Bybit Suffers $1.4 Billion Crypto Hack in One of the Largest Breaches

Massive Security Breach at Bybit Raises Alarm Across Crypto Industry
Bybit, one of the world’s largest cryptocurrency exchanges, has been hacked for more than $1.4 billion in liquid-staked Ether (stETH), MegaETH (mETH), and various ERC-20 tokens. The massive exploit was first spotted by onchain security analyst ZachXBT, who identified suspicious outflows from the exchange shortly after the attack occurred.
He reported that a source confirmed to him that it was a “security incident” and later revealed that the stolen ETH was being split across 39 different addresses, an apparent attempt by the attacker to obfuscate the funds’ movement and evade detection.

More than $1.4 billion in Ethereum (ETH) and liquid staking derivatives were drained from Bybit’s hot wallet on Friday, with a substantial portion of the stolen assets quickly offloaded through decentralized exchanges. On-chain intelligence firm Arkham also flagged significant ETH and stETH outflows from the platform, corroborating the scale of the breach.
Following the incident, ZachXBT urged users to blacklist addresses linked to the hacker, warning that the attacker was actively attempting to launder the stolen funds.
Bybit’s co-founder and CEO, Ben Zhou, confirmed the security breach and disclosed that the exploit stemmed from unauthorized activity involving one of the exchange’s ETH cold wallets. The exchange explained that the attack was executed when its ETH multisignature cold wallet initiated a transfer to a warm wallet.
However, the transaction had been manipulated through a sophisticated attack that altered the underlying smart contract logic while displaying a legitimate address in the signing interface. This allowed the attacker to gain control of the affected cold wallet and siphon its holdings into an unidentified address.

Zhou revealed that the exploit had been carefully designed to appear as a routine transaction, with malicious source code embedded to alter the wallet’s smart contract mechanics.
Despite the severity of the breach, he assured customers that all other cold wallets remained secure, and withdrawals were functioning normally. “Bybit is solvent even if this hack loss is not recovered, all of the client’s assets are 1-to-1 backed — we can cover the loss,” Zhou stated, emphasizing that customer funds remained unaffected.

The exchange later reaffirmed that its cold wallets were fully secure and that operations remained unaffected. However, the magnitude of the hack sent shockwaves through the crypto market, triggering a sell-off in Ethereum. The price of ETH fell more than 3% following confirmation of the breach before starting to stabilize, adding to broader concerns over security vulnerabilities in the industry.

The attack adds to a growing list of major exchange breaches that have rocked the crypto space in 2024 and early 2025, underscoring persistent threats despite increasing security measures across platforms.
Later, onchain security researcher ZachXBT linked the infamous North Korean state-backed Lazarus Group to the staggering Bybit hack, exposing yet another high-profile cybercrime operation in the crypto industry. His findings, submitted on February 21, 2025, were based on blockchain data and earned him a 50,000 ARKM bounty from Arkham Intelligence, valued at roughly $31,500. This revelation confirms growing concerns over Lazarus Group’s escalating cyber offensives, marking one of the largest crypto heists to date.

Bybit has garnered widespread industry support in its ongoing effort to recover the stolen funds. Tron founder Justin Sun announced that his team was actively aiding the exchange in tracking the assets, while OKX confirmed its security division was directly assisting Bybit’s investigation.

KuCoin, another major exchange, publicly backed Bybit and its CEO, Ben Zhou, stressing that crypto security is a collective responsibility. The exchange called for industry-wide cooperation to counter increasingly sophisticated cyber threats, reinforcing the urgent need for stronger security protocols across the sector.
Despite the magnitude of the breach, concerns over Bybit’s financial stability were quickly dismissed by key industry figures. Coinbase executive Conor Grogan reassured the community that Bybit remains operational, with over $20 billion in assets and untouched cold wallets. He dismissed comparisons to the FTX collapse, stating, "Bybit is not an FTX situation. If it was, I would be screaming it out. They will be fine."

His remarks were echoed by Aave founder Stani Kulechov, who provided insight from his own experience dealing with major security breaches, reinforcing confidence in Bybit’s ability to navigate the crisis.

As the investigation continues, security experts have emphasized the importance of enhanced protective measures. Yuga Labs’ Vice President of Blockchain, known as "Quit," advised users to implement multisignature authentication, use hardware wallets as signers, and conduct transaction simulations before finalizing transfers.
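The mismatch described earlier, where the signing interface displayed a legitimate address while the payload did something else, is what an independent pre-signing check is meant to catch. The sketch below is an added example, not Bybit's or any wallet vendor's code, and it is a simpler check than a full transaction simulation: it decodes the raw payload on its own and compares it with what the signer was shown. It assumes the intended operation is a plain ERC-20 `transfer`; the field names, addresses and payloads are constructed for illustration.

```python
# Added illustration; all addresses, field names and payloads are constructed.
ERC20_TRANSFER = "a9059cbb"  # 4-byte selector of transfer(address,uint256)
HEX_DIGITS = set("0123456789abcdef")

def transfer_calldata(recipient, amount):
    """Build ERC-20 transfer calldata (used here only to make sample input)."""
    return "0x" + ERC20_TRANSFER + recipient[2:].lower().rjust(64, "0") + format(amount, "064x")

def decode_erc20_transfer(data_hex):
    """Return (recipient, amount) if calldata is exactly a transfer, else None."""
    data = data_hex.lower()
    data = data[2:] if data.startswith("0x") else data
    if len(data) != 8 + 128 or data[:8] != ERC20_TRANSFER:
        return None
    if not set(data) <= HEX_DIGITS:
        return None
    addr_word, amount_word = data[8:72], data[72:136]
    if addr_word[:24] != "0" * 24:  # address occupies the low 20 bytes only
        return None
    return "0x" + addr_word[24:], int(amount_word, 16)

def presign_findings(displayed, raw_tx, approved_tokens):
    """List every way the raw payload differs from what the signer was shown."""
    findings = []
    target = raw_tx["to"].lower()
    if target not in approved_tokens:
        findings.append("call target %s is not an approved token contract" % target)
    decoded = decode_erc20_transfer(raw_tx["data"])
    if decoded is None:
        findings.append("calldata is not a plain ERC-20 transfer")
        return findings
    recipient, amount = decoded
    if recipient != displayed["recipient"].lower():
        findings.append("recipient mismatch: payload pays %s" % recipient)
    if amount != displayed["amount"]:
        findings.append("amount mismatch: payload moves %d" % amount)
    return findings

TOKEN, WARM, OTHER = "0x" + "aa" * 20, "0x" + "11" * 20, "0x" + "22" * 20
SHOWN = {"recipient": WARM, "amount": 5000}  # what the signing screen displayed
HONEST = {"to": TOKEN, "data": transfer_calldata(WARM, 5000)}
ALTERED = {"to": TOKEN, "data": transfer_calldata(OTHER, 5000)}
OPAQUE = {"to": OTHER, "data": "0xdeadbeef"}

if __name__ == "__main__":
    for name, tx in (("honest", HONEST), ("altered", ALTERED), ("opaque", OPAQUE)):
        print(name, presign_findings(SHOWN, tx, {TOKEN}) or "matches display")
```

A check like this only helps if it runs on a device and code path separate from the signing interface, so that a compromise of the interface cannot also alter the comparison.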

KuCoin further reinforced security best practices, urging users to enable two-factor authentication (2FA), adopt strong, unique passwords, and implement passkeys for added protection. With Lazarus Group’s latest attack underscoring the persistent risks in crypto, the industry faces mounting pressure to fortify its defenses against an evolving cyber threat landscape.
In February 2025, the crypto industry faced a surge in hacks and scams, impacting multiple platforms. Notably, ZkLend, a Starknet money-market protocol, was exploited on February 14, losing $9.5 million. Cybersecurity firm Cyvers revealed that the stolen funds were funneled through Ethereum and Railgun, but the latter returned the assets.
Additionally, on February 5, Jupiter, a Solana-based DEX, and former Malaysian Prime Minister Mahathir Mohamad experienced social media exploits promoting fake memecoins. Eliza Labs founder Shaw Walters reported a hack of his X account, despite using two-factor authentication, which also disseminated scam links.
This article has been refined and enhanced by ChatGPT.