Bybit Hacked: Detailed Analysis of the $1.4 Billion Theft
Cryptocurrency exchange Bybit has just fallen victim to one of the largest hacks in crypto history, with around $1.4 billion worth of Ethereum stolen as a result of a sophisticated phishing attack on the exchange’s security system.
2/22/2025


Attack progress
0:20 p.m., Feb. 21: On-chain analyst ZachXBT discovered a large amount of assets, worth about $1.46 billion, being withdrawn from Bybit's cold wallet and transferred to an unknown address.
The stolen assets, including mETH and stETH, were immediately swapped into Ethereum on decentralized exchanges to hide the traces of the transaction.
ZachXBT confirmed that this was a targeted attack, not a technical error or insider trading.
10:44 p.m.: Bybit CEO Ben Zhou officially acknowledged the attack. He said the attackers exploited a security vulnerability using a fake user interface, causing the Bybit team to accidentally approve a transaction that changed the smart contract logic.
10:50 p.m.: The hackers begin distributing 10,000 ETH into 39 different wallets to disperse the funds and hinder tracing.
The hackers then split another 10,000 ETH across 9 new wallets and transferred about 245 million USD in Ethereum via a blockchain bridge to the SUI network to erase the traces.
11:07 p.m.: Bybit's CEO reassures users that the exchange maintains liquidity and will fully compensate all affected users.
11:32 p.m.: Arkham Intelligence is offering a reward of 50,000 ARKM to anyone who provides information that can help identify the attacker.
12:09 AM, February 22: ZachXBT submits evidence identifying the hacker group behind the attack as possibly the Lazarus Group, a hacker group linked to North Korea.
12:15 AM: CEO Ben Zhou hosts a livestream on the X platform to answer questions from the community. He asserts that the stolen funds only represent about one-twentieth of Bybit’s total assets under management and that the exchange is able to cover all the lost ETH if it cannot be recovered.
12:52 AM: Bybit sees a record number of withdrawal requests, up to 350,000 within 10 hours, of which about 2,100 remain unprocessed.


Data: Arkham Intelligence
Commentary on the attack
Security experts say this is an extremely sophisticated attack. Security researcher 0xCygaar explains that the hackers manipulated the multisig transaction signing process by creating a fake interface that made signers think they were approving a valid transaction, when in fact, they were giving the hackers full control of the cold wallet.
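A check aimed at the mismatch described above, as an added example (not from the original article or from Bybit): each signer decodes the payload on a separate device, compares it with what the interface displays, and applies a policy to it. The transaction fields, the SHA-256 digest standing in for the wallet's real signing hash, and the placeholder addresses are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, fields

CALL, DELEGATECALL = 0, 1  # operation kinds in this simplified model


@dataclass(frozen=True)
class MultisigTx:
    to: str         # destination address (hex string)
    value: int      # amount of native asset, in wei
    data: bytes     # calldata
    operation: int  # CALL or DELEGATECALL
    nonce: int


def digest(tx: MultisigTx) -> str:
    """Digest to compare against the value shown on the signing device.
    SHA-256 over length-prefixed fields stands in for the wallet's real hash."""
    h = hashlib.sha256()
    for part in (tx.to.lower().encode(), tx.value.to_bytes(32, "big"),
                 tx.data, bytes([tx.operation]), tx.nonce.to_bytes(32, "big")):
        h.update(len(part).to_bytes(4, "big") + part)
    return h.hexdigest()


def review(displayed: MultisigTx, raw: MultisigTx, allowlist: set[str]) -> list[str]:
    """Return reasons to refuse signing; an empty list means the request passes.
    `displayed` is what the web UI shows, `raw` is the payload decoded on a
    separate device from the request the signer actually receives."""
    findings = [f"UI and payload differ in '{f.name}'" for f in fields(raw)
                if getattr(displayed, f.name) != getattr(raw, f.name)]
    if digest(displayed) != digest(raw):
        findings.append("digest mismatch")
    if raw.operation != CALL:
        findings.append("payload is not a plain call: it can run foreign code as the wallet")
    if raw.to.lower() not in allowlist:
        findings.append("destination is not an approved address")
    return findings


# Constructed sample data: placeholder addresses, not real ones.
WARM = "0x" + "aa" * 20
UNKNOWN = "0x" + "bb" * 20
shown = MultisigTx(WARM, 10**18, b"", CALL, 7)
spoofed = MultisigTx(UNKNOWN, 0, bytes.fromhex("deadbeef"), DELEGATECALL, 7)

if __name__ == "__main__":
    print(review(shown, shown, {WARM}))  # honest interface, no findings
    for reason in review(shown, spoofed, {WARM}):
        print("REFUSE:", reason)
```

The policy checks run on the decoded payload only, so they still fire when the interface and the payload agree but the request itself is outside what the wallet should ever sign.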
Several other theories have also been put forward, such as the possibility that hackers identified senior Bybit employees and gradually attacked until they gained access to the transaction signing process.
According to Arkham Intelligence, the hackers dispersed the stolen funds across 48 different wallets. Approximately $245 million was transferred via a blockchain bridge to the SUI network to obscure their tracks. The stolen tokens included mETH and stETH, which were quickly swapped to Ethereum to increase liquidity. All addresses associated with the hackers have now been labeled “Bybit Exploiter 1” to track their transactions.


Data: Arkham Intelligence
Impact on the Cryptocurrency Market
Despite the large amount of funds stolen, the price of Ethereum has not fluctuated much, showing confidence in Bybit's solvency and crisis management. However, the hack has raised concerns about the security of centralized exchanges, which could lead to stricter rules from regulators.
“CEO Ben Zhou affirmed that Bybit still maintains liquidity and will fully compensate users. He also emphasized that Bybit will not immediately buy ETH to replace the lost funds but will use loans from partners to avoid negative impact on the market.”
Comparison with other hacks
Mt. Gox (2014, $450 million): Loss of control over security systems leads to prolonged bankruptcy.
Binance (2019, $40 million): Users were compensated quickly thanks to the SAFU insurance fund.
FTX (2022, $8 billion): Collapsed due to internal irregularities and poor management.
Bybit (2025, $1.4 billion): Fast response, full compensation commitment, maintaining liquidity.
Conclusion
The Bybit hack is a stark reminder of how sophisticated security threats have become in the cryptocurrency space. While Bybit responded quickly and pledged to fully compensate users, the incident raises important questions about the security of cold wallet systems, the risk of insider attacks, and the intervention of state-sponsored hacker groups like Lazarus. Going forward, the cryptocurrency industry will need to enhance security measures and increase oversight to avoid a repeat of similar incidents.
HOLD Coin CVenture
A news and analysis platform focused on evaluating the crypto market, tailored for long-term investors.
HCCVenture © 2024. All rights reserved.