Bybit Security Incident: Timeline of Events and FAQs

Mar 3, 2025

Introduction

Bybit suffered a major hacking incident on Feb 21, 2025, affecting one of Bybit's Ethereum cold wallets and resulting in almost $1.5 billion in losses. The exploit is linked to the North Korean state-backed Lazarus Group.

Timeline of Events

February 21, 2025, 13:30 UTC — Bybit conducted a routine transfer from one of our Ethereum multisig cold wallets to a warm wallet, first transferring an amount of 30,000 ETH.

February 21, 2025, 14:13 UTC — Hackers exploited the UI of the Safe multisig cold wallet through a sophisticated phishing attack, masking the specific transaction, which resulted in a change to the smart contract logic of the ETH cold wallet. This allowed hackers to transfer out the funds from the compromised cold wallet, splitting it all across 39 addresses.

How much was lost in the hack?

Only a single Bybit cold wallet was compromised, resulting in the loss of $1.46 billion as follows:

  • 401,347 ETH ($1.12 billion)

  • 90,375 stETH ($253.16 million)

  • 15,000 cmETH ($44.13 million)

  • 8,000 mETH ($23 million)

February 21, 2025, 15:44 UTC — Bybit's co-founder and CEO Ben Zhou tweeted about the evolving situation, informing the community early on that the hackers "took control of the specific ETH cold wallet," and assuring users that Bybit is solvent and can cover the loss, ensuring client assets are backed 1:1.

February 21, 2025, 16:07 UTC — Ben reiterated in his X post that "Bybit is Solvent even if this hack loss is not recovered, [and] all of clients' assets are 1 to 1 backed, [so] we can cover the loss."

February 21, 2025, 17:15 UTC — Ben went on a livestream to explain the situation transparently to affected users.

How did the hack happen?

Through a phishing attack on the Ethereum cold wallet multisig signers, the transaction and Safe UI were spoofed, allowing the hacker to change the smart contract logic of the multisig wallet. This allowed the hacker to gain control of the Bybit cold wallet, and to transfer out the funds. Our team is still investigating how the hacker was able to spoof the cold wallet, and we will release a full postmortem report shortly.

No plan to purchase ETH

Ben stated during a livestream that there are currently no plans to purchase ETH. However, he emphasized that the company is actively seeking assistance and leveraging bridge loans from partners, in order to navigate liquidity constraints during this critical period.

Other cold wallets are safe

Ben clarified that Bitcoin remains the primary reserve asset, and that other cold wallets remain unaffected.

Withdrawals as usual

Ben reassured users that all products and services are operating as usual. Withdrawals have not been halted, and continue to be processed as normal.

Normal P2P Services

Bybit's Head of Derivatives and Institutional, Shunyet Jan, confirmed during the livestream that the platform's P2P services are functioning normally.

February 21, 2025, 19:09 UTC — ZachXBT submitted definitive proof linking the attack to the Lazarus Group, a North Korean cybercriminal organization, and claimed the bounty from Arkham Intelligence. His analysis included test transactions, connected wallets, forensic graphs and timing details. According to ZachXBT, the cluster of addresses is also linked to the Phemex and BingX hack.

February 21, 2025, 20:09 UTC — Bitget deposited 40,000 ETH to Bybit, exhibiting the strong support demonstrated by industry partners and peers.

February 21, 2025, 21:07 UTC — Bybit reported the case to the appropriate authorities, and will provide updates as soon as further information becomes available. It actively collaborated with on-chain analytics providers in order to identify and demix the implicated addresses.

February 22, 2025, 00:54 UTC — Ben announced that 99.994% of over 350,000 withdrawal requests had been processed within 10 hours following the hack, with the Bybit team working around the clock to ensure smooth operations and address client concerns.

February 22, 2025, 01:08 UTC — Safe confirmed that there was neither any compromise of its codebase, nor any malicious dependencies, and no other Safe addresses were affected. Following the incident, Safe has temporarily paused its {Wallet} functionality in order to conduct a thorough review of service.

February 22, 2025, 01:21 UTC — Hacken stated that the Bybit hack was significant, and had dealt a heavy blow to the industry. However, Bybit's reserves still exceed its liabilities, and its user funds remain fully backed.

February 22, 2025, 02:51 UTC — Ben tweeted that all withdrawals have been processed, and that the platform has resumed normal operations, less than 12 hours after the $1.4 billion hacking incident, the largest in the industry to date.

February 22, 2025, 07:29 UTC — According to the latest monitoring data from SoSoValue and on-chain security team TenArmor, over $4 billion in funds have flowed into the Bybit trading platform in the past 12 hours. Comparative fund inflow analysis indicates that this capital influx has fully covered the shortfall caused by yesterday's hack.

February 22, 2025, 08:52 UTC — Chainflip responded on X, stating that while they have made every effort to assist, as a decentralized protocol they're unable to fully block, freeze or redirect any funds.

February 22, 2025, 11:00 UTC — Ben and Shunyet held a Chinese-language AMA with ETHPanda, Wu Blockchain, Bitget CEO Gracy Chen and other participants, in order to discuss the hack incident and share their insights on how to manage it.

February 22, 2025, 13:15 UTC — Tether CEO Paolo Ardoino announced that Tether had frozen $181,000 USDT linked to the hack.

February 22, 2025, 13:45 UTC — Bybit processed approximately $4 billion in withdrawals following the surge (post-exploit). Hacken confirmed that Bybit's user funds remain fully backed, with reserves still exceeding liabilities.

February 22, 2025, 15:32 UTC — Bybit launched a Recovery Bounty Program, with a reward of 10% of the stolen funds. To participate, contact Bybit at bounty_program@bybit.com

February 22, 2025, 16:01 UTC — Ben went on a live AMA with Crypto Town Hall, to discuss how he was handling the situation post-hack; the industry support Bybit received from peers, such as Bitget; and the way that the Bybit team was working tirelessly to handle the crisis.

Ben also stated that rolling back Ethereum should be a community decision, rather than an individual choice, possibly through a vote.

February 23, 2025, 04:32 UTC — Ben emphasized that the issue goes beyond Bybit or any single entity, stating, "It's about our industry's approach to hackers." He urged eXch to reconsider and assist in blocking the outflow of funds.

February 23, 2025, 08:55 UTC — Bybit announced that all deposits and withdrawals have resumed to normal levels.

February 23, 2025, 15:41 UTC — In total, $42.89 million of exploited funds were frozen, thanks to the coordinated efforts of industry partners, including Tether, THORchain, ChangeNOW, FixedFloat, Avalanche, CoinEx, Bitget and Circle. Additionally, mETH Protocol recovered 15,000 cmETH tokens worth nearly $43 million.

February 24, 2025, 02:35 UTC — Two days following the hack, Bybit received $1.23 billion in ETH through bridge loans, whale deposits and OTC purchases, effectively covering the ETH deficit from the exploit.

February 24, 2025, 09:12 UTC — Hacken, an independent blockchain security firm, released an updated proof-of-reserves (PoR) report. Bybit has fully closed the ETH gap of client assets within 72 hours, through strategic partnerships with Galaxy Digital, FalconX, Wintermute and others, along with support from Bitget, MEXC and DWF Labs. Key assets, such as BTC, ETH, SOL, USDT and USDC, exceed 100% collateral ratios. Users can read the full report here.

February 25, 2025, 14:40 UTC — Ben announced the launch of the LazarusBounty program — the industry-first bounty platform that specifically aims to recover funds allegedly stolen by the North Korean state-backed Lazarus Group in the Bybit exploit.

February 26, 2025, 15:17 UTC — Ben shared the preliminary reports of the hack. Both reports, conducted by Sygnia Labs and Verichains, suggest that the root cause of the hack was malicious JavaScript code on Safe{Wallet}'s platform, and that no vulnerability was detected in Bybit's infrastructure. For more information, download the reports here.

February 28, 2025, 13:25 UTC — Ben announced the V1.1 update to the LazarusBounty platform, which added the following:

  • a cross-chain hacker address analysis

  • Discord channel

  • hacker address wallet balance

  • verified ranking of bounty hunters
