Key Takeaways
On February 21, 2025, hackers breached Bybit, one of the largest cryptocurrency exchanges, stealing almost $1.5 billion in Ether, around 500,000 ETH.
Reports link the attack to the state-backed North Korean Lazarus Group, a cybercriminal organization known for large crypto heists.
They exploited a flaw in the wallet transfer process. Hackers focused on the cold-to-warm wallet transfer, where funds move between offline and online storage. The attack happened fast, showing automated fund movements and a pre-determined strategy to hide the stolen assets. They also took staked Ether tokens, making recovery more difficult.
According to reports, hackers might have compromised private keys or altered transaction signing. They replaced Bybit’s multisig contract with a malicious one and used blind signature tactics to bypass security checks.
In an attempt to reassure users, Bybit CEO Ben Zhou has provided regular updates on the investigation, security measures, and recovery efforts.
This article explains how the attack happened, its impact on users, and what it means for crypto security.
According to Bybit, the attack started with hackers altering the contract logic, splitting funds across 39 different wallets.
This prompted Bybit’s CEO, Ben Zhou, to reassure users that all assets were 1:1 backed and the exchange remained solvent.
It took only a few hours before blockchain analyst ZachXBT linked the attack to the Lazarus Group. Bybit swiftly reported the incident to authorities and blockchain analytics firms, while users saw 99.99% of withdrawals processed smoothly within hours.
By Feb. 22, the situation had stabilized, with Bybit restoring full withdrawal services within 12 hours. The exchange saw a $4 billion inflow, counteracting the hack’s impact. Tether froze $181K in fraudulent USDt, while Bybit launched a 10% bounty program to recover stolen assets.
Discussions emerged about a potential rollback, requiring community input, and by Feb. 24, Bybit had successfully recovered $1.23 billion in ETH, fully covering the deficit. $42.89 million in stolen funds were also frozen, reflecting industry-wide efforts to mitigate the damage.
Below is a timeline of the events as they happened, as reported by Bybit:

| Timestamp | Event | Details |
| --- | --- | --- |
| Feb 21, 13:30 | Bybit moved 30K ETH | Cold wallet transfer started |
| Feb 21, 14:13 | Hackers changed contract logic | Funds drained, split across 39 wallets |
| Feb 21, 15:44 | CEO confirmed the hack and assured users | $1.46B lost, Bybit remains solvent |
| Feb 21, 16:07 | Ben Zhou: Funds 1:1 backed | Bybit can cover all losses |
| Feb 21, 17:15 | CEO live-streamed for users | Explained the situation in detail |
| Feb 21, 19:09 | ZachXBT linked the attack to Lazarus | Lazarus Group connection confirmed |
| Feb 21, 21:07 | Bybit reported the case to the authorities | Authorities, analytics firms assist |
| Feb 22, 00:54 | 99.99% withdrawals completed | Smooth operations reassured clients |
| Feb 22, 01:08 | Safe confirmed its code is secure | Safe started a review of the service |
| Feb 22, 02:51 | All withdrawals fully resumed | Withdrawals restored under 12 hours |
| Feb 22, 07:29 | $4B flowed into Bybit | Inflow covered hack losses |
| Feb 22, 08:52 | Chainflip: No funds can be blocked | Decentralization limits action |
| Feb 22, 13:15 | Tether froze $181K USDt | Fraud-linked funds stopped |
| Feb 22, 13:45 | Bybit processed $4B withdrawals | User funds remain secure |
| Feb 22, 15:32 | Bybit launched a bounty program | 10% bounty on stolen funds |
| Feb 22, 16:01 | Ben: Rollback needs community | Calls for collective decision |
| Feb 23, 08:55 | Bybit deposits and withdrawals normalized | Operations fully stabilized |
| Feb 23, 15:41 | $42.89M stolen funds frozen | Crypto firms blocked stolen |
| Feb 24, 02:35 | $1.23B recovered in ETH | ETH deficit is completely covered |
The fallout from the attack extended beyond Bybit, impacting the broader crypto industry.
The hack fueled intense discussions, regulatory reactions, and geopolitical concerns. Investigators confirmed the Lazarus Group stole the funds.
Bybit took several steps to restore operations:
The attack forced exchanges across the industry to rethink security strategies and prepare for future threats.
Bybit CEO Ben Zhou reported that hackers moved 77% of the stolen funds through traceable transactions, 20% disappeared into untrackable channels and exchanges, and blockchain security teams froze 3%.
Hackers used THORChain to swap most of the stolen ETH for BTC, spreading transactions across 6,954 wallets.
Authorities and blockchain analysts are still tracking the funds, but $65 million remains untraceable without more data from OKX Web3.
Additionally, Bybit’s bounty program helped freeze assets, paying $2.18 million in USDt to those who assisted, including Mantle, Paraswap, and ZachXBT.
However, the Bybit case shows that fast action cannot always stop hackers from laundering funds. Crypto exchanges must continue improving security and increasing collaboration to prevent future breaches.
The Bybit hack exposed security gaps in exchange operations and revealed weaknesses in the cold-to-warm wallet transfer process. Hackers manipulated contract logic, moved funds across multiple wallets, and triggered an industry-wide response.
Bybit acted fast, securing emergency funding, launching a bounty program, and recovering $1.23 billion in ETH. The attack reignited debates on rollback solutions, regulatory oversight, and state-sponsored cyber threats. Ethereum’s price briefly dropped, reflecting market uncertainty.
The Lazarus Group has a history of targeting crypto platforms. In 2022, they orchestrated the $625 million Ronin bridge hack, draining funds from Axie Infinity’s ecosystem. The scale of their operations shows how vulnerable crypto platforms remain to coordinated attacks.
The crypto community must stay alert. Exchanges need stronger security, better monitoring, and rapid incident response to prevent future breaches. Users should take precautions, use secure wallets, and avoid storing large sums on centralized platforms.
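The blind-signing weakness described above comes down to signers approving transaction bytes they have not decoded. As an added example (not Bybit's or Safe's code), the following Python check decodes a cold-to-warm transfer request before signing and refuses anything it cannot interpret; the addresses, allowlists and function names are constructed assumptions.

```python
from dataclasses import dataclass

# Safe-style multisig transactions carry an `operation` field: 0 = CALL, 1 = DELEGATECALL.
CALL, DELEGATECALL = 0, 1
ERC20_TRANSFER = bytes.fromhex("a9059cbb")  # selector of transfer(address,uint256)

# Constructed placeholder addresses, not real wallets.
WARM_WALLET = "0x" + "11" * 20
TOKEN = "0x" + "22" * 20
ALLOWED_RECIPIENTS = {WARM_WALLET}
ALLOWED_TOKENS = {TOKEN}

@dataclass
class TxRequest:
    to: str
    value: int
    data: bytes
    operation: int

def decode_intent(tx):
    """Return (kind, recipient, amount), or raise ValueError if the bytes are not understood."""
    if tx.operation != CALL:
        raise ValueError("operation is not a plain CALL")
    if tx.data == b"":
        return ("eth", tx.to.lower(), tx.value)
    if tx.data[:4] == ERC20_TRANSFER and len(tx.data) == 68:
        if tx.value != 0 or tx.to.lower() not in ALLOWED_TOKENS:
            raise ValueError("token call carries ETH or targets a non-allowlisted contract")
        addr_word, amount_word = tx.data[4:36], tx.data[36:68]
        if any(addr_word[:12]):
            raise ValueError("malformed address argument")
        return ("erc20", "0x" + addr_word[12:].hex(), int.from_bytes(amount_word, "big"))
    raise ValueError("calldata cannot be decoded; refusing to sign blind")

def review(tx, expected_recipient, expected_amount):
    """Compare what the signer was shown with what the transaction bytes do."""
    try:
        kind, recipient, amount = decode_intent(tx)
    except ValueError as err:
        return False, str(err)
    if recipient not in ALLOWED_RECIPIENTS:
        return False, "recipient is not an allowlisted warm wallet"
    if (recipient, amount) != (expected_recipient.lower(), expected_amount):
        return False, "decoded transfer differs from the request shown to the signer"
    return True, f"{kind} transfer of {amount} to {recipient}"

if __name__ == "__main__":
    ok = TxRequest(WARM_WALLET, 30_000 * 10**18, b"", CALL)  # constructed request
    print(review(ok, WARM_WALLET, 30_000 * 10**18))
```

The check runs on the signer's own device against the raw transaction fields, so a tampered user interface cannot change its verdict.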
How did hackers breach Bybit’s security?
Hackers changed the contract logic in Bybit’s wallet system, letting them move funds without detection. Reports indicate they stole private keys or used blind-signature tactics to bypass security checks.
What did Bybit do after the attack?
Bybit restored withdrawals within 12 hours, secured emergency funds, and launched a bounty program. The exchange strengthened security to block future attacks.
What are the biggest security risks for crypto exchanges?
Hackers exploit weak smart contracts, stolen private keys, and wallet flaws to drain funds before security teams react.