Overview
Bybit experienced a significant security breach in which hackers gained control over a multisignature Ethereum cold wallet, stealing approximately 400,000 ETH, valued at around $1.4 billion. Following confirmation of the breach by Bybit CEO Ben Zhou, Ethereum’s price declined by 3%.
In response to the Bybit hack, the company has assured users that all customer funds remain secure and platform operations continue uninterrupted. It is actively investigating the breach and working with experts to trace and recover the stolen assets.
Details of Bybit Hack
Bybit, a leading cryptocurrency exchange, experienced a significant security breach resulting in the theft of approximately $1.4 billion worth of Ethereum (ETH). The stolen assets included liquid-staked Ether (stETH), Mantle Staked ETH (mETH), and other ERC-20 tokens.
Ben Zhou promptly confirmed the breach through his official X account, assuring users in a tweet that all customer funds remain secure and that client assets are backed on a 1:1 basis. He emphasized that the platform’s operations continue uninterrupted and that the company is collaborating with blockchain experts to trace and recover the stolen assets.
How the Breach Occurred
Bybit’s recent security breach was not just another crypto hack, it was a highly sophisticated attack that exploited vulnerabilities in the exchange’s multisignature Ethereum cold wallet. The breach, which led to the theft of approximately $1.4 billion worth of ETH and ERC-20 tokens, was carried out through a cleverly disguised manipulation of smart contract logic.
Bybit CEO Ben Zhou explained that the incident occurred when the exchange’s Ethereum multisig cold wallet; a highly secure offline storage method, executed a transfer to its hot wallet. Hot wallets, being connected to the internet, are more commonly used for user transactions but are also more vulnerable to attacks.
Zhou further detailed in a tweet that the attack was highly sophisticated, as the hacker manipulated the transaction by altering the underlying smart contract logic. While the signing interface displayed a legitimate destination address, the actual transaction was redirected elsewhere, allowing the hacker to seize control of the cold wallet and transfer funds to an unidentified address.
According to blockchain security firm SlowMist, the attack began with the deployment of a malicious contract on February 19, 2025. On February 21, at 14:13:35 UTC, the attacker used three multisig owner signatures, enough to approve changes, to replace the legitimate Safe implementation contract with their own malicious version.
SlowMist’s analysis revealed that the hacker exploited DELEGATECALL, embedding a hidden upgrade function that enabled them to execute sweepETH and sweepERC20 functions, draining the wallet of its holdings.
Stolen Assets
The attack led to the theft of approximately $1.4 billion in digital assets, including liquid-staked Ether (stETH), Mantle Staked ETH (mETH), and other ERC-20 tokens.
The exploit was identified shortly after it occurred, with on-chain security analyst ZachXBT urging the crypto community to blacklist the hacker’s wallet addresses to prevent further movement of stolen funds.
The hacker’s primary address, identified as “0x47666..”, has been traced, revealing that over $1 billion worth of ETH (approximately 400,000 ETH) has already been moved to new wallets.
According to blockchain monitoring firm EmberCN, the stolen assets were dispersed across 49 different addresses, with each receiving 10,000 ETH. This tactic is commonly used by hackers to obscure the movement of funds and evade tracking efforts.
Market Impact
The security breach at Bybit has had a noticeable impact on the cryptocurrency market, particularly Ethereum. Following the incident, Ethereum (ETH) dropped approximately 6% as investors reacted to the news, leading to increased volatility.
Adding to concerns, the hackers are attempting to unstake 15,000 cmETH, a process that requires an 8-hour waiting period before the funds become available. This move indicates that the stolen assets are actively being moved and potentially liquidated.
Additionally, 200 million stETH have already been sold, further contributing to selling pressure. stETH, a cryptocurrency token representing staked Ether, is typically locked in smart contracts for an extended period to secure the network in exchange for staking rewards. The mass liquidation of these assets could exert additional downward pressure on ETH’s price.
Blockchain research firm Arkham Intelligence has confirmed the significant outflows from Bybit, stating on X (formerly Twitter) that “funds have started moving to new addresses and are being sold.”
Beyond price fluctuations, the breach has also triggered heightened activity among Bybit users, with a substantial number withdrawing funds from the platform due to security concerns. This shift in user behavior underscores the broader impact security incidents can have on investor confidence and market stability.
Ongoing Investigation
Bybit has launched an extensive investigation to track down the perpetrators behind the $1.4 billion security breach and recover the stolen funds. The exchange is working closely with blockchain security experts and forensic analysts to dissect the attack, determine vulnerabilities, and prevent similar incidents in the future.
Bybit CEO Ben Zhou has reassured users that all customer funds remain unaffected, emphasizing that the platform continues to function normally. He reiterated the company’s commitment to transparency and user security, acknowledging the seriousness of the breach while ensuring that necessary measures are in place.
The broader crypto community has also stepped in. Binance founder Changpeng Zhao (CZ) recommended that Bybit temporarily halt withdrawals as a precautionary measure. Offering Binance’s assistance, CZ stated, “Might suggest to halt all withdrawals for a bit as a standard security precaution. Will provide any assistance if needed.”
Additionally, Arkham Intelligence initially announced a 50,000 ARKM bounty to help identify those responsible for the hack. In a major breakthrough, blockchain investigator ZachXBT submitted definitive proof that the attack was carried out by the Lazarus Group. According to Arkham, ZachXBT’s submission included a detailed analysis of test transactions and connected wallets used before the exploit, along with forensic graphs and timing analyses.
Ben Zhou has been issuing regular updates across its official channels, keeping users informed about the investigation’s progress and new security enhancements. This incident highlights the persistent risks in digital asset security and serves as a critical reminder for exchanges and users alike to stay vigilant against evolving threats.
Bottom Line
Bybit’s $1.4 billion hack shakes trust in crypto exchange security, leading to a dip in Ethereum and Bitcoin prices. The breach adds to growing concerns over asset safety in the industry. It may push for stricter security measures and oversight.
