What Did We Learn from the World’s Largest Hack?

Kelsie Nabben

kelsie.nabben@rmit.edu.au

What Did We Learn from the $1.5 billion Bybit hack as individuals and as an ecosystem? Research insights from an ethnographic investigation and forthcoming book on decentralised security.

Introduction: Security as Governance in a Decentralised World

The record-breaking Bybit exploit, which saw an unprecedented volume of assets exfiltrated from one of the world’s leading crypto derivatives platforms, marked a critical inflection point for digital security. While headline narratives focused on the magnitude of financial loss, this event—like others before it—was not just a failure of code. It was a social event, deeply embedded in a web of incentives, trust relations, opaque responsibilities, and infrastructural coordination failures. Drawing on ethnographic fieldwork with blockchain security actors, this insight piece examines the deeper significance of the Bybit hack. It situates the incident within broader shifts in decentralised security as a governance frontier and reflects on the cultural, infrastructural, and institutional dimensions of digital security as a key to industry effectiveness and legitimacy.

The Largest Hack Ever

“People keep calling this the ‘largest crypto hack ever’ but I think it might be the largest hack ever….period?” stated Taylor Monahan (Security, Metamask / Incident Response, SEAL911, @Tayvano) on Twitter. Previous records included the Ronin Bridge hack of $620 million in 2022 (attributed to the Democratic People’s Republic of Korea (DPRK)) and the Polynetwork hack of $611 million in 2020 (not attributed to the DPRK).

Suspicious outflows of $1.46 billion from the Bybit exchange were first reported on February 21, 2025, by white hat ZachXBT in his Telegram channel, “Investigations by ZachXBT.” Crypto-famous for his cat-and-mouse tracing of North Korean hacker activity, ZachXBT later confirmed that the activity was Lazarus Group, allegedly run by the DPRK, by connecting the hacked funds to a wallet address from a previous DPRK hack.

Bybit’s CEO and the company confirmed the hack and reported it to law enforcement authorities (Bybit, 2025a). The race then began to trace and blacklist attacker addresses, as the FBI released a public service announcement urging RPC node operators, exchanges, cross-chain bridges, and DeFi services to block the transactions (IC3, 2025). Lazarus Group follows a pattern of trading stolen funds into ETH, swapping ETH for BTC, and offloading the Bitcoin via exchanges and OTC (“over the counter”) desks across Asia.
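The public service announcement above asks node operators, exchanges and DeFi services to block transactions touching flagged addresses. The following is an added example, not code from the article or from any of the organisations it names, of the minimal screening logic such a service would run against its transaction stream: addresses are normalised before comparison (EVM addresses are case-insensitive hex, so a naive string match misses mixed-case variants), any transaction touching a listed address is blocked, and an address that receives funds from a listed one is placed on a derived watch list so that the next hop is surfaced for review rather than silently passed. The denylist and the transactions are constructed sample values; the `Tx` shape and the `BLOCK`/`REVIEW`/`ALLOW` outcomes are assumptions of this example.

```python
from dataclasses import dataclass

HEX = set("0123456789abcdef")


@dataclass
class Tx:
    """A single value transfer as an RPC node or exchange would see it (assumed shape)."""
    tx_hash: str
    sender: str
    recipient: str
    value_eth: float


def norm(addr: str) -> str:
    """Normalise an EVM address to lowercase 0x-prefixed form so that
    0xABCD... and 0xabcd... compare equal; reject anything that is not
    20 bytes of hex."""
    a = addr.strip().lower()
    if not a.startswith("0x"):
        a = "0x" + a
    if len(a) != 42 or any(c not in HEX for c in a[2:]):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a


class Screener:
    """Transaction screener: a static denylist plus a one-hop derived watch list."""

    def __init__(self, denylist):
        self.denylist = {norm(a) for a in denylist}
        self.derived = set()  # recipients of funds sent by a denylisted address

    def screen(self, tx: Tx) -> str:
        s, r = norm(tx.sender), norm(tx.recipient)
        if s in self.denylist or r in self.denylist:
            # Funds leaving a listed address taint the recipient (one hop only;
            # deeper propagation is left to a full tracing pipeline).
            if s in self.denylist and r not in self.denylist:
                self.derived.add(r)
            return "BLOCK"
        if s in self.derived:
            return "REVIEW"  # second hop: hold for a human decision
        return "ALLOW"


def fake_addr(n: int) -> str:
    """Constructed placeholder address (not a real on-chain address)."""
    return "0x" + "00" * 19 + f"{n:02x}"


def run_demo() -> list:
    """Screen a constructed three-transaction stream and return the decisions."""
    # Constructed denylist entry, written in mixed case to exercise normalisation.
    screener = Screener([fake_addr(1).upper().replace("0X", "0x")])
    stream = [
        Tx("0xaa", fake_addr(1), fake_addr(2), 10_000.0),  # listed -> new address
        Tx("0xbb", fake_addr(2), fake_addr(3), 9_900.0),   # next hop of those funds
        Tx("0xcc", fake_addr(4), fake_addr(5), 1.0),       # unrelated transfer
    ]
    return [screener.screen(tx) for tx in stream]


if __name__ == "__main__":
    print(run_demo())
```

In production the denylist would be refreshed from the published advisory and the derived set fed into a proper tracing graph; the point of the example is that a denylist alone stops only the first hop, which is why the incident response described in this piece depended on people watching the flows in real time.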

Bybit is among the largest cryptocurrency exchanges globally, based in Dubai and sporting around $4 billion of 24-hour trading volume. As some would say, too big to fail. And in some ways, it didn’t. Despite the monolithic hack, Bybit had enough liquidity to pay back loans to users who wanted to withdraw funds from the exchange. In other words, unlike previous high-profile centralised exchange hacks, where the exchange declared bankruptcy and users were left with nothing, users in this hack wouldn’t have known any differently if they hadn’t seen the news. Despite this, the implications of the hack are devastating to the reputation and legitimacy of blockchain as an industry.

1. The Same Vulnerabilities

The Bybit exploit confirmed a well-known lesson in cybersecurity—that security breaches are not always about code. Unlike the software-code-based smart contract exploits that have traditionally plagued Decentralised Finance (DeFi) protocols, the origin of this “kill chain” was social engineering. Social engineering refers to a range of malicious activities that exploit human psychology to deceive and manipulate individuals into divulging confidential information or performing actions that compromise system security. It is an enduring problem in cybersecurity, and one that can’t be solved by smart contract audits or team training sessions. If an attacker is persistent enough, they will nearly always win. I’ve written about vulnerability mapping methods in my work on resilience in decentralised technologies.[1] Each project should strive to be more resilient than the next to avoid becoming a target for hackers, while also collaborating to prevent cascading failures across the ecosystem.[2]

In the case of Bybit, Lazarus Group used a persistent and sophisticated phishing attack[3] targeted at a developer who worked at SAFE (the multi-signature wallet company) to compromise their device with malware disguised as fake trading software. The attacker was then able to infiltrate the developer’s Amazon Web Services cloud computing environment and covertly insert a malicious Safe Wallet front end that specifically targeted Bybit.
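The compromise described above succeeded because the front end served from the cloud environment was not what the project had built and shipped. An integrity check that compares every served asset against a manifest of hashes pinned at build time is a cheap detective control for exactly that failure mode. The following is an added example, not code from the article or from Safe, Bybit or any other organisation named here; the file names and contents are constructed, and the “good release” versus “what is being served” split is an assumption standing in for a real build artefact and a real fetch from the deployed site.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an asset's raw bytes."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(release: dict) -> dict:
    """Pin the digest of every asset in a known-good release.
    Run at build time and store the result out of band (for example in the
    release notes or a signed tag), never on the web server being checked."""
    return {path: sha256_hex(content) for path, content in release.items()}


def verify_deployment(manifest: dict, served: dict) -> list:
    """Compare what the site is actually serving against the pinned manifest.
    Returns a sorted list of (finding, path) tuples; an empty list means the
    deployment matches the release exactly."""
    findings = []
    for path, expected in manifest.items():
        if path not in served:
            findings.append(("missing", path))
        elif sha256_hex(served[path]) != expected:
            findings.append(("modified", path))
    for path in served:
        if path not in manifest:
            # An asset the release never contained is the signature of an
            # injected script, whatever its name claims to be.
            findings.append(("unexpected", path))
    return sorted(findings)


# Constructed stand-in for the build output of a known-good release.
GOOD_RELEASE = {
    "index.html": b"<html><script src='app.js'></script></html>",
    "app.js": b"export function buildTx(to, value) { return {to, value}; }",
}


def run_demo() -> dict:
    """Check a clean deployment and a tampered one; return both finding lists."""
    manifest = build_manifest(GOOD_RELEASE)

    clean = dict(GOOD_RELEASE)

    # Constructed tampered deployment: one bundle altered, one file added.
    tampered = dict(GOOD_RELEASE)
    tampered["app.js"] = GOOD_RELEASE["app.js"] + b"\n// altered after build"
    tampered["inject.js"] = b"// constructed placeholder for an unexpected asset"

    return {
        "clean": verify_deployment(manifest, clean),
        "tampered": verify_deployment(manifest, tampered),
    }


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name, findings or "OK")
```

The same pins can be pushed to the browser by placing them in `integrity` attributes (Subresource Integrity) on the script tags of `index.html`, so that a client refuses to execute a bundle whose hash no longer matches; the server-side check above is the complement that tells the operator, rather than the user, that something changed.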

Security responders pointed out that the tactics resemble those of previous attacks, including DMM Bitcoin ($305 million USD in cryptocurrency tokens in May 2024), WazirX ($230 million in July 2023), and Radiant ($50 million in October). Yet these attacks continue to occur.

2. The Blockchain White Hat Hacker

In the wake of the exploit, a flurry of off-chain, human-led action followed. Ethnographic accounts from inside incident response chats show that blockchain white hat hackers played a decisive role in damage control. White hat hackers and their allies across security stakeholders, protocols, and exchanges coordinated to trace flows, alert exchanges, and freeze suspicious funds. Coalitions like the Security Alliance operate with community legitimacy, invoking a form of “emergency governance.”

These actions point to a growing norm of ethical vigilantism to defend cypherpunk ideals of decentralised infrastructure for individual liberty, not exploitation at the expense of others. The Bybit incident illustrates how informal norms, rather than formal rules, often shape security responses, creating a patchwork regime of informal networks and reactive governance.

3. Insecurity is a Constitutive Feature, Not a Bug

The Bybit hack reinforces a broader insight from ethnographic work on resilience and security in blockchain communities: decentralised digital infrastructure is insecure by default. Unlike traditional systems that aspire toward “achieving” security, blockchain ecosystems operate with the understanding that risk is endemic and persistent. In fact, many in the ecosystem see insecurity as a necessary condition of innovation, experimentation, and permissionless participation.

From this view, the significance of the Bybit hack is not its size but its systemic reverberations. It accelerated conversations around shared security standards, incentivised new forms of white hat response (i.e., bounty mechanisms to align incentives towards constructive behaviour), and encouraged the evolution of threat-sharing channels and protocol-level risk mitigation tools and processes. In short, according to SEAL911 Lead pcaversaccio, to participate in this industry requires a mindset of “total f*ing paranoia.”

4. Collective Threats Require Collective Approaches

As blockchain explorers updated in real time, thousands of onlookers—some concerned, some opportunistic—began tracing the flow of funds. Money laundering at this scale is a highly coordinated effort by hundreds (if not thousands) of individuals across blockchain infrastructures and physical “Over The Counter” (OTC) money trading desks. For years, security responders have been urging people and platforms to take more responsibility for tracing and slowing down the DPRK’s activity.

Yet, in this incident, Twitter debates spiralled into whether or not addresses should be censored on “permissionless” blockchain infrastructure, while certain platforms earned millions of dollars in transaction fees.

Tayvano shared on X:

“In 10 days flat, DPRK has bridged all ~500,000 ETH (~$1.3 billion USD) stolen from Bybit to Bitcoin. Kim Jong Un sends his deepest gratitude to @THORChain, @asgardex, and @exchcx. Without their faux-cypherpunk grandstanding + blatant lies, this would have never been possible.” (Tay, 2025d).[4]

Meanwhile, in war rooms elsewhere on the internet, security responders like the Security Alliance (SEAL) “911” volunteers were coordinating with exchanges, protocols, and bounty hunter platforms to have funds frozen and bounties paid to slow the laundering of funds and reward contributors for white hat efforts.

Conclusion: Governing Through Crisis

Ultimately, the Bybit hack was not just a security failure—it was a stress test for the evolving governance of decentralised infrastructure. It exposed the limits of current security practices (which have since been reported to have been updated) and the fragility of cross-protocol responses. Yet, it also showcased the strength of emergent, collective responses grounded in social networks, shared norms, and the will to protect the ideology and infrastructure of decentralised technologies.

For policymakers, technologists, and communities building digital infrastructure, the key lesson is this: security must be treated as an ongoing, collective process of coordination—not a static state to be achieved. The Bybit exploit reminds us that the future of digital security lies not in perfect code but in imperfect, yet adaptable systems characterised by code, crisis, and community.

This research insight draws on over two years of ethnographic fieldwork in decentralised technology communities. I would like to thank the Security Alliance (SEAL) for allowing me to participate in wargames and observe incident responses, as well as numerous individuals for interviews and feedback.

Nabben’s book, titled “Decentralised Digital Security: Code, Crisis, Community,” will be available Open Access in 2026.

[1] Nabben, K. (2024). “DAO Vulnerability Mapping: A Theoretical and Empirical Tool”. In Decentralized Autonomous Organizations, Kerckhoven, S.V. and Chohan, U.W. (Eds.). Routledge: London. ISBN: 9781003449607.

[2] Cascade effects describe how a localised failure spreads through an interconnected system, amplifying damage and potentially compromising the stability of the broader ecosystem.

[3] Fraudulent emails or messages that trick users into revealing passwords or credit card numbers, or into downloading malware.

[4] Tay (@tayvano_). (2025d). ‘In 10 days flat, DPRK has bridged all ~500,000 ETH…’ X, March 4. https://x.com/tayvano_/status/1896761187603497289.