Vicky Hindustani

Based on the information available as of February 22, 2025, here’s a detailed breakdown of how approximately 401,347 ETH (valued at over $1.4 billion) was stolen from Bybit, one of the largest cryptocurrency exchanges.
The hack occurred on February 21, 2025, targeting Bybit’s Ethereum multisignature (multisig) cold wallet—a secure, offline storage system designed to protect funds. According to Bybit’s CEO, Ben Zhou, and official statements, the attackers used a sophisticated method involving a "masked" transaction. Here’s how it unfolded:
- **The Setup**: Bybit was performing a routine transfer of ETH from its cold wallet to a warm wallet (an online wallet used for daily operations). This process required multiple signers to approve the transaction, a standard security feature of multisig wallets.
- **The Deception**: The hackers manipulated the transaction by compromising the signing interface. They presented a fake user interface (UI) that appeared legitimate to the signers. This UI displayed the correct recipient address and seemed to originate from Safe.global, the wallet provider Bybit uses for its multisig setup. However, the underlying transaction was altered.
- **The Exploit**: Instead of approving a simple transfer, the signers unknowingly signed a message that changed the smart contract logic governing the cold wallet. This alteration handed control of the wallet to the attacker. Essentially, the signers thought they were authorizing a standard move of funds, but they were actually giving the hacker the keys to the wallet.
- **The Theft**: Once in control, the attacker drained all the ETH from the compromised cold wallet—totaling 401,347 ETH—along with additional Ethereum-based assets like 90,376 stETH ($253 million), 15,000 cmETH ($44 million), and 8,000 mETH ($23 million). These funds were sent to an unidentified address and later split across multiple wallets (initially 39, then over 40) to obscure the trail.
- **The Aftermath**: The stolen ETH was converted from other tokens (like stETH and mETH) into regular ETH and moved systematically, often in batches like 10,000 ETH, as noted in recent X posts and blockchain analyses. Bybit confirmed that only this specific ETH cold wallet was affected, and other wallets (hot, warm, and remaining cold wallets) remained secure.
The method relied heavily on social engineering and phishing tactics, tricking human signers rather than exploiting a flaw in the Ethereum blockchain itself. The attackers likely used a counterfeit signing interface—possibly by compromising the Safe wallet provider’s system or mimicking its UI—to execute the heist. Zhou speculated during a livestream that the Safe server might have been hacked, though Safe issued a statement denying evidence of a frontend compromise and paused some functionalities as a precaution.
Blockchain investigator ZachXBT and firms like Arkham Intelligence traced the funds and linked the attack to North Korea’s Lazarus Group, a prolific hacking collective. ZachXBT’s analysis, which earned a $50,000 bounty from Arkham, included test transactions and wallet connections tying this hack to a prior Phemex exploit, suggesting a coordinated campaign. The hacker now holds about 0.42% of Ethereum’s total supply, making them one of the largest ETH holders globally.
Bybit has emphasized that it remains solvent, with client funds backed 1:1, and has secured bridge loans (e.g., 64,452 ETH from Bitget and 11,800 ETH from a whale via Binance) to cover losses and maintain operations. Withdrawals continued normally, though ETH withdrawals were briefly impacted until liquidity was restored.
This hack stands out as the largest in crypto history, surpassing the 2022 Ronin Network theft of $625 million, due to its scale and the sophisticated deception involved.