On February 21, the cryptocurrency world was shaken when Bybit, one of the largest Bitcoin exchanges, fell victim to a staggering $1.5 billion hack – marking it as the biggest cyber heist in crypto history. Despite the massive breach, the platform continued operating, thanks in part to swift crisis management and the backing of industry heavyweights.
How the Hack Unfolded
On February 21, on-chain detective ZachXBT reported suspicious ETH outflows from Bybit totaling 499,395 ETH (about $1.46 billion at the time). The company’s CEO Ben Zhou confirmed the hack, and his team almost immediately published a statement saying that the incident occurred during a transfer of ETH from cold multisig storage to a hot wallet.
The attackers replaced the transaction signing interface so that all participants in the signing procedure saw the correct address, while at the same time the logic of the smart contract was changed. The hackers thereby gained control of the ETH wallet and withdrew all the funds.
Zhou hastened to reassure clients and emphasized that the platform remains solvent and continues to process withdrawal requests, albeit with a delay: within about 10 hours after the hack, the exchange recorded a record number of withdrawal requests – more than 350,000. At that time, about 2,100 requests remained pending, while 99.994% of transactions were completed.
Nevertheless, the platform’s CEO still asked partners to provide a loan in ETH – the funds were needed to cover liquidity during the crisis period. As a result, more than 10 companies supported the exchange.
Huobi co-founder Du Jun contributed 10,000 ETH and promised not to withdraw it for a month. The co-founders of Conflux and Mask Network also announced deposits of Ether to the exchange’s cold wallets. Coinbase Head of Product Conor Grogan wrote that Binance and Bitget sent more than 50,000 ETH there as well.
According to reporter Colin Wu, 12,652 stETH (around $33.75 million) were transferred from MEXC to Bybit’s cold wallet.
The ETH price responded to the Bybit hack by falling to $2,625 (Binance), but recovered fairly quickly. By the evening of February 23, the price briefly exceeded $2,850, after which it corrected to $2,690 (as of February 24).
Bybit representatives said that information about the incident has been “reported to the relevant authorities.” In addition, cooperation with on-chain analytics providers has allowed them to identify and isolate the associated addresses, limiting the attackers’ ability to “withdraw ETH through legitimate markets.”
As of February 24, Bybit has fully restored its Ethereum reserves (~444,870 ETH).
Who Was Behind the Attack?
According to ZachXBT, unknown individuals quickly exchanged some of the stolen mETH and stETH tokens for ETH via decentralized exchanges. 10,000 ETH were divided between 36 wallets.
The founder of DeFi Llama, 0xngmi, noted that the methods in this attack are similar to the incident with the Indian exchange WazirX in July 2024. At that time, Elliptic analysts concluded that North Korean hackers were behind the attack.
0xngmi’s assumption was confirmed by Arkham Intelligence. According to them, on the day of the Bybit hack, investigator ZachXBT “provided irrefutable evidence of Lazarus Group’s involvement in the hack”:
“Its analysis contains a detailed analysis of test transactions and associated wallets used before the attack, as well as a number of graphs and timestamps. This data has been transferred to the exchange team to assist with the investigation.”
The founder of the AML service BitOK and crypto investor Dmitry Machikhin noted that the stolen cryptocurrency is actively being withdrawn from the Ethereum network to other blockchains. According to his observations, immediately after the hack, the assets were distributed to 48 different addresses.

At the second stage:
- crypto assets from these addresses were gradually split into even smaller parts (50 ETH each);
- funds were sent through bridges (eXch and Chainflip) to other networks.
The image shows one of the 48 addresses splitting its funds into 50 ETH transactions that go to Chainflip.
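A defender-side sketch of the layering pattern described above, as an added example that is not from the article or from any analytics provider: it flags addresses that pass most of their inflow on to bridge-labelled addresses in near-identical 50 ETH pieces. The addresses, bridge labels, thresholds and transfer records are all constructed for illustration.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed labels: in practice these come from an address-attribution feed.
BRIDGES = {"0xbridgeA": "Chainflip", "0xbridgeB": "eXch"}

def find_structured_splitters(transfers, chunk=Decimal("50"), tol=Decimal("0.5"),
                              min_chunks=5, min_share=Decimal("0.8")):
    """Flag addresses that forward most of their inflow to bridges in ~chunk-sized pieces."""
    inflow = defaultdict(Decimal)   # total ETH received per address
    pieces = defaultdict(list)      # chunk-sized bridge deposits per sender
    for t in transfers:
        value = Decimal(t["value_eth"])
        inflow[t["to"]] += value
        if t["to"] in BRIDGES and abs(value - chunk) <= tol:
            pieces[t["from"]].append((BRIDGES[t["to"]], value))
    findings = {}
    for addr, outs in pieces.items():
        received = inflow.get(addr, Decimal(0))
        if len(outs) < min_chunks or received == 0:
            continue                # too few pieces, or no inflow seen in this window
        share = sum(v for _, v in outs) / received
        if share >= min_share:      # a pass-through hop, not a wallet with its own float
            findings[addr] = {"chunks": len(outs), "share": share,
                              "bridges": {name for name, _ in outs}}
    return findings

def sample_transfers():
    """Constructed data: one layering hop, one ordinary user, one high-volume desk."""
    rows = [{"from": "0xsrc", "to": "0xhop1", "value_eth": "400"}]
    rows += [{"from": "0xhop1", "to": "0xbridgeA", "value_eth": "50"} for _ in range(7)]
    rows += [{"from": "0xhop1", "to": "0xbridgeA", "value_eth": "49.9"}]
    rows += [{"from": "0xcex", "to": "0xuser", "value_eth": "120"},
             {"from": "0xuser", "to": "0xbridgeB", "value_eth": "50"}]
    rows += [{"from": "0xcex", "to": "0xdesk", "value_eth": "10000"}]
    rows += [{"from": "0xdesk", "to": "0xbridgeA", "value_eth": "50"} for _ in range(6)]
    return rows

if __name__ == "__main__":
    for addr, hit in find_structured_splitters(sample_transfers()).items():
        print(addr, hit["chunks"], f"{hit['share']:.2%}", sorted(hit["bridges"]))
```

The share threshold is what separates a pass-through hop from a busy wallet that happens to send several 50 ETH bridge deposits: the constructed desk address sends six such deposits but is not flagged because they are a small fraction of its inflow.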
According to Taproot Wizards co-founder Eric Wall, the North Korean hackers are likely to convert all ERC-20 tokens to ETH, then exchange the resulting ETH for BTC, and then gradually convert the bitcoin to yuan through Asian exchanges. In his opinion, the process could take years.
ZachXBT reported that Lazarus transferred 5,000 ETH to a new address and began laundering the funds through the centralized mixer eXch, and then converted them to bitcoin through Chainflip. Chainflip said that it had recorded attempts by the attackers to convert the funds stolen from Bybit into bitcoin through its platform. It disabled some front-end services, but the protocol cannot be stopped completely, given its decentralized structure with 150 nodes.
The mETH Protocol team reported that they blocked the withdrawal of 15,000 cmETH (~$43.5 million) and redirected the assets from the attacker’s address to a recovery account. Tether CEO Paolo Ardoino said that the company froze 181,000 USDT related to the attack.
In a comment to ForkLog, Bitget CEO Gracie Chen emphasized that “the exchange’s systems have already blacklisted the attackers’ wallets.”
As of February 23, the attackers had exchanged 37,900 ETH (about $106 million) for bitcoin and other assets through Chainflip, THORChain, LiFi, DLN, and eXch. The hackers’ address still had 461,491 ETH of the 499,395 ETH stolen.
What to do?
After the hack, some community members started talking about rolling back the state of the Ethereum network to return the stolen funds. For example, former BitMEX CEO Arthur Hayes noted that, as an investor with large ETH reserves, he would support the community’s decision in the event of a chain rollback to an earlier state, as happened after the hack of The DAO in 2016.
Bitcoin maximalist Samson Mow also spoke out in support of restoring the blockchain, but leading Ethereum developer Tim Beiko criticized the idea. According to him, the Bybit incident involved an incorrect presentation of transaction data in the hacked interface, and not technical problems.
In addition, after the hack, the funds quickly spread across the complex ecosystem of the second-largest cryptocurrency by capitalization. “Rolling back” the network would mean canceling many legitimate transactions, some of which are related to actions outside the Ethereum network. The Vice President of Yuga Labs, known as Quit, also drew attention to this. He added that many ordinary users would lose money, and the accounting systems of large players like Circle and Tether would collapse.
What’s the bottom line
The Bybit hack turned out to be the largest in the crypto industry so far. However, the head of Bitget did not find any reason to panic: according to her, the losses are equivalent to Bybit’s annual profit ($1.5 billion), and clients’ funds are completely safe.
The incident did not affect market sentiment either. According to Glassnode, the implied volatility of bitcoin is close to record lows. Price swings following the attack subsided after Strategy founder Michael Saylor published a chart of the company’s coin purchases.
This time, there was no platform crash or market panic, and a quick response and community participation helped restore liquidity and partially block the stolen assets. However, the incident highlighted a persistent problem: even large centralized platforms are still vulnerable to attacks.