Event chronology

2025-02-21 at 17:15 A post with a live broadcast was [published] on the official Bybit X page, in which Bybit CEO Ben Zhou comments on the situation.

Introduction and Overview:
Ben Zhou started the live stream by explaining the current situation and thanking the viewers for tuning in. He mentioned that ByBit is going through a very challenging time after the hack of their Ethereum wallet. The incident occurred about two hours ago. Ben stated that the live stream would provide updates and answer questions from the community.

How the Incident Happened:
- ByBit uses a cold and hot wallet system for managing funds. When the balance in the hot wallet reaches a certain threshold, funds are transferred from the cold wallet to the hot wallet.
- During a routine transfer from the cold wallet to the hot wallet, the transaction was carried out using a multisig (multi-signature) system through the Safe service. This system requires multiple signers to approve the transaction.
- At the time of signing, Ben, being the last signer, verified the URL and destination address using the official Safe website. He also used a Ledger device to sign the transaction.
- About 30 minutes after signing, Ben received an emergency call that the wallet had been drained — the funds were stolen.

Details of the Hack:
- Hackers managed to manipulate the signing interface, possibly by compromising the computers of all the signers or exploiting a vulnerability in the Safe service. While Ben was confident they were using the correct URL and destination address, it’s possible that the hackers altered the transaction data at the smart contract level.
- Ben emphasized that Ethereum uses smart contracts, which can be more vulnerable to manipulation, and this vulnerability was likely exploited in the hack of ByBit’s Ethereum wallet.

Size of the Damage:
- Around 401,000 ETH was stolen. This affected only the Ethereum wallet, and no other assets or wallets were compromised.
- According to Ben, other wallets holding assets like Bitcoin or USDT were not affected by this incident.
- Despite the loss, the company is actively working to mitigate the consequences and recover the stolen funds.

Current Situation with Withdrawals:
- ByBit continues to process withdrawal requests, but the number of requests has increased significantly over the past few hours, causing delays.
- At the moment, withdrawals remain open, but some large requests require additional verification from the security team.
- Importantly, despite the high load, the company is still paying out funds and overall 70% of withdrawal requests have already been processed.

Answers to Client Questions:
- Ben guaranteed that customer funds are safe, as ByBit adheres to a 1:1 principle on reserves.
- Ben noted that despite the theft of funds from the Ethereum wallet, the company has enough reserves to cover losses from its coffers if needed.
- Question about possible compensation for the stolen funds: ByBit plans to reach out to partners and use its reserve fund to cover losses if the funds cannot be recovered.

Investigation and Security Measures:
- ByBit is working with the security team and law enforcement to recover the stolen funds and find out the details of the hack.
- An investigation is currently underway and the team is working with external specialists to trace the stolen funds and possibly recover them through centralised exchanges or other channels.
- Ben said ByBit's security team is scrutinising all other wallets to make sure there are no other vulnerabilities. So far, only the Ethereum wallet has been compromised.

Recovery Efforts and Security Enhancements:
- To address the liquidity issue with Ethereum, ByBit is securing a bridge loan from partners to cover the deficit and ensure the continuation of withdrawals.
- Ben clarified that ByBit is not buying Ethereum on the market but is relying on bridge loans to resolve the liquidity crunch.
- Additionally, ByBit is working with the Safe team to understand what happened and identify any weaknesses in their security protocols.

Follow-up on Client Questions:
- Ben responded to concerns about whether ByBit would be able to recover the stolen Ethereum. He confirmed that the company is actively working with partners and authorities to track and recover the stolen funds. However, the amount is large, and the recovery may take time.
- Withdrawals for tokens other than Ethereum are unaffected, and all other services are functioning as usual.

Conclusion:
- Despite the hack, Ben Zhou reassured the community that ByBit will continue operating, and clients’ funds will be protected. He thanked partners and clients for their support and assured everyone that ByBit is committed to transparency and restoring trust.
- The company is investigating the incident, and more updates will be provided as the situation unfolds.
- ByBit plans to conduct a thorough review of its security procedures and implement necessary improvements to prevent such incidents in the future.

Number of attacker addresses at the moment: 44

API to get blacklist: https://btrace.amlcrypto.io/api/v2/­bybit_blacklist

Ben Zhou Live Stream

The interview not only detailed the steps taken to manage the crisis but also revealed the personal toll the incident has taken on Zhou, who confessed that the past few days have been some of the most stressful of his life.

Immediate Reaction and Crisis Management
Questions:
- What was your immediate reaction to the news of the hack?
- How have you been handling the stress and managing the situation?
Answers:
- Zhou emphasized that his first reaction was to mitigate the damage and keep the company's operations open to maintain client trust. He deliberately avoided halting withdrawals to prevent panic among users.
- In managing stress, Zhou noted that personal circumstances cause him more stress than professional ones, highlighting his commitment to maintaining balance and resilience during crisis periods.

Financial Stability and Transparency
Questions:
- How does ByBit plan to cover the financial losses?
- What steps have you taken to ensure transparency towards your clients and the public?
Answers:
- Zhou assured that ByBit has sufficient funds to cover the losses, underscoring the company's financial stability.
- He has actively engaged with the public through social media and other communication channels, demonstrating openness and transparency in crisis management.

Enhancing Technical Security
Questions:
- What lessons has ByBit learned from this hack in terms of security?
- What technical changes are planned to prevent future hacks?
Answers:
- Zhou confirmed that the company will strengthen security measures, including the development of proprietary solutions for managing cryptocurrency wallets.
- Plans are in place to enhance security systems and infrastructure to ensure a higher level of asset protection for clients.

Personal Reflections and Future Outlook
Questions:
- What personal lessons and insights have you gained from this experience?
- How does this impact your vision for the future of cryptocurrencies and ByBit?
Answers:
- Zhou spoke about the importance of managing a crisis with professionalism and dignity, aiming to use this experience to improve corporate standards and practices.
- He expressed confidence that such challenges strengthen the industry and contribute to the development of more secure and robust technologies.

API for getting the blacklist: https://btrace.amlcrypto.io/api/v2/­bybit_blacklist

FBI Confirmation: The U.S. Federal Bureau of Investigation has officially stated that North Korea is responsible for the Bybit hack, which resulted in the theft of approximately $1.5 billion in cryptocurrency (mostly Ethereum). The FBI links the attack to the Lazarus Group, a hacking group known for its cybercrimes.

Bybit Initiative: Bybit CEO Ben Zhou announced a $140 million reward program aimed at encouraging the crypto community to help track and freeze the stolen assets. On Bybit’s dedicated website, progress has already been reported: part of the funds have been frozen, and some exchanges and participants have been rewarded for their assistance.

Investigation and Findings: Forensic analysis revealed that the hack did not occur due to vulnerabilities in Bybit’s systems, but rather through the compromise of Safe{Wallet} infrastructure, which Bybit uses for multi-signature wallets. Hackers injected malicious code into Safe's servers, enabling them to redirect funds during a scheduled transfer from cold storage to hot wallets.

Market Reaction: The hack has led to panic-driven withdrawals from cryptocurrency exchanges, totaling more than $4.3 billion, and has exacerbated the exodus of stakers from centralized platforms like Bybit. This is seen as a blow to confidence in institutional staking.

Movement of Funds: The hackers have already laundered around $335 million of the stolen assets (approximately one-third of the total amount) using decentralized exchanges and cross-chain bridges. The remaining funds (about $900 million) are still on addresses controlled by the perpetrators.

Regulatory Actions: The FBI has urged crypto node operators and exchanges to block transactions associated with the hackers' addresses to prevent further money laundering.

API for getting the blacklist: https://btrace.amlcrypto.io/api/v2/­bybit_blacklist

Thorchain is a decentralized cross-chain platform enabling direct cryptocurrency swaps between different blockchains without intermediaries (DEX). Instead of relying on centralized exchanges, Thorchain claims to use its proprietary protocol for secure and efficient asset exchanges.

🌐 How does it work?

Thorchain allows users to swap assets like Bitcoin, Ethereum, BNB, and others without centralized exchanges. Instead, it uses RUNE* — the native token that ensures liquidity.

*RUNE in Thorchain acts as the mediator in every swap, linking assets in liquidity pools. The token also secures the network through node operator obligations and participates in governance. Users don’t need to hold RUNE — swaps occur automatically via pools.

💡 Key Facts:

- Founded in 2018, mainnet launched in 2022. In 2021, it suffered a $7.6 million hack — losses were fully compensated.
- After the ByBit hack in February 2025, the volume of exchanges increased several times.
- January 25, 2025: Paused BTC and ETH lending due to debt to prevent insolvency and restructure protocol liabilities.

API for getting the blacklist: https://btrace.amlcrypto.io/api/v2/­bybit_blacklist

Ben Zhou, CEO of Bybit, shared important information on the progress of the $1.4 billion theft investigation, including over 500,000 ETH stolen from the platform. According to him, the current status is as follows:

• 77% of the stolen funds are traceable.
• 20% of the funds have gone dark and are no longer traceable.
• 3% of the funds have been frozen.

Key points:

• 83% of the funds, totaling 417,348 ETH (~$1 billion), were converted into BTC across 6,954 wallets (an average of 1.71 BTC per wallet). This and the coming week are critical for freezing the funds as they begin to clear through exchanges, OTC, and P2P platforms.
• 72% of the converted ETH (361,255 ETH or $0.9B) was transferred via ThorChain, which we can trace.
• 16% of the funds (79,655 ETH) went dark via ExCH, and Bybit is still awaiting a response from the service.
• 8% of the funds (40,233 ETH or $100M) were routed through the OKX Web3 proxy, of which 16,680 ETH can be traced, while 23,553 ETH (~$65M) remain untraceable.

Bounty Program Updates:

• 11 participants helped freeze funds, with the top 3 players being Mantle, Paraswap, and ZachXBT.
• $2,178,797 USDT has been paid out to 11 bounty hunters.

Full details are available on LazarusBounty.com.

API for getting the blacklist: https://btrace.amlcrypto.io/api/v2/­bybit_blacklist

On February 21, 2025, the cryptocurrency exchange Bybit fell victim to the largest hack in the history of crypto, amounting to $1.4 billion. This incident was a true test for Ben Zhou, CEO and co-founder of Bybit, who found himself at the center of a crisis requiring immediate decisions and a swift response. Such situations can either strengthen or damage a leader’s reputation. Here’s how Bybit and Ben Zhou tackled this challenge:

• Immediate Response: Upon learning of the hack, Ben Zhou took charge right away and began responding within 30 minutes. He actively used his X account and organized a two-hour live stream, providing real-time updates and reassuring users.
• Platform Continuity: Despite the crisis, Bybit continued to offer its services, including withdrawals, processing more than 350,000 requests within the first 12 hours after the hack.
• Securing Emergency Funding: The exchange secured emergency funding and successfully replenished its asset reserves, maintaining a 1:1 ratio to protect customer funds.
• Industry Support: In response to the incident, competing cryptocurrency exchanges and other industry players joined forces with Bybit, identifying and blocking hacker addresses, and helping to prevent further movement of the stolen funds.
• Independent Audit: To ensure transparency and financial stability, Bybit enlisted Hacken to conduct a reserves audit, confirming that all assets were fully backed 1:1.
• Collaboration with Law Enforcement: In response to the incident, Bybit actively collaborated with law enforcement, which helped provide a swift and effective response to the breach.
• Ben Zhou’s Response: Ben Zhou not only responded swiftly to the hack but also actively shared information with users and investors, building their trust.
• User Support: Within 12 hours of the hack, more than 350,000 withdrawal requests were processed, and the exchange continued to operate normally, providing users access to their assets.

Ben Zhou, co-founder and CEO of Bybit, previously worked in the financial sector, and in 2018, he founded Bybit, which quickly became one of the world’s largest cryptocurrency platforms. His experience in the financial industry helped him navigate the crisis, but the hack incident has undoubtedly been an important lesson for the entire industry.

This situation highlights the importance of crisis management, constant readiness for attacks, and the need for transparency and cooperation between platforms, analytics firms, and law enforcement agencies in handling major incidents.

The information is based on an article on Cointelegraph, thanks to the author for providing the data. The full version and all details can be found at this link.

API for getting the blacklist: https://btrace.amlcrypto.io/api/v2/­bybit_blacklist