The Largest Crypto Asset Theft in History
Author: Mu Mu
Produced by: Bai Hua Blockchain (ID: hellobtc)
Cover: Photo by Terry Vlisidis on Unsplash
In the early morning of February 22nd, the crypto community was hit by the shocking news that a wallet of the leading trading platform Bybit had been drained of roughly $1.5 billion. The news was quickly verified, and the details surfaced over the following hours as security teams in the crypto community published their analysis and Bybit issued its own disclosure. One of Bybit's multi-signature wallets had been taken over completely by the attackers, who then drained about $1.5 billion worth of crypto assets, mainly ETH and stETH (a liquid staking token whose value tracks ETH).

Was it a cold wallet that was stolen?
Initially, the rumor was that a hot wallet had been hacked, since in most previous incidents the targets were hot wallets, whose permanent online connection exposes them to more risk. Once confirmed, however, the target turned out to be one of Bybit's cold wallets, compromised during a routine transfer.
Does this mean that in certain cases, cold wallets are not absolutely secure?
Private keys were not lost, and there is no vulnerability in the multi-signature contract code
Bybit's post-incident review identified the real problem. Its cold wallet is a Safe multi-signature contract wallet. Safe, formerly Gnosis Safe, is reported to secure over $100 billion of assets in the Ethereum ecosystem; as a multi-signature wallet focused on security and with a consistent track record, it has been adopted by many project teams, DAOs and trading platforms.
In this incident the problem lay in the front end (the web page or client interface through which users interact with the wallet) of the Safe website that Bybit used. Put simply, the attackers tampered with the web page on which the Bybit team initiated the multi-signature transaction: while the team believed it was approving a normal transfer, the attackers substituted the transaction that was actually signed, so that Bybit's signers signed what amounted to a "deed of sale". The signed transaction upgraded the multi-signature contract wallet to a malicious contract prepared by the attackers, handing the wallet over to them by way of the team's own signatures.
So the private keys in the hardware wallets used for signing were not stolen, and no vulnerability was found in the Safe multi-signature contract itself; both remain secure. This was not a flaw in the on-chain components of the crypto industry but, in essence, a flaw in the conventional web infrastructure around them, combined with signers approving a transaction they had not verified independently of the tampered page.
Sophisticated technique, top-tier hacker group
As noted above, the attackers tampered with the web page the Bybit team used to interact with the wallet, yet Safe's review found no problem on the server side. The most likely explanation at the time of writing is that the attackers had already compromised the computers or related devices of the Bybit team members, for example with Trojans, and that the tampering was done through DNS hijacking, a Trojan, or a hijacked browser extension, techniques that are relatively complex and hard to pull off in some environments. Well-known voices in the security field consider the technique highly sophisticated.
Crypto investigator ZachXBT and the blockchain analytics firm Arkham currently believe there is evidence that the attack was carried out by the Lazarus Group, a hacker group widely assessed to be state-sponsored and known for attacking cryptocurrency platforms.
On social media, people have posted the group's track record: between 2017 and 2025 it stole large sums from multiple trading platforms and cryptocurrency projects, including 4,000 BTC from Youbit, which drove that exchange into bankruptcy, roughly $280 million from KuCoin, and $620 million from the Ronin cross-chain bridge, among others. The $1.5 billion taken in this incident sets a new record.
No market crash: the cryptocurrency market is relatively stable
Past experience says that trouble at a major platform usually triggers a market tsunami; sometimes a mere rumor involving a top platform is enough to put the market on thin ice. Yet this $1.5 billion incident has produced only a slight correction, and the market currently looks relatively stable.
The market looks stable because the large-scale dump of the stolen assets that many expected, or had heard rumored, did not happen. The attackers are mainly converting assets such as stETH, a liquid ERC-20 token, into native ETH. They are clearly more professional than the average holder: for them, native ETH is the safest asset on Ethereum, because it has no issuer with a freeze function, whereas USDT and USDC can be frozen by their issuers' blacklists soon after the addresses are flagged.
Analysis also shows that this group handles stolen crypto assets very patiently: it is still sitting on large amounts stolen years ago that it has not yet processed. Trading platforms are becoming more compliant, regulation is tightening, and the transparency of the blockchain makes laundering through conventional channels ever harder. The group is therefore not expected to dump the assets on the market in the short term (the amount is too large, the risk too high, and there is no counterparty able to absorb it) and can only dispose of them slowly in batches.
The platform handled the issue properly overnight, without falling into a liquidity crisis
One reason the cryptocurrency market has stabilized is that Bybit handled the issue properly overnight. The latest announcement from its official Chinese-language account on X stated: "Since the hacking incident occurred (10 hours ago), Bybit has experienced an unprecedented number of withdrawal requests. So far, we have received over 350,000 withdrawal requests, with about 2,100 withdrawal requests still being processed. Overall, 99.994% of the withdrawals have been completed."
Normally an incident of this size would be comparable to FTX's liquidity crisis, where one piece of bad news was enough to stop the platform from operating and drag it down. With Bybit's own reserves and the team's handling, the situation appears to have been turned around: Bybit has not fallen into a liquidity "quagmire", and it has obtained "bridge loans" from partners covering 80% of the stolen ETH, which in effect resolves the bank-run risk. There have also been reports of other platforms transferring large amounts of stETH to Bybit wallets.
After the incident, the founders of multiple platforms in the industry expressed their willingness to help, and the attackers' addresses are being flagged and blocked on these competing platforms; the global crypto ecosystem is taking part in "hunting down" the relevant addresses.
Rumors of an Ethereum rollback or deletion of the hackers' accounts taken seriously
After the incident, posts circulated on X, as jokes or as rumors, claiming that "Vitalik announced that the Ethereum Foundation will vote tonight on whether to roll back the chain or delete the ETH held by the hackers."
Surprisingly, many in the community took these obvious jokes or rumors seriously and began debating them. In reality the Ethereum network is far too widely distributed to roll back, and the conditions for doing so do not exist: a rollback would discard every transaction recorded after the attack, meaning that BlackRock's ETH spot ETF settlements and every CEX withdrawal since last night would be revoked, causing losses to thousands of people that someone would have to be held accountable for. The protocol also has no governance mechanism for reverting finalized blocks; even the 2016 DAO fork did not revert blocks but changed the balance of a contract whose funds were still time-locked, which does not apply here, where the stolen assets have already been moved and swapped.
The idea of "deleting the hacker's account" is even more absurd: an Ethereum address is not an account that anyone administers, and its balance is part of the state that every node holds.
Such a large platform did not carefully verify the transactions
Perhaps out of strong confidence in the security of cold wallets and multi-signature, the Bybit team signed the cold wallet's "deed of sale" without due care. It could have been avoided had each signer checked the actual transaction content on the signing device rather than trusting what the web page displayed.
This incident offers a number of lessons:
1) Always verify wallet operations several times over, including but not limited to the destination address, the value, the calldata and operation type, and the transaction hash shown by the signing device;
2) Do not blindly trust any third party, including operating systems, hardware wallets, software wallets and multi-signature wallets, no matter how secure they claim to be; in particular, the front end that builds a transaction is not the component that signs it, and the two should be checked against each other;
3) Preferably never sign any message you cannot read, such as a bare string of hexadecimal characters; where a hardware wallet can only display a hash, recompute that hash independently from the parameters you intend to approve before confirming;
4) Truly understand how wallets and crypto transactions work, so that your everyday operations are secure and you can protect your own wallet.
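A concrete version of lessons 1) and 3), written for this article as an added example (it is not code from Bybit, Safe or the original author): recompute the Safe transaction hash offline from the parameters you intend to approve, and compare it with the hash the hardware wallet displays, instead of trusting the web page that built the transaction. A Safe can only be "upgraded" by its own signers approving a transaction that changes its implementation pointer, and Safe's execTransaction supports a DELEGATECALL operation that runs foreign code in the Safe's own storage, so the script also flags that operation, targets outside an approved list, and value transfers that carry calldata. The hashing follows the EIP-712 layout of Safe contracts from v1.3.0 onward (domain = chainId plus Safe address; older versions omit chainId and will not match). Keccak-256 is implemented inline so nothing needs to be installed; all addresses, the nonce and the calldata in the demo are constructed placeholders, and the function and variable names are this example's own.

```python
# Added example (not Bybit's or Safe's code): recompute a Safe transaction hash offline.
# Keccak-256 is implemented inline so the script has no dependencies and runs offline.
MASK64 = (1 << 64) - 1
RATE = 136  # Keccak-256 absorbs 136-byte blocks
ROUND_CONSTANTS = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
ROTATIONS = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
             [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]  # rho offsets, indexed [x][y]

def _rol(lane, shift):
    shift %= 64
    return ((lane << shift) | (lane >> (64 - shift))) & MASK64

def _keccak_f(lanes):
    """Keccak-f[1600] on 25 lanes stored at index x + 5*y."""
    for rc in ROUND_CONSTANTS:
        parity = [lanes[x] ^ lanes[x + 5] ^ lanes[x + 10] ^ lanes[x + 15] ^ lanes[x + 20] for x in range(5)]
        delta = [parity[(x - 1) % 5] ^ _rol(parity[(x + 1) % 5], 1) for x in range(5)]
        lanes = [lanes[i] ^ delta[i % 5] for i in range(25)]  # theta
        moved = [0] * 25
        for x in range(5):
            for y in range(5):  # rho + pi
                moved[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(lanes[x + 5 * y], ROTATIONS[x][y])
        lanes = [moved[i] ^ (~moved[(i + 1) % 5 + 5 * (i // 5)] & MASK64 & moved[(i + 2) % 5 + 5 * (i // 5)])
                 for i in range(25)]  # chi
        lanes[0] ^= rc  # iota
    return lanes

def keccak256(data: bytes) -> bytes:
    """Original Keccak-256 (0x01 padding), the variant Ethereum uses; not SHA3-256."""
    padded = bytearray(data) + b"\x01"
    padded += b"\x00" * (-len(padded) % RATE)
    padded[-1] |= 0x80
    lanes = [0] * 25
    for offset in range(0, len(padded), RATE):
        for i in range(RATE // 8):
            lanes[i] ^= int.from_bytes(padded[offset + 8 * i:offset + 8 * i + 8], "little")
        lanes = _keccak_f(lanes)
    return b"".join(lanes[i].to_bytes(8, "little") for i in range(4))

# Type hashes as defined in the Safe contracts (keccak of the EIP-712 type strings).
SAFE_TX_TYPEHASH = keccak256(
    b"SafeTx(address to,uint256 value,bytes data,uint8 operation,uint256 safeTxGas,"
    b"uint256 baseGas,uint256 gasPrice,address gasToken,address refundReceiver,uint256 nonce)")
DOMAIN_TYPEHASH = keccak256(b"EIP712Domain(uint256 chainId,address verifyingContract)")
CALL, DELEGATECALL = 0, 1

def _word(value) -> bytes:
    """ABI-encode an int, or a 0x-prefixed hex address, as one 32-byte big-endian word."""
    return (int(value, 16) if isinstance(value, str) else value).to_bytes(32, "big")

def safe_tx_hash(chain_id, safe, to, value, data, operation, nonce, safe_tx_gas=0,
                 base_gas=0, gas_price=0, gas_token="0x0", refund_receiver="0x0") -> bytes:
    """keccak256(0x19 0x01 || domainSeparator || hashStruct(SafeTx)), as in Safe.getTransactionHash."""
    domain = keccak256(DOMAIN_TYPEHASH + _word(chain_id) + _word(safe))
    struct = keccak256(SAFE_TX_TYPEHASH + _word(to) + _word(value) + keccak256(data)  # bytes are hashed
                       + _word(operation) + _word(safe_tx_gas) + _word(base_gas) + _word(gas_price)
                       + _word(gas_token) + _word(refund_receiver) + _word(nonce))
    return keccak256(b"\x19\x01" + domain + struct)

def review_safe_tx(to, value, data, operation, approved_targets):
    """Signer-side policy: findings a human must clear before approving (empty list means clean)."""
    findings = []
    if operation != CALL:
        findings.append("operation is DELEGATECALL: the Safe would run foreign code in its own storage, "
                        "which is how its implementation pointer can be rewritten")
    if to.lower() not in {a.lower() for a in approved_targets}:
        findings.append(f"target {to} is not on the approved destination list")
    if value > 0 and data:
        findings.append("value transfer carries calldata, so this is not a plain ETH transfer")
    return findings

def device_hash_matches(displayed_hex: str, expected: bytes) -> bool:
    """Compare the hash shown on the hardware wallet with the independently computed one."""
    return bytes.fromhex(displayed_hex.lower().removeprefix("0x")) == expected

if __name__ == "__main__":
    safe, treasury = "0x" + "11" * 20, "0x" + "22" * 20  # constructed placeholder addresses
    intended = dict(to=treasury, value=10**18, data=b"", operation=CALL)
    # What a tampered front end might hand the signers instead: a delegatecall to an unknown contract.
    substituted = dict(to="0x" + "33" * 20, value=0, data=b"\xde\xad\xbe\xef", operation=DELEGATECALL)
    for label, tx in (("intended", intended), ("substituted", substituted)):
        digest = safe_tx_hash(1, safe, nonce=7, **tx)  # nonce 7 is a constructed value
        print(label, "safeTxHash 0x" + digest.hex(), review_safe_tx(approved_targets=[treasury], **tx))
```

Run as a script, it prints the hash of the intended transfer next to the hash of a substituted delegatecall and the findings for each. To use it for real, feed in the parameters you actually intend to approve together with the Safe's current nonce and chain ID, and refuse to confirm on the device unless device_hash_matches() is true and review_safe_tx() returns nothing. The check only helps if the signing device shows the hash or the decoded fields; it cannot protect a signer who confirms whatever appears.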
Summary
In any case, the incident itself has come to an end; the situation observed so far is acceptable and all parties are relatively calm. Its impact, however, is certainly not over, and the market will closely watch what Bybit and the hacker group do next.
Security is no small matter. Not every victim of a hacker attack can recover smoothly, and the struggle between the crypto industry and hackers will continue.
Disclaimer: As a blockchain information platform, the articles published on this site only represent the personal views of the authors and guests, and are not related to the stance of Web3Caff. The information in the articles is for reference only and does not constitute any investment advice or offer, and please comply with the relevant laws and regulations of your country or region.