Bybit, one of the world's largest cryptocurrency derivatives exchanges, confirmed that attackers successfully stole approximately $47 million in digital assets from its hot wallet infrastructure. The attack exploited weaknesses in the exchange's multi-signature wallet implementation.
How the Attack Unfolded
Blockchain analytics firm Chainalysis was engaged to trace the stolen funds. Attackers gained access to private key material for two of the three signers required to authorize transactions from Bybit's main hot wallet. Because two of three keys meet the wallet's signing threshold, the attackers could authorize withdrawal transactions directly, draining the wallet in 23 transactions over approximately 90 minutes before the security team detected the anomaly.
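Once the signing threshold is met, the multisig itself offers no further protection; the remaining control is spotting the outflow pattern quickly. A per-wallet withdrawal velocity check is one way to surface a burst like the 23 transactions in 90 minutes described above. The following is an added example, not Bybit's tooling; the thresholds, timestamps and amounts are constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Per-hot-wallet policy thresholds (assumed values, not Bybit's actual limits).
WINDOW = timedelta(minutes=30)
MAX_TX_PER_WINDOW = 5
MAX_USD_PER_WINDOW = 2_000_000


def detect_drain(withdrawals, window=WINDOW,
                 max_tx=MAX_TX_PER_WINDOW, max_usd=MAX_USD_PER_WINDOW):
    """Sliding-window velocity check over (timestamp, usd_amount) withdrawals.

    Returns one alert tuple (timestamp, tx_count_in_window, usd_in_window)
    for every withdrawal at which either threshold is exceeded.
    """
    recent = deque()   # withdrawals that fall inside the current window
    total = 0.0
    alerts = []
    for ts, usd in sorted(withdrawals):
        recent.append((ts, usd))
        total += usd
        # Evict entries older than the window before evaluating thresholds.
        while recent and ts - recent[0][0] > window:
            _, old = recent.popleft()
            total -= old
        if len(recent) > max_tx or total > max_usd:
            alerts.append((ts, len(recent), round(total, 2)))
    return alerts


# Constructed sample data: six routine withdrawals (one per hour), then a
# burst of 23 withdrawals spaced 4 minutes apart, mimicking the drain.
T0 = datetime(2024, 1, 1, 0, 0)
NORMAL = [(T0 + timedelta(hours=h), 150_000.0) for h in range(6)]
BURST_START = T0 + timedelta(hours=8)
BURST = [(BURST_START + timedelta(minutes=4 * i), 250_000.0) for i in range(23)]
SAMPLE = NORMAL + BURST


def minutes_to_first_alert(withdrawals):
    """Minutes between the first withdrawal and the first alert, or None."""
    alerts = detect_drain(withdrawals)
    if not alerts:
        return None
    start = min(ts for ts, _ in withdrawals)
    return (alerts[0][0] - start).total_seconds() / 60


if __name__ == "__main__":
    print("routine traffic alerts:", detect_drain(NORMAL))
    print("burst first alert (min after burst start):", minutes_to_first_alert(BURST))
```

With these thresholds the burst is flagged on its sixth transaction, 20 minutes in, rather than 90 minutes later; in production the limits would be derived from each wallet's historical baseline.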
Stolen Assets
The $47 million loss consists of:
Attack Vector: Supply Chain Compromise
Forensic analysis revealed that two of Bybit's three hot wallet signing servers had been compromised three weeks prior via a supply chain attack on a third-party hardware security module (HSM) management software update. The malicious update included a backdoor that silently exfiltrated private key fragments when the signing software authorized legitimate transactions.
Funds Movement
The stolen funds were immediately moved through rapid swaps across decentralized exchanges (DEXs) and bridged across multiple blockchains using cross-chain bridges to obscure the trail. Chainalysis flagged destination wallets across Ethereum, BNB Chain, and Polygon.
Attribution
The attack methodology bears strong similarities to techniques used by the Lazarus Group (APT38), the North Korean state-sponsored threat actor responsible for an estimated $3+ billion in cryptocurrency theft. Formal attribution is pending.
Customer Impact
Bybit stated that customer funds are protected by its $2 billion proof-of-reserves fund and that all withdrawals remain operational. The exchange has engaged law enforcement in the UAE, US, and South Korea.