Hacker Techniques and Questions Behind Bybit’s Nearly $1.5 Billion Theft
2025-02-22 • SlowMist
SlowMist analyzed the February 2025 Bybit theft, where attackers stole more than $1.46 billion in ETH and liquid staking assets from a cold wallet workflow. The report cites ZachXBT attribution to Lazarus Group and links the incident to North Korea-linked techniques seen in the BingX, Phemex, WazirX, and Radiant Capital cases. The attacker replaced Safe multisig logic with a malicious implementation contract, used DELEGATECALL to inject hostile logic into storage slot 0, and executed sweepETH and sweepERC20 functions to move roughly 400,000 ETH and stETH. SlowMist also tracked rapid dispersion of funds through dozens of 10,000 ETH wallets, swaps through Uniswap and ParaSwap, BTC bridging via Chainflip, and partial recovery of 15,000 cmETH after mETH Protocol suspended withdrawals.
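
The slot 0 overwrite described above, modelled as a pre-signing policy check. This is an added example, not code from SlowMist, Safe or Bybit. It assumes the Safe proxy layout (implementation address in storage slot 0) and Safe's operation encoding (0 = CALL, 1 = DELEGATECALL); every address and function name in it is a constructed placeholder.

```python
# Added example: a toy storage model, not Safe's or SlowMist's code.
from typing import Callable, Dict, List, Set

CALL, DELEGATECALL = 0, 1  # values of Safe's Enum.Operation
IMPL_SLOT = 0              # a Safe proxy keeps its implementation address in slot 0

Storage = Dict[int, str]
Code = Callable[[Storage], None]


def run(wallet: Storage, code: Code, operation: int) -> Storage:
    """Return the wallet storage after the call, without touching the original."""
    after = dict(wallet)
    # DELEGATECALL runs the callee's code against the caller's storage;
    # a plain CALL gives the callee its own storage.
    code(after if operation == DELEGATECALL else {})
    return after


def review(wallet: Storage, target: str, code: Code, operation: int,
           trusted_impls: Set[str], delegate_allowlist: Set[str]) -> List[str]:
    """Pre-signing policy check: list of findings, empty means no objection."""
    findings: List[str] = []
    if operation == DELEGATECALL and target not in delegate_allowlist:
        findings.append("DELEGATECALL_TO_UNLISTED_TARGET")
    after = run(wallet, code, operation)  # simulate on a copy before anyone signs
    if after.get(IMPL_SLOT) != wallet.get(IMPL_SLOT):
        findings.append("IMPLEMENTATION_SLOT_CHANGED")
    if after.get(IMPL_SLOT) not in trusted_impls:
        findings.append("IMPLEMENTATION_NOT_TRUSTED")
    return findings


# Constructed sample data: placeholder addresses, not values from the incident.
TRUSTED = {"0xTRUSTED_IMPL"}
ALLOWLIST = {"0xALLOWED_BATCH_HELPER"}
WALLET = {IMPL_SLOT: "0xTRUSTED_IMPL", 1: "owners..."}


def callee_writes_slot0(storage: Storage) -> None:
    # Stand-in for a callee whose first state variable is written during the call.
    storage[0] = "0xUNREVIEWED_IMPL"


if __name__ == "__main__":
    for op in (CALL, DELEGATECALL):
        print(op, review(WALLET, "0xUNREVIEWED_TARGET", callee_writes_slot0,
                         op, TRUSTED, ALLOWLIST))
```

The same callee is harmless under CALL and rewrites the wallet's implementation pointer under DELEGATECALL, which is why the check simulates the state change instead of relying on the operation flag alone.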