Key Insights
- Crypto exchange Bybit suffered the largest-ever exchange hack, with over 400,000 ETH and derivative tokens stolen through a sophisticated attack on its multisignature cold wallet.
- CEO Ben Zhou confirmed that customer withdrawals will continue despite the liquidity crunch, with 80% of the stolen Ethereum secured through a bridge loan from partners.
SINGAPORE (MarketsXplora) – In a stunning security breach, centralized crypto exchange Bybit has fallen victim to a $1.4 billion hack, marking the largest theft of digital assets in history. The attack, attributed to North Korea’s notorious Lazarus Group, resulted in the loss of over 400,000 ETH and various derivative tokens. The funds were swiftly distributed across multiple wallets before being converted into ETH using decentralized exchanges.
Bybit confirmed that a hacker gained access to its multisignature cold wallet, compromising a crucial layer of security. The breach was detected during a routine transfer from a cold wallet to a hot wallet, at which point the transaction was manipulated by a sophisticated attack that altered the smart contract logic, enabling the hacker to seize control.
Bybit CEO Vows Customer Withdrawals Will Proceed
In response to the unprecedented attack, Bybit CEO Ben Zhou assured customers that all withdrawals would be honored, despite the liquidity crunch caused by the massive theft.
Speaking during a livestream on X Spaces, Zhou revealed that the firm had secured a bridge loan from its partners to ensure customer withdrawals and operational stability.
“For immediate sake, we are currently reaching out to our partners to give us a bridge loan,” Zhou stated. “So, currently, we are not buying [Ethereum]. And even if we did want to buy, it is too big of an amount to be moving around.”
Bybit, a Singapore-based exchange that recorded $233.36 billion in spot trading volume in January, now faces a critical period as it works to recover from the attack. Zhou emphasized that 80% of the stolen Ethereum has already been secured through the bridge loan, mitigating some of the liquidity concerns.
“We actually already secured almost 80% of the Ethereum that’s been stolen as a bridge loan to give us that liquidity, to help us with the liquidity crunch so we can pass this crucial period,” Zhou reassured users.
How Did Bybit Lost Over 400,000 ETH?
Bybit’s internal post-mortem investigation has revealed that the attack was executed through a complex exploit of its multisignature cold wallet system. The hackers drained 401,347 ETH valued at $1.12 billion, alongside 90,376 stETH worth $253.16 million, 15,000 cmETH valued at $44.13 million, and 8,000 mETH amounting to $23 million. The swift transfer of stolen funds into decentralized exchanges has made tracking and recovery efforts significantly more challenging.
One focal point of the investigation is Safe{Wallet}, a self-custodial multi-signature solution widely used across the industry. Safe has confirmed collaboration with Bybit’s security team and has temporarily paused certain functionalities as a precautionary measure.
“For security reasons, we won’t be specific,” a Safe representative told MarketsXplora when asked what features had been disabled. While Safe has denied evidence of a direct compromise, the protocol’s front-end website and backend infrastructure both showed temporary signs of disruption following the attack.
Despite initial speculation regarding Safe’s involvement, Ethereum security teams and independent researchers now believe Lazarus may have infiltrated Bybit’s system by compromising the devices of its multisignature signers.
Did Lazarus Exploit a Safe{Wallet} Vulnerability?
Bybit’s security team is closely examining whether a vulnerability within Safe{Wallet} was exploited, as the platform is widely used for multi-signature transactions across the crypto industry. In the immediate aftermath of the hack, Zhou made an urgent—now deleted—post on X seeking direct contact with Safe’s developers.
Safe later confirmed it was working closely with Bybit on the investigation and temporarily paused “certain functionalities” as a precaution. While no definitive evidence has emerged linking Safe’s infrastructure to the breach, the protocol’s front-end was temporarily down, displaying a 503 server error message.
Ethereum security researchers are growing increasingly convinced that Lazarus leveraged an alternative approach—infecting the multi-sign signers’ devices rather than exploiting Safe directly. If confirmed, this would mean the attackers manipulated the interface seen by signers, tricking them into approving transactions that secretly transferred funds to the hacker’s wallets.
Was Bybit Hack An Inside Job?
As investigators scrutinize how Lazarus executed the attack so precisely, some experts suggest the possibility of an inside job. The group has a track record of infiltrating crypto firms by embedding operatives as employees or contractors. In December, a similar exploit occurred when a North Korean hacker, posing as an ex-contractor, gained access to Radiant Capital’s systems through a malicious ZIP file sent over Telegram.
Odysseus, founder of Ethereum security protocol Phalanx, noted similarities between the Bybit attack and previous Lazarus-led heists, including the $50 million Radiant hack and the $230 million WazirX breach last year. In those cases, compromised developer devices displayed falsified signing interfaces, allowing hackers to execute fraudulent transactions while tricking signers.
Bybit’s case bears hallmarks of these prior attacks. According to blockchain researcher pcaversaccio, Lazarus allegedly replaced Bybit’s Safe implementation with a backdoored version, utilizing Ethereum’s delegatecall function—a low-level operation that allows a contract to execute code from another contract, often exploited in hacks. The altered code then rewrote a critical section of memory, granting Lazarus complete control over the wallet.
Protecting Against Future Hack Attacks
The Bybit hack underscores the growing sophistication of targeted attacks against high-value crypto institutions. Experts caution that even the most secure key management solutions can be compromised if signers unknowingly approve fraudulent transactions due to malware or phishing.
Odysseus pointed out that hardware wallets, while an added security layer, offer little protection if transactions are signed on an infected device. “If the computer or phone is compromised, there is little anyone can do apart from signing from a non-networked, non-compromised machine,” he warned.
Ido Ben Natan, founder of security firm Blockaid, echoed these concerns, noting that blind signing attacks—where signers approve transactions without visibility into their real effects—are one of the fastest-growing threats in the industry.
“Companies need to understand that this is not another case of operational error—it’s an advanced, targeted attack and a threat to both consumers and organizations,” Ben Natan said.
He emphasized that while some crypto hacks help uncover vulnerabilities that can be patched, Lazarus’ attacks serve only to siphon funds into North Korea’s war chest.
For now, Bybit remains in crisis mode, working to ensure liquidity while investigators race to uncover exactly how the attack unfolded. But as security experts warn, this breach serves as a stark reminder that in the world of crypto, even the most fortified defenses can be breached with the right combination of malware, deception, and insider access.