The world-renowned cryptocurrency exchange Bybit recently suffered a large-scale hack in which funds were stolen from its ETH cold wallet, with a loss of up to $1.46 billion. This incident has become the largest single theft in the history of the crypto industry. Bybit was founded in 2018 and is headquartered in Dubai, UAE. It has more than 60 million users worldwide and is one of the top three cryptocurrency exchanges in the world by trading volume, with an average daily trading volume of more than $36 billion. Before this theft, its platform assets were approximately $16.2 billion. There have since been new developments in the incident. This article focuses on the latest of them and provides an in-depth analysis.

On February 21, an abnormality occurred in Bybit's Ethereum cold wallet during a routine transfer. The transfer was originally part of a plan to move ETH from an ETH multi-signature cold wallet to a hot wallet, but the transaction was manipulated through a complex attack. By tampering with the smart contract logic and disguising the signing interface, the hacker gained control of the ETH cold wallet and transferred out more than 400,000 ETH and stETH. Currently, more than 40 addresses have received the stolen ETH, and some funds are being split further to avoid tracking. This is the largest hack in the history of cryptocurrency, exceeding the 2022 Ronin Bridge attack (US$620 million) and the 2021 Poly Network incident (US$611 million).

Bybit said that the remaining cold wallets were not affected, that customer assets are still fully backed at a 1:1 ratio, and that the exchange has sufficient solvency. Even if the losses cannot be recovered, operations will not be affected. Bybit is currently investigating together with its blockchain security team and external forensics experts, and welcomes assistance from the global security community in tracking the stolen funds.

On-chain analysis shows that the hackers have split some of the stolen ETH and dispersed it across multiple wallets. According to investigator ZachXBT's monitoring, 10,000 ETH (about 30 million US dollars) has been distributed to 48 different addresses. No obvious cash-out path has been found so far, and the hackers are trying to launder funds through Tornado Cash or cross-chain bridges.

After nearly $1.5 billion was stolen, Bybit CEO Ben Zhou said the withdrawal system has fully returned to normal. According to Ember's monitoring, many institutions and individuals have provided loan support to Bybit, totaling about 120,000 ETH, worth about $321 million. Among them, Bitget provided 40,000 ETH in loans (worth $105.9 million), which were transferred directly to Bybit's cold wallet address; a MEXC hot wallet transferred 12,652 stETH (about $33.75 million) to Bybit's cold wallet. Beyond the institutions that provided funds, OKX added the Bybit hacker to its blacklist and also stated that it could provide security and liquidity support for Bybit; HashKey supported Bybit and said that it believed the security incident would be properly resolved; BitMart froze the hacker's address, and its founder Sheldon said that Bybit would provide support if needed; Justin Sun, global consultant of Huobi HTX and founder of TRON, promised to help track funds; JuCoin provided 1,000 BTC in industry co-construction funds and technical support for the Bybit security incident.

On February 23, after suffering the largest hack in cryptocurrency history, Bybit faced a "bank run" of more than $4 billion as users withdrew their money in panic. On February 24, however, Bybit made progress on several key fronts. Through multi-party coordination, Bybit solved the liquidity problem and restored full withdrawal functionality. At the same time, Bybit has recovered 447,000 ETH through various channels, almost making up for the funding gap caused by the hack. In addition, Bybit announced that 15,000 cmETH have been successfully recovered by the mETH Protocol team. BeosinTrace tracked that the new address of the Bybit hacker began to transfer assets at 14:52:59 on February 24, and the old address also transferred out all of its assets afterwards. BeosinKYT tagged these addresses and found that the hacker's preferred laundering channel was THORChain. In addition, the Bybit hacker is selling ETH for DAI through multiple DEXs. Arkham Intelligence's analysis pointed out that the Bybit hackers may be laundering money manually, taking a fixed 15-minute break every hour.

On February 25, the incident developed further. The Bybit hackers have laundered 100,000 ETH, accounting for 20% of the stolen ETH. The good news, however, is that Bybit has transferred 40,000 ETH back to Bitget to repay the previous loan. In addition, Bybit's CEO revealed that the exchange has returned to 1:1 rigid redemption and will soon launch a website showing the flow of the stolen funds so that users can track their movement. Bybit also released a blacklist wallet API to assist in the recovery plan, aiming to further combat the hackers' activity and maintain platform security.

After preliminary analysis, the attack method is extremely complex. The attacker very likely exploited a vulnerability in the signing process of the Bybit multi-signature cold wallet, and successfully tricked the multi-signature owner into signing a malicious transaction by disguising the transaction interface and replacing the Safe implementation contract. Just as in the attack in October last year, the attacker may also have used social engineering methods, such as hacking into the signer's computer or tampering with the intermediate communication link, to replace normal transaction requests with malicious transactions and cause the signer to lower his guard. The malicious contract also uses the DELEGATECALL instruction, which may allow malicious code to be executed in the context of the multi-signature wallet, thereby modifying the contract logic and carrying out the fund transfer.
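A pre-signing check of the kind this analysis points to, as an added example that is not Bybit's or Safe's own code: it decodes Safe `execTransaction` calldata independently of the signing interface and flags a DELEGATECALL operation or any mismatch with the intended transfer. The addresses, the inner payload bytes and the helper `build_sample` are constructed for illustration, and the policy assumes the intended transaction is a plain ETH send.

```python
# Added example: review Safe execTransaction calldata before a signer approves it.
SELECTOR = bytes.fromhex("6a761202")  # Safe execTransaction(...) function selector
CALL, DELEGATECALL = 0, 1             # Safe Enum.Operation values

def decode_exec_transaction(calldata: bytes) -> dict:
    """Decode the to/value/data/operation fields from the ABI-encoded call."""
    if calldata[:4] != SELECTOR:
        raise ValueError("not a Safe execTransaction call")
    args = calldata[4:]
    if len(args) < 10 * 32:
        raise ValueError("truncated argument head")
    word = lambda i: args[32 * i:32 * (i + 1)]
    off = int.from_bytes(word(2), "big")          # offset of the dynamic `data`
    size = int.from_bytes(args[off:off + 32], "big")
    inner = args[off + 32:off + 32 + size]
    if off + 32 > len(args) or len(inner) != size:
        raise ValueError("truncated inner data")
    return {"to": "0x" + word(0)[12:].hex(), "value": int.from_bytes(word(1), "big"),
            "data": inner, "operation": int.from_bytes(word(3), "big")}

def review(calldata, expected_to, expected_value, delegatecall_allowlist=frozenset()):
    """Return findings for a transfer that should be a plain ETH send."""
    tx, findings = decode_exec_transaction(calldata), []
    if tx["operation"] == DELEGATECALL and tx["to"] not in delegatecall_allowlist:
        findings.append("DELEGATECALL to non-allowlisted target")
    elif tx["operation"] not in (CALL, DELEGATECALL):
        findings.append("unknown operation value")
    if tx["to"] != expected_to.lower():
        findings.append("recipient differs from intended hot wallet")
    if tx["value"] != expected_value:
        findings.append("value differs from intended amount")
    if tx["data"]:
        findings.append("unexpected inner calldata for a plain transfer")
    return findings

def build_sample(to, value, data, operation):
    """Construct test calldata (illustrative only; gas fields and signatures zeroed)."""
    padded = data + bytes(-len(data) % 32)
    head = [bytes.fromhex(to[2:]).rjust(32, b"\0"), value.to_bytes(32, "big"),
            (320).to_bytes(32, "big"), operation.to_bytes(32, "big")]
    head += [bytes(32)] * 5 + [(320 + 32 + len(padded)).to_bytes(32, "big")]
    return SELECTOR + b"".join(head) + len(data).to_bytes(32, "big") + padded + bytes(32)

HOT_WALLET = "0x" + "11" * 20        # constructed address
UNKNOWN_CONTRACT = "0x" + "22" * 20  # constructed address
benign = build_sample(HOT_WALLET, 10**18, b"", CALL)
suspicious = build_sample(UNKNOWN_CONTRACT, 0, b"\xde\xad\xbe\xef" + bytes(64), DELEGATECALL)

if __name__ == "__main__":
    print(review(benign, HOT_WALLET, 10**18))
    print(review(suspicious, HOT_WALLET, 10**18))
```

Entries in `delegatecall_allowlist` must be lowercase hex addresses, since decoded targets are compared in that form.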

From the perspective of the exchange's own characteristics, centralized exchanges, as centralized custodians of user funds, inherently carry the risk of a "single point of failure" and easily become the focus of hacker attacks. As early as 2020, Bybit CEO Ben Zhou publicly acknowledged this inherent vulnerability of CEXs.

As for the external environment, the overall cryptocurrency market showed a recovery trend in February 2025, and the price of ETH continued to rise, which may have strengthened hackers' motivation to steal. In addition, other crypto platforms such as ZkLend have also been attacked recently, which indirectly suggests that the security environment of the entire industry may be deteriorating.

The theft of $1.5 billion from the Bybit exchange is the largest single loss of funds in the cryptocurrency industry, and it has sounded a piercing alarm about the security risks of centralized exchanges. The hackers planned carefully and combined technical vulnerabilities with social engineering methods to break through the exchange's security defenses, causing Bybit to suffer huge economic losses and plunging the entire industry into a crisis of trust.

However, in the face of this sudden security incident, Bybit responded quickly and remained relatively open and transparent in the process, which greatly alleviated the anxiety in the market. Peers have lent a hand and security agencies have actively provided support, which undoubtedly demonstrates the solidarity of the cryptocurrency community and also allows us to see the maturity and strong resilience of the crypto field in the face of crisis.

Looking ahead, this incident is very likely to become an opportunity for a comprehensive upgrade in the security field of the cryptocurrency industry. Centralized exchanges must continue to increase their investment in technical security and comprehensively improve the security protection capabilities of key links such as multi-signature wallets, smart contracts, and internal risk control. Regulators may also take this opportunity to further strengthen compliance supervision of CEX and promote the industry to develop in a healthier and more orderly direction. For the majority of users, this incident once again clearly warns that asset security is always the core concern of participating in the cryptocurrency market. Reasonable risk diversification and prudent selection of safer asset custody solutions have become key factors that users must pay attention to in cryptocurrency investment.