The Bybit Heist: How North Korea Stole 1.5 Billion in 47 Minutes
February 21, 2025. Shortly after 2:00 PM Coordinated Universal Time.

Inside the operations center of Bybit — a cryptocurrency exchange headquartered in Dubai, handling tens of billions of dollars in daily trading volume — a scheduled transfer begins.

Four hundred one thousand three hundred forty-seven Ethereum tokens. Approximately one point five billion dollars at that moment. The transfer is routine: from Bybit's Ethereum cold wallet, a Safe multisignature contract whose signing keys live on hardware devices kept away from day-to-day systems, to a warm wallet used for operational liquidity.

Three senior Bybit employees are required to authorize the transaction. They open the Safe{Wallet} interface on their workstations. They review the destination address. They review the transaction details. Everything matches the expected operation.

They sign.

One minute later, four hundred one thousand Ethereum tokens are gone.

Not transferred to the warm wallet. Transferred to an address controlled by North Korea.

No passwords were stolen. No private keys were extracted. No credentials were phished. Bybit's own infrastructure was not compromised. The three signers did exactly what their procedures instructed them to do. What they saw on their screens, they approved.

What they saw on their screens was a lie.

This is the largest single cryptocurrency theft ever recorded, and Guinness World Records lists it as such. By dollar value it also exceeds the roughly one billion dollars Saddam Hussein had withdrawn from Iraq's central bank in 2003, the previous benchmark for the largest bank robbery.

It was executed by changing a single file on a website.

The attack did not target Bybit directly.

Bybit's infrastructure — servers, employee workstations, signing hardware, internal networks — was never penetrated. Every subsequent forensic investigation, conducted by independent firms Sygnia and Verichains, confirmed the same finding. Bybit was not hacked.

The company that was hacked was Safe — formerly Gnosis Safe — the most widely used multisignature wallet platform in the Ethereum ecosystem. Safe maintains the web interface at app.safe.global through which most institutional Ethereum holders manage multi-party authorization of large transactions.

Safe's engineering team numbers approximately thirty people. Among them, a small group of system administrators have permissions to modify the live production codebase and the deployed web interface.

Roughly two and a half weeks before February 21, one of those system administrators is targeted.

The vector is consistent with the playbook of the North Korean unit internally tracked by the Federal Bureau of Investigation as TraderTraitor. The unit is a subcomponent of the broader Lazarus Group, operating out of the Third Bureau of North Korea's Reconnaissance General Bureau.

The specific technique is not publicly disclosed by Safe or by investigators. Most likely: a highly targeted social engineering approach, routing through a LinkedIn contact, a developer forum, or a technical collaboration pretext. The administrator downloads what appears to be a legitimate technical artifact. The artifact contains malware.

The malware steals AWS session tokens. Not long-lived credentials — the temporary authentication tokens that Safe's developers use during their normal workday to access Amazon Web Services, where Safe's web interface is hosted.

With those tokens, the attackers gain access to Safe's AWS account.

They do not extract data. They do not deploy ransomware. They do not attempt lateral movement through the infrastructure.

They modify one JavaScript file.

The file served from Safe's Amazon S3 storage bucket is part of the frontend JavaScript that renders the transaction approval interface in every user's browser, Bybit's signers' included.

The modified version contains what forensic investigators later describe as conditional malicious logic.

For the vast majority of Safe users — ordinary holders, other exchanges, decentralized finance projects — the modified JavaScript behaves identically to the legitimate version. The interface renders normally. Transactions process as expected. Nothing looks wrong.

The malicious code executes only when specific conditions are met.

Those conditions are engineered precisely for Bybit.

The code checks one thing: is the Safe being operated one of a handful of hardcoded wallet addresses, Bybit's Ethereum cold wallet among them? If not, it does nothing.

If it is, the malicious JavaScript intercepts the transaction between the display and the signing request. It rewrites the payload: the destination contract, the calldata, and the operation type. What the signers see on their screen, destination address, amount, operation type, remains visually identical to the legitimate intended transfer.

What they are actually signing is a `delegatecall` to a contract controlled by North Korea.

In Ethereum, `delegatecall` is a primitive that lets one contract run another contract's code in the caller's own context: same storage, same balance, same address. A Safe wallet is a thin proxy whose storage holds the address of the implementation it forwards to, along with its owners and signing threshold. When signers approve a transaction whose operation field is `delegatecall`, they are not transferring funds. They are letting the called contract write anywhere in the wallet's storage, including the slot that decides which code the wallet runs.

By approving what they believe is a routine transfer, the three Bybit signers grant a North Korean-controlled contract total ownership of their cold wallet.
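To make the `delegatecall` point concrete, here is an added simulation in plain JavaScript. It is not Safe's code and not taken from the forensic reports: a proxy-style wallet, a legitimate implementation that enforces a signature threshold, and an attacker contract whose `transfer(to, amount)` function is shaped like an ERC-20 transfer but writes `to` into storage slot 0. The bait function, the addresses, and the threshold are this model's assumptions; the lesson is what the same approved payload does under `operation = 0` (CALL) versus `operation = 1` (DELEGATECALL).

```javascript
// Added simulation (not Safe's code): what a proxy wallet's "operation" flag decides.
// Placeholder addresses for the model; none are the real ones.
const CALL = 0;          // Safe operation 0: ordinary call, callee keeps its own storage
const DELEGATECALL = 1;  // Safe operation 1: callee's code runs with the WALLET's storage

const PROXY = "0xWALLET";           // the multisig proxy holding the funds
const SAFE_SINGLETON = "0xSAFE";    // legitimate wallet implementation (owners, threshold, sigs)
const ATTACKER_CONTRACT = "0xBAIT"; // token-shaped contract whose transfer() writes slot 0
const ATTACKER_IMPL = "0xEVIL";     // replacement implementation with no signature checks
const ATTACKER_EOA = "0xDPRK";
const SIGNER = "0xSIGNER";

class World {
  constructor() { this.code = new Map(); this.storage = new Map(); this.balances = new Map(); }
  deploy(addr, code) { this.code.set(addr, code); this.storage.set(addr, new Map()); }
  balanceOf(addr) { return this.balances.get(addr) ?? 0n; }
  // Execute `fn` of the code at `codeAddr` against the storage and balance of `ctxAddr`.
  run(codeAddr, ctxAddr, fn, args, sender) {
    const code = this.code.get(codeAddr);
    if (!code) throw new Error(`no code at ${codeAddr}`);
    const handler = code[fn] ?? code.fallback;
    if (!handler) throw new Error(`${codeAddr} has no ${fn}`);
    const ctx = { world: this, self: ctxAddr, storage: this.storage.get(ctxAddr), sender, fn, args };
    return handler(ctx, ...args);
  }
  call(from, to, fn, args) { return this.run(to, to, fn, args, from); }          // callee's context
  delegatecall(from, to, fn, args) { return this.run(to, from, fn, args, from); } // caller's context
}

// The proxy forwards everything by DELEGATECALL to the implementation stored in slot 0.
const proxyCode = {
  fallback: (ctx) => ctx.world.delegatecall(ctx.self, ctx.storage.get(0), ctx.fn, ctx.args),
};

// Legitimate implementation: enforce the signature threshold, then execute as requested.
const safeCode = {
  execTransaction: (ctx, tx, signatures) => {
    if (signatures.length < ctx.storage.get("threshold")) throw new Error("threshold not met");
    if (tx.operation === CALL) return ctx.world.call(ctx.self, tx.to, tx.fn, tx.args);
    if (tx.operation === DELEGATECALL) return ctx.world.delegatecall(ctx.self, tx.to, tx.fn, tx.args);
    throw new Error("unknown operation");
  },
};

// Bait: same shape as ERC-20 transfer(to, amount), but the body moves no tokens.
// It writes `to` into slot 0 of whatever storage it is executed against.
const baitCode = {
  transfer: (ctx, to, _amount) => { ctx.storage.set(0, to); },
};

// Replacement implementation: no owners, no threshold, one function to drain the wallet.
const evilImplCode = {
  sweepETH: (ctx, receiver) => {
    const amount = ctx.world.balanceOf(ctx.self);
    ctx.world.balances.set(ctx.self, 0n);
    ctx.world.balances.set(receiver, ctx.world.balanceOf(receiver) + amount);
    return amount;
  },
};

const FUNDS = 401347n * 10n ** 18n; // wei; the page's 401,347 ETH

// Run the approved transaction with the given operation flag, then let the attacker try to drain.
function demo(operation) {
  const w = new World();
  w.deploy(PROXY, proxyCode);
  w.deploy(SAFE_SINGLETON, safeCode);
  w.deploy(ATTACKER_CONTRACT, baitCode);
  w.deploy(ATTACKER_IMPL, evilImplCode);
  w.storage.get(PROXY).set(0, SAFE_SINGLETON); // wallet points at the legitimate implementation
  w.storage.get(PROXY).set("threshold", 3);
  w.balances.set(PROXY, FUNDS);

  // The payload that reached the chain: a zero-value "transfer" to the bait contract.
  const tx = { to: ATTACKER_CONTRACT, fn: "transfer", args: [ATTACKER_IMPL, 0n], operation };
  w.call(SIGNER, PROXY, "execTransaction", [tx, ["sig1", "sig2", "sig3"]]);

  // Attacker now calls the wallet directly, presenting no signatures at all.
  let swept = 0n;
  try { swept = w.call(ATTACKER_EOA, PROXY, "sweepETH", [ATTACKER_EOA]); }
  catch (_) { /* the legitimate implementation has no sweepETH: drain fails */ }

  return {
    implementation: w.storage.get(PROXY).get(0),
    walletBalance: w.balanceOf(PROXY),
    attackerBalance: w.balanceOf(ATTACKER_EOA),
    swept,
  };
}

console.log("operation=CALL        ", demo(CALL));
console.log("operation=DELEGATECALL", demo(DELEGATECALL));
```

Under CALL the bait contract only scribbles on its own slot 0 and the wallet is untouched. Under DELEGATECALL the same bytes overwrite the wallet's implementation pointer, and the next caller, with no signatures, is running attacker code against the wallet's balance. Nothing in the signature check helps, because the signatures were valid for exactly this payload.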

The attacker then drains it.

Four hundred one thousand three hundred forty-seven Ethereum tokens. One point five billion dollars.

All three signers had multifactor authentication enabled. All three signed with hardware wallets. None of that mattered. The deception happened at the layer above authentication: the layer where the signer's own eyes interpret what the signer is being asked to approve.

Two minutes after the transaction lands on the Ethereum mainnet, the malicious JavaScript on Safe's website is deleted.

The modified file is replaced with the legitimate version. Any subsequent visitor to app.safe.global receives clean code. The evidence is gone from the live environment.

But Safe's infrastructure is not the only place the file was served. The Wayback Machine, the Internet Archive's public archive of the web, had captured the malicious version during its active deployment window. When investigators reconstruct the attack, the archived file becomes central forensic evidence. The attackers' cleanup reached their own bucket, not the copies a public crawler had already taken.

Bybit's detection systems flag the anomaly within minutes. CEO Ben Zhou publicly confirms the theft within hours. Blockchain analysis firms begin tracing the stolen Ethereum in real time.

The laundering operation has already started.

North Korea's cryptocurrency laundering methodology is mature.

Within the first forty-eight hours after the theft, blockchain analysts estimate that approximately one hundred sixty million dollars in Ethereum is successfully laundered through decentralized exchanges and cross-chain bridges. The assets are converted, fragmented, mixed through privacy protocols, and reconstituted across thousands of blockchain addresses.

The preferred conversion target is Bitcoin.

Bitcoin's transaction model uses Unspent Transaction Outputs: every payment consumes whole outputs and creates new ones, much like handing over and receiving physical notes. Stolen value can be split and merged across thousands of outputs and addresses, so a forensic trace has to follow every branch of that graph rather than a single account balance, and mixing services exploit exactly that.

TraderTraitor converts most of the stolen Ethereum to Bitcoin within about ten days.

The FBI issues a public service announcement on February 26, 2025 — five days after the attack — formally attributing the theft to North Korea. The bureau releases fifty-one Ethereum addresses identified as part of the laundering infrastructure. It calls on exchanges, decentralized finance platforms, and blockchain intelligence firms to block transactions derived from those addresses.

The attribution is rapid by the standards of nation-state cyberattack investigations. It is enabled by pattern matching.

The addresses used to move Bybit's stolen funds overlap, at specific points, with addresses used in prior cryptocurrency thefts: the January 2025 Phemex theft, the 2024 BingX theft, the 2023 Poloniex theft. Blockchain intelligence firms Elliptic and TRM Labs, along with independent investigator ZachXBT, establish the overlaps within days.

The same operators are running the same laundering infrastructure across repeated heists. The infrastructure is the signature.

Context for the scale.

According to multiple blockchain intelligence firms, the Lazarus Group and its subcomponents have stolen, over a multi-year period, well over six billion dollars in cryptocurrency. North Korean-linked theft came to roughly one point three billion dollars in 2024 and, with Bybit alone accounting for most of it, passed two billion dollars in 2025.

Bybit's one point five billion dollars, taken in a single operation, is nearly five times the next-largest single heist: the 2024 theft of roughly three hundred million dollars from Japan's DMM Bitcoin exchange.

The funds flow, through laundering networks, into accounts controlled by the Democratic People's Republic of Korea government. Treasury Department designations have established repeatedly that these accounts finance North Korea's weapons programs, including ballistic missile development and its nuclear program.

Bybit, for its part, survives. The company is solvent. Within hours of the theft, CEO Ben Zhou arranges bridge loans and strategic inflows from other institutional holders to replenish reserves. Customer funds remain protected. No user lost deposited assets.

The exchange launches a recovery bounty program, offering up to ten percent of any funds recovered to those who help trace or seize them.

The vast majority of the stolen Ethereum has not been recovered.

The unresolved elements of this case file are structural.

Bybit did nothing wrong by the standards of cryptocurrency custody best practices. It kept its reserves in cold storage. It required multisignature authorization for transfers. It used a reputable third-party interface provider. It gave its signers hardware wallets. Every defensive control the industry recommends, Bybit implemented.

The attack bypassed all of them by compromising a layer outside Bybit's control.

Safe, the interface provider, serves thousands of institutional clients. Any of those clients could have been the target. Bybit was selected because the attackers had, through their initial reconnaissance, identified its cold wallet addresses and transaction patterns in advance. The conditional JavaScript was engineered around those specific data points.

The underlying architectural weakness is general, not specific.

Any web interface used for signing cryptocurrency transactions is, by definition, a potential point of display manipulation. If the interface can be subtly modified — through compromise of its hosting infrastructure, its content delivery network, its source code repository, or its deployment pipeline — a signer cannot, in most implementations, independently verify what they are actually signing.

Hardware wallets with their own display are a partial mitigation. But a Safe transaction is signed as a hash of its fields, and most hardware wallets cannot decode that structure, let alone a `delegatecall`, into anything human-readable. They show the raw hash and ask the user to blind-sign it. A user staring at a sixty-four-character hexadecimal string cannot verify its meaning by inspection, unless they have computed that hash independently from a trusted copy of the intended transaction.

The user has to trust the interface.
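Unless the check never consults the interface. For both the earlier point that the deception sat above authentication and the point here that the user has to trust the screen, the following added example (not Safe's or Bybit's code) simulates a frontend that lies only to listed wallet addresses, and a pre-signing check that compares the payload handed to the wallet against an out-of-band copy of the intended transaction and a cold-wallet policy. Addresses, the nonce and the policy are placeholders, and a canonical JSON string stands in for the EIP-712 transaction hash that real Safe signing would compare.

```javascript
// Added simulation (not Safe's or Bybit's code): a signing frontend that lies only to
// listed wallets, and a pre-signing check that never trusts the screen.
// Addresses, nonce and policy are placeholders.
const BYBIT_COLD = "0xCOLD";        // the targeted multisig
const WARM_WALLET = "0xWARM";       // the intended destination
const ATTACKER_CONTRACT = "0xBAIT"; // attacker contract the payload is redirected to
const ATTACKER_IMPL = "0xEVIL";
const CALL = 0, DELEGATECALL = 1;

// Hardcoded trigger list: everyone else gets the honest behaviour.
const TARGETED_SAFES = new Set([BYBIT_COLD, "0xANOTHERTARGET"].map((a) => a.toLowerCase()));

// The human-readable summary a signer sees on screen.
function render(tx) {
  const op = tx.operation === CALL ? "Call" : "DelegateCall";
  return `${op} from ${tx.safe}: ${tx.value} wei to ${tx.to}, data=${tx.data}`;
}

// Honest frontend: what is shown and what is signed describe the same transaction.
function honestFrontend(tx) {
  return { view: render(tx), payload: { ...tx } };
}

// Backdoored frontend: identical to the honest one unless the Safe is on the list,
// in which case the view is rendered from the original but the payload is swapped.
function backdooredFrontend(tx) {
  if (!TARGETED_SAFES.has(tx.safe.toLowerCase())) return honestFrontend(tx);
  const payload = {
    ...tx,
    to: ATTACKER_CONTRACT,
    value: "0",
    data: `transfer(${ATTACKER_IMPL},0)`, // ERC-20-shaped calldata, see the delegatecall discussion
    operation: DELEGATECALL,
  };
  return { view: render(tx), payload };
}

// Canonical form of a Safe transaction, built from its fields and never from the UI.
// Real Safe signing hashes these fields under EIP-712; a string stands in for that here.
function canonical(tx) {
  return JSON.stringify({
    safe: tx.safe.toLowerCase(), to: tx.to.toLowerCase(), value: String(tx.value),
    data: tx.data, operation: Number(tx.operation), nonce: Number(tx.nonce),
  });
}

// Independent pre-signing check. `intended` is the transaction from an out-of-band source
// (the operations runbook); `payload` is what the wallet is about to be asked to sign.
function checkBeforeSigning(intended, payload, policy) {
  const findings = [];
  if (canonical(intended) !== canonical(payload)) findings.push("payload differs from intended transaction");
  if (payload.operation !== CALL) findings.push("operation is DELEGATECALL; cold-wallet policy allows CALL only");
  if (!policy.allowedDestinations.has(payload.to.toLowerCase())) findings.push(`destination ${payload.to} not on allow-list`);
  return findings;
}

// Drive one signing session for `safe` through `frontend` and report what the check finds.
function demo(frontend, safe = BYBIT_COLD) {
  const intended = { safe, to: WARM_WALLET, value: "401347000000000000000000", data: "0x", operation: CALL, nonce: 42 };
  const policy = { allowedDestinations: new Set([WARM_WALLET.toLowerCase()]) };
  const { view, payload } = frontend(intended);
  return { view, screenLooksRight: view === render(intended), findings: checkBeforeSigning(intended, payload, policy) };
}

console.log(demo(honestFrontend));
console.log(demo(backdooredFrontend));            // screen identical, three findings
console.log(demo(backdooredFrontend, "0xOTHER")); // not targeted: clean
```

The screen comparison passes in the tampered session, which is the whole attack; only the comparison against the runbook copy and the policy rules fail. In practice that means the check has to run on a machine that did not load the frontend, or at least from a source of truth the frontend cannot rewrite, and the cold-wallet policy should reject `delegatecall` outright.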

North Korea demonstrated, on February 21, 2025, the cost of that trust.

Fragment Zero will track the case file.

The stolen funds continue to fragment across the global blockchain. Portions remain static in addresses that have been tagged and sanctioned. Portions continue to move. The FBI's fifty-one identified addresses have grown to several hundred, across multiple chains.

The developer at Safe whose machine was compromised has not been publicly named. The specific social engineering vector used to reach him has not been publicly detailed.

The Lazarus Group continues to operate. In the months following the Bybit theft, smaller but still substantial thefts — measured in tens of millions of dollars — have been attributed to the same infrastructure.

The deeper question is not whether cryptocurrency can be stolen.

The deeper question is how much financial infrastructure now relies on a small number of open-source interface projects — maintained by small teams, updated through live deployment pipelines, consumed through web browsers — that sit between billions of dollars in assets and the humans authorizing them.

In this case, the number of people who could have prevented the largest theft in history was one. And he clicked on something.