMM Bitcoin (May 2024): $305 million stolen, one of the largest crypto exploits ever.
WazirX (July 2024): $234.9 million stolen.
DMM Bitcoin shut down in December 2024, transferring assets to SBI VC Trade by March 2025.
Private Key Compromises
43.8% of stolen crypto traced to private key breaches, the largest single cause.
Centralized services’ reliance on private keys makes them vulnerable; their compromise has a devastating impact due to the volume of managed funds.
Hackers laundered funds via decentralized exchanges (DEXs), mining services, and mixing services to obscure trails.
North Korea’s Role
North Korea-linked hackers stole $1.34 billion across 47 incidents, a 102.88% increase from $660.5 million across 20 incidents in 2023.
Accounted for 61% of total stolen funds and 20% of incidents in 2024.
Funds reportedly used to finance weapons programs, bypassing international sanctions.
Larger hacks (over $50 million) were more frequent in 2024, indicating improved efficiency.
Geopolitical Influence
Hacking slowed after a June 2024 summit between Russia’s Vladimir Putin and North Korea’s Kim Jong Un.
Possible correlation: North Korea may have received alternative funding from Russia, reducing reliance on crypto theft.
Laundering Techniques
After private key breaches, attackers used Bitcoin CoinJoin Mixing Service, bridging services, and Huione Guarantee (a Cambodian marketplace tied to cybercrime) to launder funds.
Huione Guarantee processed a portion of the DMM Bitcoin hack proceeds.
Security Implications
Shift from DeFi to centralized services highlights the need for better private key security.
Emerging predictive technologies and real-time threat detection are seen as critical to preventing future hacks.