In one of the most significant cryptocurrency thefts to date, Bybit, a leading crypto exchange known for handling billions in digital transactions, became the target of a massive cyberattack. The breach occurred during what should have been a routine transfer of funds from a secure offline cold wallet to a more accessible warm wallet, resulting in the theft of $1.5 billion in digital assets.
Armis Labs reviewed and analyzed the tactics, techniques, and procedures (TTPs) employed by the threat actors suspected of this heist. The analysis includes insight into the techniques used by these criminals and an overview on emerging trends, adversary behaviors, and evolving TTPs.
The Heist
On February 21, 2025, hackers made off with an estimated $1.46 billion worth of crypto assets from Bybit, a cryptocurrency exchange based in Dubai. Early investigations indicate that the attackers used malware to deceive the platform into authorizing fraudulent transactions, allowing the funds to be transferred to accounts under their control.
Threat Actor Details:
- TTPs: Attackers manipulated transaction processes, diverting funds to an unknown address.
- Attribution: Blockchain analytics suggest North Korea’s Lazarus Group was behind the attack. The Lazarus Group is responsible for some of the largest cyber attacks worldwide.
- Impact: This incident surpasses previous high-profile crypto heists (e.g., the $69 million Phemex theft in January 2025), indicating an escalation in crypto-targeted attacks.
- Timeline: Likely executed over the weekend (February 22-23), and surfaced in CTI circles by Monday, February 24.
This attack highlights vulnerabilities in cold-to-warm wallet transfers, reinforcing the need for stronger security controls. The scale of the heist suggests meticulous planning, rather than a quick “smash-and-grab” operation.
Escalating Geopolitical Cyberattacks
Lazarus operates with strong financial incentives, aiming to strengthen North Korea’s struggling economy. Backed and encouraged by the government, these North Korean cybercriminals face no legal consequences at home. In fact, they benefit from state support. As a result, it is highly likely that the Lazarus group will remain active for the foreseeable future.
Armis Labs analysts have reported a significant surge in cyberattacks driven by geopolitical motives, highlighting increased activity from Russian and Chinese threat actors. These attacks are believed to target critical infrastructure, government networks, and private organizations, aiming to disrupt operations, steal sensitive information, or gain strategic advantages. The rise in such cyber activity underscores the growing complexities of global tensions being played out in the digital sphere, raising concerns about cybersecurity preparedness and the need for proactive defense mechanisms.
Details:
- Russian Activity:
  - Kazakh diplomats targeted (likely phishing or credential theft).
  - Pro-Russian groups hit Italian government websites (DDoS or defacement).
  - Cyberattacks on Ukraine surged by 70% week-over-week.
- Chinese Activity:
  - Attacks on Taiwan doubled to 2.4 million daily incidents.
- Timeline: Data aggregated over the weekend (February 22-23).
These incidents highlight the digital extension of geopolitical conflicts. The surge in activity suggests coordinated campaigns leveraging automated tools and botnets to disrupt targets.
Recent Geopolitical Cyberattacks:
- Vorwerk Thermomix Forum Breach (3.3 Million Records Exposed): The Vorwerk Thermomix recipe forum (Rezeptwelt.de) was breached, exposing 3.3 million user records.
  - TTPs: A third-party service provider was compromised, leaking user names, addresses, birth dates, phone numbers, emails, and cooking preferences.
  - Scope: Affected users span multiple countries, including Czech Republic, Spain, France, Italy, Poland, Portugal, and Australia.
  - Timeline: Reported February 24; breach timing unclear.
  This breach highlights third-party risks. Attackers collect seemingly minor data (e.g., cooking preferences) that can be leveraged for targeted phishing and scams.
- CarMoney Cyberattack (Russian Microfinance Firm Targeted by Ukrainian Hacktivists): Russian microfinance firm CarMoney confirmed a cyberattack on February 24, with pro-Ukraine hacktivists claiming responsibility.
  - TTPs: Attackers sent mass spam messages to customers, falsely claiming CarMoney was shutting down and writing off debts, forcing a system-wide shutdown.
  - Motive: Disruption over financial gain, tied to the Ukraine-Russia conflict.
  - Timeline: Confirmed February 24; attack likely occurred over the weekend.
  This incident blends hacktivism with psychological operations, using misinformation to disrupt financial stability.
- Ghost Ransomware Group Exploiting Known Vulnerabilities: The Ghost ransomware group has been actively targeting known vulnerabilities in unpatched systems.
  - TTPs: Exploiting vulnerabilities like CVE-2024-8963 (Ivanti CSA admin bypass) listed in Armis Early Warning.
  - Impact: Double-extortion tactics used post-exfiltration.
  - Timeline: Escalated over the weekend (February 21-23), with fresh CTI chatter by February
  The rapid exploitation of vulnerabilities within days of patch releases underscores the importance of timely updates.
- FatalRAT Attacks in APAC Region: FatalRAT malware is being deployed in the Asia-Pacific (APAC) region, attributed to Chinese state-sponsored actors.
  - TTPs: DLL sideloading to deploy FatalRAT, alongside Gh0st RAT and Simay RAT.
  - Targets: Likely government and corporate networks.
  - Timeline: Report surfaced early February 24.
  The use of multiple RATs and sideloading techniques suggests sophisticated state-sponsored cyber-espionage activity.
- Russian State Actors Exploiting Signal’s Link Device Feature: Russian state-sponsored hackers are exploiting Signal’s “link device” feature to intercept encrypted communications.
  - TTPs: Social engineering tricks users into linking malicious devices.
  - Impact: Enables interception of encrypted messages.
  - Timeline: Reported February 22.
  This exploit represents a shift in espionage tactics, blending technical abuse with human manipulation.
Takeaways
- Crypto Under Siege: The Bybit heist underscores a growing trend of large-scale, state-sponsored crypto thefts.
- Geopolitical Cyber Escalation: Russian and Chinese cyber activities continue to spike, closely mirroring real-world conflicts.
- Supply Chain Risks Persist: Third-party breaches (Vorwerk, Insight Partners) highlight persistent supply chain vulnerabilities.
- Hacktivism Resurgence: The CarMoney attack signals a growing trend of disruptive cyber operations beyond financial gain.
- Rapid Exploitation: Ghost ransomware’s swift exploitation of newly patched vulnerabilities reinforces the need for immediate updates.
Mitigation and Response
- Asset inventory with full details and context on every asset.
- Continuous monitoring and threat detection to stay ahead of risks. Keep systems under constant surveillance to quickly detect and respond to potential risks or attacks.
- Multi-detection engine (anomaly and policy) to identify unusual activity. Spot irregular behavior or data patterns that could indicate potential security threats or system issues.
- Effective patch management to prioritize risk and take the right actions; consolidate visibility, contextualize priorities, automate ownership assignment, and operationalize the remediation lifecycle.
- AI-based early warning intelligence to prepare for the vulnerabilities that matter and emerging threats. Receive proactive alerts about new and evolving risks to strengthen defenses before attacks materialize.
The evolving landscape of cyber threats demands constant vigilance and proactive measures from governments, organizations and individuals alike. With an increasing blend of technical sophistication and human targeting tactics, cybersecurity must remain a top priority.