Bitcoin Forum
Author Topic: Bybit 1.50 billion ETH Theft: Latest Developments and Analysis  (Read 80 times)
iChainfo (OP)
February 25, 2025, 08:15:12 AM
 #1

Bybit, a globally renowned cryptocurrency exchange, recently suffered a large-scale hacking attack, resulting in the theft of its ETH cold wallet, with a loss of up to $1.46 billion. This incident has become the largest single theft case in the history of the cryptocurrency industry. Bybit was founded in 2018, with its headquarters located in Dubai, UAE, and has over 60 million users worldwide. It is one of the top three cryptocurrency exchanges in the world in terms of trading volume, with a daily trading volume exceeding $36 billion. Prior to this theft incident, its platform assets were about $16.20 billion. Recently, there have been new developments in this incident. This article will focus on the latest developments and bring you in-depth analysis.
On February 21st, during a routine transfer process, Bybit encountered an abnormality in the Ethereum cold wallet. The transfer was originally part of a plan to transfer ETH from a multi-signature cold wallet to a hot wallet, but the transaction was manipulated by complex attack methods. Hackers successfully controlled the ETH cold wallet by tampering with the smart contract logic and hiding the signature interface, transferring over 400,000 ETH and stETH. Currently, more than 40 addresses have received stolen ETH, and some funds are being further split to avoid tracking. This is the largest cryptocurrency hack in history, surpassing the 2022 Ronin Bridge attack ($620 million) and the 2021 Poly Network incident ($611 million).
Bybit stated that the remaining cold wallets are not affected, and customer assets are still fully covered at a 1:1 ratio. The exchange has sufficient solvency, and even if losses cannot be recovered, it will not affect operations. Bybit is currently investigating with the blockchain security team and external forensic experts, and welcomes the global security community to assist in tracking stolen funds.
On-chain analysis shows that hackers have split and dispersed some of the stolen ETH to multiple wallets. According to the monitoring of investigator ZachXBT, 10,000 ETH (about 30 million USD) has been distributed to 48 different addresses. No obvious cash-out path has been found yet, and hackers are trying to launder funds through Tornado Cash or cross-chain bridges.
After nearly $1.50 billion was stolen, Bybit CEO Ben Zhou said the withdrawal system has fully returned to normal. According to Ember Monitoring, multiple institutions and individuals have provided loan support to Bybit, totaling about 120,000 ETH worth about $321 million. Among them, Bitget supported 40,000 ETH loans (worth $105.90 million), which were directly transferred to the Bybit cold wallet address; MEXC hot wallet transferred 12,652 stETH (about $33.75 million) to the Bybit cold wallet. In addition to the institutions that provide funding, OKX has added Bybit hackers to its blocklist and stated that it can provide security and liquidity support for Bybit. HashKey supports Bybit and believes that security incidents will be properly resolved. BitMart has frozen hacker addresses, and its founder Sheldon stated that Bybit will provide support if needed. Justin Sun, global advisor of Huobi HTX and founder of TRON, promised to assist in tracking funds. JuCoin provided 1000 BTC industry co-construction funds and technical support for Bybit security incidents.
On February 23rd, after suffering the largest cryptocurrency hack, Bybit faced a "bank run" of over 4 billion dollars, causing panic withdrawals by users. However, on February 24th, Bybit made a series of key advances. Through coordination and efforts from multiple parties, Bybit solved the liquidity problem and restored full withdrawal function. At the same time, Bybit has recovered 447,000 ETH through various channels, almost making up for the funding gap caused by the hack. In addition, Bybit announced that 15,000 cmETH has been successfully recovered by the mETH Protocol team. BeosinTrace traced the new address of Bybit hackers to transfer assets at 14:52:59 on February 24th. The old address also transferred all assets later. BeosinKYT tagged these addresses and found that the hacker's preferred fund cleaning channel was Thorchain. In addition, Bybit hackers were selling ETH for DAI through multiple DEXs. Arkham intelligence analysis pointed out that Bybit hackers may be manually laundering money, with a fixed 15-minute break every hour.
On February 25th, the incident further developed. Bybit hackers have cleaned 100,000 ETH, accounting for 20% of the stolen ETH. However, the good news is that Bybit has returned 40,000 ETH to Bitget to repay the previous loan. In addition, Bybit CEO revealed that it has returned to 1:1 rigid redemption and will soon launch the stolen fund flow website for users to track fund dynamics. Bybit has also released a blocklist wallet API to assist in the recovery plan, aiming to further combat hacker behavior and maintain platform security.
After preliminary analysis, the attack method is extremely complex. The attacker is likely to have taken advantage of the vulnerability in the Bybit multi-signature cold wallet signature process, disguised the transaction interface, replaced Safe to implement the contract, and successfully tricked the multi-signature Owner into signing malicious transactions. Like the attack incident in October last year, the attacker may also have used social engineering methods, such as invading the signer's computer or tampering with the intermediate communication link, replacing normal transaction requests with malicious transactions, making the signer relax their vigilance. In the malicious contract, the DELEGATECALL instruction was also used, which may allow malicious code to be executed in the context of the multi-signature wallet, thereby modifying the contract logic and achieving fund transfer.
From the perspective of the characteristics of the exchange itself, centralized exchanges, as centralized custodians of user funds, naturally have the risk of "single point of failure" and are easy targets for hacker attacks. As early as 2020, Bybit CEO Ben Zhou publicly acknowledged the inherent vulnerability of CEX.
From the external environment, the cryptocurrency market as a whole showed a recovery trend in February 2025, and the price of ETH continued to rise, which may have stimulated the motivation of hackers to steal. In addition, other cryptocurrency platforms such as ZkLend have also been attacked recently, which also reflects that the security environment of the entire industry may be deteriorating.
The theft incident of up to $1.50 billion from Bybit exchange can be regarded as the "ceiling" of the single loss in capital in the cryptocurrency industry, and has also sounded a harsh alarm about the security risks of centralized exchanges. Hackers have carefully planned and combined technical vulnerabilities with social engineering methods to break through the security defenses of exchanges, not only causing Bybit to suffer huge economic losses, but also plunging the entire industry into a crisis of trust.
However, in the face of this sudden security incident, Bybit quickly responded and maintained relative openness and transparency in the handling process, which greatly eased the market's anxiety. Peers have extended a helping hand, and security agencies have also actively provided support, which undoubtedly demonstrates the unity of the cryptocurrency community and shows us the maturity and strong resilience of the encryption field in the face of crisis.
Looking to the future, this incident is highly likely to become an opportunity for a comprehensive upgrade in the security field of the cryptocurrency industry. Centralized exchanges must continue to increase investment in technical security and comprehensively improve the security protection capabilities of key links such as multi-signature wallets, smart contracts, and internal risk control. Regulatory agencies may also take this opportunity to further strengthen compliance supervision of CEX and promote the industry towards a healthier and more orderly direction. For the majority of users, this incident once again clearly warns that asset security will always be the core concern when participating in the cryptocurrency market. Reasonable risk diversification and prudent selection of safer asset custody solutions have become key factors that users must pay attention to in cryptocurrency investment.
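
Added example, not part of the original post: a signer-side check for the DELEGATECALL risk the post describes, which decodes raw Safe execTransaction calldata independently of the signing interface and flags a delegatecall to any target outside an allowlist. It assumes the standard Safe execTransaction ABI layout and operation values (0 = call, 1 = delegatecall); the helper names, addresses and allowlist are constructed for illustration.

```python
# Pre-signing check for a Safe execTransaction payload (added example).
# Addresses, helper names and the allowlist are constructed placeholders.
SELECTOR = bytes.fromhex("6a761202")  # execTransaction(address,uint256,bytes,uint8,...)
CALL, DELEGATECALL = 0, 1             # Safe Enum.Operation values

def word(n: int) -> bytes:
    return n.to_bytes(32, "big")

def encode_exec(to: str, value: int, data: bytes, operation: int) -> bytes:
    """Build constructed sample calldata (gas fields zero, empty signatures)."""
    pad = (-len(data)) % 32
    head = [int(to, 16), value, 10 * 32, operation, 0, 0, 0, 0, 0,
            10 * 32 + 32 + len(data) + pad]
    body = word(len(data)) + data + b"\x00" * pad + word(0)
    return SELECTOR + b"".join(word(h) for h in head) + body

def decode_exec(calldata: bytes) -> dict:
    """Decode the fields a signer must see: target, value, inner data, operation."""
    if calldata[:4] != SELECTOR or len(calldata) < 4 + 10 * 32:
        raise ValueError("not a Safe execTransaction call")
    args = calldata[4:]
    slot = lambda i: int.from_bytes(args[32 * i:32 * i + 32], "big")
    off = slot(2)                      # offset of the dynamic `data` argument
    length = int.from_bytes(args[off:off + 32], "big")
    data = args[off + 32:off + 32 + length]
    if len(data) != length:
        raise ValueError("truncated data field")
    return {"to": "0x" + args[12:32].hex(), "value": slot(1),
            "data": data, "operation": slot(3)}

def review(calldata: bytes, delegatecall_allowlist: set) -> list:
    """Return findings a signer should resolve before approving."""
    tx = decode_exec(calldata)
    findings = []
    if tx["operation"] not in (CALL, DELEGATECALL):
        findings.append("unknown operation value")
    # A delegatecall runs the target's code with the wallet's own storage,
    # so an unexpected target can rewrite the wallet's logic.
    if tx["operation"] == DELEGATECALL and tx["to"] not in delegatecall_allowlist:
        findings.append("DELEGATECALL to non-allowlisted target " + tx["to"])
    return findings

HOT_WALLET = "0x" + "11" * 20        # constructed address
UNKNOWN_CONTRACT = "0x" + "22" * 20  # constructed address
ROUTINE = encode_exec(HOT_WALLET, 10**18, b"", CALL)
SUSPECT = encode_exec(UNKNOWN_CONTRACT, 0, b"\xde\xad\xbe\xef" + word(1), DELEGATECALL)
```

The check is only meaningful when it runs on a device separate from the one displaying the transaction, since the post describes the signing interface itself as disguised.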
mstyldrm120221
February 27, 2025, 12:19:45 AM
 #2

https://bitcointalk.org/index.php?topic=5533609.msg65110262#msg65110262 And look at this  Huh