cryptonews

What has happened since the Bybit hack, and why CZ raised alarms

Bybit was hit with one of the biggest hacks in crypto history, losing $1.4 billion overnight. But instead of collapsing, it’s fighting back at full speed. What has happened since? Let’s break it down.

Bybit regaining strength bit by bit

Bybit, after suffering one of the largest crypto exchange hacks in history, has pulled off what many feared could take months — if not longer.

The $1.4 billion breach on Feb. 21 saw hackers drain one of Bybit’s cold wallets, a storage method typically considered the safest due to its lack of internet exposure. 

Yet, the attackers exploited vulnerabilities in the exchange’s user interface and smart contract logic to reroute Ethereum (ETH) into unidentified wallets.

Despite the scale of the attack, Bybit has moved swiftly, nearly restoring its 1:1 asset backing and closing the deficit left in its wake.

On-chain data shows that over 446,870 ETH — worth approximately $1.23 billion — has already been sourced through loans, direct purchases, and large deposits. 

More than $400 million in ETH was acquired via OTC trading, another $300 million from exchanges, and $285 million through loans, with the remainder from crypto funds.

Blockchain investigators later linked the attack to North Korea’s Lazarus Group — the same notorious collective behind some of the biggest crypto heists, including the $600 million Ronin Network breach in 2022 and the $234 million WazirX hack in 2024.

Bybit’s rapid response has restored operational stability, with deposits and withdrawals functioning normally as of Feb. 23 — an early sign that user confidence remains intact.

How a hack turned into a liquidity crisis

In the wake of Bybit’s security breach, the exchange faced a crisis that tested the very foundation of its liquidity. 

Within three days, Bybit had seen more than $6.1 billion flow out, reducing its total tracked assets from nearly $17 billion to just under $10.8 billion as of Feb. 24, according to DeFiLlama, wiping out over a third of its holdings.

Bybit total assets chart | Source: DeFiLlama

Bybit CEO Ben Zhou quickly mobilized his team to process withdrawals and maintain operational stability. Speaking in an X Spaces session, he described how withdrawal requests began hitting the exchange within just two hours of the breach. 

During the session, Zhou also revealed that despite losing around 70% of its Ethereum reserves in the attack, ETH withdrawals were not the biggest concern — most users were opting to move stablecoins, particularly Tether (USDT), off the platform.

Compounding the issue was an unexpected restriction from Safe, a decentralized custody provider that powered Bybit’s cold wallet system. 

Safe temporarily disabled certain functionalities to prevent potential vulnerabilities from spreading, effectively locking up $3 billion in Bybit’s stablecoin reserves at a time when the exchange needed immediate liquidity. 

The move was meant as a precaution, with Safe stating on Feb. 24 that it was “working diligently to restore services and will begin a phased rollout within the next 24 hours.” 

The wallet provider also clarified that while its front end had not been compromised, it had paused specific features, including native Ledger integration, because the compromised signing method in Bybit’s attack involved a Ledger device.

To work around this, Bybit’s team developed a manual verification system, adapting code from Etherscan to confirm transaction signatures. This allowed them to gradually move the USDT reserves and continue processing withdrawals. 

Zhou hinted at the issue in an X post, stating, “We are moving 2.95B USDT from cold wallet to warm wallet; this is a planned maneuver, FYI. We are not hacked this time…” 

Beyond Bybit’s internal crisis management, external blockchain entities mobilized to contain the damage. On Feb. 23, Bybit revealed that $42.89 million in stolen assets had already been frozen. 

A coordinated effort involving Tether, THORChain (RUNE), ChangeNOW, FixedFloat, Avalanche (AVAX), CoinEx, Bitget, and Circle (USDC) helped blacklist attacker wallets, track stolen funds, and block further movement. 

The Ethereum rollback debate and the ongoing developments

As Bybit worked to stabilize its liquidity, a far more controversial discussion was unfolding — could the Ethereum blockchain be rolled back to recover the stolen assets? The idea emerged on Feb. 23, fueled by discussions within the crypto community. 

BitMEX co-founder Arthur Hayes was among those who suggested that reversing Ethereum’s state could be a viable solution. 

In a post on X, Hayes stated, “My own view as a mega $ETH bag holder is $ETH stopped being money in 2016 after the DAO hack hard fork. If the community wanted to do it again, I would support it because we already voted no on immutability in 2016. Why not do it again?”

Hayes was referring to the 2016 DAO hack, a landmark moment in Ethereum’s history when the network was hard forked to recover $60 million in stolen funds. 

That decision led to the creation of Ethereum Classic (ETC), as a fraction of users rejected the rollback, arguing that blockchain immutability should never be compromised. 

Zhou later confirmed that the exchange had reached out to Ethereum co-founder Vitalik Buterin and the Ethereum Foundation to explore possible options. 

However, he was quick to acknowledge the difficulties involved, stating, “I’m not sure it’s a one-man decision based on the spirit of blockchain. It should be a work in process to see what the community wants.”

Even if there were broad community support, rolling back Ethereum today would be far more disruptive than in 2016. The network operates on a state-based model where balances and smart contract interactions are continuously updated. 

Unlike Bitcoin (BTC), where transactions exist in simple blocks, Ethereum’s system is deeply interwoven with DeFi lending pools, liquidity providers, NFT markets, and staking contracts. 

Reversing a state change would likely lead to massive smart contract failures, liquidations, and possibly a contentious hard fork.

While the debate over a rollback played out, Zhou ruled out any internal breaches, confirming that Bybit’s transaction signers had followed standard procedures. However, he pointed to Safe’s cold wallet infrastructure as the likely point of failure. 

He stated, “We know the cause is definitely around the Safe cold wallet. Whether it’s a problem with our laptops or on Safe’s side, we don’t know.” 

Meanwhile, authorities have stepped in. Zhou confirmed during the X session that Singaporean regulators had taken the case “very seriously” and were coordinating with Interpol to track the stolen funds. 

Blockchain analytics firms, including Chainalysis, are also engaged in monitoring wallet movements. 

However, if the attack was indeed orchestrated by North Korea’s Lazarus Group — as some analysts believe — recovering the funds would be exceptionally difficult. 

The group has a history of laundering stolen crypto through decentralized protocols, using mixing services and cross-chain swaps to obfuscate their tracks.

How Bybit’s cold wallet was breached

As details continue to emerge, a clearer picture is forming around how the Bybit hack unfolded. 

Unlike typical exchange breaches that exploit hot wallets or centralized databases, this attack targeted what was supposed to be the most secure part of Bybit’s infrastructure — its cold storage multisig wallet. 

According to blockchain security analyst David, the attack followed a four-stage process:

  • Deploying malicious smart contracts — The hackers set up two smart contracts: a trojan contract, which appeared normal but contained hidden malicious code, and a backdoor contract, designed to take full control of Bybit’s wallet at the right moment. These contracts were prepared in advance to bypass Bybit’s security without raising alarms.
  • Tricking Bybit’s security signers — Bybit’s cold wallet required multiple signers to approve transactions. The attackers sent a fake ERC-20 token transfer request that appeared legitimate on Bybit’s interface. Seeing nothing unusual, the signers approved the transaction, unknowingly granting the hackers access.
  • Hijacking Bybit’s wallet controls — Instead of merely transferring tokens, the trojan contract replaced the master copy of Bybit’s Safe multisig wallet with the hackers’ backdoor contract. This altered the wallet’s security rules, silently handing control to the attackers.
  • Draining the wallet — Now in full control, the hackers executed “sweepETH” and “sweepERC20” commands, which emptied all funds from the wallet. They swiftly withdrew ETH, Lido Staked ETH (stETH), Mantle Staked Ether (mETH), and Mantle Restaked Ether (cmETH), moving them to external addresses.

The sophistication of this attack suggests that the perpetrators had an in-depth understanding of multisig wallets and exploited a flaw that few had previously considered a risk.
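The defensive counterpart to the four stages above, and to the front-end manipulation CZ describes later in the piece, is a check that does not trust the signing UI: decode the raw Safe execTransaction payload the hardware wallet will actually sign, compare it with what the interface rendered, and refuse a delegatecall to any contract outside an allowlist. This is an added example, not Bybit's, Safe's or the analyst's code; the selector is Safe's real execTransaction selector, while the addresses and calldata bytes are constructed placeholders.

```python
# Added example (not Bybit's or Safe's code): independent pre-signing review of a Safe
# execTransaction() payload. Decodes the raw calldata, diffs it against the UI view, and
# flags a DELEGATECALL (operation = 1) to any contract outside an allowlist.
SELECTOR = bytes.fromhex("6a761202")  # execTransaction(address,uint256,bytes,uint8,...)
CALL, DELEGATECALL = 0, 1

def _u256(n):
    return n.to_bytes(32, "big")

def _addr(a):
    return bytes.fromhex(a[2:]).rjust(32, b"\0")

def _dyn(b):  # ABI dynamic bytes: length word, then payload padded to a 32-byte multiple
    return _u256(len(b)) + b.ljust(-(-len(b) // 32) * 32, b"\0")

def encode_exec_transaction(to, value, data, operation, signatures=b""):
    """ABI-encode execTransaction(...) with zero gas parameters (builds the sample below)."""
    data_off = 10 * 32                          # head: 10 static 32-byte words
    sig_off = data_off + len(_dyn(data))
    head = (_addr(to) + _u256(value) + _u256(data_off) + _u256(operation)
            + _u256(0) * 5 + _u256(sig_off))    # safeTxGas, baseGas, gasPrice, gasToken, refundReceiver
    return SELECTOR + head + _dyn(data) + _dyn(signatures)

def decode_exec_transaction(calldata):
    """Return the fields a signer must verify: to, value, operation, data."""
    if calldata[:4] != SELECTOR:
        raise ValueError("not an execTransaction() call")
    args = calldata[4:]
    word = lambda i: int.from_bytes(args[32 * i:32 * i + 32], "big")
    data_off = word(2)
    data_len = int.from_bytes(args[data_off:data_off + 32], "big")
    return {"to": "0x" + args[12:32].hex(), "value": word(1), "operation": word(3),
            "data": args[data_off + 32:data_off + 32 + data_len]}

def review_safe_tx(calldata, displayed, trusted_delegates=frozenset()):
    """Findings that should block signing; empty means raw matches the UI and no risky op."""
    raw = decode_exec_transaction(calldata)
    findings = []
    for field in ("to", "value", "operation"):
        if str(displayed.get(field)).lower() != str(raw[field]).lower():
            findings.append(f"{field}: UI shows {displayed.get(field)!r}, raw calldata has {raw[field]!r}")
    if raw["operation"] == DELEGATECALL and raw["to"] not in trusted_delegates:
        findings.append("DELEGATECALL to a non-allowlisted contract: it runs in the Safe's own "
                        "storage context and can overwrite the proxy's implementation slot")
    return findings

# Constructed sample: the UI renders a plain call to 0xaa..., the raw payload delegatecalls 0xbb...
UI_VIEW = {"to": "0x" + "aa" * 20, "value": 0, "operation": CALL}
RAW_CALLDATA = encode_exec_transaction("0x" + "bb" * 20, 0, bytes.fromhex("deadbeef"), DELEGATECALL)
```

Run against RAW_CALLDATA, review_safe_tx returns three findings: the destination and the operation differ from what the UI showed, and the operation is a delegatecall to an unknown contract.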

Industry leaders chime in

Beyond the technical details of the hack itself, the Bybit incident has reignited a broader debate on how exchanges should respond to security breaches. Binance’s former CEO, Changpeng Zhao (CZ), weighed in on the attack. 

CZ noted that Bybit, alongside Phemex and WazirX, had fallen victim to attacks targeting multi-signature cold storage solutions — wallets traditionally considered among the most secure ways to store crypto.

What makes the Bybit case particularly alarming, CZ pointed out, is that the attack involved front-end manipulation. Hackers managed to make Bybit’s interface display a legitimate transaction while secretly executing a different one. 

Transaction signers believed they were approving a standard transfer, while in reality, an entirely different transaction was being executed in the background. 

Adding another dimension to the security debate, CZ reflected on his own approach to handling exchange hacks. He acknowledged that some had criticized his suggestion to immediately halt withdrawals following Bybit’s breach. 

In his view, however, this is sometimes a necessary step — allowing an exchange to assess the full extent of the compromise before resuming operations. 

Citing Binance’s 2019 security breach, in which $40 million was stolen and withdrawals were paused for a week, CZ explained that once operations resumed, deposits actually exceeded withdrawals.

Despite his concerns, CZ commended Zhou for handling the crisis transparently and maintaining a steady presence. He contrasted this with past incidents involving FTX and WazirX CEOs, who were less forthcoming about what had actually happened, leading to a loss of trust among users.

Tron (TRX) founder Justin Sun echoed similar sentiments but shifted the focus from security specifics to the need for industry-wide collaboration. He praised Zhou’s crisis management, noting that he remained composed under intense pressure.

Yet, a critical question remains: If hackers can consistently manipulate how cold wallets process approvals, does this undermine the long-held assumption that cold storage is the safest way to secure funds? 

The crypto industry has long treated multisig wallets as the gold standard for security, but if these wallets can be systemically compromised, centralized exchanges may need to rethink how they protect user assets.
