
In February 2025, the cryptocurrency world witnessed one of the most devastating breaches to date: the Bybit hack, in which approximately 401,346 ETH, valued at over $1.5 billion, was stolen. The incident did not just shake investor confidence; it exposed critical gaps in crypto infrastructure and underlined the growing need for continuous monitoring, both internally and across the dark web.
What Happened?
The attackers did not break the multi-signature scheme itself. They compromised a developer machine at Safe{Wallet}, the third-party wallet provider whose web interface Bybit used to approve transfers, and injected malicious JavaScript into that interface. What Bybit's signers saw on screen was a routine transfer from the cold wallet to a warm wallet; what they actually signed was a transaction that replaced the cold wallet's implementation contract and handed control of it to the attackers. After testing the exploit with a small 90 USDT transaction, the hackers moved swiftly, draining massive amounts of Ethereum and staked derivatives such as stETH, cmETH and mETH.
The breach sent shockwaves through the crypto markets, with Bitcoin falling below $90,000 in the days that followed. Bybit CEO Ben Zhou secured emergency liquidity from Galaxy Digital, FalconX and Wintermute, and the exchange reported that its ETH reserves were fully restored within 72 hours.
Attribution: North Korean State Hackers
The FBI attributed the attack to North Korean state-sponsored actors it tracks as TraderTraitor, part of the Lazarus Group (whose financially motivated operations are also tracked as APT38), which is notorious for targeting crypto platforms to fund North Korea's isolated regime. The attribution is consistent with the group's history of large-scale theft and its use of sophisticated supply-chain and social-engineering tactics.
The Role of the Dark Web in Modern Attacks
Incidents like this don’t just unfold on-chain; they leave traces in underground forums, ransomware leaks, and illicit marketplaces. Attackers often discuss tactics, share exploit code, or seek buyers for stolen assets via the dark web.
In Bybit’s case, the size and coordination of the attack reflect months of planning, likely informed by dark web reconnaissance and intelligence-gathering. This highlights a growing risk: if organisations aren’t actively monitoring the dark web, they’re leaving a blind spot open for attackers.
Lessons Learned: Proactive Security Is No Longer Optional
The Bybit hack underscores three critical lessons for crypto companies and financial platforms alike:
- Third-party security must be verified continuously. Trust in wallet providers or vendors without regular audits and monitoring is a liability.
- Cyber threat actors collaborate and share intel—often through dark web networks. Monitoring these spaces helps identify early warning signs.
- Rapid incident response is essential. Bybit was able to mobilise emergency support—but the brand and market damage was already done.
The Case for Dark Web Monitoring with Oko
At Rivanorth, we believe that dark web visibility is a crucial layer in modern security. Our solution, Oko, scans the dark web for compromised data, emerging threats, and mentions of your organisation in criminal ecosystems.
Had dark web monitoring been in place before the incident, early indicators, such as mentions of Bybit or of weaknesses in the wallet tooling it relied on, might have given analysts a chance to investigate and act sooner.
Oko empowers security teams to:
- Detect leaked credentials, infrastructure details, and threat actor chatter.
- Understand industry-specific risks before they escalate.
- Take actionable steps to prevent exploitation, not just respond to it.
Conclusion
The Bybit hack serves as a sobering reminder that no platform is too large or too secure to be targeted. As the dark web continues to evolve into a central marketplace for cybercrime, businesses must evolve too.
Dark web monitoring isn't just for after a breach; it's about staying ahead of one.
Want to know if your organisation is already exposed? Start your security journey today and contact us.