Hackers breached the Bybit exchange and withdrew more than $1.4 billion in crypto funds

On February 21, 2025 at 02:16:11 PM UTC, the cryptocurrency exchange Bybit suffered a major hacker attack. The attackers gained access to one of the platform's cold wallets and withdrew 401,346 ETH, as well as 113,375,548 synthetic ETH (including 15,000 cmETH, 90,375 stETH, 8,000 mETH) and 90 USDT. At the time of the theft, the total equivalent of the stolen funds exceeded $1.4 billion USD.
In total, the stolen funds amounted to USD 1,456,318,985*
*according to coinmarketcap.com quotes at the time of the theft

AML Crypto tracks in real time how attackers are trying to launder stolen assets.
About the attack
While Bybit employees were transferring funds from a cold wallet to a hot wallet, the attackers used a sophisticated attack that disguised the transaction signing interface. As a result, the signers saw the correct destination address and a trusted URL, but in fact signed a transaction that altered the wallet's smart contract logic.

After the successful manipulation, the hackers gained full control of the Ethereum cold wallet and transferred all funds to an unknown address.
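The defence against a disguised signing interface is to check the raw transaction payload independently of whatever the UI displays. The check below is an added example (not code from Bybit, Safe or AML Crypto): it takes the fields a Safe multisig transaction carries (to, value, data, operation) and flags anything a routine cold-to-hot transfer never needs, in particular operation 1 (delegatecall), which lets a transaction run foreign code in the wallet's own storage and so change its logic. The policy, addresses and sample payloads are constructed placeholders.

```python
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1          # Safe's `operation` field values
ERC20_TRANSFER = "0xa9059cbb"      # selector of transfer(address,uint256)

@dataclass
class SafeTx:
    to: str          # target account or contract
    value: int       # ETH amount in wei
    data: str        # hex calldata, "0x" when empty
    operation: int   # 0 = CALL, 1 = DELEGATECALL

@dataclass
class TransferPolicy:
    hot_wallets: frozenset      # allowed destinations, lowercase hex
    token_contracts: frozenset  # ERC-20 contracts the cold wallet may call

def check_safe_tx(tx: SafeTx, policy: TransferPolicy) -> list:
    """Return policy violations; an empty list means the payload looks like a routine transfer."""
    findings = []
    to, data = tx.to.lower(), tx.data.lower()
    if tx.operation == DELEGATECALL:
        findings.append("operation=DELEGATECALL: runs foreign code in the Safe's own storage and can rewrite its logic")
    elif tx.operation != CALL:
        findings.append(f"unknown operation {tx.operation}")
    if data in ("", "0x"):                     # plain ETH transfer: only the destination matters
        if to not in policy.hot_wallets:
            findings.append(f"ETH destination {tx.to} is not an allowlisted hot wallet")
    else:                                      # contract call: must be an ERC-20 transfer to a hot wallet
        if to not in policy.token_contracts:
            findings.append(f"calldata sent to {tx.to}, not a known token contract")
        if data[:10] != ERC20_TRANSFER:
            findings.append(f"selector {data[:10]} is not ERC-20 transfer(address,uint256)")
        elif len(data) != 10 + 128:
            findings.append("malformed transfer calldata")
        else:
            recipient = "0x" + data[10:74][24:]  # first argument, address right-aligned in a 32-byte word
            if recipient not in policy.hot_wallets:
                findings.append(f"token recipient {recipient} is not an allowlisted hot wallet")
        if tx.value:
            findings.append("nonzero ETH value attached to a token transfer")
    return findings

# Constructed placeholders, not the real Bybit or token addresses.
HOT = "0x" + "11" * 20
TOKEN = "0x" + "22" * 20
POLICY = TransferPolicy(frozenset({HOT}), frozenset({TOKEN}))

if __name__ == "__main__":
    print(check_safe_tx(SafeTx(HOT, 10**18, "0x", CALL), POLICY))                   # []
    print(check_safe_tx(SafeTx("0x" + "33" * 20, 0, "0xdeadbeef", DELEGATECALL), POLICY))
```

A signer should run such a check on the payload shown by the hardware wallet (or exported from the transaction service) rather than on what the web UI renders, since the UI is exactly what the attack controlled.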

After the hack, the attackers moved the stolen tokens to multiple addresses.
Despite the attack, Bybit assures that the rest of the clients' assets are safe and withdrawals are working as usual. The exchange continues to investigate and take measures to prevent similar attacks in the future.
Money laundering
Graph of connections:

Legend:

⚫ - exploiter addresses (attacker)

🟣 - [13 - Bybit exchange hot wallet], [23,24,25,26 - decentralized services]

About graph of connections:

The graph of connections shows the flow of funds from the Bybit exchange address [13 - 0x1db92e2eebc8e0c075a02bea49a2935bcd2dfcf4], which was attacked, to the addresses that, at the time of writing, hold funds on their balances.

Real-time events

21.02.2025 3:44 PM UTC The co-founder and CEO of the Bybit exchange has already responded to the hack with a tweet:
The AML Crypto team has already put all the addresses of the attacker on tracking and will keep readers updated.
You can check the addresses of the fraudsters who carried out this hack and get detailed information about their activity and counterparties in 2 clicks using our Btrace solution.
Update for the evening of 2/21/2025:

21.02.2025 5:15 PM UTC Bybit CEO Ben Zhou went live on air. We analyzed his remarks; the key points are summarised below:
Introduction and Overview: Ben Zhou started the live stream by explaining the current situation and thanking the viewers for tuning in. He mentioned that Bybit is going through a very challenging time after the hack of its Ethereum wallet. The incident had occurred about two hours earlier. Ben stated that the live stream would provide updates and answer questions from the community.

How the Incident Happened:
  • ByBit uses a cold and hot wallet system for managing funds. When the balance in the hot wallet reaches a certain threshold, funds are transferred from the cold wallet to the hot wallet.
  • During a routine transfer from the cold wallet to the hot wallet, the transaction was carried out using a multisig (multi-signature) system through the Safe service. This system requires multiple signers to approve the transaction.
  • At the time of signing, Ben, being the last signer, verified the URL and destination address using the official Safe website. He also used a Ledger device to sign the transaction.
  • About 30 minutes after signing, Ben received an emergency call that the wallet had been drained — the funds were stolen.
Details of the Hack:
  • Hackers managed to manipulate the signing interface, possibly by compromising the computers of all the signers or exploiting a vulnerability in the Safe service. While Ben was confident they were using the correct URL and destination address, it’s possible that the hackers altered the transaction data at the smart contract level.
  • Ben emphasized that Ethereum uses smart contracts, which can be more vulnerable to manipulation, and this vulnerability was likely exploited in the hack of ByBit’s Ethereum wallet.
Size of the Damage:
  • Around 401,000 ETH was stolen. This affected only the Ethereum wallet, and no other assets or wallets were compromised.
  • According to Ben, other wallets holding assets like Bitcoin or USDT were not affected by this incident.
  • Despite the loss, the company is actively working to mitigate the consequences and recover the stolen funds.
Current Situation with Withdrawals:
  • ByBit continues to process withdrawal requests, but the number of requests has increased significantly over the past few hours, causing delays.
  • At the moment, withdrawals remain open, but some large requests require additional verification from the security team.
  • Importantly, despite the high load, the company is still paying out funds and overall 70% of withdrawal requests have already been processed.
Answers to Client Questions:
  • Ben guaranteed that customer funds are safe, as ByBit adheres to a 1:1 principle on reserves.
  • Ben noted that despite the theft of funds from the Ethereum wallet, the company has enough reserves to cover losses from its coffers if needed.
  • Question about possible compensation for the stolen funds: ByBit plans to reach out to partners and use its reserve fund to cover losses if the funds cannot be recovered.
Investigation and Security Measures:
  • ByBit is working with the security team and law enforcement to recover the stolen funds and find out the details of the hack.
  • An investigation is currently underway and the team is working with external specialists to trace the stolen funds and possibly recover them through centralised exchanges or other channels.
  • Ben said ByBit's security team is scrutinising all other wallets to make sure there are no other vulnerabilities. So far, only the Ethereum wallet has been compromised.
Recovery Efforts and Security Enhancements:
  • To address the liquidity issue with Ethereum, ByBit is securing a bridge loan from partners to cover the deficit and ensure the continuation of withdrawals.
  • Ben clarified that ByBit is not buying Ethereum on the market but is relying on bridge loans to resolve the liquidity crunch.
  • Additionally, ByBit is working with the Safe team to understand what happened and identify any weaknesses in their security protocols.
Follow-up on Client Questions:
  • Ben responded to concerns about whether ByBit would be able to recover the stolen Ethereum. He confirmed that the company is actively working with partners and authorities to track and recover the stolen funds. However, the amount is large, and the recovery may take time.
  • Withdrawals for tokens other than Ethereum are unaffected, and all other services are functioning as usual.
Conclusion:
  • Despite the hack, Ben Zhou reassured the community that ByBit will continue operating, and clients’ funds will be protected. He thanked partners and clients for their support and assured everyone that ByBit is committed to transparency and restoring trust.
  • The company is investigating the incident, and more updates will be provided as the situation unfolds.
  • ByBit plans to conduct a thorough review of its security procedures and implement necessary improvements to prevent such incidents in the future.
Arkham Intelligence has announced the launch of a reward programme for researchers aimed at enlisting help in the investigation into the massive hack of cryptocurrency exchange Bybit. The size of the reward was ARKM 50,000 (about $32,000).
Link: https://x.com/arkham/status/1892975780218409203

Some time later, the analyst ZachXBT presented his version of events, providing Arkham with a report including:
  • Analysis of test transactions and linked wallets.
  • Forensic data and timestamps.

Arkham Intelligence found ZachXBT's arguments convincing and proven, declaring him the winner of the reward programme. The information provided has been passed on to the Bybit team for further investigation.

The possible involvement of the Lazarus Group hacker group in the attack has been highlighted as a key element of the investigation, but final conclusions require further verification.