
Bybit Security Incident: Timeline of Events and FAQs

Mar 3, 2025

Introduction

Bybit suffered a major hacking incident on February 21, 2025, affecting one of Bybit's Ethereum cold wallets and resulting in almost $1.5 billion in losses. The exploit is linked to the state-backed North Korean Lazarus Group.

Timeline of Events

February 21, 2025, 13:30 UTC — Bybit conducted a routine transfer from one of our Ethereum multisig cold wallets to a warm wallet, first transferring an amount of 30,000 ETH.

February 21, 2025, 14:13 UTC — Hackers exploited the UI of the Safe multisig cold wallet through a sophisticated phishing attack, masking the specific transaction, which resulted in a change to the smart contract logic of the ETH cold wallet.

This allowed hackers to transfer out the funds from the compromised cold wallet, splitting them across 39 addresses.

How much was lost in the hack?

Only a single Bybit cold wallet was compromised, resulting in the loss of $1.46 billion:

  • 401,347 ETH ($1.12 billion)

  • 90,375 stETH ($253.16 million)

  • 15,000 cmETH ($44.13 million)

  • 8,000 mETH ($23 million)

February 21, 2025, 15:44 UTC — Bybit's co-founder and CEO Ben Zhou tweeted about the evolving situation, informing the community early on that the hackers "took control of the specific ETH cold wallet" and assured users that Bybit is solvent and can cover the loss, ensuring client assets are 1:1 backed.

February 21, 2025, 16:07 UTC — Ben reiterated in his X post that "Bybit is Solvent even if this hack loss is not recovered, all of clients' assets are 1 to 1 backed, we can cover the loss."

February 21, 2025, 17:15 UTC — Bybit's CEO Ben Zhou went on a livestream to explain the situation transparently to affected users.

How did the hack happen?

Through a phishing attack on the Ethereum cold wallet multisig signers, the transaction and Safe UI were spoofed, allowing the hacker to change the smart contract logic of the multisig wallet. This allowed the hacker to gain control of the Bybit cold wallet and transfer out the funds. Our team is still investigating how the hacker was able to spoof the cold wallet and will release a full post-mortem report shortly.

No plan to purchase ETH

Bybit's co-founder and CEO Ben Zhou stated during a livestream that there are currently no plans to purchase ETH. However, he emphasized that the company is actively seeking assistance and leveraging bridge loans from partners to navigate liquidity constraints during this critical period.

Other cold wallets are safe

Ben clarified that Bitcoin remains the primary reserve asset and that other cold wallets remain unaffected.

Withdrawals as usual

Ben reassured users that all products and services are operating as usual. Withdrawals have not been halted and continue to be processed as normal.

Normal P2P Services

Bybit's Head of Derivatives and Institutional, Shunyet Jan, confirmed during the livestream that the platform's P2P services are functioning normally.

February 21, 2025, 19:09 UTC — ZachXBT submitted definitive proof linking the attack to the Lazarus Group, a North Korean cybercriminal organization, claiming the bounty from Arkham Intelligence. His analysis includes test transactions, connected wallets, forensic graphs, and timing details. According to ZachXBT, the cluster of addresses is also linked to the Phemex and BingX hacks.

February 21, 2025, 20:09 UTC — Bitget deposited 40,000 ETH, exhibiting the strong support shown by industry partners and peers.

February 21, 2025, 21:07 UTC — Bybit reported the case to the appropriate authorities and will provide updates as soon as further information becomes available. It actively collaborated with on-chain analytics providers to identify and demix the implicated addresses.

February 22, 2025, 00:54 UTC — Ben announced that 99.994% of over 350,000 withdrawal requests have been processed 10 hours following the hack, with the Bybit team working round the clock to ensure smooth operations and address client concerns.

February 22, 2025, 01:08 UTC — Safe confirmed that there was no compromise of its codebase or malicious dependencies, and no other Safe addresses were affected. Following the incident, Safe has temporarily paused its Wallet functionality to conduct a thorough review of service.

February 22, 2025, 01:21 UTC — Hacken stated that the Bybit hack was significant and dealt a heavy blow to the industry. However, Bybit's reserves still exceed its liabilities and its user funds remain fully backed.

February 22, 2025, 02:51 UTC — Ben tweeted that all withdrawals have been processed and that Bybit has resumed normal operations, less than 12 hours after the $1.4 billion hacking incident — the largest in the industry.

February 22, 2025, 07:29 UTC — According to the latest monitoring data from SoSoValue and on-chain security team TenArmor, over $4 billion in funds have flowed into the Bybit trading platform in the past 12 hours. Comparative fund inflow analysis indicates that this capital influx has fully covered the shortfall caused by yesterday's hack.

February 22, 2025, 08:52 UTC — Chainflip responded on X, stating that while they have made every effort to assist, as a decentralized protocol, they are unable to fully block, freeze, or redirect any funds.

February 22, 2025, 11:00 UTC — Ben and Shunyet held a Chinese-language AMA with ETHPanda, Wu Blockchain, Gracy Chen, and other participants, to discuss the hack incident and share their insights on how to manage it.

February 22, 2025, 13:15 UTC — Tether's CEO Paolo Ardoino announced that Tether froze $181,000 USDT linked to the hack.

February 22, 2025, 13:45 UTC — Bybit processed approximately $4 billion in withdrawals following the surge post-exploit. Hacken confirmed that Bybit's user funds remain fully backed, with reserves still exceeding liabilities.

February 22, 2025, 15:32 UTC — Bybit launches the Recovery Bounty Program with a reward of 10% of the stolen funds. To participate, contact Bybit at bounty_program@bybit.com

February 22, 2025, 16:01 UTC — Ben went on a live AMA with Crypto Town Hall, talking about how he handled the situation post-hack, the industry support Bybit received from peers like Bitget and Binance, and how the Bybit team worked tirelessly to handle the crisis. Ben also stated that rolling back Ethereum should be a community decision, possibly through a vote, rather than an individual choice.

February 23, 2025, 04:32 UTC — Ben emphasized that the issue goes beyond Bybit or any single entity, stating, "It's about our industry's approach to hackers." He urged @eXch to reconsider and assist in blocking the outflow of funds.

February 23, 2025, 08:55 UTC — Bybit announced that all deposits and withdrawals have returned to normal levels.

February 23, 2025, 15:41 UTC — $42.89 million of exploited funds were frozen thanks to the coordinated effort of industry partners, including Tether, Thorchain, ChangeNOW, FixedFloat, Avalanche, CoinEx, Bitget and Circle. Additionally, mETH Protocol recovered 15,000 cmETH tokens, worth nearly $43 million.

February 24, 2025, 02:35 UTC — 2 days following the hack, Bybit has received $1.23 billion in ETH through bridge loans, whale deposits and OTC purchases, effectively covering the ETH deficit from the exploit.

February 24, 2025, 09:12 UTC — Hacken, an independent blockchain security firm, released an updated proof-of-reserves (PoR) report. Bybit has fully closed the ETH gap of client assets within 72 hours, through strategic partnerships with Galaxy Digital, FalconX, Wintermute and more, along with support from Bitget, MEXC and DWF Labs. Key assets like BTC, ETH, SOL, USDT and USDC exceed 100% collateral ratios. Users can read the full report here: https://www.bybit.com/app/user/audit-report

February 25, 2025, 14:40 UTC — Ben Zhou, Bybit's CEO, announced the launch of the LazarusBounty program — the industry-first bounty platform that specifically aims to recover funds allegedly stolen by the North Korean state-backed Lazarus Group in the Bybit exploit.

February 26, 2025, 15:17 UTC — Ben Zhou, Bybit's CEO, shared the preliminary reports of the hack conducted by Sygnia Labs and Verichains. Both reports suggested that the root cause of the hack was malicious JavaScript code on Safe{Wallet}'s platform, and no vulnerability was detected in Bybit's infrastructure. For more information, download the reports here.

February 28, 2025, 13:25 UTC — Ben announced the V1.1 update to the LazarusBounty platform, which added a cross-chain hacker address analysis, Discord channel, hacker address wallet balance and verified ranking of bounty hunters.
