In the Bybit hack on Feb. 21, 2025, attackers stole crypto assets worth $1.4 billion. As institutional investors increasingly seek to engage with crypto and tokenized assets, understanding cyber resilience in this space is critical.
What Happened
Crypto exchange Bybit suffered the largest heist in crypto history. On Feb. 21, 2025, the attackers--allegedly the North Korean state-sponsored Lazarus group--stole approximately $1.4 billion in crypto assets from the exchange's wallet. Previously, the largest crypto hacks targeted vulnerabilities in smart contract code or in cross-chain bridges (applications that transfer tokens from one blockchain to another). This hack follows a more recent trend: rather than attacking the on-chain setup itself, it targets the people and equipment operating wallets through conventional off-chain cyberattacks. The transfers sending funds to the attackers were all approved by senior Bybit staff who acted as signers.
Why It Matters
Not your keys, not your crypto. Hackers stole assets from a wallet that belonged to Bybit and on which customer assets were commingled--which explains the large asset balance on a single wallet. This commingled setup supports centralized exchanges' order book trading model and is convenient for customers, as they do not need to manage their own keys. However, it exposes customers to the exchange's bankruptcy risk and operational risk. Investors holding digital assets can mitigate these risk exposures by using non-custodial wallets. With a non-custodial wallet, a wallet provider creates the technical setup, but the investor retains ownership of the assets and the keys. The provider may be an exchange or a more specialized entity. Multi-signature transaction approval can also reduce cyber vulnerability, although Bybit already had this in place.
Cyber resilience is key to prevent or reduce the effects of attacks on tokenized transactions. Common approaches to reducing the likelihood of a successful attack include:
- Whitelisting wallets before they can interact with a transaction's smart contract;
- Using a modular smart contract design, with different contracts for different steps in the transaction, which limits the effect of an attack on, or an interruption of, any one of the contracts; and
- Splitting smart contract administration rights across multiple roles and entities, again to limit the effect of an attack that takes control of one role in the setup.
Additionally, tokenization applications in financial markets often include the ability for a token issuer to freeze or cancel tokens in the event of loss or theft. They also place an obligation on issuers to maintain back-up books and records that can help restore token ownership in such events.
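To make the three controls above and the issuer's freeze/cancel ability concrete, here is an added Solidity sketch (example code, not from the report, Bybit or any named project): the whitelist lives in its own contract with its own administrator, and the token contract splits issuing, freezing and whitelist administration across three distinct addresses. The contract names, role names and function signatures are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Whitelist kept in its own contract (modular design) with its own administrator;
// the token contract only reads it. Contract name and roles are assumed for this sketch.
contract Whitelist {
    address public immutable admin;
    mapping(address => bool) public allowed;
    constructor(address admin_) { admin = admin_; }
    function setAllowed(address account, bool ok) external {
        require(msg.sender == admin, "Whitelist: not admin");
        allowed[account] = ok;
    }
}

// Token whose transfers require both parties to be whitelisted and whose
// administration is split across three roles held by different entities.
contract ResilientToken {
    Whitelist public immutable whitelist;
    address public immutable issuer;  // may mint and cancel (burn) tokens
    address public immutable freezer; // may freeze or unfreeze accounts
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public frozen;
    constructor(Whitelist whitelist_, address issuer_, address freezer_) {
        address wlAdmin = whitelist_.admin();
        require(issuer_ != freezer_ && issuer_ != wlAdmin && freezer_ != wlAdmin, "roles must differ");
        whitelist = whitelist_; issuer = issuer_; freezer = freezer_;
    }
    modifier only(address role) { require(msg.sender == role, "wrong role"); _; }
    function mint(address to, uint256 amount) external only(issuer) {
        require(whitelist.allowed(to), "recipient not whitelisted");
        balanceOf[to] += amount;
    }
    // After a loss or theft: the freezer freezes the account, then the issuer cancels
    // the tokens and re-issues them to the rightful owner from its back-up records.
    function cancel(address from, uint256 amount) external only(issuer) {
        require(frozen[from], "account must be frozen first");
        balanceOf[from] -= amount; // checked arithmetic reverts on underflow
    }
    function setFrozen(address account, bool state) external only(freezer) {
        frozen[account] = state;
    }
    function transfer(address to, uint256 amount) external {
        require(!frozen[msg.sender] && !frozen[to], "account frozen");
        require(whitelist.allowed(msg.sender) && whitelist.allowed(to), "not whitelisted");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
    }
}
```

Deploy Whitelist first, then pass its address plus two further, distinct addresses to ResilientToken; compromising any single one of the three roles does not allow an attacker to both unfreeze and move funds.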
Crypto thieves require off-ramps to cash out. To use stolen assets, an attacker must convert these to fiat currency, which requires a centralized exchange. On-chain analytics enable market participants and law enforcement to monitor the movement of stolen assets. As regulatory frameworks mature globally, compliant exchanges will monitor these stolen assets and will not convert them. Illicit exchanges that will support this activity remain but are becoming scarce.
What's Next
The stolen ether (ETH) does not allow hackers to compromise Ethereum's proof-of-stake consensus model. ETH holders can participate in validating transactions on the Ethereum network by staking their ETH--that is, locking it in a smart contract--and running dedicated software on a computer they operate. Ethereum is designed as a decentralized system that does not depend on individual participants' integrity. A validator would need to control more than one-third of staked ETH to represent a material risk to the network, and over two-thirds to have effective control, while its stake would be slashed (reduced through a penalty enforced in the staking smart contract) for dishonest behavior. Even if the Bybit attacker staked the entire haul through a validator that it controls, this would represent only approximately 1.5% of total staked ETH.
Related Research
- What Can You Trust in a Trustless System: Public Blockchains for Financial Applications, Oct. 11, 2023
- How DeFi's Operational Risks Could Influence Credit Quality, June 7, 2023
This report does not constitute a rating action.
Primary Credit Analyst: Andrew O'Neill, CFA, London, +44 20 7176 3578; andrew.oneill@spglobal.com
Secondary Contact: Lapo Guadagnuolo, London, +44 20 7176 3507; lapo.guadagnuolo@spglobal.com
No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.