Bybit Exchange Hacked for $1.4 Billion, Becoming the Biggest Attack in Crypto History
Bybit exchange lost more than $1.4 billion in the most shocking hack in crypto history when hackers took advantage of a multisig vulnerability to transfer all assets in cold wallets.
Update on the afternoon of February 22, 2025:
As of 02:36 PM on February 22, on-chain detective ZachXBT confirmed that the Lazarus Group had transferred 5,000 ETH (about $13.4 million) to a new wallet at 06:28 AM UTC, while using the eXch coin mixing protocol to hide the flow of money and conduct money laundering.
In parallel, Lazarus moved a portion of the assets to the Bitcoin network via Chainflip, to the address bc1qlu4a33zjspefa3tnq566xszcr0fvwz05ewhqfq.
Original article:
On the evening of February 21, 2025, when the aftermath of the LIBRA memecoin scandal had not yet subsided, the crypto community was shocked again by the news that Bybit, one of the world's leading cryptocurrency exchanges, had been hacked and lost more than 1.4 billion USD. The hack not only set a record for the scale of damage in the cryptocurrency industry, but also became the attack with the largest consequences in human history.
Bybit attack developments
News about the hack began to appear at 10:20 PM on February 21, when on-chain detective ZachXBT spoke up on Telegram. He said he was tracking a suspicious amount of funds being withdrawn from Bybit's hot wallet with a total value of up to $1.46 billion. The assets were transferred to the address 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2, raising concerns about a serious security attack.
According to statistics, 401,346 ETH, along with 15,000 cmETH, 8,000 mETH and 90 USDT were transferred from the exchange with a total estimated value of up to $1.46 billion.
The 0x47 wallet then transferred the majority of the funds to the Safe wallet with the address 0xa4b2fd68593b6f34e51cb9edb66e71c1b4ab449e.
Just minutes later, ZachXBT reported that the 0xa4 wallet had started swapping stETH and mETH for ETH through 4 different DEXs. ZachXBT confirmed:
"My sources confirm that Bybit has been hacked."
Before withdrawing over 400,000 ETH, the hacker sent a test transaction of 90 USDT, a trial step ahead of stealing the rest of the assets.
Update from Bybit CEO
After the news of the hack spread, Bybit CEO Ben Zhou also officially spoke up on X, confirming that a multisig cold wallet containing ETH of the exchange was attacked but emphasizing that hot wallets, warm wallets and other cold wallets are still safe.
In his post, Ben Zhou said that the incident happened when Bybit made a transaction to transfer ETH from a cold wallet to a warm wallet. However, this transaction was disguised by the hacker's signing interface (masked UI): all multisig signers saw the correct receiving wallet address as usual, but in fact they signed an order to change the smart contract logic of the ETH cold wallet. Ben Zhou said:
"All signers saw the correct signing interface, the URL was also from the Safe wallet. But the transaction content was actually an order to modify the smart contract of the cold wallet, allowing the hacker to gain full control and withdraw all ETH to an anonymous address."
However, he reassured users that all other cold wallets are safe, warm wallets are not affected, and especially withdrawals on Bybit are still completely normal.
"Bybit has many different cold wallets, but only the ETH cold wallet was attacked. All withdrawals are still going on as usual, without any interruption."
The Bybit CEO also emphasized that the exchange has enough assets to cover all losses, even if the stolen funds cannot be recovered.
"Bybit is fully capable of covering the losses. All customer assets are guaranteed 1:1. We will update the situation as soon as there are new developments."
Based on a quick calculation from the figures in Bybit's latest 'Reserve Ratios' report, the exchange appears to have maintained its solvency, despite this huge loss.
On Bybit's side, the exchange also issued an official announcement, confirming that the exchange had been hacked. Currently, Bybit's security team is working closely with leading experts in the field of blockchain security and industry partners to investigate the incident.
Bybit also called for support from expert teams experienced in on-chain data analysis and money flow tracing to quickly identify and recover the stolen assets. The exchange pledged to continuously update the situation and take appropriate measures to ensure the interests of customers.
As of the time of writing, the hackers have transferred the stolen ETH to many new wallets. According to data from Arkham, more than $1.37 billion in ETH has been transferred to 53 different wallet addresses.
The livestream of Bybit CEO Ben Zhou has now ended. The key points he shared include:
- Bybit has raised a temporary loan (bridge loan) equivalent to 80% of the value of the lost amount, ensuring liquidity and maintaining stable operations.
- The exchange has no plans to buy back the stolen ETH on the market to avoid creating sudden price pressure for ETH.
- If necessary, Bybit will use the reserve fund to compensate for all losses, committed to protecting users' assets.
- The hacker will have difficulty selling the stolen ETH, as most major trading platforms have limited liquidity and may apply transaction blocking measures.
- Currently, Bybit has not yet determined the exact attack method, but the security team is continuing to investigate to track down the hacker.
After the hack, ETH price immediately dropped more than 6%, plummeting from $2,838 to $2,670, marking a 2.9% decrease in the past 24 hours.
The most heavily affected was MNT - Bybit's exchange token - which plunged more than 15.5%, falling from $1.05 to just $0.87 and has yet to show signs of recovery.
Reactions from the crypto community
The Bybit hack immediately stirred up the crypto community, attracting the attention of KOLs, security experts, and big names in the industry, all of whom analyzed and debated this shocking incident.
Blockchain security company Slowmist exposed how hackers exploited a vulnerability in the exchange's multisig cold wallet system. Specifically, hackers used the DELEGATECALL function to take control of Bybit's cold wallet without changing the address or stealing the private key.
To make it easier to understand, imagine Bybit's cold wallet as a smart safe, only Bybit people have the unlock code. Normally, if someone wants to take money from the safe, they have to enter the correct code and be confirmed by the system.
But hackers did not try to crack the safe. Instead, they secretly changed the safe's control software, making it understand the command in their own way. Initially, the Bybit cold wallet controllers entered the unlock code as usual, but they were actually opening the safe on the hacker's command without realizing it. On the blockchain, the hacker used the DELEGATECALL function to change the "controller" of the cold wallet, stored at STORAGE[0x0] - where the wallet's operating rules are kept. By changing this part, the cold wallet thought the withdrawal request was valid, but in fact, it had been reprogrammed by the hacker to send all the funds to their wallet.
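An added example (not from the article, Slowmist or Bybit) of a check signers can run on the raw payload, independent of what the signing UI displays: it decodes Safe execTransaction calldata and flags any DELEGATECALL to an unapproved target. The selector, argument layout and operation values (0 = CALL, 1 = DELEGATECALL) follow the Safe contract ABI; the function names, the approved-target list and the sample addresses are assumptions constructed for illustration.

```python
# Added example: pre-signing review of Safe execTransaction calldata.
# Selector and argument layout follow the Safe contract ABI; sample data is constructed.
SELECTOR = bytes.fromhex("6a761202")  # execTransaction(address,uint256,bytes,uint8,...)
WORD = 32
CALL, DELEGATECALL = 0, 1             # Safe Enum.Operation values

def _u(n: int) -> bytes:
    return n.to_bytes(WORD, "big")

def _int(args: bytes, i: int) -> int:
    return int.from_bytes(args[i * WORD:(i + 1) * WORD], "big")

def decode_exec_transaction(calldata: bytes) -> dict:
    """Decode the fields a signer must check: target, value, operation, inner call."""
    if calldata[:4] != SELECTOR or len(calldata) < 4 + 10 * WORD:
        raise ValueError("not a complete Safe execTransaction call")
    args = calldata[4:]
    off = _int(args, 2)                       # head word 2: offset of `bytes data`
    length = int.from_bytes(args[off:off + WORD], "big")
    inner = args[off + WORD:off + WORD + length]
    return {"to": "0x" + args[12:WORD].hex(), "value": _int(args, 1),
            "operation": _int(args, 3), "inner_selector": inner[:4].hex()}

def review(calldata: bytes, approved_delegate_targets=frozenset()) -> list:
    """Return findings that should block signing; an empty list means no objection."""
    tx = decode_exec_transaction(calldata)
    findings = []
    if tx["operation"] not in (CALL, DELEGATECALL):
        findings.append("unknown operation value %d" % tx["operation"])
    # DELEGATECALL runs the target's code against the wallet's own storage,
    # so it can rewrite slot 0 regardless of what the UI displays.
    if tx["operation"] == DELEGATECALL and tx["to"] not in approved_delegate_targets:
        findings.append("DELEGATECALL to unapproved target " + tx["to"])
    return findings

def build_sample(to: str, operation: int, inner: bytes) -> bytes:
    """Build constructed calldata (zero value, gas fields and signatures)."""
    tail = _u(len(inner)) + inner + b"\x00" * (-len(inner) % WORD)
    head = [_u(int(to, 16)), _u(0), _u(10 * WORD), _u(operation)]
    head += [_u(0)] * 5 + [_u(10 * WORD + len(tail))]
    return SELECTOR + b"".join(head) + tail + _u(0)

# Constructed samples: a routine transfer and a delegatecall with placeholder inner data.
ROUTINE = build_sample("0x" + "11" * 20, CALL, b"")
SUSPECT = build_sample("0x" + "22" * 20, DELEGATECALL, bytes.fromhex("deadbeef"))

if __name__ == "__main__":
    for name, blob in (("routine", ROUTINE), ("suspect", SUSPECT)):
        print(name, decode_exec_transaction(blob), review(blob))
```

Running the same decode on a device separate from the one rendering the signing page is what gives the check value when the interface itself is the thing being spoofed.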
Joseph (@JosephWeb3_) quickly noticed a remarkable similarity in Ben Zhou's statement. The claim that Bybit had enough assets to cover the entire loss sounded familiar - both Do Kwon and Sam Bankman-Fried had previously boldly claimed that their assets were 1:1 secured, but the outcome was well known: LUNA and FTX both collapsed, becoming two of the most damaging hacks in crypto history.
However, Joseph does not think that Bybit will follow in their footsteps. He believes that the exchange has enough financial resources to absorb this loss, and even sees this as an opportunity to "buy the bottom" of Ethereum before the Pectra upgrade.
Former Binance CEO Changpeng Zhao (CZ) also spoke out about the Bybit hack, admitting that this was a difficult situation to handle. He suggested that Bybit should temporarily suspend all withdrawals as a standard safety measure to control risks and prevent hackers from further dissipating assets. CZ also affirmed that he is ready to support Bybit if necessary and wished the exchange team good luck in handling the incident.
On-chain data shows that Binance and Bitget have deposited more than 50,000 ETH into Bybit's cold wallet to support the exchange during this difficult time.
On-chain analytics platform Arkham Intelligence also announced a bounty to find the identity of the person behind the Bybit hack.
"We have created and funded a reward to assist in identifying the individual or organization responsible for today's $1 billion+ Bybit hack. Any information submitted will be shared directly with the Bybit team to assist in the investigation. Reward: 50,000 ARKM."
Just hours later, Arkham announced that "on-chain detective" ZachXBT had gathered enough evidence to show that the culprit behind the Bybit hack was the notorious North Korea-linked hacker group Lazarus Group. Arkham decided to award the bounty to ZachXBT and to share the evidence with the Bybit team to assist in the investigation and remediation. ZachXBT revealed that they had found evidence linking the Bybit hack to the $70 million Phemex exchange attack in January, which was also carried out by Lazarus Group.
Ethena, a DeFi project that holds a large amount of ETH on exchanges, announced that their ETH is kept separately at a third-party custodian linked to Bybit, so it is not affected by the above incident.
Statistics show that with the amount of ETH they are holding, the Bybit exchange hacker has become the 14th largest ETH owner in the world, controlling up to 0.42% of the supply, ranking above the Ethereum Foundation and founder Vitalik Buterin.
Security expert @tayvano_ provided statistics showing that North Korean hackers have only conducted 4 crypto attacks in the first two months of 2025, but quickly set a record for the highest amount of stolen funds since statistics began in 2016, with the Bybit incident contributing to 90% of the damage.
In addition, many users also poked fun at this hack with mocking tweets. One of the most viral jokes was:
"Finally got my refund from FTX. Been waiting for 2.5 years, but now I have my money back. Just deposited to Bybit, what now?"
The joke plays on the irony of users who were caught up in the FTX collapse finally getting their refunds after more than two years of waiting, only to immediately deposit them to Bybit, which had just been the victim of the biggest hack in history.