25.02.2025
Mirjan Hipolito
Cryptocurrency and stock expert

Inside the Bybit hack: A timeline of events and consequences

Largest crypto exchange hack: Bybit's $1.4 billion cold wallet breach

February 21, 2025 – a day the crypto community will not forget. One of the largest cryptocurrency exchanges, Bybit, fell victim to a daring cyberattack, resulting in the theft of 401,346 ETH (approximately $1.4 billion). This hack became the largest in crypto history, surpassing even the infamous Mt. Gox breach.

How did it happen?

Bybit uses various types of wallets for fund storage: hot wallets for operational transactions and cold wallets for long-term storage. Periodically, the exchange's team rebalances assets between them. On February 21, 2025, such a routine operation took place, but this time, all funds from Bybit’s cold wallet were illicitly withdrawn.

The cold wallet address used a multisignature (multisig) system, meaning multiple keyholders had to sign off on each transaction. To enhance security, the keys were distributed among different individuals, and the wallet was managed via the Safe interface. Gnosis Safe (now Safe) is a widely used multisig wallet designed for the secure storage and management of crypto assets.

For a transaction to be executed from this wallet, at least three of the six signers had to approve it. As per standard procedure, three participants signed the transfer transaction through the Safe website interface and confirmed it on their respective devices. However, the transaction that was ultimately broadcast to the blockchain was not the one shown in the Safe interface.

This deceptive maneuver allowed the hackers to seize control of Bybit’s cold wallet. It is highly likely that a visual spoofing attack was carried out on the web interface during the transaction approval process, demonstrating the attackers’ high level of technical sophistication.
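An added example, not from the article or from Safe's or Bybit's code: a sketch of the independent check each signer can run, comparing the payload their device is asked to sign against the transaction shown in the interface and against a rebalancing policy. The field names follow Safe's transaction struct; the addresses, signer names, allowlist and helper functions are constructed for illustration.

```python
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1   # values of the `operation` field in a Safe transaction
THRESHOLD = 3               # the article's 3-of-6 policy
OWNERS = {f"signer{i}" for i in range(1, 7)}

# Constructed sample addresses, not real ones.
HOT_WALLET = "0x" + "11" * 20
UNKNOWN = "0x" + "99" * 20
ALLOWED_DESTINATIONS = {HOT_WALLET}

@dataclass(frozen=True)
class SafeTx:
    to: str
    value: int              # amount in wei
    data: bytes             # calldata; empty for a plain ETH transfer
    operation: int

def mismatches(shown, payload):
    """Fields where the payload on the signing device differs from what the UI showed."""
    return [f for f in ("to", "value", "data", "operation")
            if getattr(shown, f) != getattr(payload, f)]

def policy_violations(payload):
    """Checks a plain ETH rebalancing transfer must pass, whatever the UI displayed."""
    problems = []
    if payload.to.lower() not in ALLOWED_DESTINATIONS:
        problems.append("destination not allowlisted")
    if payload.operation != CALL:
        problems.append("operation is not a plain call")
    if payload.data:
        problems.append("unexpected calldata")
    return problems

def approve(shown, payloads_by_signer):
    """Count an approval only from an owner whose own device payload passes both checks."""
    valid = sorted(s for s, p in payloads_by_signer.items()
                   if s in OWNERS and not mismatches(shown, p) and not policy_violations(p))
    return len(valid) >= THRESHOLD, valid

# Constructed scenario: the UI shows a 1 ETH transfer to the hot wallet,
# but one signer's device receives a different payload.
SHOWN = SafeTx(HOT_WALLET, 10**18, b"", CALL)
TAMPERED = SafeTx(UNKNOWN, 0, b"\x12\x34", DELEGATECALL)

if __name__ == "__main__":
    print(mismatches(SHOWN, TAMPERED), policy_violations(TAMPERED))
    print(approve(SHOWN, {"signer1": SHOWN, "signer2": SHOWN, "signer3": TAMPERED}))
```

The threshold only adds protection when each signer checks the raw payload on their own device; three approvals that all rely on the same web interface share a single point of failure.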

What happened to Ethereum?

Bybit’s losses had an immediate impact on the price of ETH. Ethereum plummeted by 8%, dropping below $2,600 and triggering a wave of liquidations among leveraged traders. Market panic intensified as rumors spread about potential security vulnerabilities at other exchanges. However, unlike FTX’s collapse, the crypto market responded with caution rather than total devastation.

A helping hand: How crypto exchanges and projects reacted

The crypto industry, including competing platforms, swiftly rallied to assist Bybit in recovering lost assets and ensuring the seamless processing of withdrawal requests. Within seven hours, the exchange secured emergency funding amounting to $172.5 million from crypto platforms such as Bitget, Binance, and MEXC. The most significant contribution came from Bitget, which transferred 40,000 ETH (approximately $105 million) to bolster Bybit’s liquidity reserves.

Despite the substantial losses, Bybit reassured users that their funds remained secure. The exchange tapped into its reserves to cover the missing assets and even announced a $140 million reward for information leading to the identification of the hackers.

By the evening of February 23, coordinated efforts across the crypto community had resulted in the freezing of nearly $43 million in stolen funds. According to an official post on X, major stablecoin issuers Tether (USDT) and Circle (USDC) participated in the asset freeze, alongside exchanges such as Bitget and CoinEx. Additionally, blockchain project teams from THORChain, AVAX, ChangeNOW, and FixedFloat joined the initiative to block suspicious transactions.

This significantly limited the hackers’ options for cashing out their stolen crypto. Unlike Bitcoin and Ethereum, which cannot be censored or frozen in noncustodial wallets, stablecoins like USDT and USDC come with built-in freeze mechanisms. This forced the attackers to seek alternative ways to launder their funds, likely converting them into less-regulated cryptocurrencies.

At present, Bybit has fully replenished the stolen assets—nearly $1.4 billion in cryptocurrency. According to Bybit CEO Ben Zhou, the exchange has returned to full 1:1 coverage of client funds and is preparing to publish an official report confirming this.

What’s next?

The story of this hack is far from over. Leading analysts suggest that the attack may have been orchestrated by the North Korean hacker group Lazarus, notorious for its exploits against crypto projects. Experts are also considering the possibility of a white-hat operation—an ethical counterattack aimed at recovering the stolen assets.

Given the transparent nature of blockchain transactions, there is hope that ongoing community efforts will eventually lead to crucial clues and, ultimately, the apprehension of those responsible.

While the breach was undoubtedly a major blow, Bybit’s rapid response and open communication have demonstrated resilience in the face of adversity. Bybit faced the largest hack in crypto history but managed to set a new precedent for crisis management.

Rather than halting operations and freezing user assets, the exchange continued to function as usual. Instead of remaining silent, its leadership opted for transparency, keeping users informed throughout the ordeal. Moreover, Bybit actively collaborated with competitors to resolve the crisis.

This case will likely serve as a foundational reference for future best practices in securing digital assets in an era where cyber threats are becoming increasingly sophisticated.
