Bybit Hack: How Attackers Stole $1.5B in Ethereum and What It Means for Crypto Security

Massive Crypto Heist: $1.5B Stolen from Bybit!


    On February 21, 2025, Dubai-based cryptocurrency exchange Bybit experienced a significant security breach, resulting in the theft of approximately $1.5 billion worth of Ethereum (ETH). This incident is considered one of the largest digital currency heists to date.

    Details of the Hack

    • Incident Occurrence: The breach occurred during a routine transfer from Bybit's offline "cold" wallet to a "warm" wallet used for daily trading operations. Attackers exploited security vulnerabilities during this process, manipulating the transaction to gain control of the cold wallet and transferring over 400,000 ETH to an unidentified address.

    Bybit's Response

    • Assurance of Solvency: CEO Ben Zhou promptly addressed the situation, assuring customers that their assets remained secure and that Bybit possessed sufficient reserves to cover the loss. He emphasized that all client assets are backed 1:1 and that the company could absorb the financial impact without jeopardizing its operations.
    • Withdrawal Surge: Following the announcement, Bybit experienced a surge in withdrawal requests, processing over 350,000 requests shortly after the incident. While this led to potential delays, the company maintained that operations continued as usual.
    • Collaborative Efforts: Bybit has engaged blockchain forensic experts to trace the stolen funds and has launched a recovery bounty program, offering up to 10% of the recovered amount to individuals aiding in the retrieval of the stolen cryptocurrency.

    Suspected Perpetrators

    • North Korean Involvement: Blockchain analytics firms, including Arkham Intelligence and Elliptic, have linked the attack to the Lazarus Group, a North Korean state-sponsored hacking organization known for previous large-scale cryptocurrency thefts. This group has been implicated in several high-profile heists, including the $615 million theft from the Ronin Network in 2022.

    Industry Implications

    • Security Concerns: This incident underscores ongoing security challenges within the cryptocurrency industry, highlighting the need for robust protective measures to safeguard digital assets.
    • Market Impact: The hack led to a temporary decline in Ethereum's value by nearly 4%, though prices have since stabilized.

    Bybit remains committed to enhancing its security infrastructure and maintaining transparency with its user base as investigations continue.

    The Bybit hack was a highly sophisticated attack that targeted the cold-to-warm wallet transfer process, exploiting vulnerabilities in private key management, wallet signing mechanisms, and internal security protocols. Below is a technical breakdown of how the attackers might have executed the heist:

    Incident Overview

    Key Details

    • Compromised Wallet: 0x1Db92e2EeBC8E0c075a02BeA49a2935BcD2dFCF4
    • Exploiter Wallet: 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2
    • Estimated Total Loss: $1.44 billion

    Assets Stolen

    Asset   Amount     Estimated Value ($)
    ETH     401,347    1,123,770,953
    stETH   90,376     253,051,540
    mETH    8,000      22,400,000
    cmETH   15,000     42,000,000
    USDT    90         90

    Attack Attribution

    Renowned blockchain investigator ZachXBT provided definitive proof to Arkham Intelligence, confirming the attack was executed by the Lazarus Group, a North Korean state-sponsored hacking entity.

    Attack Techniques

    1. Deployment of a Malicious Contract

    The attacker deployed a malicious implementation contract on February 19, 2025, embedding hidden backdoor functions:

    • sweepETH: Transfers all ETH from the wallet to the attacker’s address.
    • sweepERC20: Moves all ERC20 tokens to the attacker’s address.

    2. Replacing the Safe Wallet Implementation

    On February 21, 2025, the attacker exploited Bybit’s multi-signature wallet upgrade mechanism:

    • The attacker tricked three Bybit signers into approving an upgrade transaction that replaced the legitimate contract with the malicious one.
    • The transaction was signed using a Ledger hardware wallet, where transaction details were hard to verify due to UI constraints.
    • Bybit CEO Ben Zhou unknowingly approved the final signature, believing the transaction was part of routine cold-to-warm wallet operations.

    3. Exploiting DELEGATECALL

    The attacker used DELEGATECALL, an EVM call type that executes another contract's code in the storage and context of the calling contract, so anything the external code writes lands in the wallet's own storage. This allowed the attacker to execute the backdoor functions and drain all assets from the wallet.

    Security Recommendations

    To mitigate such risks, security teams must implement stronger operational and technical controls:

    1. Verify Transactions Independently

    • Use hardware wallets with dedicated displays to manually verify transactions.
    • Cross-check transactions using multiple sources before signing.
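The following is an added example, not code from the original article and not Bybit's or Safe's own code. It shows what an independent "second look" at a Safe multisig transaction can do offline before a signer approves it: decode the `execTransaction` calldata (the Safe function whose `operation` argument selects CALL = 0 or DELEGATECALL = 1) and apply a simple signing policy for a routine treasury transfer: the operation must be a plain CALL, the destination must be on an approved list, and a plain ETH transfer must carry no calldata. The ABI encoder/decoder is a minimal hand-written one so the script runs with the standard library only; the addresses and the suspicious payload are constructed placeholders, not values from the incident.

```python
from dataclasses import dataclass

# Selector of Safe's execTransaction(address,uint256,bytes,uint8,uint256,uint256,
# uint256,address,address,bytes): first four bytes of keccak256 of that signature.
EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")

# Values of the Safe "operation" argument.
OP_CALL = 0          # ordinary external call
OP_DELEGATECALL = 1  # runs the target's code inside the Safe's own storage context

ZERO_ADDRESS = "0x" + "00" * 20


def _word(n: int) -> bytes:
    """Encode an integer as one 32-byte ABI word."""
    return n.to_bytes(32, "big")


def _addr_word(addr: str) -> bytes:
    """Encode a 0x-prefixed 20-byte address as a left-padded 32-byte word."""
    return bytes.fromhex(addr[2:]).rjust(32, b"\x00")


def _pad32(b: bytes) -> bytes:
    """Right-pad bytes to a multiple of 32, as the ABI requires for dynamic data."""
    return b + b"\x00" * (-len(b) % 32)


def encode_exec_transaction(to: str, value: int, data: bytes, operation: int,
                            signatures: bytes = b"") -> bytes:
    """ABI-encode an execTransaction call; gas and refund fields are left at zero."""
    # Head slots in argument order; None marks the two dynamic `bytes` arguments.
    head_spec = [_addr_word(to), _word(value), None, _word(operation),
                 _word(0), _word(0), _word(0),
                 _addr_word(ZERO_ADDRESS), _addr_word(ZERO_ADDRESS), None]
    head_size = 32 * len(head_spec)
    head, tail = [], b""
    for index, word in enumerate(head_spec):
        if word is None:
            payload = data if index == 2 else signatures
            head.append(_word(head_size + len(tail)))  # offset of payload in the tail
            tail += _word(len(payload)) + _pad32(payload)
        else:
            head.append(word)
    return EXEC_TRANSACTION_SELECTOR + b"".join(head) + tail


@dataclass
class SafeTx:
    to: str
    value: int
    data: bytes
    operation: int
    signatures: bytes


def decode_exec_transaction(calldata: bytes) -> SafeTx:
    """Decode the fields a signer must check; rejects anything but execTransaction."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction call")
    args = calldata[4:]

    def slot(i: int) -> bytes:
        return args[32 * i: 32 * (i + 1)]

    def dynamic(i: int) -> bytes:
        offset = int.from_bytes(slot(i), "big")
        length = int.from_bytes(args[offset: offset + 32], "big")
        return args[offset + 32: offset + 32 + length]

    return SafeTx(to="0x" + slot(0)[12:].hex(),
                  value=int.from_bytes(slot(1), "big"),
                  data=dynamic(2),
                  operation=int.from_bytes(slot(3), "big"),
                  signatures=dynamic(9))


def check_signing_policy(tx: SafeTx, allowed_destinations: set) -> list:
    """Policy violations for a routine treasury transfer; an empty list means OK to sign."""
    findings = []
    if tx.operation != OP_CALL:
        findings.append(f"operation={tx.operation}: DELEGATECALL executes foreign code "
                        "with write access to the Safe's own storage; refuse")
    if tx.to.lower() not in {a.lower() for a in allowed_destinations}:
        findings.append(f"destination {tx.to} is not on the approved-destination list")
    if tx.data:
        findings.append("calldata present: a plain ETH transfer carries none; "
                        "decode and verify the target function before signing")
    return findings


# Constructed placeholder addresses; these are not the addresses from the incident.
WARM_WALLET = "0x" + "11" * 20
UNKNOWN_CONTRACT = "0x" + "22" * 20


def demo() -> tuple:
    """Run the policy over a routine transfer and over a suspicious upgrade-shaped call."""
    routine = encode_exec_transaction(WARM_WALLET, 10 * 10**18, b"", OP_CALL)
    # Constructed suspicious payload: delegatecall into an unlisted contract with opaque calldata.
    suspicious = encode_exec_transaction(UNKNOWN_CONTRACT, 0, bytes.fromhex("deadbeef"),
                                         OP_DELEGATECALL)
    return (check_signing_policy(decode_exec_transaction(routine), {WARM_WALLET}),
            check_signing_policy(decode_exec_transaction(suspicious), {WARM_WALLET}))


if __name__ == "__main__":
    ok, flagged = demo()
    print("routine transfer:", ok or "no findings, sign")
    print("suspicious call:", *flagged, sep="\n  ")
```

The point of running this on a separate, independently sourced copy of the calldata is that it does not depend on the signing front-end or the hardware wallet's display: the three fields that distinguished the attack transaction from a routine transfer (`operation`, `to`, and non-empty `data`) are all visible in the raw bytes, and a delegatecall from a treasury Safe should never pass a routine-transfer policy.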

    2. Strengthen Endpoint Security

    • Implement strict software whitelisting.
    • Regularly update antivirus and anti-malware solutions.
    • Conduct frequent security audits on critical systems.

    3. Enhance Employee Cybersecurity Awareness

    • Train employees to recognize social engineering attacks.
    • Implement clear signing policies to prevent deceptive transactions.

    The Bybit hack of February 2025 serves as a wake-up call for the crypto industry, highlighting the vulnerabilities in multi-signature wallets, UI-based transaction verification, and social engineering risks. As hackers continue evolving their attack methodologies, exchanges must adopt stricter security measures to prevent similar catastrophic breaches in the future.
