Bybit Loses $1.4 Billion in Sophisticated Phishing Attack


This article is updated as new information becomes available.

Crypto exchange Bybit has confirmed a major security breach, resulting in the loss of over $1.4 billion worth of Ethereum (ETH). The incident, which targeted one of Bybit’s cold wallets, was executed through a sophisticated phishing attack.

Analysts believe that North Korea’s Lazarus Group was behind the exploit. Despite suffering the largest crypto theft in history, the Bybit exchange claims to remain solvent.

How the Hack Happened

According to Bybit’s CEO, Ben Zhou, the attackers used a “masked” transaction to deceive the exchange’s team. The signing interface shown to the signers displayed the correct destination address and a legitimate-looking origin, while the transaction data they were actually signing did something entirely different. Bybit’s signers approved the transfer without realizing this, which allowed the attackers to take control of the cold wallet and drain its ETH holdings.

The stolen funds were then moved to previously unseen addresses before being swapped for other tokens on decentralized exchanges, most likely to make the trail harder to follow. The level of deception shows how far phishing has moved beyond individual users: the target here was a company’s entire signing process.

New details reveal that the attackers combined social engineering with a delegatecall hidden inside a seemingly normal transaction to replace the implementation (master copy) contract behind Bybit’s multisig wallet, giving them full control over it. The transaction pointed at a trojan contract with a backdoor; to the signers it looked like a regular ERC-20 token transfer. Because the call was executed as a delegatecall, the trojan contract’s code ran in the storage context of Bybit’s cold wallet and rewrote the wallet’s own contract logic.

The hack did not require a bug in the multisig contract itself. It relied on the wallet being upgradeable through delegatecall, and on the signers approving a transaction whose real contents they could not see. Analysts suspect that either the signers’ devices or the signing interface they relied on was compromised, allowing the attackers to intercept and manipulate the signing process. This level of sophistication points to a highly capable, well-resourced actor with a detailed understanding of Bybit’s signing workflow.
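The two paragraphs above describe a transaction that looked like an ERC-20 transfer but was executed as a delegatecall. The added example below (not Bybit’s or Safe’s code) shows the kind of independent pre-signing check a signer could run on the raw calldata instead of trusting the interface: it ABI-decodes a Safe-style execTransaction call and refuses anything that uses delegatecall or targets a contract outside an allowlist, no matter what function name the 4-byte selector inside the payload suggests. The execTransaction and transfer selectors are the real ones; the addresses, the allowlist and both calldata blobs are constructed for the example, and the gas and refund fields are simply zeroed.

```python
"""Pre-signing sanity check for a Safe-style execTransaction call.

Added example, not code from Bybit or from the Safe project. It decodes the
raw calldata a signer is asked to approve and flags the pattern described in
the article: a payload whose inner selector looks like an ERC-20 transfer but
whose operation byte makes the wallet delegatecall into the target contract.
"""
from dataclasses import dataclass

# Real 4-byte selectors.
EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")  # execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)
ERC20_TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")    # transfer(address,uint256)
CALL, DELEGATECALL = 0, 1

# Hypothetical addresses, constructed for this example.
ZERO_ADDR = "0x" + "00" * 20
TOKEN = "0x" + "11" * 20             # allowlisted ERC-20 token
RECIPIENT = "0x" + "22" * 20         # legitimate payout address
TROJAN_CONTRACT = "0x" + "33" * 20   # attacker contract with a backdoored transfer()
ATTACKER_IMPL = "0x" + "44" * 20     # address smuggled in the "recipient" argument


def _word(n: int) -> bytes:
    return n.to_bytes(32, "big")


def _addr(a: str) -> bytes:
    return bytes.fromhex(a[2:]).rjust(32, b"\0")


def _pad(b: bytes) -> bytes:
    return b + b"\0" * (-len(b) % 32)


def erc20_transfer_calldata(to: str, amount: int) -> bytes:
    """Inner payload: transfer(address,uint256)."""
    return ERC20_TRANSFER_SELECTOR + _addr(to) + _word(amount)


def encode_exec_transaction(to: str, value: int, data: bytes, operation: int,
                            signatures: bytes = b"") -> bytes:
    """ABI-encode execTransaction; gas/refund fields are zeroed for the demo."""
    fields = [("addr", to), ("uint", value), ("bytes", data), ("uint", operation),
              ("uint", 0), ("uint", 0), ("uint", 0), ("addr", ZERO_ADDR),
              ("addr", ZERO_ADDR), ("bytes", signatures)]
    head, tail = [], b""
    for kind, val in fields:
        if kind == "addr":
            head.append(_addr(val))
        elif kind == "uint":
            head.append(_word(val))
        else:  # dynamic bytes: head holds offset, tail holds length + data
            head.append(_word(32 * len(fields) + len(tail)))
            tail += _word(len(val)) + _pad(val)
    return EXEC_TRANSACTION_SELECTOR + b"".join(head) + tail


@dataclass
class SafeTx:
    to: str
    value: int
    data: bytes
    operation: int


def decode_exec_transaction(calldata: bytes) -> SafeTx:
    """Decode the fields a signer actually needs to look at."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction call")
    body = calldata[4:]
    word = lambda i: body[32 * i:32 * (i + 1)]
    to = "0x" + word(0)[12:].hex()
    value = int.from_bytes(word(1), "big")
    data_off = int.from_bytes(word(2), "big")
    data_len = int.from_bytes(body[data_off:data_off + 32], "big")
    data = body[data_off + 32:data_off + 32 + data_len]
    operation = int.from_bytes(word(3), "big")
    return SafeTx(to, value, data, operation)


def check_before_signing(calldata: bytes, allowed_targets: set[str]) -> list[str]:
    """Return a list of reasons to refuse; an empty list means nothing was flagged."""
    tx = decode_exec_transaction(calldata)
    findings = []
    if tx.operation == DELEGATECALL:
        findings.append("operation=1 (DELEGATECALL): target code runs inside the wallet "
                        "and can overwrite its storage, including the implementation slot")
    if tx.to.lower() not in {a.lower() for a in allowed_targets}:
        findings.append(f"target {tx.to} is not an allowlisted token or contract")
    if tx.data[:4] == ERC20_TRANSFER_SELECTOR and tx.operation != CALL:
        findings.append("payload selector matches transfer(address,uint256), but a UI label "
                        "derived from the selector says nothing about what the target's code does")
    return findings


def demo() -> dict:
    """Constructed benign and trojan transactions, both labelled 'transfer' by selector."""
    allowlist = {TOKEN}
    benign = encode_exec_transaction(TOKEN, 0, erc20_transfer_calldata(RECIPIENT, 1000 * 10**18), CALL)
    trojan = encode_exec_transaction(TROJAN_CONTRACT, 0, erc20_transfer_calldata(ATTACKER_IMPL, 0), DELEGATECALL)
    return {"benign": check_before_signing(benign, allowlist),
            "trojan": check_before_signing(trojan, allowlist)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", "OK" if not findings else "REFUSE")
        for f in findings:
            print("   ", f)
```

The point of the check is that it reads the bytes the hardware wallet will sign, not what a web page renders. A policy that forbids operation 1 entirely for a treasury wallet, and pins the set of contracts it may call, would have turned the transaction described above into a refusal regardless of how the interface presented it.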

Bybit Remains Solvent

In the immediate aftermath of the hack, Bybit assured users that only one cold wallet was compromised and that all other wallets remain secure. Withdrawals continued to function normally, and the exchange emphasized its solvency, stating that user assets are 1-to-1 backed.

However, the breach triggered a wave of withdrawal requests, creating liquidity constraints. Bybit is now seeking a bridge loan to cover the loss rather than buying ETH on the open market, which could push prices down further. The stolen funds amount to roughly one-twentieth of Bybit’s total assets, and the exchange maintains that it remains solvent even if the stolen ETH is never recovered.

Bybit is working with blockchain security experts to trace the stolen funds, urging other platforms to blacklist the involved addresses. Despite these efforts, the likelihood of recovering the stolen assets remains low due to the complex laundering methods used.

Official Livestream on Incident

Bybit CEO Ben Zhou hosted a livestream to explain the situation and answer user questions. He acknowledged that Bybit was experiencing “massive withdrawals” following the breach and admitted that the platform was struggling to process these requests due to liquidity constraints.

Zhou reassured users that withdrawals would be completed within “a few hours” and emphasized that there were no plans to suspend them. He also disclosed that Bybit is actively seeking a bridge loan to cover the loss, further emphasizing the platform’s solvency and commitment to user security.

Impact on Crypto

The news of the hack sent shockwaves through the cryptocurrency market. Bitcoin (BTC) fell by $2,000 within seconds, unsettling investor confidence. Although it briefly recovered half of that loss as Bybit assured users of its solvency, BTC has since dropped further, to near $95,000.

Ethereum (ETH) also took a hit, plunging 5% after the hack was confirmed. After a brief recovery, ETH has fallen lower still, to near $2,650. Other cryptocurrencies mirrored this pattern, with sharp declines followed by partial rebounds and then renewed dips.

Data from CoinGecko showed a 46% spike in Bybit’s spot trading volume within 24 hours as users rushed to secure their funds. The surge reflects growing panic and uncertainty in the market.

North Korea’s Lazarus Group Identified

ZachXBT identified North Korea’s Lazarus Group as the party responsible for the Bybit hack. This group has been linked to several high-profile crypto hacks, including the $600 million Ronin Network exploit in 2022 and the $100 million Atomic Wallet hack in 2023.

Using on-chain data, test transactions, and forensic analysis, ZachXBT connected the Bybit hack to previous attacks orchestrated by Lazarus Group. This group is known for using advanced laundering techniques, making recovery of stolen funds extremely difficult.

This event is a harsh reminder that keeping your crypto on an exchange isn’t as safe as it seems. When your funds are on an exchange, you don’t fully control them. A separate article on this site explains why you should consider moving your investments to a cold wallet you control for better security.

Kevin Lee