
Bybit’s $1.4B Crypto Hack, the Biggest in History: How It Happened & What’s Next

by BSCN

February 24, 2025


Reports suggest the hack targeted Bybit’s hot and cold wallets, raising concerns about exchange security.

On February 21, 2025, Bybit, one of the world's leading cryptocurrency exchanges, suffered an unprecedented security breach. 

Hackers stole approximately $1.4 billion worth of digital assets, marking it as the largest cryptocurrency heist in history.

How the Hack Happened

The attack targeted Bybit’s cold wallet—a secure offline storage used to protect users’ assets from online threats. 

 

According to reports, hackers exploited vulnerabilities during a routine transfer of Ethereum (ETH) from Bybit’s cold wallet to a warm wallet used for daily operations.

 

Here’s how they managed to steal the funds:

  • Exploiting a Transfer Process: The hackers gained access to Bybit’s cold wallet signing mechanism, allowing them to alter transaction details without detection.

  • Manipulating Smart Contracts: Bybit’s system showed a legitimate address, but the underlying contract logic had been tampered with. This allowed the funds to be redirected to the hacker’s address.

  • Rapid Fund Diversion: The stolen ETH was quickly transferred across multiple wallets and laundered using different protocols, making it difficult to trace.

Immediate Aftermath: Panic and Withdrawals

The scale of the attack was so massive that it triggered a panic among Bybit users. Over 350,000 customers rushed to withdraw their assets, fearing further security breaches. Despite this, Bybit assured users that their funds remained secure.

 

Bybit’s CEO, Ben Zhou, quickly addressed the situation:

“Bybit is solvent even if this hack loss is not recovered; all client assets are 1:1 backed; we can cover the loss.”

This statement reassured investors, as Bybit holds over $20 billion in customer assets. The company also secured bridge loans to cover potential losses and ensured that withdrawal requests were honored without delay.

Who’s Behind the Attack? The Lazarus Group Connection

Blockchain sleuth ZachXBT and blockchain analysis firms Arkham Intelligence and Elliptic were immediately involved in tracking the stolen assets. Their findings point to the notorious Lazarus Group, a North Korean state-sponsored hacking organization known for its sophisticated cyberattacks on cryptocurrency platforms.

Why is Lazarus Group a Prime Suspect?

  • Past Attacks: The group has been linked to major crypto heists, including the Ronin Bridge ($625M) and Horizon Bridge ($100M) hacks.

  • Tactics Used: The manipulation of smart contracts and rapid fund movement match the Lazarus Group’s previous attack patterns.

  • Political Motive: North Korea has been accused of using stolen crypto to fund its nuclear weapons program.

The stolen Ethereum was quickly moved across multiple wallets and converted using decentralized exchanges, making it extremely difficult to recover. Experts warn that without intervention, most of these funds could be lost permanently.

Bybit Hacker Moves $106M in ETH

According to ZachXBT, Bybit hackers have used multiple addresses to exchange 37,900 ETH ($106 million) for BTC and other assets through Chainflip, THORChain, LiFi, DLN, and eXch. The hacker’s wallet still holds 461,491 ETH ($1.29 billion), while the total stolen amount stands at 499,395 ETH ($1.4 billion).

 

eXch, a non-KYC coin mixer known for its ties to North Korean hackers, denied Bybit's request for cooperation. SlowMist reported that eXch has been involved in multiple security breaches, exposing industry security personnel. The firm urged platforms to strengthen risk controls on funds linked to eXch.

 

In response to allegations of laundering funds from the Bybit hack, eXch claimed innocence and promised to donate proceeds to open-source privacy and security initiatives inside and outside the crypto space.

 

Meanwhile, reports indicate the Bybit exploiter is laundering money through meme tokens. Address 5STkQy...95T7Cq transferred 60 SOL to 9Gu8v6...aAdqWS, which then launched a token called QinShihuang (500,000 supply). The token has already traded over $26 million.

How Other Crypto Exchanges Responded

The broader crypto community quickly stepped in to support Bybit. Binance and Bitget transferred 50,000 ETH and 40,000 ETH respectively to assist with liquidity needs. Meanwhile, HTX (Huobi) co-founder Du Jun personally pledged 10,000 ETH.

 

Additionally, Tether (USDT’s issuer) took immediate action by freezing $181,000 in USDT linked to the hackers, preventing them from laundering at least a small portion of the stolen funds.

What’s Next for Bybit? Recovery and Legal Action

Bybit has already taken several steps to recover the stolen funds and strengthen its security:

  • The exchange said it is collaborating with law enforcement agencies to track the hackers and attempt fund recovery.

  • Bybit also offered a $140 million bounty—10% of the stolen amount—for anyone who helps retrieve the lost assets.

  • The exchange is upgrading its cold wallet architecture, enhancing multi-sig security and implementing real-time monitoring to prevent future breaches.

  • While Bybit remains operational, regulatory scrutiny is expected to increase, particularly in Singapore, where it is headquartered.

  • Global authorities, including the FBI and Chainalysis, continue tracking the stolen funds.

Meanwhile, Bybit CEO Ben Zhou confirmed that the exchange has fully replaced the $1.4 billion in Ether stolen on Feb. 21.

Ben Zhou stated:

“Bybit has already fully closed the ETH gap, new audited POR report will be published very soon to show that Bybit is again Back to 100% 1:1 on client assets through merkle tree. On-chain data shows that Bybit has obtained more than 400,000 ETH through OTC purchases and loans.”

The Bigger Picture

The Bybit hack raises serious concerns about the security of even the most advanced cryptocurrency platforms. Despite Bybit’s robust security measures, hackers managed to breach their system and steal a record-breaking amount.

 

Key Security Takeaways for Crypto Exchanges:

  • Cold Wallets Are Not Invulnerable – The assumption that offline storage is completely safe is now being questioned.

  • Transaction Signing Needs Better Security – The hackers manipulated the signing mechanism, showing the need for more secure multi-signature and biometric authentication systems.

  • Real-Time Blockchain Monitoring is Crucial – Detecting unauthorized fund movements earlier could have minimized the loss.

  • Decentralized Finance (DeFi) Risks – The stolen funds were quickly laundered using DeFi platforms, showing how hackers exploit decentralized protocols.
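
An added example, not from the article or from Bybit: a pre-signing check for the signing takeaway above and the earlier description of a display that showed a legitimate address, comparing the transaction an operator approved on screen with the raw payload the signing device actually receives. The allowlist, ceiling, addresses and the SHA-256 fingerprint (a stand-in for the chain's own transaction hash) are assumptions made for illustration.

```python
import hashlib
import json
from dataclasses import dataclass

# Hypothetical policy for this example; both values are constructed.
WARM_WALLET_ALLOWLIST = {"0x" + "aa" * 20}   # only destinations a cold wallet may pay
MAX_TRANSFER_WEI = 50_000 * 10**18           # per-transfer ceiling

@dataclass(frozen=True)
class TxFields:
    to: str          # destination address, hex
    value_wei: int   # amount in wei
    data: str        # calldata, hex; "0x" for a plain ETH transfer

    def fingerprint(self) -> str:
        """Short digest to compare across two independent devices.
        SHA-256 over canonical JSON is a stand-in for the chain's own hashing."""
        blob = json.dumps(
            {"to": self.to.lower(), "value": self.value_wei, "data": self.data.lower()},
            sort_keys=True,
        ).encode()
        return hashlib.sha256(blob).hexdigest()[:16]

def presign_violations(approved: TxFields, raw: TxFields) -> list[str]:
    """Compare the approved intent with the raw payload the signer received;
    return every reason to refuse to sign (empty list means consistent)."""
    problems = []
    if raw.to.lower() != approved.to.lower():
        problems.append("destination differs from approved intent")
    if raw.to.lower() not in WARM_WALLET_ALLOWLIST:
        problems.append("destination not on warm-wallet allowlist")
    if raw.value_wei != approved.value_wei:
        problems.append("amount differs from approved intent")
    if raw.value_wei > MAX_TRANSFER_WEI:
        problems.append("amount exceeds per-transfer ceiling")
    if raw.data.lower() not in ("", "0x"):
        problems.append("unexpected calldata on a plain transfer")
    if raw.fingerprint() != approved.fingerprint():
        problems.append("fingerprint mismatch between display and payload")
    return problems

# Constructed sample: same address and amount as approved, but extra calldata,
# so an address-only check would pass while the payload does something else.
APPROVED = TxFields("0x" + "aa" * 20, 30_000 * 10**18, "0x")
TAMPERED = TxFields("0x" + "aa" * 20, 30_000 * 10**18, "0xdeadbeef")

if __name__ == "__main__":
    print("clean:", presign_violations(APPROVED, APPROVED))
    print("tampered:", presign_violations(APPROVED, TAMPERED))
```

The tampered sample passes both destination checks and is caught only by the calldata and fingerprint checks, which is why the comparison has to cover the whole payload rather than the address shown to the operator.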
