February 24, 2025 at 14:58 GMT

Bybit suffers $1.5B crypto hack – what happened?

Cryptocurrency exchange Bybit has suffered one of the largest hacks in crypto history. On 21 February 2025, hackers managed to steal approximately $1.4 billion worth of Ethereum ($ETH) from the platform.

The attack has sent shockwaves through the crypto community, leading to widespread panic and a massive outflow of funds from the exchange.

Following the breach, users rushed to withdraw their assets, fearing further security vulnerabilities. Data from DeFiLlama showed that Bybit processed an astonishing $2.5 billion in withdrawals on 22 February alone. 

The following day, another $3.26 billion was withdrawn, bringing the total to nearly $6 billion in just 48 hours. As a result, Bybit’s total assets, which stood at $16.9 billion before the attack, fell to $10.8 billion in record time.

Despite the enormous volume of withdrawals, Bybit’s operations continued smoothly, and the exchange successfully processed transactions without any major disruptions. 

However, financial analysts believe that in order to meet these withdrawal demands, Bybit may have had to sell Bitcoin ($BTC) or use it as collateral to acquire Ethereum. 

This theory is based on observed market movements and on-chain data that suggest a significant shift in Bybit’s asset reserves.

Bybit’s CEO, Ben Zhou, reassured users that the exchange had successfully restored its Ethereum reserves and that all customer assets remained fully backed at a 1:1 ratio. He emphasised that the company had taken all necessary steps to mitigate further risks and ensure user funds were secure. 

Who was behind the hack?

Following the attack, blockchain security experts quickly launched investigations to determine who was responsible. 

Leading blockchain analysis firm Elliptic has suggested that the infamous Lazarus Group, a North Korean cybercrime syndicate, may be behind the hack. 

This group has been linked to several large-scale cryptocurrency thefts over the years, often using stolen funds to finance North Korea’s state operations.

Elliptic’s report indicates that the hackers immediately began laundering the stolen $ETH through sophisticated methods designed to obscure their transactions. It is believed that they will continue moving the funds through various crypto mixing services, which are known for making illicit transactions harder to trace. 

The level of expertise involved in the attack and the techniques used strongly suggest the involvement of a highly organised and well-funded cybercriminal organisation.

How the hackers stole $1.4B

According to blockchain security investigators, the attack on Bybit was meticulously planned and executed. 

The hackers exploited a vulnerability in Bybit’s multi-signature approval system. Multi-signature wallets require multiple approvals for transactions to be processed, making them more secure than single-signature wallets. 

However, in this case, the attackers managed to manipulate the system to gain unauthorised access to Bybit’s reserves.

The attackers reportedly created a fake user interface that closely resembled Bybit’s official system. This sophisticated deception allowed them to trick Bybit’s internal security team into unknowingly approving fraudulent transactions. 

Once they gained access, the hackers rapidly transferred over 400,000 $ETH, worth approximately $1.4 billion, to their own wallets. The scale of the theft and the speed with which it was carried out indicate a high level of technical expertise.
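The following sketch is an added illustration, not Bybit's code or part of the original report. It shows why a multi-signature threshold gives no protection when every signer trusts the same display, and how an independent check of the raw payload stops the approval. The 2-of-3 policy, the allowlist, the addresses and the use of HMAC in place of a real signature scheme are all assumptions made for the example.

```python
import hashlib
import hmac
import json

THRESHOLD = 2                      # assumed 2-of-3 approval policy
ALLOWLIST = {"0xWARM_WALLET"}      # constructed placeholder destination

def digest(tx: dict) -> bytes:
    """Hash a canonical encoding of the fields that would be executed."""
    blob = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).digest()

def review(displayed: dict, payload: dict) -> list[str]:
    """Checks a signer runs on a separate device before approving."""
    problems = []
    if digest(displayed) != digest(payload):
        problems.append("payload does not match what the interface displayed")
    if payload.get("to") not in ALLOWLIST:
        problems.append("destination is not on the allowlist")
    return problems

def approve(key: bytes, payload: dict) -> bytes:
    """HMAC stands in for a real signature over the payload digest."""
    return hmac.new(key, digest(payload), hashlib.sha256).digest()

def run_ceremony(keys: dict, displayed: dict, payload: dict, verify: bool) -> bool:
    """Return True if enough valid approvals exist to execute the payload."""
    approvals = {}
    for name, key in keys.items():
        if verify and review(displayed, payload):
            continue                     # this signer refuses to approve
        approvals[name] = approve(key, payload)
    valid = sum(
        hmac.compare_digest(sig, approve(keys[name], payload))
        for name, sig in approvals.items()
    )
    return valid >= THRESHOLD

# Constructed sample data: the interface shows one transfer, the payload is another.
KEYS = {"signer_a": b"key-a", "signer_b": b"key-b", "signer_c": b"key-c"}
DISPLAYED = {"to": "0xWARM_WALLET", "value_eth": 100}
TAMPERED = {"to": "0xUNKNOWN", "value_eth": 400000}

if __name__ == "__main__":
    print("trusting the display:", run_ceremony(KEYS, DISPLAYED, TAMPERED, verify=False))
    print("verifying the payload:", run_ceremony(KEYS, DISPLAYED, TAMPERED, verify=True))
    print("legitimate request:", run_ceremony(KEYS, DISPLAYED, DISPLAYED, verify=True))
```
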

This breach has once again highlighted the vulnerabilities that exist in even the most advanced cryptocurrency security systems. 

Despite Bybit’s efforts to enhance its security, the attack demonstrated that well-coordinated hackers can still find ways to exploit weaknesses.

In the wake of the attack, Bybit faced an urgent challenge: how to restore its Ethereum reserves and prevent a full-scale crisis. 

Blockchain data suggests that the exchange used a combination of emergency loans, large investor deposits, and market purchases to recover the lost assets.

One of the key factors that allowed Bybit to recover quickly was its strong financial position. CEO Zhou stated that the exchange’s retained earnings and reserves were sufficient to cover the loss. 

This rapid response reassured users that their funds remained safe, helping to prevent further panic and mass withdrawals.

While Bybit’s ability to recover was commendable, the hack has raised serious concerns about the overall security of centralised cryptocurrency exchanges. 

Many experts believe that such incidents could lead to increased regulatory scrutiny and pressure on exchanges to adopt even stricter security measures.

Hackers laundering the stolen crypto

Once the hackers stole the Ethereum, their next challenge was to launder the funds without getting caught. 

The first step in this process was converting stolen tokens into Ethereum, as $ETH transactions are harder to freeze compared to tokens controlled by centralised issuers.

To further obscure their transactions, the hackers have been using decentralised exchanges (DEXs), which do not require identity verification. By using these platforms, they can swap large amounts of Ethereum without triggering alarms from centralised monitoring systems.

A significant portion of the stolen funds is also being funnelled through crypto mixers like Tornado Cash. These mixers allow users to deposit crypto and withdraw it from different addresses, breaking the transaction trail and making it much more difficult for investigators to track the stolen funds. 

The hackers are also distributing the stolen $ETH across dozens of different wallets, each holding smaller amounts to further complicate detection.
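As an added illustration of how investigators can follow this kind of splitting (not code from the original report or from any analysis firm), the sketch below traces funds forward from a known address and flags addresses that fan the money out into many small transfers. The transfer records, address names and thresholds are constructed for the example.

```python
from collections import defaultdict

def trace(transfers, seed, max_hops=3):
    """Follow funds forward from `seed`, honouring time order, up to max_hops."""
    outgoing = defaultdict(list)
    for ts, src, dst, amount in sorted(transfers):
        outgoing[src].append((ts, dst, amount))
    reached = {seed: (0, 0)}   # address -> (hop, time funds first reached it in this trace)
    frontier = [seed]
    for hop in range(1, max_hops + 1):
        nxt = []
        for addr in frontier:
            arrived = reached[addr][1]
            for ts, dst, _ in outgoing[addr]:
                # Only transfers made after the traced funds arrived can carry them.
                if ts >= arrived and dst not in reached:
                    reached[dst] = (hop, ts)
                    nxt.append(dst)
        frontier = nxt
    return reached

def fanout_addresses(transfers, reached, min_recipients=4, max_share=0.3):
    """Among traced addresses, flag those splitting funds into many small outputs."""
    sent = defaultdict(lambda: defaultdict(float))
    for ts, src, dst, amount in transfers:
        if src in reached and ts >= reached[src][1]:
            sent[src][dst] += amount
    flagged = {}
    for src, per_dst in sent.items():
        total = sum(per_dst.values())
        if len(per_dst) >= min_recipients and max(per_dst.values()) <= max_share * total:
            flagged[src] = sorted(per_dst)
    return flagged

# Constructed transfers: (timestamp, from, to, amount in ETH)
TRANSFERS = [
    (5, "hop1", "old", 1.0),          # predates the traced funds, so it is ignored
    (10, "theft", "hop1", 400.0),
    (15, "alice", "bob", 5.0),        # unrelated activity
    (20, "hop1", "w1", 100.0),
    (21, "hop1", "w2", 100.0),
    (22, "hop1", "w3", 100.0),
    (23, "hop1", "w4", 100.0),
    (30, "w1", "dex", 100.0),
]

if __name__ == "__main__":
    reached = trace(TRANSFERS, "theft")
    print(sorted(reached))
    print(fanout_addresses(TRANSFERS, reached))
```

A trace like this follows direct transfers only; once funds enter a mixer's pool, the link between deposit and withdrawal is no longer visible in the transfer records.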

This process is expected to take months, if not years, as the hackers carefully move small portions of the funds over time to avoid drawing attention. 

Despite blockchain analysis tools improving in recent years, cybercriminals continue to find ways to stay ahead of investigators.

This latest hack has once again exposed the vulnerabilities of centralised crypto exchanges. Even though Bybit is one of the most prominent platforms in the industry, it still fell victim to a highly sophisticated attack. 

For individual users, this highlights the importance of safeguarding their own assets. The safest way to store cryptocurrency is in cold wallets, which are offline and inaccessible to hackers. 

Relying solely on exchanges to hold assets can be risky, as history has shown that even the largest platforms can be breached.

The increasing sophistication of hackers also raises concerns about the future of crypto security. As cybercriminals continue to refine their methods, exchanges will need to invest heavily in advanced security measures to stay ahead of potential threats. 

This attack could also prompt regulators to implement stricter rules for exchanges, potentially requiring them to improve security infrastructure and risk management practices.
