
A $1.5 Billion Heist in a Single Day — The Bybit Heist and Thailand’s Cybersecurity Wake-Up Call

North Korea stole $1.5B in Ethereum from Bybit through a highly sophisticated supply chain attack, while cyberattacks in Thailand surged 125% in a year, averaging 28,000 incidents a day — a lesson every organization needs to read.

25 Mar 2026, 11 min read
Tags: Cybersecurity, Bybit, Crypto, Lazarus Group, Supply Chain Attack, Thailand

February 21, 2025 — The Day the Crypto World Shook

Imagine this: you go to bed at 2 a.m. and everything looks normal. Your wallet balance is intact, every system light is green, and the dashboard doesn’t show a single pixel out of place.

Then you wake up in the morning and $1.5 billion is gone.

This wasn’t a Netflix movie. It wasn’t the script for Ocean’s Eleven 4. It was real — and it happened to Bybit, one of the world’s largest crypto exchanges based in Dubai, on February 21, 2025.

$1,500,000,000 — a number that set a new record for the largest crypto theft in history.

And who was behind it? Not a group of teenage hackers in a basement, but a North Korean state-backed cyber operation.


Anatomy of a Heist — The Smartest Digital Robbery in History

Forget the image of masked thieves cracking open a vault. No one touched a single coin of cash in this heist. There were no guns, no getaway cars, not even an alarm blaring in the background.

Step 1 — Choosing the victim (who wasn’t really the victim)

The attackers didn’t target Bybit directly. They went after Safe{Wallet}, the platform Bybit used to manage its digital wallets. That’s the essence of a supply chain attack: you don’t need to break through the front door if you can compromise the company that makes the keys.

Step 2 — Classic social engineering

The hackers used social engineering to lure a Safe{Wallet} developer into giving them a foothold on the developer's work device. From there, they gradually escalated access — from a personal device to the internal network, and eventually to the company's code deployment system.

Every step was quiet, patient, and precise — like surgery.

Step 3 — Injecting poison into the main artery

Once they reached the deployment system, the hackers inserted malicious JavaScript into code served through Safe{Wallet}’s official domain itself — app.safe.global. Not a fake website. Not a suspicious link. The real site, compromised from the inside.

Step 4 — Screen-level illusion

This was the most brilliant part. Bybit's UI displayed the transaction exactly as expected — correct recipient address, correct amount, everything looked legitimate. But behind the scenes, the malicious code had already replaced the real recipient address with the attackers' wallet in the transaction that was actually signed.

Bybit staff approved the transaction with their own eyes. Everything looked right — except the destination.

A total of 401,347 ETH flowed out of Bybit into wallets controlled by North Korea.

All of it happened in a single day.


Lazarus Group — The State-Backed Hacking Unit

The name Lazarus Group is nothing new in cybersecurity circles. They are a cyber operations unit under North Korea’s intelligence agency, the Reconnaissance General Bureau, and they have been active since 2009.

Their most notorious operations include:

  • 2014 — Breaching Sony Pictures so severely the company nearly collapsed, with unreleased films and internal data leaked
  • 2016 — Stealing $81 million from the Bangladesh central bank through the SWIFT system
  • 2017 — Launching WannaCry ransomware, crippling hospitals and organizations around the world
  • 2022 — Stealing $625 million from Ronin Bridge (Axie Infinity)
  • 2025 — The $1.5 billion Bybit heist — a new record that eclipsed them all

Why does North Korea steal crypto? The answer is simple: to fund its nuclear weapons program under the weight of United Nations sanctions. Crypto is one of the hardest channels to monitor and shut down.

The key point is that Lazarus Group didn’t rely on some unimaginable, futuristic exploit. They used social engineering + supply chain attack — two methods that no firewall or antivirus in the world can stop 100%, because the real weak point is people, not machines.


Bybit’s Recovery — 447,000 ETH in 72 Hours

What’s just as remarkable as the theft itself is the recovery.

Once Bybit realized a massive amount of ETH had been stolen, CEO Ben Zhou immediately announced that customers would not bear the loss. The company secured emergency support from major industry partners:

  • Galaxy Digital provided a loan of 100,000 ETH
  • FalconX added liquidity support
  • Wintermute acted as an OTC partner to source ETH at market prices

Within 72 hours, Bybit had restored its ETH reserves to around 447,000 ETH — enough to guarantee that all customers could withdraw funds normally. No user lost their balance.

But make no mistake — the stolen $1.5 billion had not been recovered. Bybit simply filled the hole using its own funds and borrowed capital. That’s the staggering cost of a breached supply chain.


What About Thailand? — The Numbers Are Alarming

If you’ve read this far and thought, “That’s Bybit, that’s crypto — it has nothing to do with us,” think again.

Thailand's cybersecurity figures for 2024 tell a very different story:

  • 732,620 incidents — the number of detected cyberattacks in Thailand, up 125.91% from 324,295 in 2023
  • 10,267,403 incidents — the number of web threats detected by Kaspersky among users in Thailand, averaging 28,130 attacks per day, every day, weekends included
  • From Q2/2023 to Q2/2025, cyber incidents rose from 64,609 to 223,700 — an increase of nearly 3.5x

Who’s being hit hardest?

No. 1 — Education (26%): universities and schools with aging systems, limited budgets, and too few IT staff

No. 2 — Government (20%): public agencies still running on decades-old infrastructure

No. 3 — Finance (17%): banks and financial institutions targeted because “that’s where the money is”

And the situation is getting worse. During July–August 2025, the frequency of cyberattacks involving Thailand and Cambodia surged by 241% amid escalating geopolitical tensions in the region.

Thailand is positioning itself as a data center hub, with market value projected to reach $1.5 billion by 2030. But we have to ask — are we building a larger house while forgetting to lock the door?


What Every Thai Organization Must Do — Today, Not Tomorrow

The Bybit heist teaches one very clear lesson: you do not have to be the target — you only have to be in the target’s supply chain.

1. Stop thinking, “No one cares about our company”

Lazarus Group didn’t breach Bybit directly. They compromised a single developer at a third-party provider. If your business is part of a supply chain — whether you’re a software vendor, component manufacturer, or even an accounting firm — you could become an entry point without ever realizing it.

2. Zero Trust is not just a buzzword

“Trust no one until they are verified.” This principle has to be applied in practice at every level — from system access and transaction approvals to code deployment. What Bybit lacked was independent verification that what appeared on screen matched what was actually happening behind the scenes.
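The check described above, as an added example that is not part of the original article and not Safe{Wallet}'s or Bybit's code: the transaction an approver intends is recorded from an out-of-band source (the internal transfer request), and the payload actually submitted for signature is compared field by field against it, so a UI that renders the right address while signing a different one is caught before the signature exists. Addresses and amounts are constructed placeholders.

```javascript
// Constructed: the transaction the approver intends, taken from the internal
// transfer request, NOT read back from the web UI that will be signed in.
const INTENDED = {
  to: "0x1111111111111111111111111111111111111111", // placeholder recipient
  valueWei: 1_000n * 10n ** 18n,                     // 1,000 ETH in wei
  data: "0x",                                        // plain ETH transfer
};

// Normalise hex so a case or whitespace difference cannot hide a mismatch.
function normHex(h) {
  return String(h).trim().toLowerCase();
}

// Compare the fields a signer actually commits to (to, value, data) against
// the intended transaction. Returns the list of mismatches; empty means the
// bytes about to be signed are the ones the approver meant to approve.
function verifyBeforeSigning(intended, payload) {
  const problems = [];
  if (normHex(payload.to) !== normHex(intended.to)) {
    problems.push(`recipient ${payload.to} != intended ${intended.to}`);
  }
  if (BigInt(payload.value) !== intended.valueWei) {
    problems.push(`value ${payload.value} != intended ${intended.valueWei}`);
  }
  if (normHex(payload.data) !== normHex(intended.data)) {
    problems.push("calldata differs from the intended transaction");
  }
  return problems;
}

// Constructed honest payload: what the UI shows and what is signed agree.
const honest = {
  to: INTENDED.to,
  value: (1_000n * 10n ** 18n).toString(),
  data: "0x",
};

// Constructed tampered payload: the screen may still render INTENDED.to,
// but the recipient in the bytes handed to the signer is a different wallet.
const tampered = { ...honest, to: "0x2222222222222222222222222222222222222222" };

console.log(verifyBeforeSigning(INTENDED, honest));   // []
console.log(verifyBeforeSigning(INTENDED, tampered)); // one recipient mismatch
```

In a multi-signature setup each approver runs this comparison on their own machine against their own copy of the request, so a single compromised front end cannot satisfy every signer at once.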

3. Invest in people, not just tools

Social engineering works because people aren’t prepared, not because the technology is weak. Employee cybersecurity awareness training, phishing simulations, and a culture of “question first, click later” cost far less than the damage of a successful breach.

4. Audit your supply chain seriously

How secure is the vendor software your organization relies on? Does the vendor conduct security audits? Do they have an incident response plan? If you can’t answer those questions, you are exposed to risks you can’t even see.

5. Prepare for cyber crisis response

Bybit survived because it had relationships with partners ready to step in within 72 hours. Does your organization already have a cyber crisis response plan? Do you know who to call first? Do you have backups that have actually been tested?


Key Takeaways

The Bybit heist is not just a crypto story — it is a wake-up call for every organization in the world.

A supply chain attack does not care whether you are a small company or a large enterprise. It does not care what industry you are in. If you are connected to digital systems, you can become a target.

Thailand is already facing a 125% annual increase in cyberattacks, averaging nearly 30,000 incidents per day. And those numbers will only rise as the country adopts more technology.

The question is not, “Will we be attacked?” The real question is: “When it happens, how prepared are we?”

The Enersys team has experience building cyber defense systems — from risk assessments and secure architecture design to incident response planning. If your organization isn’t confident it is secure enough, talk to us before it’s too late.
