
Key Points
- ByBit suffered a $1.4 billion hack on February 21, 2025, the largest in crypto history.
- Hackers stole ETH and related tokens using a phishing scheme, linked to North Korea’s Lazarus Group.
- ByBit assured users it remains solvent and is processing withdrawals normally.
The Hack Incident
On February 21, 2025, ByBit, a major cryptocurrency exchange, experienced a significant security breach, resulting in the theft of over $1.4 billion in digital assets. This hack is notable as the largest in the cryptocurrency industry’s history, surpassing previous major incidents like the Ronin Network and Poly Network hacks.
Stolen Assets and Method
The hackers stole approximately 401,347 ETH (worth $1.12 billion), 90,376 stETH ($253.16 million), 15,000 cmETH ($44.13 million), and 8,000 mETH (~$23 million), totaling around $1.44 billion. They used a sophisticated phishing scheme to trick ByBit’s multisignature cold wallet signers into approving a malicious transaction, which altered the wallet’s smart contract logic to siphon funds. The stolen assets were then moved across more than 40 wallets, with tokens converted to ETH and transferred in $27 million increments.
Suspected Culprits and Market Impact
Blockchain analysis firms, including Arkham Intelligence and Elliptic, have linked the attack to the Lazarus Group, a North Korean state-sponsored hacking collective known for previous crypto heists. The news caused a sharp decline in Ether’s price and triggered $76 million in ETH futures liquidations over four hours, reflecting significant market volatility.
ByBit’s Response
ByBit’s CEO, Ben Zhou, confirmed the breach, stating only one ETH cold wallet was compromised, while others remain secure. The exchange assured users it is solvent and can cover the loss, with all client assets 1-to-1 backed. By February 22, 2025, ByBit processed over 350,000 withdrawal requests, achieving a 99.994% completion rate, and is working with firms to track and potentially recover the stolen funds.
Comprehensive Analysis of the ByBit Hack on February 21, 2025
Introduction
On February 21, 2025, ByBit, a prominent cryptocurrency exchange, suffered a catastrophic security breach, marking the largest hack in the history of the crypto industry. This incident involved the theft of over $1.4 billion in digital assets, primarily Ethereum (ETH) and related tokens, and has raised significant concerns about the security of centralized exchanges. The attack, linked to North Korea’s Lazarus Group, not only impacted ByBit’s operations but also caused widespread market volatility, highlighting the persistent challenges in safeguarding cryptocurrency platforms.
Incident Details
The hack was first reported on February 21, 2025, with on-chain analyst ZachXBT flagging suspicious outflows totaling $1.46 billion at 10:20 AM ET. ByBit’s CEO, Ben Zhou, confirmed the breach via an X post, detailing the extent of the loss. The attack compromised a single ETH cold wallet, an offline storage system designed for enhanced security, which is surprising given the typically robust protections of such wallets.
Stolen Assets
The stolen assets comprised a mix of tokens, with the following breakdown based on reports from Nansen and other blockchain analytics:
- 401,347 ETH, valued at approximately $1.12 billion.
- 90,376 stETH (liquid-staked Ether from Lido), worth ~$253.16 million.
- 15,000 cmETH, valued at ~$44.13 million.
- 8,000 mETH (Mantle Staked ETH), worth ~$23 million.
The total value of the stolen funds is estimated at $1.44 billion, with slight variations in reported figures (e.g., $1.46 billion by some sources). The valuation was based on ETH trading at approximately $2,790 to $3,488 per coin at the time, reflecting the fluctuating crypto market prices.
Method of Attack
The hackers executed a sophisticated phishing scheme, tricking the signers of ByBit’s multisignature cold wallet into approving a malicious transaction. This wallet, which requires multiple signatures for a transaction to execute, was compromised through a deceptive user interface (UI) that masked the transaction’s true nature: the signers approved what appeared to be a routine transfer, while the raw payload contained malicious code that altered the smart contract logic, enabling the hackers to take control of the wallet and transfer its funds to an unidentified address. This method, described as “blind signing” by some reports because the signers approved a payload they could not see in full, highlights the vulnerability of even secure systems to social engineering attacks.
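The defence implied by the paragraph above is that a signer’s tooling should check the raw transaction payload independently of whatever the UI renders, before a human is asked to approve it. The following is an added example written for this article, not ByBit’s code or that of any wallet vendor. It assumes a Safe-style multisig transaction shape with `to`, `value`, `data` and `operation` fields (where operation 0 is a CALL and 1 is a DELEGATECALL); the article does not state which wallet implementation ByBit used, so that layout, the policy structure and all addresses are constructed for illustration.

```python
# Added example (not ByBit's or any vendor's code): a pre-signing policy gate run
# on the raw multisig payload, independent of the signing UI. Field layout assumes
# a Safe-style transaction (to, value, data, operation); this is an assumption.
from dataclasses import dataclass

CALL = 0           # run code at `to` in the target's own storage context
DELEGATECALL = 1   # run code at `to` using the *wallet's* storage context

# First 4 bytes of keccak256("transfer(address,uint256)"), the ERC-20 transfer selector.
ERC20_TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")


@dataclass(frozen=True)
class MultisigTx:
    to: str          # target address, 0x-prefixed lowercase hex
    value: int       # native ETH attached, in wei
    data: bytes      # raw calldata
    operation: int   # CALL or DELEGATECALL


@dataclass(frozen=True)
class SigningPolicy:
    allowed_targets: frozenset    # contracts/recipients verified out of band
    allowed_selectors: frozenset  # function selectors the wallet is expected to call
    max_value_wei: int            # per-transaction cap on native ETH


def encode_transfer(recipient: str, amount: int) -> bytes:
    """Build ERC-20 transfer(address,uint256) calldata (used to construct samples)."""
    addr_word = bytes.fromhex(recipient[2:]).rjust(32, b"\x00")
    return ERC20_TRANSFER_SELECTOR + addr_word + amount.to_bytes(32, "big")


def decode_transfer(data: bytes):
    """Return (recipient, amount) from transfer calldata, or None if malformed."""
    if len(data) != 68 or data[:4] != ERC20_TRANSFER_SELECTOR:
        return None
    recipient = "0x" + data[16:36].hex()          # 4-byte selector + 12 bytes padding
    amount = int.from_bytes(data[36:68], "big")
    return recipient, amount


def check_transaction(tx: MultisigTx, policy: SigningPolicy) -> list:
    """Return the list of policy violations. An empty list means the raw payload
    matches what the signer expects and may be presented for approval."""
    violations = []
    if tx.operation == DELEGATECALL:
        violations.append("DELEGATECALL runs foreign code in the wallet's own "
                          "storage context and can replace wallet logic; refuse")
    elif tx.operation != CALL:
        violations.append(f"unknown operation {tx.operation}")
    if tx.to.lower() not in policy.allowed_targets:
        violations.append(f"target {tx.to} is not on the verified allowlist")
    if tx.value > policy.max_value_wei:
        violations.append(f"value {tx.value} wei exceeds cap {policy.max_value_wei}")
    if tx.data:
        selector = tx.data[:4]
        if selector not in policy.allowed_selectors:
            violations.append(f"selector 0x{selector.hex()} is not permitted")
        elif selector == ERC20_TRANSFER_SELECTOR:
            decoded = decode_transfer(tx.data)
            if decoded is None:
                violations.append("transfer calldata is malformed")
            elif decoded[0] not in policy.allowed_targets:
                violations.append(f"transfer recipient {decoded[0]} is not allowlisted")
    return violations


# Constructed sample addresses; none of these are real ByBit or attacker addresses.
TOKEN_CONTRACT = "0x1111111111111111111111111111111111111111"
HOT_WALLET = "0x2222222222222222222222222222222222222222"
UNKNOWN_CONTRACT = "0x3333333333333333333333333333333333333333"

POLICY = SigningPolicy(
    allowed_targets=frozenset({TOKEN_CONTRACT, HOT_WALLET}),
    allowed_selectors=frozenset({ERC20_TRANSFER_SELECTOR}),
    max_value_wei=10**18,  # 1 ETH
)

# A routine token transfer that is exactly what the UI would show.
benign = MultisigTx(to=TOKEN_CONTRACT, value=0,
                    data=encode_transfer(HOT_WALLET, 500 * 10**18), operation=CALL)

# A payload a tampered UI might render as that same routine transfer, but whose raw
# fields point the wallet at unverified code via DELEGATECALL.
suspicious = MultisigTx(to=UNKNOWN_CONTRACT, value=0,
                        data=bytes.fromhex("deadbeef"), operation=DELEGATECALL)

if __name__ == "__main__":
    for name, tx in (("benign", benign), ("suspicious", suspicious)):
        print(name, check_transaction(tx, POLICY) or "OK")
```

The point of the gate is that it reads the bytes that will actually be signed, so a compromised front end cannot hide an operation type or target from it; in practice the allowlist and selector set would be maintained on a separate, hardened machine from the one running the signing UI.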
Funds Movement and Laundering
Post-hack, the stolen funds were initially transferred to a primary wallet, then distributed across more than 40 wallets. The hackers converted stETH, cmETH, and mETH to ETH on decentralized exchanges before systematically transferring the ETH in $27 million increments to over 10 additional wallets. This strategy is a common laundering technique to obscure the funds’ trail and complicate recovery efforts.
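The fan-out pattern described above (one staging wallet pushing near-uniform amounts to many fresh addresses in a short window) is something an exchange’s own monitoring or a chain-analytics team can flag automatically. The following heuristic is an added example written for this article; it is not the method used by Arkham, Elliptic or ZachXBT, and the transfer records, addresses, amounts and thresholds are all constructed to illustrate the shape of the pattern rather than taken from the real incident.

```python
# Added example (not from the article or any analytics vendor): flag a source
# address that fans out near-identical amounts to many distinct destinations
# within a short window. All transfer records below are constructed.
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ts: int          # unix time, seconds
    src: str
    dst: str
    amount_usd: float


def find_fan_out(transfers, min_destinations=10, window_s=3600, max_spread=0.05):
    """Flag sources that, inside some `window_s` window, send near-uniform amounts
    (within `max_spread` of that window's median) to at least `min_destinations`
    distinct addresses. Returns {src: {"destinations": n, "median_usd": m}} using
    the best-scoring window per source."""
    by_src = defaultdict(list)
    for t in transfers:
        by_src[t.src].append(t)

    flagged = {}
    for src, txs in by_src.items():
        txs.sort(key=lambda t: t.ts)
        for i, first in enumerate(txs):
            window = [t for t in txs[i:] if t.ts - first.ts <= window_s]
            if len(window) < min_destinations:
                continue
            median = statistics.median(t.amount_usd for t in window)
            uniform = {t.dst for t in window
                       if abs(t.amount_usd - median) <= max_spread * median}
            if len(uniform) >= min_destinations and \
                    len(uniform) > flagged.get(src, {}).get("destinations", 0):
                flagged[src] = {"destinations": len(uniform), "median_usd": median}
    return flagged


# Constructed addresses: a staging wallet behaving like the pattern in the text,
# and an unrelated source with routine, varied-size transfers.
STAGING = "0x" + "a0" * 20
MARKET_MAKER = "0x" + "b0" * 20

SAMPLE = [
    # twelve ~$27M transfers to twelve fresh addresses, 200 s apart
    Transfer(1_740_100_000 + 200 * i, STAGING, f"0x{i + 1:040x}", 27_000_000 + 1_000 * i)
    for i in range(12)
] + [
    Transfer(1_740_100_000, MARKET_MAKER, "0x" + "c1" * 20, 1_250_000),
    Transfer(1_740_100_600, MARKET_MAKER, "0x" + "c2" * 20, 4_100_000),
    Transfer(1_740_101_200, MARKET_MAKER, "0x" + "c3" * 20, 310_000),
]

if __name__ == "__main__":
    for src, info in find_fan_out(SAMPLE).items():
        print(f"fan-out from {src}: {info['destinations']} destinations, "
              f"median ${info['median_usd']:,.0f}")
```

The thresholds are deliberately parameters: an exchange watching its own hot-wallet outflows would tune `min_destinations` and `window_s` to its normal operating pattern, and would pair this with a check that the destinations have no prior history, since freshly created addresses are the other half of the pattern the article describes.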
Suspected Culprits
Blockchain analysis firms, including Arkham Intelligence and Elliptic, have attributed the attack to the Lazarus Group, a state-sponsored hacking collective from North Korea. This group, known for targeting crypto platforms, was linked through on-chain data and previous attack patterns, as confirmed by on-chain sleuth ZachXBT’s submission to Arkham’s $50,000 ARKM bounty. ZachXBT’s analysis included test transactions, connected wallets, and timing analyses, providing “definitive proof” of Lazarus Group’s involvement. This connection is consistent with North Korea’s history of crypto heists, with reports indicating over $2 billion stolen in the past five years.
Market Impact
The hack had immediate repercussions on the cryptocurrency market, particularly affecting Ether’s price. Reports indicate a sharp decline in ETH’s value following the news, though exact percentages were not specified in the data. Additionally, CoinGlass data showed $76 million in ETH futures liquidations over four hours, with $43 million from short positions, reflecting panic selling and market sensitivity to such incidents. The timing, coinciding with ETHDenver, further dampened sentiment in the Ethereum community, already weakened by internal controversies.
ByBit’s Response and Operational Continuity
ByBit’s CEO, Ben Zhou, addressed the community via X posts and a livestream, reassuring users of the exchange’s solvency. Key points from his statements include:
- Only the ETH cold wallet was compromised; all other hot, warm, and cold wallets remain secure.
- ByBit is solvent even if the hack loss is not recovered, with all client assets 1-to-1 backed, as stated in an X post on February 21, 2025.
- Withdrawals continued normally, with an update on February 22, 2025, indicating over 350,000 withdrawal requests processed, achieving a 99.994% completion rate, with 2,100 requests left.
Zhou also emphasized that ByBit is collaborating with blockchain analysis firms to track the stolen funds, though specific recovery efforts were not detailed in the available data. Former Binance CEO Changpeng Zhao (CZ) recommended pausing withdrawals as a precaution, but ByBit proceeded with normal operations, demonstrating confidence in its financial stability.
Comparison to Previous Hacks
This incident surpasses previous major crypto hacks in scale:
- The Ronin Network hack in March 2022 resulted in a $624 million loss, primarily ETH and USD Coin (USDC).
- The Poly Network hack in 2021 saw $611 million stolen, later partially recovered.
- ByBit’s hack, at $1.44 billion, is not only the largest in crypto history but also potentially the largest single theft across any industry, as noted by Elliptic’s co-founder.
This comparison underscores the escalating sophistication and scale of cyber threats in the crypto space, with North Korean actors playing a significant role.
Conclusion and Implications
The ByBit hack on February 21, 2025, is a stark reminder of the vulnerabilities inherent in centralized cryptocurrency exchanges, even those employing cold wallet storage. The involvement of the Lazarus Group highlights the geopolitical dimensions of cybercrime, with North Korea leveraging such attacks to fund its activities. The market’s reaction, including significant liquidations and price volatility, reflects the crypto community’s hyper-sensitivity to security breaches. ByBit’s swift response and assurances of solvency aim to restore user confidence, but the incident underscores the urgent need for enhanced security measures, such as improved signer verification processes and multi-factor authentication, to mitigate future risks.
Tables for Clarity
Below is a table summarizing the stolen assets:
| Token | Amount | Value (USD, Approx.) |
|---|---|---|
| ETH | 401,347 | $1,120,000,000 |
| stETH | 90,376 | $253,160,000 |
| cmETH | 15,000 | $44,130,000 |
| mETH | 8,000 | $23,000,000 |
| Total | – | $1,440,290,000 |
And a comparison table with previous major hacks:
| Hack Event | Year | Amount Stolen (USD) | Notes |
|---|---|---|---|
| ByBit Hack | 2025 | $1,440,290,000 | Largest ever, linked to Lazarus |
| Ronin Network | 2022 | $624,000,000 | Ethereum sidechain for Axie Infinity |
| Poly Network | 2021 | $611,000,000 | Partially recovered |