Odaily News On-chain detective ZachXBT posted on his personal Telegram channel that he had detected suspicious outflows of more than $1.46 billion from Bybit, and relevant information will be updated later. The relevant address is 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2. mETH & stETH are currently being exchanged for ETH on DEX.
Odaily News ZachXBT posted on his personal Telegram channel: "My sources confirm it's a security incident."
Odaily News Ben Zhou posted on the X platform: "About an hour ago, the Bybit ETH multi-signature cold wallet transferred funds to our hot wallet. It seems that this particular transaction was forged, and all signatories saw a forged UI that showed the correct address. The URL came from @safe.
However, the signature information was to change the smart contract logic of our ETH cold wallet. This resulted in the hacker taking control of the specific ETH cold wallet we signed and transferring all ETH in the cold wallet to this unidentified address. Rest assured, all other cold wallets are safe. All withdrawals are normal."
Odaily News According to Arkham monitoring, Bybit outflow exceeded $1 billion. $1.4 billion of ETH and stETH flowed out of Bybit, and the funds have begun to be transferred to new addresses for sale. So far, $200 million of stETH has been sold.
Address: 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2
Odaily News Bybit CEO Ben Zhou posted on the X platform that Bybit is solvent. Even if the losses from the hacker attack are irreversible, all customer assets are backed 1:1 and we can make up for the losses.
Odaily News Bybit CEO Ben Zhou posted on the X platform that he will start a live broadcast to answer all questions.
Odaily News According to Arkham monitoring, 560 million USDT were transferred from Bybit's cold wallet to its hot wallet.
Odaily News Binance co-founder He Yi responded to Bybit CEO Ben Zhou and said that support would be provided if necessary.
Odaily News DefiLlama data shows that Bybit had a net outflow of US$1.688 billion in the past 24 hours.
Odaily News CZ responded to Ben Zhou’s tweet, saying: “This is not an easy situation to handle. It is recommended to temporarily stop all withdrawals as a standard safety precaution. Any help will be provided if needed.”
Odaily News Beosin Trace detected that Bybit suffered a security incident and funds worth $1.44 billion were withdrawn, including:
401,347 ETH, worth $1.12 billion;
90,376 stETH, valued at $253.16 million;
15,000 cmETH, worth $44.13 million;
8,000 mETH, worth $23 million.
Currently, the funds are divided into groups of 10,000 ETH and deposited in more than 40 Ethereum addresses. All hacker addresses have been added to the Beosin KYT tag library. Beosin KYT will issue alerts for all fund transfers involving hacker addresses.
Odaily News SlowMist releases Bybit attacker operation details:
1) A malicious implementation contract was deployed at UTC 2025-02-19 7:15:23: https://etherscan.io/address/0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516
2) UTC 2025-02-21 14:13:35, the attacker used the three owners to sign a transaction to replace the implementation contract of Safe with a malicious contract: https://etherscan.io/tx/0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882
3) The attacker then used the backdoor functions “sweepETH” and “sweepERC20” in the malicious contract to steal the hot wallet.
Odaily News In response to the Bybit hack, Sheldon, the founder of BitMart, posted on the X platform that the relevant addresses have been frozen. Once the stolen assets flow into BitMart, the relevant assets will be frozen immediately to support the recovery work.
He pointed out that "the cryptocurrency industry is a community of shared destiny, and the most important thing in this industry is credibility. We hope to work together to help Bybit recover its losses and regain its assets. This industry needs everyone to protect it together."
Odaily News Safe posted on the X platform that the security team is working with Bybit to investigate and has not yet found any evidence that the official Safe frontend has been hacked. However, out of caution, Safe Wallet has temporarily suspended some functions. User safety is the top priority and more updates will be provided soon.
Odaily News DefiLlama founder 0xngmi said in a post on X that since the theft, Bybit has seen a net outflow of $700 million due to user withdrawals.
Odaily News Bybit CEO has started a live broadcast on the Bybit platform to respond to the details of the platform's ETH asset theft incident.
Odaily News Bybit CEO said during the live broadcast: Bybit usually conducts internal asset transfers every three weeks, depending on the balance in our hot wallet. Whenever the hot wallet reaches the benchmark we think needs to be replenished, a transfer transaction will occur. I was the last signer of the transfer transaction. At that time, I checked the link, target address, code and other information, but I did not check it thoroughly, which led to this theft. Later, we determined that the hacker attack and the signed code wallet were Ethereum cold wallets under the security wallet, and other cold wallets were not affected. Bitcoin is our main reserve and it is very safe.
Odaily News In response to the theft of $1.44 billion worth of ETH from Bybit, Bybit CEO Ben Zhou said in a live broadcast that the platform has experienced large-scale withdrawals in the past two hours, and the risk and security team will review some of the larger amounts. This is a routine process and the community can rest assured.
Odaily News Bybit CEO Ben Zhou said in a live broadcast that some customers asked Bybit to buy Ethereum to immediately cover these costs. We are currently contacting our partners to provide us with loans. Even if we want to buy, we will not buy Ethereum immediately. We are currently considering obtaining a bridge loan from a partner to cover the stolen funds, 80% of which has been secured.
Odaily News Bybit CEO Ben Zhou said in the live broadcast, "All products and services are running as usual. We are not stopping withdrawals at this time, we are still processing withdrawals."
Odaily News The head of Bybit derivatives and institutions said in the live broadcast: The P2P function of the platform is currently operating normally.
Odaily News In response to the security incident that Bybit encountered, KuCoin CEO BC Wong expressed support for Bybit and has started to assist in monitoring the flow of funds and freezing suspicious assets. KuCoin always puts the security of user assets first and continues to strengthen security protection to maintain industry stability.
Odaily News In response to the previous asset theft, Bybit officially released a detailed announcement of the incident for the first time: At 20:30 on February 21, Beijing time, Bybit detected unauthorized activity in the Ethereum cold wallet during a routine transfer. This transfer was part of Bybit's official plan to transfer ETH from the ETH multi-signature cold wallet to the hot wallet. Unfortunately, the transaction was manipulated by a complex attack that changed the smart contract logic and hid the signature interface, allowing the attacker to control the ETH cold wallet. As a result, more than 400,000 ETH and stETH with a total asset value of more than US$1.5 billion were transferred to unknown addresses.
Funds stolen: Over $1.5 billion worth of ETH and stETH.
The main reason: During the planned regular transfer process, the ETH multi-signature cold wallet was maliciously manipulated during the transfer process.
Bybit reiterates the following key points: All other cold wallets under Bybit are safe and customer funds are not affected. Please be wary of other scams; although there has been a surge in withdrawal requests, excessively high request volumes may cause withdrawal delays, but all withdrawals are being processed normally and 70% of pending requests have been processed; Bybit's reserves are strong and 1:1 backed, all customer assets are fully protected, and users can view relevant information on the Proof of Reserve (PoR) webpage .
Meanwhile, Bybit is working with leading blockchain forensics experts to track down the stolen funds and resolve the situation; its security team is investigating the root cause, with a particular focus on potential vulnerabilities in the Safe.global platform user interface that could be exploited during trading. Bybit has an asset management scale of over $20 billion and will use bridge loans if necessary to ensure user funds are available. The Bybit platform and all other services, including trading products, cards, and P2P, are operating normally.
Odaily News According to Dyma Budorin, co-founder and CEO of Web3 security audit company Hacken Club, who posted on the X platform, "Hacken will conduct follow-up audits on Bybit's proof of reserves every two weeks. For more information, please see https://audits.hacken.io/bybit/ . Once Bybit officially approves it, it will issue proof of assets exceeding liabilities. In addition, I can personally confirm that Bybit has enough funds to pay off its debts and resolve this incident."
The tweet was retweeted and confirmed by Bybit co-founder and CEO Ben Zhou.
Subsequently, Hacken officially released the Bybit reserve proof update audit report.
Odaily News According to on-chain data, Binance and Bitget have deposited more than 50,000 ETH into Bybit's cold wallet address, of which Bitget transferred about 40,000 ETH.
Odaily News Bybit officially announced on the X platform that it has reported the theft to the relevant authorities and will update as soon as more information is available. Fortunately, we have quickly and extensively worked with on-chain analysis agencies to identify the relevant addresses involved. The relevant actions will mitigate and counter the ability of bad actors to dispose of and dump ETH in the market, and reduce the channels through which stolen funds can be disposed.
Odaily News Arkham posted on the X platform that the Bybit hacker bounty has been claimed by the on-chain detective ZachXBT. ZachXBT submitted conclusive evidence at 03:09 am on February 22, Beijing time, proving that the North Korean hacker group Lazarus Group planned the attack, along with test transaction analysis, related wallet connections and forensic charts. The report has been submitted to the ByBit team to assist in the investigation.
In addition, ZachXBT stated in the comment section that according to his and CF's Josh's investigation, the Bybit hack and the Phemex hack are related.
Odaily News Ben Zhou, co-founder and CEO of Bybit, said in the latest post on the X platform: "Since the hacker attack (10 hours ago), Bybit has experienced the most withdrawals we have ever experienced. We have received more than 350,000 withdrawal requests in total, and so far, there are about 2,100 withdrawal requests pending. Overall, 99.994% of withdrawal requests have been successfully completed. If your withdrawal has been completed, please leave a message here.
Despite what may have been the worst hack of any medium in history (banking, crypto, finance), all Bybit features and products remain operational. The entire team stayed up all night fielding and answering customer questions and concerns. It was all hands on deck. Rest assured, we are with you.”
Odaily News Bitget CEO Gracy Chen posted a message on the X platform to support Bybit, saying: "Bybit is a respectable competitor and partner. Although the loss this time is huge, it is only their annual profit. I believe that customer funds are 100% safe. There is no need to panic or run on the bank."
Odaily News In response to the community's mention of "Binance transferring ETH to Bybit", Bybit co-founder and CEO Ben Zhou responded and clarified: "Thank you Bitget for your help at this moment. We are communicating with Binance and several other partners. This fund has nothing to do with Binance."
Odaily News According to the monitoring of on-chain data analyst Yu Jin, 1 hour ago, the Bybit hacker's application for unstaking 15,000 cmETH was returned by the cmETH withdrawal contract. After that, the hacker authorized the transaction of cmETH on DODO, but there was no further transaction, which may be due to the very shallow liquidity pool of cmETH. These 15,000 cmETH should be intercepted.
In addition to these 15,000 cmETH, the amount of ETH stolen from Bybit is 499,000 (about US$1.37 billion), which are stored in 51 addresses by hackers.
Odaily News In response to the community's concern about "Binance is providing ETH loans to Bybit", Binance founder CZ responded on the X platform that Binance has not yet started to support Bybit. These are spontaneous transactions by users. Some whales may have lent to Bybit, and Binance cannot take credit for it. Previously, CZ suggested that Bybit suspend withdrawals, saying that "$1.5 billion in stolen assets is enough to be terrifying. It is better to be safe than sorry now."
Odaily News According to on-chain analyst Ember, MEXC's hot wallet transferred 12,652 stETH (about $33.75 million) to Bybit's cold wallet in the past hour. Bybit should have received 64,452 ETH (about $170 million) in loan support from Bitget, an institution that withdrew funds from Binance, and MEXC.
Odaily News In response to the incident that “Bybit multi-signature wallet was manipulated by malicious means, resulting in the theft of $1.5 billion in assets”, the multi-signature wallet platform Safe issued a statement on the X platform saying: “
· No code base leak was found: The Safe code base was thoroughly checked and no evidence of leakage or modification was found.
· No malicious dependencies found: There is no indication that malicious dependencies in the Safe codebase could affect transaction flow (i.e., supply chain attacks).
· No unauthorized access to the infrastructure was detected in the logs.
· No other Safe addresses were affected.
Safe stated that it has temporarily suspended the Safe{Wallet} function to ensure users have absolute confidence in the security of the Safe platform.
While our investigation revealed no evidence that the Safe{Wallet} frontend itself was compromised, we are conducting a more thorough review.”
Odaily News Ben Zhou, co-founder and CEO of Bybit, said in the latest post on the X platform: "We will transfer USDT worth $2.95 billion from cold wallets to hot wallets. This is a planned operation and is for reference only. We were not hacked this time."
Odaily News The Bybit theft is generally considered to be the work of the North Korean hacker group Lazarus Group. Chainalysis has previously released a report on how the Lazarus Group "disposes" of stolen funds. Generally, the Lazarus Group takes three steps: the first step is to convert all ERC20 tokens (including liquid staking derivative tokens such as stETH) into ETH; the second step is to convert ETH into BTC; the third step is to gradually convert BTC into fiat currency through Asian exchanges. The whole process may last for many years.
Odaily News mETH Protocol, a liquid staking/restaking protocol under Mantle that is closely tied to Bybit, said that it has learned of the recent security incident involving certain mETH and cmETH transactions on Bybit, including a withdrawal request of 15,000 cmETH. In order to support the ongoing investigation, cmETH withdrawals on the platform have been suspended, and deposit and staking services are proceeding as usual.
User funds on the mETH Protocol remain safe and unaffected, the protocol remains protected by the highest security standards, and the community will be notified immediately once withdrawals are resumed.
Odaily News Santiment posted on the X platform that due to the shock caused by the Bybit hack in the crypto space, coupled with the worrying news about LIBRA and other contributing factors this week, the crowd showed extreme fear as Bitcoin plummeted. According to the sentiment score, the negative sentiment in the crypto community is the same as before the price rebound on February 17 and 18. While nothing is certain, and a major exchange hack may have a lasting impact on the crowd's perception, remember that the market almost always moves in the opposite direction of what retail traders expect.
Odaily News According to LookonChain monitoring, 6 hours ago, a whale or institution transferred 11,800 ETH (worth 31 million US dollars) from Binance to Bybit's cold wallet as support for Bybit customer withdrawals.
Odaily News In response to the theft of more than $1.5 billion in assets from Bybit, BitMEX founder Arthur Hayes posted a question to Ethereum co-founder Vitalik on the X platform, saying, "Would you support rolling back the Ethereum chain to help Bybit? As an ETH whale holder, my view is that ETH is no longer a currency after the hard fork of The DAO hacker in 2016. If the community wants to do it again, I will support it, because we voted against immutability in 2016, why not do it again? No one has questioned the DeFi operations on CZ's computer (referring to BNB), why not question ETH (that is, Vitalik Buterin's computer)?"
Odaily News DWF Labs partner Andrei Grachev posted on the X platform that "The Bybit hacking security incident is extremely serious and must be properly investigated. DWF Labs has not made any withdrawals from Bybit_Official and is ready to provide ETH support to it. In addition, I am very curious about what Ethereum co-founder Vitalik Buterin will do. After all, he pushed for the rollback of ETH after The DAO fork ten years ago."
Odaily News Ben Zhou, co-founder and CEO of Bybit, posted on the X platform that 12 hours after the worst hacker attack in history, all withdrawals have been processed. The Bybit withdrawal system is now fully restored to normal, and users can withdraw any amount without any delay. Thank you for your patience, Bybit is sorry for this situation.
Bybit will release a full incident report and safety measures in the coming days.
Odaily News Coinbase director Conor Grogan posted on X that according to Arkham platform monitoring data, Bybit hackers (most likely from North Korea) have become the 14th largest ETH holder in the world, holding about 0.42% of the total supply of Ethereum, exceeding Fidelity and Vitalik's Ethereum holdings, and more than twice the Ethereum Foundation's ETH holdings.
Odaily News SlowMist CISO 23pds posted on the X platform: "The attacker took away the safe owner privilege with a single forged signature attack. It is speculated that more than one macOS or Windows computer must have been controlled, and the attacker may have stayed in the intranet for some time and was able to monitor internal chats, transfer times, and other information."
Odaily News Bitget CEO Gracy Chen posted on the X platform: "All ETH previously transferred from Bitget to Bybit was Bitget's own funds. In this difficult period, we are also assisting in tracking and investigating the stolen funds. All Bitget users' assets are safely stored on our platform, and we issue proof of reserves (PoR) every month to ensure that the reserve ratio is greater than 1:1."
Odaily News Bybit was disclosed to have been hacked at around 23:30 last night, with nearly $1.5 billion stolen. It has been about 12 hours since then. According to Coinglass data, the total amount of liquidation in the past 12 hours reached $325 million, including $265 million in long orders, $59.4751 million in short orders, and about $87.9 million in ETH liquidation.
Odaily News Ben Zhou, co-founder and CEO of Bybit, posted on X platform: "Some people saw me wearing a WHOOP watch (in the early morning live broadcast) and asked me what my stress monitor looked like last night. This is the monitoring result. I barely slept, but it actually looks pretty good. I think I may have been too focused on handling all the meetings and forgot to decompress. I feel that when I really understand the concept of losing $1.5 billion, it will come soon. Please note that I learned about the hacker attack around 10 pm."
Odaily News SlowMist Yuxian posted on the X platform that "There is no problem with the Safe contract, the problem lies in the non-contract part, the front end was tampered with and forged to achieve the effect of deception. This is not an isolated case. North Korean hackers have taken over several companies last year, such as:
WazirX $230 million - Safe multi-signature;
Radiant Capital $50 million - Safe multi-signature;
DMM $305 million - Ginco multi-signature.
This attack method is well-engineered. Others should also pay more attention to it. Multi-signature may not only be a problem for Safe. "
Odaily News Zhu Su posted on the X platform that a large number of traders opened short orders in panic over the theft of Bybit ETH assets, and now ETH finally has a narrative of setting a new all-time high (i.e. short squeeze).
Odaily News According to Arkham platform data, Bybit currently has a total asset value of over $19.5 billion and still holds $1.2 billion worth of ETH. Its top five holdings are:
1. BTC: 69,856, equivalent to US$6.72 billion;
2. USDT: 4.122 billion, equivalent to US$4.12 billion;
3. MNT: 2.445 billion, equivalent to US$2.19 billion;
4. ETH: 450,462, equivalent to approximately US$1.2 billion;
5. USDC: 652.157 million, equivalent to US$652.16 million.
Odaily News The Wall Street Journal quoted the Web3.0 security agency CertiK as saying that the Bybit theft was the largest single theft in the history of crypto, and the stolen assets resulting from this hacker attack were valued at more than US$1.4 billion.
After the incident, Bybit announced that it had reported the case to the relevant authorities. Its CEO Ben Zhou said that all Bybit functions and products are still operating normally, the exchange has solvency, and will bear the full amount of customer losses. As of now, all Bybit withdrawal requests have been processed and the withdrawal system has returned to normal speed.
Odaily News @leptokurtic_, founder of Ethena Labs, posted on the X platform: "Ethena handled the largest single-day redemption and closed all unrealized risk exposure as soon as the news broke. In any case, at its peak, the unrealized risk exposure was always only a small part of the excess reserves of USDe. Although Bybit, as the world's second largest derivatives exchange, represents more than 20% of the risk-averse exposure, USDe has never underestimated the deposit. Even if the unrealized risk exposure does not drop to zero within the hour, this exposure may be completely lost, and USDe will still be overcollateralized. I hope this incident can verify some of the design decisions made to reduce the risks of users using the OES custody solution. The simple design route is to avoid costs and the engineering complexity added by custodians in the off-chain hedging system. Ethena Labs has not encountered any support losses or redemption request issues."
Odaily News According to DefiLlama data, after the Bybit hack, CEXs saw divergent capital flows. Binance had a 24-hour net inflow of $1.046 billion, making it the exchange with the most inflows; at the same time, Bybit had a 24-hour net outflow of $2.675 billion, with OKX, Bitfinex, and Robinhood seeing net outflows of $7.35 million, $188 million, and $39.95 million, respectively.
Odaily News Crypto KOL NingNing posted on X platform: "Part of the ETH reserves in Bybit's cold wallet exist in the form of stETH/mETH. Hackers exchanged them for ETH through Uniswap, DODO and ParaSwap. The current relationship map of North Korean hacker addresses presents a central cluster + N satellite small clusters + a complex inter-conversion network. Moreover, North Korean hackers have transferred funds from the Ethereum mainnet to Solana. Because Solana's transaction event logs are very poorly readable by humans, they are often ridiculed as having built-in mixer properties. Given that Kanye will launch his celebrity meme coin in the near future, it is reasonable to speculate that North Korean hackers will launder money by participating in this on-chain carnival."
Odaily News According to a post by the security community Dilation Effect on the X platform, "Compared to previous similar incidents, in the Bybit incident, only one signer was needed to complete the attack, because the attacker used a 'social engineering' technique. Analysis of on-chain transactions shows that the attacker executed a malicious contract's transfer function through delegatecall. The transfer code used the SSTORE instruction to modify the value of slot 0, thereby changing the implementation address of the Bybit cold wallet multi-signature contract to the attacker's address. The transfer here is very clever. It only requires the person/device that initiated the multi-signature transaction to be dealt with. When the subsequent auditors see this transfer, their vigilance will be greatly reduced. Because normal people see transfer and think it is a transfer, who knows that it is actually changing the contract. The attacker's tactics have been upgraded again."
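The mechanism in the analysis above (and in step 2 of SlowMist's timeline) as an added example, not code from Dilation Effect, SlowMist, Safe or Bybit: a toy Python model of call versus delegatecall storage context, plus a pre-signing review that flags a Safe transaction whose `operation` is delegatecall or whose simulated effect changes slot 0. All addresses, the two contract models and the empty allowlist are constructed for illustration.

```python
"""Toy model: why a signer must check a Safe transaction's `operation` field."""
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1        # values of the Safe `operation` field
TRANSFER_SELECTOR = "a9059cbb"   # 4-byte selector of transfer(address,uint256)
IMPLEMENTATION_SLOT = 0          # slot the quoted analysis says was overwritten

# Constructed placeholder addresses, not taken from the incident.
WALLET_IMPL = "0x" + "11" * 20
TOKEN = "0x" + "22" * 20
UNKNOWN_CONTRACT = "0x" + "33" * 20
REPLACEMENT_IMPL = "0x" + "44" * 20
HOT_WALLET = "0x" + "55" * 20
ALLOWED_DELEGATECALL_TARGETS = set()  # vetted libraries would go here (assumption)

F_DELEGATECALL = "delegatecall to non-allowlisted target"
F_SLOT0 = "implementation slot 0 would change"


@dataclass
class SafeTx:
    to: str
    value: int
    data: str        # hex calldata, no 0x prefix
    operation: int


def encode_transfer(recipient: str, amount: int) -> str:
    """ABI-encode transfer(address,uint256) calldata."""
    return TRANSFER_SELECTOR + recipient[2:].rjust(64, "0") + format(amount, "064x")


def decode_transfer(data: str):
    """Return (recipient, amount) if data is a transfer() call, else None."""
    if len(data) != 8 + 128 or data[:8] != TRANSFER_SELECTOR:
        return None
    return "0x" + data[32:72], int(data[72:], 16)


def token_transfer(storage: dict, recipient: str, amount: int) -> None:
    """Model of an ordinary token: only balance entries are written."""
    key = ("balance", recipient)
    storage[key] = storage.get(key, 0) + amount


def slot0_writing_transfer(storage: dict, recipient: str, amount: int) -> None:
    """Model of a contract whose transfer() body is one write to slot 0."""
    storage[IMPLEMENTATION_SLOT] = recipient


CODE = {TOKEN: token_transfer, UNKNOWN_CONTRACT: slot0_writing_transfer}


def simulate(tx: SafeTx, wallet_storage: dict) -> dict:
    """Return the wallet's storage after tx, leaving the input untouched."""
    after = dict(wallet_storage)
    decoded = decode_transfer(tx.data)
    if decoded is None or tx.to not in CODE:
        return after
    # delegatecall runs the target's code against the CALLER's storage;
    # a plain call runs it against the target's own storage.
    context = after if tx.operation == DELEGATECALL else {}
    CODE[tx.to](context, *decoded)
    return after


def review(tx: SafeTx, wallet_storage: dict) -> list:
    """Pre-signing checks that do not rely on the function name shown in a UI."""
    findings = []
    if tx.operation == DELEGATECALL and tx.to not in ALLOWED_DELEGATECALL_TARGETS:
        findings.append(F_DELEGATECALL)
    after = simulate(tx, wallet_storage)
    if after.get(IMPLEMENTATION_SLOT) != wallet_storage.get(IMPLEMENTATION_SLOT):
        findings.append(F_SLOT0)
    return findings


def demo() -> dict:
    wallet = {IMPLEMENTATION_SLOT: WALLET_IMPL}
    routine = SafeTx(TOKEN, 0, encode_transfer(HOT_WALLET, 100), CALL)
    masked = SafeTx(UNKNOWN_CONTRACT, 0,
                    encode_transfer(REPLACEMENT_IMPL, 0), DELEGATECALL)
    return {"routine": review(routine, wallet), "masked": review(masked, wallet)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "no findings")
```

Both transactions decode as `transfer(address,uint256)`; only the `operation` value and the simulated storage diff separate the routine one from the one that replaces the wallet's implementation.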
Odaily News ABCDE co-founder Du Jun posted on the X platform: "Today, 10,000 ETH will be deposited to Bybit, and will not be withdrawn within a month."
Odaily News The crypto KOL issued a clarification that the previous analysis about Bybit hackers using Solana network and Kanye Meme coins to launder money was wrong due to the misleading article by @barneyxbt. He said that the ETH funds worth $1.38 billion on the Bybit hacker address are still on the Ethereum mainnet, and he has deleted the previous analysis tweet.
Odaily News According to LookonChain monitoring, another 36,000 ETH (worth $96.5 million) was transferred from Binance hot wallet to Bybit cold wallet in the past 15 minutes.
Odaily News According to the official news released by Bitunix, after the Bybit theft, Bitunix took prompt action and blocked the addresses of the hackers to prevent them from further using the platform to launder money. Regarding the security incident encountered by Bybit, Bitunix expressed its willingness to provide all possible assistance to jointly safeguard the security and stability of the industry.
Odaily News Casey Taylor, Global Support Director of DragonFly, gave a high evaluation and detailed review of the "Bybit official quick handling of the $1.5 billion theft" on the X platform. She mentioned: "After experiencing the largest hacker attack in the history of cryptocurrency, Bybit staged a master-level crisis management communication process. Among them, the quick and personal response of the CEO, the rapid and transparent follow-up actions, the online live broadcast response, the calm performance under pressure, the clear live broadcast management, the clear timeline, the numbers, and the planning and taking the corresponding risks of security vulnerabilities are all worthy of learning for other exchanges and project parties." In addition, she mentioned: "Note that the incident is still fermenting, and the facts may change as more information emerges. Although DragonFly is an early investor in Bybit, we receive the latest news at the same time as the public and are committed to maintaining transparency as the incident develops."
Odaily News In response to the criticism from community users that "CZ suggested that Bybit suspend withdrawals", SlowMist Yuxian posted on the X platform: "To be honest, from a security perspective, the suggestion to urgently stop the wallet system when the cause is unknown is correct. In addition, Bybit's theft shows that they respond very quickly and locate the problem very quickly. We and some security teams were the first to intervene in the communication and exchange, quickly identify the problem and speculate on the hacker's portrait, and we went to rest around 3 am. Bybit must have opened withdrawals in a timely manner when everything was ready. I think there is nothing wrong with it. It's a pity that many people are now consuming this dispute internally, but forgetting who our common enemy is."
Odaily News According to statistics from SoSoValue and the latest monitoring data from the on-chain security team TenArmor, the Bybit trading platform has received a total inflow of more than US$4 billion in the past 12 hours, including 63,168.08 ETH, US$3.15 billion in USDT, US$173 million in USDC and US$525 million in CUSD.
According to the comparative fund inflow data, this fund inflow has completely covered the fund loss caused by the hacker attack yesterday. At the same time, all services of the Bybit exchange, including the withdrawal function, have returned to normal.
Odaily News OKX President Hong Fang posted on the X platform that “The Bybit hacker addresses have been added to OKX’s blacklist. Team engineers are closely monitoring these addresses and will take immediate action if there are any changes in funds. Our team is also in contact with the Bybit team to provide any IT security support and liquidity support we can provide at this stage.”
Odaily News ZachXBT posted on his personal channel: "The Lazarus Group in the Bybit incident transferred 5,000 ETH to a new address, laundered the money through eXch (a centralized mixer), and bridged the funds to Bitcoin through Chainflip. 5,000 ETH was transferred at 6:28:23 am on February 22, 2025, and the TXN was 0xbf80907830e46317da2c1708a13a9f016e242f8a6db6e6b0706ea5f2328cb001; the final address of Bitcoin through Chainflip is bc1qlu4a33zjspefa3tnq566xszcr0fvwz05ewhqfq."
Odaily News Ben Zhou, co-founder and CEO of Bybit, posted on the X platform that hackers have been detected trying to transfer BTC through Chainflip. He hopes that the cross-chain bridge project will help Bybit block and prevent further transfers of assets to other chains. Bybit will soon launch a bounty program to anyone who helps it block or track funds that lead to fund recovery.
Odaily News According to the DefiLlama website hacker incident statistics, Bybit's stolen assets of more than $1.4 billion are the largest security incident in the history of cryptocurrency, accounting for about 15% of the stolen amount in all security incidents in the history of cryptocurrency. The panel data shows that the cumulative amount of stolen assets in the history of cryptocurrency exceeds $10.62 billion, of which DeFi-related stolen assets amount to $6.31 billion, and various bridge projects have stolen assets amount to $2.87 billion.
Odaily News Tim Wong, Chairman of Catizen Foundation, expressed his confidence on Twitter that Bybit will overcome the current challenges. As one of Bybit’s important partners, Tim reviewed the valuable support Bybit provided in the early stages of Catizen’s development, especially in terms of marketing and resource integration.
Tim Wong emphasized that although Bybit is currently facing some challenges, he believes that Bybit will quickly resolve the current difficulties and draw strength from them to continue to grow and develop. The tweet reads: "What doesn't kill you will only make you stronger."
Odaily News Chain detective ZachXBT posted on X platform: “We have just directly linked the Bybit hack to the Phemex hack. The funds from the initial theft addresses of the two incidents overlap on the chain. Overlapping addresses:
0x33d057af74779925c4b2e720a820387cb89f8f65;
Bybit hacker transaction on February 22:
0xc963e65b9ec39b11076f78990c31f29aaa80705c75312dafd1748479e3e94ed0;
0x411374feedcfa560335f00c0fcfa0a3906fdcc33687e6f924dd78ebecc45cd00;
Phemex hack on February 20, 2025:
0x6262a3339842240aeebae4ebfe338dbc771aa0e2df8f5a1ebcd7f9b090bedfe3.”
Odaily News Chainflip, a cross-chain bridge, responded to the freezing request of Bybit CEO by saying: “We have tried our best to deal with the current situation, but as a decentralized protocol, we cannot completely block, freeze or redirect any funds. However, we have currently shut down some front-end services to prevent the flow of funds.”
Odaily News According to monitoring by on-chain analyst Aunt Ai, asset management company Metalpha deposited 30,006 ETH worth $80.48 million to Binance four hours ago. It has been three months since Metalpha's multi-signature address last deposited a large amount of ETH, and the purpose of the deposit has not yet been confirmed.
Odaily News According to Lookonchain monitoring, a whale has just transferred 20,000 ETH worth 53.7 million US dollars to the Bybit cold wallet.
Odaily News Galaxy CEO Mike Novogratz posted on the X platform calling on global leaders to take action against the hacker group Lazarus Group, while praising Bybit for completing a world-class resolution after the attack.
Odaily News Orderly Network announced that deposits on the Mantle chain have been reopened. Previously, due to the hacker attack on Bybit, a large amount of funds were transferred, and Orderly temporarily suspended the deposit business on the Mantle chain.
Odaily News Mask Network founder Suji Yan posted on the X platform that he has deposited some ETH back to Bybit, and there is probably less than 10 million US dollars in the public address, and he will continue to support it.
Odaily News Chainflip updated the latest situation of the Bybit theft incident and said: "We have noticed that hackers are trying to convert the stolen funds from Bybit into BTC through Chainflip. At present, we have shut down some front-end services to prevent the flow of funds, but because the protocol is completely decentralized with 150 nodes, we cannot completely shut down the entire system. As a longer-term solution, we are strengthening the screening mechanism at the ETH broker level to reject suspicious deposits through the broker-api. Currently, the mechanism has been applied to BTC, and we only need to complete the implementation of ETH."
Odaily News According to on-chain analyst Yu Jin’s monitoring, 5 institutions/individuals have provided Bybit with a total of 120,000 ETH (US$320.97 million) in loan support. Specifically:
Bitget: 40,000 ETH ($105.96 million);
Institutions/whales withdrawing from Binance: 11,800 ETH ($31.02 million);
MEXC: 12,652 stETH ($33.75 million);
Binance or another institution/whale withdrawing funds from Binance: 36,000 ETH ($96.54 million);
0x327...45b address: 20,000 ETH ($53.7 million).
Odaily News The liquid staking/restaking protocol mETH Protocol announced on the X platform that cmETH withdrawals have been restored, user funds are safe and fully backed, and a detailed post-incident analysis report will be released soon, outlining the incident and all measures taken.
Earlier news, mETH Protocol, a liquid staking/restaking protocol under Mantle, which has a close relationship with Bybit, announced the suspension of cmETH withdrawals after learning about the recent security incident involving certain mETH and cmETH transactions on Bybit, but deposit and staking services will proceed as usual.
Odaily News The Beosin security team conducted in-depth tracking and analysis of the stolen funds in the Bybit exchange hacker attack. The study found that one of the stolen funds deposit addresses, 0x36ed3c0213565530c35115d93a80f9c04d94e4cb, transferred 5,000 ETH to the split address 0x4571bd67d14280e40bf3910bd39fbf60834f900a at 06:28:23 UTC on February 22, 2025. Subsequently, the funds were split into amounts ranging from tens to hundreds of ETH at a frequency of once every few minutes, and further transferred to multiple addresses. It is worth noting that after multiple transfers, some funds attempted to cross-chain to the BTC chain address bc1qlu4a33zjspefa3tnq566xszcr0fvwz05ewhqfq through Chainflip, indicating that hackers attempted to further conceal the flow of funds through cross-chain operations.
In addition, at 07:44:47 UTC on February 22, 2025, the split address transferred 56.68 ETH to the black address 0x33d057af74779925c4b2e720a820387cb89f8f65. This address is marked as "Hacker: Phemex Hacker" in the Beosin tag library, and the "Phemex Exchange $85 million theft" was done by the well-known hacker group Lazarus Group. This key discovery further confirms our previous inference based on the similarity between the attack mode and the WazirX incident, that is, the Bybit exchange hacker attack is very likely related to the Lazarus Group.
It is worth mentioning that in the Phemex incident, some of the stolen funds were transferred to mixers such as Tornado Cash to conceal their flow. For the Bybit incident, we are fully prepared. Once the relevant funds enter the Tornado.cash mixer, Beosin will immediately start the fund penetration analysis. The special working group has been equipped with the latest version of the Tornado Cash penetration algorithm, and several professional analysts who have successfully completed fund penetration in similar cases have joined to ensure that the flow of funds can be tracked efficiently and provide strong support for subsequent actions. At present, the Beosin security team is cooperating with the Bybit security team to track funds.
Odaily News ZachXBT published an update on the movement of Bybit’s stolen funds, stating that a few minutes ago, the Lazarus Group linked to an address related to the BingX hacker attack, which now connects the stolen funds of Bybit, BingX, and Phemex on-chain.
Overlapping address: 0xd555789b146256253cd4540da28dcff6e44f6e50
Bybit hacker attack transaction: 0x4a366130118d750715c2d35fdc07509cf943fcc988fa5e6d02211e3d5472796e
BingX hacker attack transaction: 0x93424aa87731bb9b1d8cc1f708d2ac9f3faf914f368a00494d87cba3e7719e8c
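The overlap analysis reported in the Beosin and ZachXBT items above, sketched as an added example (not code from Beosin, ZachXBT or Odaily): a time-ordered forward trace over transfer records that reports addresses reached from more than one theft. All addresses, amounts and timestamps are constructed placeholders, and `trace_forward`, `shared_addresses` and the `SERVICES` exclusion set are hypothetical names.

```python
import heapq
from collections import defaultdict

# Constructed transfer records: (sender, receiver, amount_eth, unix_time).
# Placeholder labels stand in for addresses; none of this is real chain data.
TRANSFERS = [
    ("theft_a", "split_1", 5000.0, 100),
    ("split_1", "hop_a", 300.0, 160),
    ("split_1", "hop_b", 56.68, 220),
    ("hop_b", "shared_x", 56.68, 300),
    ("theft_b", "p_hop", 120.0, 50),
    ("p_hop", "shared_x", 120.0, 90),
    ("hop_a", "early_out", 10.0, 30),    # left hop_a before stolen funds arrived
    ("hop_a", "cex_hot", 100.0, 400),
    ("p_hop", "cex_hot", 50.0, 95),
    ("cex_hot", "customer", 1.0, 500),   # unrelated exchange payout
]
# Assumption: shared service wallets (exchange hot wallets) are known up front.
SERVICES = {"cex_hot"}


def trace_forward(transfers, seed, start_time, services=frozenset()):
    """Return {address: earliest time funds from `seed` could have reached it}.

    Only transfers sent at or after the sender was itself reached count, and
    service wallets are recorded but never expanded, because everything that
    passes through a pooled wallet would otherwise look connected.
    """
    services = {s.lower() for s in services}
    outgoing = defaultdict(list)
    for src, dst, _amount, ts in transfers:
        outgoing[src.lower()].append((ts, dst.lower()))
    seed = seed.lower()
    earliest = {seed: start_time}
    heap = [(start_time, seed)]
    while heap:
        reached_at, addr = heapq.heappop(heap)
        if reached_at > earliest[addr] or addr in services:
            continue
        for ts, dst in outgoing[addr]:
            if ts >= reached_at and ts < earliest.get(dst, float("inf")):
                earliest[dst] = ts
                heapq.heappush(heap, (ts, dst))
    return earliest


def shared_addresses(transfers, seeds, services=frozenset()):
    """seeds: {incident: (theft_address, theft_time)}.

    Returns the non-service addresses reached from every incident, with the
    time each incident's funds first arrived there.
    """
    traces = {name: trace_forward(transfers, addr, t0, services)
              for name, (addr, t0) in seeds.items()}
    common = set.intersection(*(set(t) for t in traces.values()))
    common -= {s.lower() for s in services}
    return {a: {name: traces[name][a] for name in traces}
            for a in sorted(common)}


if __name__ == "__main__":
    seeds = {"incident_a": ("theft_a", 100), "incident_b": ("theft_b", 50)}
    print(shared_addresses(TRANSFERS, seeds, SERVICES))
```

Without the service exclusion, the same data also reports the exchange hot wallet and its customer as overlaps, which is the false link an analyst has to rule out before attributing two incidents to one actor.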
Odaily News Bitget CEO Gracy said in a Space about "Analysis of the Bybit Theft" that she took the initiative to communicate with Bybit CEO Ben and provided 40,000 ETH. The short-term liquidity provided did not require any collateral, interest, or any commitment. It could be transferred back when Bybit no longer needed it. The current situation is that Bybit's liquidity is now sufficient and no more support is needed. Bybit said that some liquidity providers require collateral.
Odaily News According to on-chain analyst Yu Jin’s monitoring, a new address withdrew 10 million USDT from Bybit, then purchased 3655.6 ETH on the chain and immediately transferred it to Bybit. The average purchase price was $2,735.
Odaily News mETH Protocol released an update on the Bybit security incident, disclosing that a security incident occurred on Bybit resulting in the unauthorized withdrawal of mETH and cmETH from the exchange, including the exchange of 8,000 mETH for ETH through three transactions on DEX, and an unsuccessful withdrawal of 15,000 cmETH initiated through mETH Protocol. There was no risk to Mantle or mETH Protocol and the cmETH liquidity on Mantle Network L2 was reduced. The attacker's wallet address was blacklisted, thereby preventing further cmETH transfers or interactions within the protocol. Ultimately, no unauthorized cmETH withdrawals occurred, the contract has now been restored, and operations have returned to normal.
Odaily News CZ said about the recent Bybit hack: “We have seen a pattern where hackers are able to steal large amounts of cryptocurrency from multi-signature ‘cold storage’ solutions, such as Bybit, Phemex, WazirX and other exchanges. In the recent Bybit case, the hacker was able to make the front-end UI show a legitimate transaction, while the actual signature pointed to another transaction. For other cases, based on the limited information available, it seems that similar tactics were used.
What is even more worrying is that the affected exchanges use different multi-signature solution providers. The hacker group Lazarus Group has demonstrated extremely advanced and extensive penetration capabilities. It is still unclear whether the hackers successfully penetrated multiple signature devices, the server side, or both.
Some have questioned my previous suggestion to suspend withdrawals as a standard security precaution (tweeted from my shuttle bus to the airport). My intention was to share a practical approach based on experience and observation, but there is no right or wrong approach. My guiding principle is always to lean on the safe side. After any security incident, all operations should be suspended to ensure we fully understand what happened, how the hackers penetrated the system, which devices were compromised, triple-check to ensure safety, and then resume operations.
Of course, suspending withdrawals could cause more panic. In 2019, we suspended withdrawals for a week after a major $40 million hack. When we resumed withdrawals (and deposits), deposits exceeded withdrawals. This is not to say that this approach is better, each situation is different and requires judgment. I tweeted to share what might work and to show support in a timely manner. I believe Ben made the best decision based on the information he had.
Ben has maintained transparent communication and a calm demeanor while handling this challenging situation, which is in stark contrast to other CEOs who have lacked transparency, such as WazirX, FTX, etc.
Each of the cases mentioned here is different. FTX is a fraud, and as for WazirX, I cannot comment due to the ongoing litigation.
The bottom line is that we should never take safety for granted. It’s important to understand safety so you can choose the right tools for your needs, but the basic concepts still apply. Stay safe (SAFU)!”
Odaily News Paolo Ardoino, CEO of Tether, announced on the X platform that he had just frozen 181,000 USDT related to the Bybit hacker attack. Although it may not be much, it is a very effective method and Tether will continue to monitor it.
Odaily News According to Lookonchain monitoring, the Bybit stolen funds address (from Lazarus Group) has transferred 10,000 ETH and started money laundering. Currently, the Bybit hacker holds 489,395 ETH (US$1.32 billion) and 15,000 cmETH (unable to withdraw) in 53 wallets.
Odaily News In response to CZ's suggestion to stop Bybit withdrawals on X platform, Bybit CEO Ben Zhou said: "I agree with CZ's point of view. If the hacker attack was through infiltrating our internal system (such as a part of the withdrawal system) or the hot wallet was breached, we would immediately suspend all withdrawals until the root cause of the problem is found. But in yesterday's incident, it was our ETH cold wallet (we use Safe) that was breached, which has nothing to do with any of our internal systems. Therefore, I can decisively decide to let all Bybit withdrawals and system functions operate as usual. During the crisis last night, Binance and CZ, as well as many partners and industry leaders, took the initiative to provide help. We are deeply grateful for this and feel extremely warmed by the support we have received. This incident is a huge blow to Bybit, but the entire industry has shown the power of unity. I believe that from now on, everything will only move in a better direction."
Odaily News According to Lookonchain monitoring, Bybit appears to have spent $100 million to purchase 36,893 ETH at $2,711 from Galaxy Digital and FalconX via OTC.
Odaily News Bybit posted on the X platform that as part of the investigation and recovery efforts, Bybit has pledged to use 10% of the recovered funds to reward ethical network and cybersecurity experts who actively recovered the stolen cryptocurrencies in the incident.
Odaily News According to Lookonchain monitoring, DWF Labs deposited 2,200 ETH, equivalent to approximately US$6.02 million, into Bybit one hour ago.
Odaily News Regarding whether to support Ethereum's rollback to before the theft, Bybit CEO Ben Zhou said in Space: "I'm not sure if it's one man's decision. Based on the spirit of blockchain, maybe it should be a voting process to see what the communities want, but I am not sure."
Odaily News Arkham data shows that 34,862.5 ETH was transferred from an unknown wallet to Bybit.
Odaily News According to Lookonchain analysis, Bybit is suspected to have purchased 71,755 ETH through OTC.
According to previous news, Arkham data showed that 34,862.5 ETH were transferred from an unknown wallet to Bybit.
Odaily News Chain detective ZachXBT disclosed in a post on his personal channel that after helping the Lazarus Group, the hacker team behind the Bybit security incident, to launder $35 million, the eXch (centralized coin mixer) team mistakenly sent 34 ETH (worth $96,000) to another exchange’s hot wallet address.
Odaily News Bybit CEO Ben Zhou called out to eXch: “At this moment, it’s actually not about Bybit or any entity, but our general attitude towards hackers as an industry. I sincerely hope @eXch
We also had help from Interpol and international regulators to help stop these funds from leaving them.”
According to previous news, eXch rejected Bybit’s request to intercept funds, and a large amount of ETH was transferred through eXch mixing.
Odaily News Arkham data shows that 34,742.6 ETH were transferred from Wintermute to an address that interacted with the Bybit deposit address.
On-chain data shows that the address received 34,862.5 ETH from FalconX and Galaxy Digital early this morning and then transferred it to Bybit.
Odaily News According to the monitoring of on-chain analyst Ember, the address (0x2E4...b77) that may be Bybit or its affiliates received another 34,743 ETH (US$97.75 million) from Wintermute 20 minutes ago. They are likely to have purchased a total of 106,498 ETH (US$294.93 million) in the past day or so: through Galaxy Digital, FalconX, and Wintermute. This address first received ETH after receiving 100 million USDT from Bybit's cold wallet and transferring it to FalconX and Galaxy Digital. Galaxy Digital, FalconX, and Wintermute all transferred ETH from various CEXs to the 0x2E4...b77 address, and they should have all been bought on the secondary market.
Odaily News Julio Moreno, head of research at CryptoQuant, published data on the X platform, saying that Bybit's ETH reserves have rebounded to about 160,000.
Odaily News Bybit released an update on the X platform stating that deposits and withdrawals on Bybit have fully returned to normal levels, and the on-chain data has been confirmed.
Odaily News According to Arkham monitoring data, about 1 minute ago, 34,743 ETH were transferred from the Bybit Deposit address to the Bybit hot wallet address, worth US$97.6 million.
Odaily News Bybit exchange was hacked and lost more than $1.4 billion worth of liquid staked ETH, mETH, and other ERC-20 tokens. However, according to CryptoQuant data, within two days of the hack, Bybit replenished its ETH reserves to nearly 50% of the pre-hack level. According to Lookonchain monitoring, Bybit may have purchased a total of 106,498 ETH ($295 million) through OTC in the past 24 hours. (Cointelegraph)
Odaily News SlowMist Yuxian posted on the X platform: "After 30 days of in-depth analysis and investigation, through forensic analysis and correlation tracking, we confirmed that the attacker was the North Korean Lazarus Group. This was a national APT attack against cryptocurrency exchanges. We decided to share the relevant IOCs (Indicators of Compromise), including some cloud service providers, agents and other IPs that were exploited, for emergency investigation by exchanges and related platforms. Please note that this disclosure does not mention which platform or platforms, nor does it say Bybit. If there is any similarity, it is really not impossible."
Odaily News According to on-chain analyst Yu Jin’s monitoring, the Bybit hacker is laundering the ETH very quickly.
It has been almost 30 hours since the laundering began yesterday afternoon. A large number of addresses have used cross-chain exchange platforms such as Chainflip, THORChain, LiFi, DLN, and eXch to exchange 37,900 ETH ($106 million) for other assets (BTC, etc.).
The Bybit hacker address currently has 461,491 ETH ($1.29 billion), and the total amount of ETH they stole from Bybit is 499,395 ($1.4 billion).
Odaily News According to Arkham monitoring, about 31 minutes ago, Mirana Ventures transferred 10,000 ETH worth approximately $27.97 million to Bybit Deposit, and the funds were subsequently transferred to the Bybit hot wallet address.
Odaily News Bybit issued a warning on the X platform that there are fraudsters who will impersonate Bybit employees, reminding the community to be vigilant. Bybit will never ask for your personal information, deposits or passwords. Be sure to check the official source carefully and report any suspicious situations. If you feel there is a problem, it is likely that there is a problem. Be safe.
Odaily News On-chain data shows that the Bybit attacker is suspected of issuing Meme tokens on PumpFun for money laundering. It is reported that the attacker launched Meme coins after transferring SOL tokens to a certain address. The current market value of the relevant Meme coins has reached approximately US$2.2 million, with a trading volume of approximately US$26 million, but the liquidity is low. Community users are reminded to be vigilant when interacting with them.
Odaily News According to updated data released by Spot On Chain, Bybit raised 254,830 ETH ($693 million) within 48 hours after the hack, including:
132,178 ETH ($367 million), likely acquired through OTC transactions with Galaxy Digital, FalconX, and Wintermute;
122,652 ETH (US$326 million), loans from trading platforms/institutions such as Bitget, MEXC, Binance and DWF Labs (it may also be personal borrowing behavior of some whales).
At the same time, the hacker has exchanged 40,944 ETH ($115 million) for BTC and other assets through Chainflip, THORChain, LiFi, DLN and eXch. Currently, the hacker still holds 458,451 ETH ($1.29 billion), accounting for about 91.7% of the stolen 499,395 ETH ($1.4 billion).
Odaily News The Pumpfun frontend has removed the Lazarus-related meme coins.
Odaily News Cryptocurrency exchange Bybit has announced the launch of a new API to update the blacklist of identified suspicious wallet addresses. The API will help various project owners and security experts track and recover stolen funds more efficiently under time pressure. This list of suspicious addresses was compiled by industry white hat hackers and investigators within three days of the hack, and Bybit has received thousands of clues from industry colleagues so far.
With the joint efforts of internal and external security teams, the elite investigation team confirmed a number of malicious wallet addresses. This collaborative initiative will greatly improve the efficiency of security response and strengthen the security of the entire crypto network. Bybit will continue to update the blacklist to ensure that cybersecurity experts and partners can effectively intercept illegal activities. For contributors who successfully intercept and recover funds, Bybit will provide a 10% bounty reward.
Bybit is developing the HackBounty platform and will release an announcement at the appropriate time. This platform aims to empower the entire industry to jointly track the actions of hackers and encourage all security experts to continue to pay attention to the latest progress of this innovative program. Bybit will also continue to update the blacklist to help partners intercept illegal fund flows, and contributors who successfully recover funds will receive a 10% bounty reward.
This action has led to a historic and comprehensive cooperation in the crypto industry, forming an industry-wide Crypto's Defense Alliance. Bybit has announced a list of individuals, institutions and teams that have contributed to this emergency action, and the list is still being updated. This includes but is not limited to the following partners and peers:
Mandiant, Verichain, and Sygnia.co provided critical forensic analysis to reveal the truth behind this hack.
ZeroShadow has launched a 24/7/365 global emergency response team to assist in tracking malicious actors, fund flows, and communicate with law enforcement agencies to support investigations and recover stolen assets.
Chainalysis, Elliptic, TRM, Goplus, SEAL 911, and ZachXBT quickly marked on-chain addresses associated with the attack, limiting the hacker’s ability to launder stolen assets.
SlowMist, BlockSec, and BEOSIN provide professional security consulting and threat analysis.
VerifyVASP, AML Bot, and CryptoForensic contribute key compliance and risk assessment solutions to enhance overall security response capabilities.
Binance, Coinbase, Bitget, Polygon, Arbitrum, Optimism, Wormhole, Synapse, Connext, Chainflip, Across.to, Symbiosis.finance, AVAX, ChangeNow, fixedfloat, and cBridge provide cross-chain security measures to help block the flow of hacker funds.
Odaily News eXch posted on the Bitcointalk forum that some people accused its service of laundering Lazarus Group funds, which was purely "opposition to decentralized cryptocurrency". Although some analysts pointed out that eXch's recent ETH trading volume has increased abnormally and its Bitcoin reserves are almost empty, eXch insisted that the funds involved were only "isolated cases" and promised to support open source privacy and security projects through donations. eXch also released screenshots of its communication with Bybit and rejected Bybit's request to block the address suspected of receiving stolen money. (The Block)
Odaily News Bybit published a statement on the X platform stating that through the coordinated efforts of multiple parties, it successfully froze $42.89 million of stolen funds in one day. The institutions that provided assistance include Tether, THORChain, ChangeNOW, FixedFloat, Avalanche Ecosystem, CoinEx, Bitget, Circle, etc.
Odaily News According to Ember’s monitoring, the Bybit hacker has now sold 50,700 ETH (US$142 million) in exchange for DAI and other on-chain assets (BTC, etc.), and currently holds 448,600 ETH (US$1.26 billion).
The address of Bybit or its affiliates (0x2E4...b77) purchased a total of 157,600 ETH (US$441 million) through three brokers, Galaxy Digital, FalconX, and Wintermute, in the past two days and then transferred it to Bybit.
Odaily News According to Lookonchain monitoring, Bybit has accumulated 446,870 ETH through various channels, worth approximately US$1.23 billion.
Odaily News Bybit CEO Ben Zhou posted an update saying, "Bybit has fully made up for the ETH shortfall, and a new audited Proof of Assets (POR) report will be released soon, so stay tuned."
