The Money Overview

Bybit says it blocked a $1B theft attempt after 2025 mega-hack

In an April 2026 public disclosure, cryptocurrency exchange Bybit revealed that it detected and stopped a second attack targeting roughly $1 billion in digital assets in the weeks after losing $1.5 billion to hackers in February 2025. The company linked the blocked attempt to the same adversaries behind the original breach, North Korea’s Lazarus Group, though no law enforcement agency or independent blockchain analyst has publicly confirmed that connection. The disclosure, made by the company without accompanying documentation or third-party verification, is the sole public source for the claimed blocked attempt.

If accurate, the claim would make the thwarted heist one of the largest ever stopped in the crypto industry. Combined with the original theft, the two incidents point to a sustained campaign against one of the world’s busiest exchanges and raise hard questions about how quickly any platform can rebuild its defenses after a state-sponsored intrusion.

The original $1.5 billion breach

On February 21, 2025, Bybit CEO Ben Zhou confirmed that attackers had hijacked a routine transfer between the exchange’s own wallets, redirecting approximately $1.5 billion in Ethereum-based tokens, including stETH and mETH, to an address outside the company’s control. Zhou said the transfer had been “manipulated” during what should have been a standard internal operation.

Independent blockchain investigators moved fast. The pseudonymous analyst ZachXBT and the analytics firm Arkham confirmed the scale of the outflow within hours by tracing transactions on Ethereum’s public ledger. Their findings matched the figure Bybit’s leadership disclosed.

The FBI followed within days, issuing a public service announcement naming the Lazarus Group, also tracked under the campaign label TraderTraitor, as the responsible party. According to the bureau, the stolen tokens were rapidly converted into Bitcoin and scattered across thousands of wallet addresses, a laundering playbook Lazarus has refined over years of operations targeting crypto platforms. The speed of the attribution was unusual; federal investigators typically take months to publicly name state-backed actors in crypto cases.

The $1.5 billion figure dwarfed every previous single-event crypto theft, surpassing the $620 million Ronin Bridge hack of 2022, which U.S. authorities also attributed to Lazarus. British press coverage called it the “biggest digital heist ever,” a label that still holds as of May 2026. Blockchain research firm Chainalysis has estimated that Lazarus-linked operations have stolen billions of dollars in cryptocurrency across multiple incidents over the past several years, making the group the most prolific state-sponsored threat in the sector.

Bybit’s response and solvency claims

Bybit moved to reassure users almost immediately. The exchange stated that client funds remained fully backed and that it could absorb the loss without affecting customer balances. Withdrawals, which were briefly delayed in the hours after the breach, resumed within a day. Multiple outlets reported that Bybit secured emergency bridge loans and replacement Ethereum from industry partners to shore up its reserves.

The exchange also launched a public bounty program, offering rewards to anyone who could help trace or freeze the stolen funds. That step, along with a broader call for outside cybersecurity help, signaled both the severity of the attack and the limits of Bybit’s internal capabilities at the time.

No independent, public proof-of-reserves audit has confirmed Bybit’s solvency claims. The exchange’s assurances are broadly consistent with its continued operations, but outside observers have had to take them largely on trust. Whether Bybit has engaged a third-party auditor or committed to a formal review has not been publicly disclosed.

The blocked $1 billion attempt

According to Bybit’s April 2026 disclosure, a follow-on attack targeting approximately $1 billion in assets was detected and stopped after the exchange implemented emergency security upgrades in the wake of the original breach. The company described the attempt as connected to the same adversaries but has not released detailed technical information about how the attack was structured or how its defenses caught it.

If the same operators, or affiliates working from intelligence gathered during the first intrusion, launched a second strike within weeks, it suggests the initial compromise may have given attackers deeper visibility into Bybit’s infrastructure than a single wallet exploit would normally provide. It also indicates the attackers believed residual weaknesses remained exploitable despite the public fallout and Bybit’s announced upgrades.

That pattern fits Lazarus Group’s known behavior. The group has a documented history of probing compromised targets for lingering access, sometimes returning weeks or months after an initial breach. The logic is straightforward: if one vulnerability yielded $1.5 billion, adjacent weaknesses might yield more before defenses are fully rebuilt.

If Bybit’s account holds up, the blocked attempt would represent one of the more significant defensive wins against a North Korean hacking operation in the crypto sector. But that remains a significant “if.”

What remains unverified

The blocked $1 billion attempt sits in a different category than the original hack. The February breach left a massive, publicly visible trail on Ethereum’s blockchain. A blocked attempt, by contrast, may leave little or no on-chain footprint, especially if it was caught at the level of internal authorization before any funds moved. That makes independent confirmation inherently harder.

As of May 2026, no FBI or U.S. government statement has publicly linked the blocked attempt to Lazarus or any other specific actor. The bureau’s attribution covered only the $1.5 billion theft. Blockchain analysts like ZachXBT and Arkham, who were instrumental in confirming the original breach, have not published analysis of the second incident. Without that independent layer, the $1 billion figure and the defensive success narrative rest entirely on Bybit’s own disclosure.

An exchange managing severe reputational damage has clear incentives to emphasize successful defenses alongside acknowledged failures. That does not mean the claim is false, but readers should distinguish between what is documented and corroborated (the original theft, the FBI attribution, the on-chain trail) and what remains a single-source assertion.

Other gaps persist. The specific exploit vector behind the original breach has not been fully disclosed. Bybit described a “manipulated” transfer, but whether that involved stolen private keys, a supply-chain compromise of wallet software, social engineering of personnel, or some other method has not been made public. Without knowing the root cause, it is difficult to assess whether the post-hack upgrades addressed the actual vulnerability or merely patched a symptom.

On the recovery front, how much of the original $1.5 billion has been frozen, seized, or traced to identifiable endpoints remains unclear. Lazarus Group’s operational sophistication has historically made large-scale recovery difficult once funds are dispersed and converted across chains. No public updates on significant seizures have emerged. Bybit has said all affected users were made whole through the exchange’s reserves and emergency financing, but the stolen funds themselves appear largely unrecovered.

Regulatory and jurisdictional questions

Bybit operates out of Dubai under the oversight of the emirate’s Virtual Assets Regulatory Authority. Whether VARA or any other regulatory body will conduct an independent investigation into the breach and the claimed blocked attempt has not been announced as of May 2026. The jurisdictional complexity is considerable: assets moved on global blockchains, the exchange is based in the UAE, its users span dozens of countries, and the alleged attackers are linked to a sanctioned state. That fragmentation makes coordinated enforcement difficult and leaves users with limited clarity about who, if anyone, is holding the exchange accountable beyond its own public statements.

What this means for exchange users

The Bybit case exposes a structural tension running through the crypto industry. Centralized exchanges hold custody of user funds and serve as the primary gateway between retail investors and digital assets. When those platforms are compromised by adversaries with nation-state resources, individual users bear the immediate risk, even if the exchange ultimately covers the losses.

Bybit’s ability to detect and block a billion-dollar follow-on attack, if independently validated, would be a stronger signal of operational resilience than any solvency statement alone. It would suggest that emergency controls can be stood up fast enough to stop sophisticated adversaries in real time. But that validation has not arrived.

For the broader market, the incident reinforces what the escalating pattern of Lazarus-attributed thefts has made plain: crypto platforms remain high-value targets, the scale of individual attacks keeps growing, and the gap between what is stolen and what is recovered continues to widen. The FBI’s rapid attribution signals that U.S. law enforcement is treating these cases with growing urgency. Whether that urgency translates into meaningful deterrence or asset recovery is a question the Bybit case has not yet answered.

Jordan Doyle

Jordan Doyle is a finance professional with a background in investment research and financial analysis. He received his Master of Science degree in Finance from George Mason University and has completed the CFA program. Jordan previously worked as a researcher at the CFA Institute, where he conducted detailed research and published reports on a wide range of financial and investment-related topics.