Key Takeaways
Bybit has fully restored its withdrawal system after a significant hack.
The exchange will release a detailed incident report and new security measures soon.
Bybit has fully restored its withdrawal system after some delays following a historic hack that targeted its Ethereum cold wallet. The exchange is now processing all withdrawal requests without delays or amount restrictions, according to a statement from Ben Zhou, the company’s CEO.
“12 [hours after] the worst hack in history. ALL [withdrawals] have been processed. Our [withdrawal] system is now fully back to normal pace, you can withdraw any amount and experience no delays. Thanks for your patience and we are sorry that this has happened,” Zhou wrote on X on Friday night. Bybit will release a comprehensive incident report and security measures in the coming days, Zhou stated, noting that he ensures the crypto community remains informed of any new updates.
“Thanks to all the clients, friends and partners who have helped and supported us during this excruciating 12 [hours],” Zhou added. “The real work has just now started.”
Over $1.4 billion in ETH drained
On Feb. 21, blockchain sleuth ZachXBT flagged suspicious crypto transfers originating from Bybit. Initial analysis indicated the unauthorized withdrawal of approximately 400,000 ETH, 90,000 stETH, 15,000 cmETH, and 8,000 mETH, with estimated losses totaling $1.4 billion. The funds were transferred to an address beginning ‘0x4766.’ The actor then used decentralized exchanges (DEXs) to convert stETH and cmETH to ETH. On-chain data also revealed that a transfer of 90 USDT was conducted by the actor, now identified as the Bybit exploiter, before the big fund drain, suggesting a preliminary test transaction.
Bybit confirmed the breach shortly after its discovery. In an X post, CEO Zhou stated that an ETH multisig cold wallet was compromised, but reassured users that other cold wallets remained secure. According to him, Bybit executed a transaction from their ETH cold wallet to a warm wallet around one hour prior to the incident. The transaction unfortunately was manipulated, wherein the user interface presented to the signers was falsified. The signers were presented with a UI that displayed the correct destination address and utilized a legitimate URL associated with Safe. However, the signing message associated with the transaction was maliciously altered. This altered message instructed the smart contract logic of the ETH cold wallet to be modified, thereby granting the attacker unauthorized control, Bybit CEO explained.
On their official X page, Bybit also issued a statement clarifying the issue. The team said they were collaborating with leading blockchain security specialists and industry experts to determine the incident’s root cause and recover the stolen funds.
Bybit detected unauthorized activity involving one of our ETH cold wallets. The incident occurred when our ETH multisig cold wallet executed a transfer to our warm wallet. Unfortunately, this transaction was manipulated through a sophisticated attack that masked the signing…
— Bybit (@Bybit_Official) February 21, 2025
Less than two hours after the hack, Arkham Intelligence reported that the Bybit exploiter transferred around $1.3 billion to 53 addresses.
WE’VE COMPILED A LIST OF BYBIT HACKER WALLETS
The Bybit Hacker currently holds $1.37B of ETH and has used 53 wallets so far.
Wallet list below:
— Arkham (@arkham) February 21, 2025
Bybit is solvent: Ben Zhou
Despite massive losses, Zhou asserted that “Bybit is solvent.”
Bybit is solvent even if this hack loss is not recovered, all of clients’ assets are 1 to 1 backed, we can cover the loss.
— Ben Zhou (@benbybit) February 21, 2025
BitMEX Research did a quick calculation using Bybit’s public reserve data. The team concluded that the exchange has enough reserves to cover its obligations to its users, despite the large amount of stolen funds.
Based on a very quick back of the envelope calculation, of the numbers in the latest @Bybit_Official published “Reserve Ratios”, the company still looks solvent, despite the massive loss over $1bn.
https://t.co/JMWu5Luayl
https://t.co/879ZZ18raH
— BitMEX Research (@BitMEXResearch) February 21, 2025
Zhou also conducted a live stream on X to address ongoing concerns surrounding users’ funds. During the stream, he said that Bybit secured a bridge loan equivalent to 80% of the stolen funds from undisclosed partners. The exchange does not plan to repurchase the stolen ETH on the open market to avoid causing a sudden price surge, Zhou explained, noting that Bybit would use its reserve funds to cover all losses if necessary, guaranteeing the protection of user assets. Zhou added that the hacker would face difficulties selling the stolen ETH, as most major trading platforms have limited liquidity and can implement transaction-blocking measures.
Crypto industry unites to aid Bybit
Industry figures and members of the crypto community have rallied behind Bybit, pledging their aid in the aftermath of the security breach. Changpeng ‘CZ’ Zhao, the former Chief Executive Officer of Binance, and Justin Sun, the founder of the Tron blockchain, have indicated their intent to offer support.
OKX and KuCoin also issued statements showing their assistance to Bybit.
According to on-chain data, Binance and Bitget deposited over 50,000 ETH into Bybit’s cold wallets on Friday afternoon in support of Bybit. Arkham also announced a bounty of 50,000 ARKM for anyone who could identify the Bybit hacker.
“Our systems have blacklisted hackers’ wallets. We will block any transactions flowing in from illicit addresses to the exchange once it has been monitored. Our team of security, and researchers, are currently tracking these activities. If we make any significant findings, we will share an analysis of this incident and what the industry can do to avoid similar issues,” Bitget CEO Gracy Chen shared in a statement. Bitget transferred approximately 40,000 ETH to Bybit.
“These are Bitget’s own funds, which we have sent for the goodwill of the crypto space. All Bitget’s users’ funds are securely stored on our platform and users can check the Proof of Reserve accordingly,” Chen stated.
On Feb. 22, a whale transferred 20,000 ETH worth around $53 million to Bybit’s cold wallet, Lookonchain reported.
Lazarus Group allegedly involved
Arkham identified North Korea’s Lazarus Group as the hackers behind the attack, citing evidence provided by ZachXBT. The blockchain investigator reportedly submitted “definitive proof” to Arkham. Arkham also shared ZachXBT’s findings with the Bybit team to support their ongoing investigation.
ZachXBT said he found proof linking the Bybit hack to the $70 million Phemex hack in January, which was allegedly conducted by the Lazarus Group.
Latest updates
According to the latest updates from ZachXBT and Bybit CEO, the Bybit attackers (the Lazarus Group) started transferring 5,000 ETH stolen from Bybit to a new address in the early hours of Saturday. The group is reportedly attempting to launder the funds using the eXch mixer and bridge the funds to Bitcoin through Chainflip. Bybit CEO Ben has appealed to Chainflip to help prevent further asset movement. In response, Chainflip said they took immediate steps to address the situation. However, Chainflip emphasized that as a decentralized protocol, they lack the ability to completely block, freeze, or redirect funds.
