Key Takeaways:
A major crypto exchange fell victim to a sophisticated hack exploiting wallet vulnerabilities through deceptive code tactics.
Cybercriminals used unregulated platforms and meme coin channels to obscure the trail of illicit transactions.
The breach exposes systemic security gaps, prompting calls for stronger, collaborative defenses in the crypto space.
Cryptocurrency exchange Bybit was hacked for nearly $1.5 billion on February 21, 2025, by the Lazarus Group, a hacking operation based in North Korea.
Dubbed the largest exchange hack in crypto history by security platform Blockaid, the incident involved sophisticated manipulation of wallet infrastructure.
Following the incident, Bybit CEO Ben Zhou vowed to take action against those responsible.
How The Bybit Hack Occurred
Niv Yehezkel, head of security product engineering at blockchain analysis firm Chainalysis, told Cryptonews that the hack occurred during what appeared to be a routine transfer from Bybit’s Ethereum cold wallet to a hot wallet.
“Bybit unknowingly signed a malicious transaction, allowing attackers to move approximately 401,000 ETH – valued at nearly $1.5 billion at the time of the exploit – to addresses under their control,” Yehezkel said.
Yehezkel explained that the sophisticated North Korean hackers gained access to a Bybit SafeWallet developer’s computer to control the SafeWallet user interface that was specifically used for Bybit transactions.
The hackers then added malicious JavaScript to the frontend code.
This made it appear that Bybit was signing a legitimate transaction, when in fact it was a malicious one.
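The defensive counterpart to a tampered signing interface is a check that does not trust what the page displays. The following is an added example, not code from Bybit, SafeWallet or Chainalysis: it compares an operator's declared intent with the fields that will actually be signed. The field names (`to`, `value`, `operation`, `data`), the allowlist and all addresses are assumptions constructed for illustration.

```javascript
// Added example: every address and amount below is constructed for illustration.
const HOT_WALLET = "0x1111111111111111111111111111111111111111";
const ALLOWED_DESTINATIONS = new Set([HOT_WALLET]);

// intent:  what the operator means to do, recorded outside the web UI.
// payload: the fields captured on the signing path (what the device will sign),
//          never the values the web page displays.
function checkBeforeSigning(intent, payload) {
  const problems = [];
  const to = String(payload.to).toLowerCase();
  if (to !== String(intent.to).toLowerCase()) problems.push("destination differs from intent");
  if (!ALLOWED_DESTINATIONS.has(to)) problems.push("destination not on allowlist");
  if (BigInt(payload.value) !== BigInt(intent.value)) problems.push("value differs from intent");
  // Assumed convention: operation 0 is a plain call; anything else is refused.
  if (payload.operation !== 0) problems.push("operation is not a plain call");
  if (payload.data !== "0x") problems.push("unexpected calldata on a plain transfer");
  return { approve: problems.length === 0, problems };
}

const intent = { to: HOT_WALLET, value: "1000000000000000000" };
const matchingPayload = { to: HOT_WALLET, value: "1000000000000000000", operation: 0, data: "0x" };
const alteredPayload = {
  to: "0x2222222222222222222222222222222222222222",
  value: "0", operation: 1, data: "0xabcdef",
};

console.log(checkBeforeSigning(intent, matchingPayload));
console.log(checkBeforeSigning(intent, alteredPayload));
```

The check is only as trustworthy as the place it runs: it belongs on a machine and code path separate from the web frontend whose output it is verifying.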
“The stolen assets were then moved through a complex web of intermediary addresses,” Yehezkel said. “This dispersion is a common tactic used to obfuscate the trail and hinder tracking efforts by blockchain analysts.”
The hacker also swapped substantial portions of the stolen Ethereum (ETH) for tokens including Bitcoin (BTC) and MakerDAO’s DAI stablecoin.
The Role of Bulletproof Exchangers
According to Yehezkel, decentralized exchanges (DEXs), cross-chain bridges, and non-KYC (know your customer) instant swap services were used to move assets across networks.
Jeremiah O’Connor, CTO and co-founder of blockchain security platform Trugard, told Cryptonews that tactics such as these have become a real challenge for the crypto industry to navigate.
He explained that the instant exchanger exch[.]cx laundered an estimated $120 million in connection with the Bybit hack, then converted the funds into Bitcoin.
“These platforms are often used as cash-out points for all sorts of cybercriminal activities, and in many cases, they’re essentially just fronts for money laundering, further enabling attackers to fly under the radar,” O’Connor said.
O’Connor added that despite direct requests from Bybit to block this activity, exch[.]cx has refused to take action.
As a result, the exchange continues to earn hundreds of thousands of dollars per day in fees for exchanging stolen funds.
O’Connor describes exch[.]cx as a “bulletproof exchanger.” He noted that these exchanges provide instant services with little to no KYC or anti-money laundering (AML) controls.
According to O’Connor, bulletproof exchangers are key in helping attackers obscure stolen assets, while bypassing regulatory frameworks.
He added that the crypto industry’s ability to track and prevent such activity is seriously compromised by the existence of these platforms.
And while there has been considerable work to tackle this, O’Connor believes that these exchanges remain a major blind spot for combating money laundering.
“Bulletproof exchangers need to be held accountable, and the industry must take a much firmer stance against these types of illicit cash out points,” he remarked.
Bybit Hackers Used Meme Coin Laundering
The Lazarus Group also laundered stolen funds using meme coins on Solana’s Pump.fun platform.
O’Connor explained that the Lazarus Group used the platform to create and trade meme coins, effectively washing the stolen money.
For example, one of the tokens the hackers launched was dubbed “QinShihuang,” and saw over $26 million in trading volume.
“What’s even more alarming is that this comes right after one of the biggest meme coin frauds yet – the $LIBRA token, which was promoted by Argentine President Javier Milei,” O’Connor noted. “These events are a stark reminder that meme coins aren’t just harmless internet fun anymore.”
Meme coins are increasingly linked to serious financial crimes, and their destructive nature has started to come to light.
The United States Congress is reportedly set to consider legislation that would ban the issuance of meme coins, like President Donald Trump’s Official Trump (TRUMP) token.
California Representative Sam Liccardo told ABC News on February 27 that House Democrats are preparing to introduce the Modern Emoluments and Malfeasance Enforcement (MEME) Act, which would prohibit public officials from profiting from digital assets.
Collaborative Security Measures
Unfortunately, Yehezkel believes that more attacks like the one seen on Bybit are likely to happen in the future.
“Given that North Korea-affiliated hackers stole approximately $1.34 billion across 47 incidents in 2024 – this is a marked increase from $660.5 million across 20 incidents in 2023,” he said. “This Bybit hack alone led to almost $160 million more stolen than all funds stolen by North Korea throughout 2024, which means DPRK-orchestrated attacks do appear to be on a continued rise.”
Given these escalating threats, industry experts believe that heightened security measures have become increasingly necessary.
William Chan, chief advisor at digital asset trading platform Hotcoin Global, told Cryptonews that the Bybit heist shattered the myth of cold storage invincibility.
He noted that this requires a shift from isolated defenses to ecosystem-wide collaboration.
For example, Chan explained that to combat sophisticated attacks such as these, Hotcoin enables biometric KYC and AML systems. The exchange also incorporates on-chain behavior analysis to counter state-sponsored infiltration.
“Users should enable hardware wallets, multi-factor authentication, and avoid holding large balances on exchanges,” Chan added.
To promote security transparency, Chan noted that Hotcoin is open-sourcing its geographically distributed cold wallet architecture and AI threat detection models.
He hopes this will result in verifiable security standards and shared risk mechanisms.
Shahar Madar, vice president of security and trust products at enterprise-security platform Fireblocks, told Cryptonews that he believes the Bybit attack proves that crypto exchanges need to shift from piecemeal security to solutions that provide complete transaction approval clarity.
This would allow for enterprise-level security enforced at every checkpoint.
“This could include mechanisms for trusted code execution and system integrity, as well as distributed multi-party computation (MPC) wallet infrastructure over alternative multi-sig solutions,” Madar said.
He added that it’s equally important for crypto exchanges to provide verification at multiple levels.
“Internal and external audits, certifications, and regular security checks are absolutely essential for any provider an exchange operates with,” he said.
Beyond highlighting sophisticated hacking techniques, the Bybit incident also serves as a stark warning of the risks tied to crypto’s rapid expansion.
With billions in losses now common, can the industry continue advocating decentralization and minimal oversight without indirectly aiding those who exploit it?
The response to this challenge could shape not only the future of security in the sector but also whether the broader financial world can adopt crypto without inheriting its risks.
Frequently Asked Questions (FAQs)
Non-KYC platforms allow transactions without mandatory identity checks, letting criminals quickly shift illicit funds across several channels. This minimal oversight complicates AML and tracking efforts.
Meme coins serve as tools for disguising illicit proceeds, offering low entry barriers and high liquidity. Hackers convert stolen assets into these tokens, muddying the audit trail and obscuring fund origins.
Industry leaders advocate for multi-layered security, including robust encryption, regular audits, and collaborative threat intelligence. Enhancing regulatory frameworks and user education can also mitigate risks.
The post Meme Coins and Non-KYC Exchanges Played A Large Role in Bybit Hack appeared first on Cryptonews.