
On February 21, 2025, the Bybit crypto exchange was hit by an attack in which 70% of its Ethereum assets (400,000 ETH) were stolen. The company's CEO, Ben Zhou, confirmed the hack, and cybersecurity experts attribute the $1.4 billion attack to the Lazarus group.

After the hack, the attackers scattered the funds across dozens of wallets. The Bybit team says that only one cold wallet was hacked and that other assets were not affected.

Bybit employees were conducting a planned fund transfer when a hacker took control of a cold wallet by altering its interface, Ben Zhou said. He added that the exchange’s other cold wallets remain secure and all transactions are running smoothly, and he asked the community for help in finding the stolen assets.

ZachXBT was the first to notice the anomalous activity in Bybit wallets, noting the transfer of large amounts at 18:20 Kyiv time. Ben Zhou, the exchange’s CEO, later confirmed that a hack had occurred, explaining that the hackers used a sophisticated transaction substitution method that allowed them to take possession of the assets.

Unlike typical attacks that rely on password theft or server compromise, this time the attackers targeted Bybit’s transaction confirmation mechanism itself. Large assets on exchanges are typically stored in multi-signature wallets, where multiple people need to confirm a transfer.

The hackers replaced the interface used by signatories when confirming transactions. Visually, everything looked like a normal transfer: the correct recipient address and the familiar Safe (formerly Gnosis Safe) interface, but in reality, the signature gave the attackers full control over the wallet.

Once they gained access, the hackers quickly transferred the funds to an unknown address and began spreading them across the network. According to on-chain analysts, more than 20 wallets have already received some of the stolen assets. The attackers are exchanging tokens for Ethereum and continuing to distribute the funds among dozens of addresses to cover their tracks.

Blockchain tracking systems already mark these wallets as compromised, allowing crypto exchanges to track the movement of stolen funds and, if necessary, block them.

Bybit said that all other cold wallets remained safe and withdrawals were working as usual. The exchange also emphasized that customer funds are fully protected, and even if lost assets cannot be recovered, the losses will be covered by the platform itself.

Source: news.google.com