Bybit Autopsy: $1.5B Lazarus Exploit — The Sanctions Cap Held End-to-End
What happened
On February 21, 2025, Lazarus Group drained approximately $1.5 billion from a Bybit cold wallet — the largest single-incident crypto theft in history, exceeding the previous record held by the Ronin Bridge hack. About 400,000 ETH plus stETH, cmETH, and mETH were moved in a single batch.
The attack was not a cryptographic break. Lazarus compromised the Safe{Wallet} multisig front-end infrastructure. Signers were shown a transfer interface displaying the expected destination and amount. What they actually signed was a transaction delegating control of the cold wallet contract to an attacker-controlled address. The on-chain record is a perfectly valid transaction signed by legitimate key-holders who believed they were approving something else.
Within 72 hours, the FBI, Elliptic, Chainalysis, TRM Labs, and independent investigator ZachXBT had all attributed the attack to Lazarus — the DPRK-linked threat actor responsible for more than a dozen major crypto thefts since 2017.
The primary attacker wallet
The canonical Bybit exploiter address is 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2. This is the wallet that first received the drained funds from the cold wallet. It is documented by every independent investigator, published by the FBI, and included in CredScore's Lazarus entity registry.
The verdict: sanctions-capped, High Risk, Escalate
Run through CredScore, the wallet returns sanctions-capped, High Risk, Escalate — the engine matches the Lazarus label and enforces the cap end-to-end.
This is a different story from the Drift autopsy. Drift's wallets carried no label at analysis time — CredScore escalated them on behavior alone. Here, the label is known. The story is not "did we catch it," but "can the cap be trusted to hold under adversarial pipeline conditions."
Why the sanctions cap holds under pressure
The cap is not a single check. It is re-asserted at multiple stages of the pipeline before the result is returned:
- Applied when the entity dimension is scored
- Re-applied after any tier-boundary adjustment could theoretically override it
- Enforced by a final output contract at engine exit
The output contract checks non-negotiable invariants: any wallet with a sanctions signal must have a score in the capped range and a decision posture of Escalate, no exceptions. If any invariant fails, the engine refuses to return the result and raises an error to the audit trail.
This is how a compliance engine earns the right to be used in a regulated workflow. It fails loudly on contract violations rather than silently returning a wrong answer. A compliance officer or auditor reviewing this analysis three years from now can trace the sanctions verdict to an enforced invariant, not a heuristic.
Why this matters
Sanctioned wallets need to be flagged reliably every time, even in edge cases. A screening tool that returns "high risk" on 99% of sanctioned wallets and "medium" on the remaining 1% is not fit for compliance work. Miss rate matters.
CredScore's approach — pin the sanctions cap at multiple pipeline stages and enforce it via a hard invariant at exit — makes the miss rate zero by construction. If the engine ever returned a Lazarus wallet as anything other than Escalate, the analysis would fail loudly instead of silently.
What this autopsy does not claim
Retrospective, not discovery. Lazarus was attributed to the Bybit hack within 72 hours by multiple independent investigators. CredScore did not identify the attackers. The claim is narrower and still meaningful: the engine handles a known-labeled Lazarus wallet in a defensible, reproducible way that survives regulatory audit.
One wallet documented publicly. The Lazarus laundering tree from Bybit has hundreds of intermediate wallets, most of which have no public attribution. This autopsy scores the primary exploiter address only. As additional wallets get named by investigators, they can be added and the page will cross-reference their live verdicts automatically.
Ethereum only. The stolen funds crossed to Bitcoin via THORChain within days. CredScore's engine does not yet score Bitcoin — that's roadmap. The Ethereum-side handoff is what this autopsy covers.
The primary driver on the exploiter address is self_sanctioned_address — a direct match against CredScore's Lazarus entity registry, added on February 23, 2025 (two days after the hack, once multiple independent sources had confirmed attribution).
The engine's sanctions handling has three enforcement points:
1. Entity dimension baseline — the entity score is set to the category baseline for a Lazarus label 2. In-pipeline re-assertion — the cap is re-applied after any calibration or tier-boundary adjustment that could theoretically override it 3. Output contract at engine exit — non-negotiable invariants are checked before returning; any violation raises to the audit trail instead of returning a wrong result
This redundancy exists specifically because a long risk pipeline with signal stacking has too many places where a downstream function could silently override a single check. Compliance engines cannot afford that failure mode.
Beyond the sanctions cap, the wallet also carries strong secondary evidence from the CredScore Behavioral Watermark: the fan-out pattern (funds distributed to hundreds of intermediate wallets in amounts below common screening thresholds) is a Lazarus signature the engine detects independently of any label match. If the sanctions label were ever removed — for example, if the engine's registry lagged — the behavioral pattern would still surface the wallet as high-risk on shape alone.
shared_analyses so if they get re-run later, the latest verdict surfaces on this page.