The cryptocurrency exchange Bybit was reported to have been hacked last night (February 21), resulting in the loss of approximately $1.47 billion worth of ETH and stETH, instantly igniting panic within the community. It is understood that this “Bybit hack incident” is the largest hack in the history of cryptocurrency. As for the details of the incident and its implications for users and the market, Dongqu has compiled a series of summaries below for readers to quickly understand.
Last night after 11 PM, multiple on-chain analysts and researchers tweeted warnings that Bybit’s cold wallet was experiencing abnormal transfers of large amounts of ETH and stETH to unknown hot wallets, valued at approximately $1.47 billion, which instantly ignited the community. At 11:44 PM yesterday, Bybit CEO Ben Zhou also confirmed the hack through a post.
Ben Zhou stated that the hackers forged multi-signatures to gain control of specific ETH cold wallets signed by Bybit and transferred all the ETH from those cold wallets to unknown addresses. He reassured users that all other cold wallets are secure and that withdrawals from the exchange remain normal. Furthermore, Ben Zhou also indicated that even if the losses from this hack cannot be recovered, all customer assets still have 1:1 reserve support, and Bybit can bear this loss.
Bybit ETH multisig cold wallet just made a transfer to our warm wallet about 1 hr ago. It appears that this specific transaction was masked, all the signers saw the masked UI which showed the correct address and the URL was from @safe. However, the signing message was to change…
— Ben Zhou (@benbybit) February 21, 2025
CZ suggests Bybit suspend withdrawals, facing backlash from the community
Ben Zhou’s confirmation directly triggered market panic, leading to a surge in user withdrawals from Bybit. Because the hack involved $1.47 billion worth of ETH, it may leave Bybit unable to cover such a massive gap in the short term, potentially leading to even more serious funding issues (such as halting withdrawals and locking related assets…). Some users in the community speculated that, if not handled properly, it could ultimately turn into a repeat of the FTX situation.
Binance founder Zhao Changpeng (CZ) also provided his personal advice:
This is not an easy situation to handle. It may be advisable to temporarily suspend all withdrawals as a standard safety precaution. If needed, I can offer assistance. Good luck!
However, the community unanimously felt that CZ’s suggestion to suspend all withdrawals was a bad idea, arguing that his advice might lead to an even larger user run on the exchange. In response, the trading news and algorithmic trading account “Formula News” offered the following three pieces of advice to Bybit’s CEO:
Do not stop user withdrawals, as this will accelerate a bank run. You can slow down the process, but absolutely do not stop, to avoid causing panic.
Show the public Bybit’s balance sheet, indicating that you have sufficient funds to cover the losses caused by the hack.
When needed, contact large companies like Tether for help (rather than the CEOs of competing exchanges). $1.5 billion is not a significant issue during this cycle; handle it well and save us all.
Funding gap reaches 500,000 ETH; how should Bybit cover it?
Additionally, according to Arkham data, the hackers sold the stolen assets for approximately $1.34 billion worth of ETH (499,395 coins) and $42 million worth of cmETH (15,000 coins), dispersing the funds across 53 addresses. Although the hackers hold a significant amount of ETH, they cannot quickly liquidate it to the market, which has relieved market investors.
However, facing a funding gap of 500,000 ETH, how should Bybit cover it? In a live stream early this morning, Bybit’s CEO stated:
We will not purchase ETH to cover the gap. We are currently obtaining bridge loans (short-term loans used to assist physical transitions) through partners to compensate for the stolen losses, and we have already secured nearly 80% of the stolen liquidity (ETH).
However, community KOL Fengwuxiang tweeted skepticism, suggesting that only Binance or a consortium of institutions could lend such a massive amount of ETH to Bybit. Considering Bybit’s prior reputation issues, Fengwuxiang believes institutions may not be willing to help:
Bybit claims to borrow ETH rather than buy ETH. But in the end, it still needs to be repaid, and Bybit’s annual profit is less than $1.5 billion.
Who else could lend 400,000 ETH (the amount stolen is around 500,000 coins)? Besides Binance (BN), it’s likely that a consortium of institutions would need to step in. Yes, relying on just one institution cannot save the situation; several institutions would need to take action together.
But given Bybit’s previous issuance of Bit, which significantly harmed investors, and the promised contractual revenue that ultimately went unfulfilled, I personally believe Bybit does not have a good reputation among institutions. Now, Binance has the highest spot trading volume, and the rising Bybit is second. So do you think anyone will step in to help?
According to SosoValue statistics and on-chain security team TenArmor’s latest monitoring data, Bybit has seen a total inflow of more than $4 billion within the past 12 hours, enough to cover the $1.47 billion stolen loss. This influx also includes large ETH transfers from Bitget, MEXC, and related institutions and individuals.
Who is the culprit behind the hack, and what was the method of attack?
As for the true identity of the hackers, on-chain detective ZachXBT confirmed, through a series of submitted evidence, that the mastermind behind this incident is the North Korean hacker organization “Lazarus Group.”
Regarding the method of attack, SlowMist security expert Yu Xian tweeted that the attackers first deployed a malicious contract on February 19. On February 21, they used three owners of Bybit’s Safe multisig wallet to sign a transaction that replaced the Safe implementation contract with the malicious contract, and then used the malicious contract to move funds out of Bybit’s wallets.
The cold wallet team OneKey added that the hackers likely first confirmed that Bybit’s three multisig computers had been compromised and that the conditions for the attack were met. They then replaced the content being signed during the multisig staff’s routine daily transfer signing.
Details of the Bybit Safe multisig hack:
The malicious implementation contract was deployed on UTC 2025-02-19 7:15:23
0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516
The attacker utilized three owners to sign a transaction that replaced the Safe implementation contract with a malicious contract on UTC 2025-02-21 14:13:35… https://t.co/kGcwJO01f0
— Cos (Yu Xian) ️ (@evilcos) February 21, 2025
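The accounts above (signers saw a UI showing the correct address while the message they signed did something else, and the signed transaction replaced the Safe implementation contract) point to one defensive control: decode the raw payload on a path independent of the signing UI and compare it with what the signer intended. The following is an added example, not code from Bybit, Safe or SlowMist; it parses the ABI encoding of Safe's `execTransaction` call, and the addresses, payloads and helper names are constructed. Flagging `DELEGATECALL` is this example's assumption, since the page does not state the call type: a delegatecall runs the target's code against the wallet's own storage.

```python
SELECTOR = bytes.fromhex("6a761202")  # Safe execTransaction(...) selector
CALL, DELEGATECALL = 0, 1             # Safe Enum.Operation values

def u256(n: int) -> bytes:
    return n.to_bytes(32, "big")

def decode_exec_transaction(calldata: bytes) -> dict:
    """Decode to/value/data/operation from raw execTransaction calldata."""
    body = calldata[4:]
    if calldata[:4] != SELECTOR or len(body) < 10 * 32:  # ten ABI head words
        raise ValueError("not a complete Safe execTransaction call")
    word = lambda i: body[32 * i:32 * i + 32]
    offset = int.from_bytes(word(2), "big")  # start of the dynamic `data` field
    if offset + 32 > len(body):
        raise ValueError("data offset points outside the calldata")
    length = int.from_bytes(body[offset:offset + 32], "big")
    data = body[offset + 32:offset + 32 + length]
    if len(data) != length:
        raise ValueError("data length exceeds the calldata")
    return {"to": "0x" + word(0)[12:].hex(), "value": int.from_bytes(word(1), "big"),
            "data": data, "operation": int.from_bytes(word(3), "big")}

def review(calldata: bytes, intended_to: str, intended_value: int,
           delegate_allowlist: frozenset = frozenset()) -> list:
    """List every way the payload differs from what the signer meant to approve."""
    tx, findings = decode_exec_transaction(calldata), []
    if tx["to"] != intended_to.lower():
        findings.append("target differs from intended recipient")
    if tx["value"] != intended_value:
        findings.append("value differs from intended amount")
    # Allowlist entries are expected as lowercase 0x-prefixed addresses.
    if tx["operation"] == DELEGATECALL and tx["to"] not in delegate_allowlist:
        findings.append("DELEGATECALL to non-allowlisted contract")
    elif tx["operation"] not in (CALL, DELEGATECALL):
        findings.append("unknown operation code")
    return findings

def build_sample(to: str, value: int, data: bytes, operation: int) -> bytes:
    """Build constructed calldata: gas fields zero, empty signatures."""
    padded = data + b"\x00" * (-len(data) % 32)
    head = [u256(int(to, 16)), u256(value), u256(10 * 32), u256(operation)]
    head += [u256(0)] * 5 + [u256(10 * 32 + 32 + len(padded))]
    return SELECTOR + b"".join(head) + u256(len(data)) + padded + u256(0)

# Constructed placeholder addresses and payloads, not taken from the incident.
WARM_WALLET, OTHER_CONTRACT = "0x" + "11" * 20, "0x" + "22" * 20
ROUTINE = build_sample(WARM_WALLET, 10**18, b"", CALL)
SWAPPED = build_sample(OTHER_CONTRACT, 0, bytes(36), DELEGATECALL)
```

A check like this only helps if it runs on a machine other than the one rendering the signing UI, since the page describes the signers' own computers as the likely point of compromise.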
The hacker has surpassed Vitalik and the Ethereum Foundation to become the “14th largest” Ethereum holder
It is worth mentioning that, according to Coinbase executive Conor Grogan’s tweet, the amount of ETH stolen by the Bybit hackers (nearly 500,000 coins) has made them the 14th largest ETH holder globally:
The Bybit hacker (most likely North Korean) is now the 14th largest ETH holder in the world. They hold approximately 0.42% of the total supply of ETH (with a total supply of about 120 million coins), more than Fidelity and Vitalik, and even over twice what the Ethereum Foundation holds.
According to Arkham data, Ethereum founder Vitalik Buterin holds approximately 240,000 ETH, valued at around $643 million; Fidelity’s custodial wallet holds 334,000 ETH, valued at approximately $843 million; and the Ethereum Foundation’s wallet holds 223,000 ETH, valued at approximately $596 million. Interestingly, the Ethereum Foundation holds less ETH than Vitalik.
The Bybit hacker (most likely N.K.) is now the 14th largest ETH holder in the world. They hold roughly 0.42% of total supply, more than Fidelity, Vitalik, and 2x + what the Ethereum Foundation holds. pic.twitter.com/ZMGY2Bx1B3
— Conor (@jconorgrogan) February 21, 2025