What impact will the theft of more than 510,000 ETH from Bybit have on the market?


Yesterday (February 21st) during the day, some friends were still immersed in the joy of "the bull returning quickly", because Bitcoin rebounded to around $99,500 and Ethereum also rebounded to around $2,850. We won't discuss whether yesterday's rebound was a bull trap, but this kind of market seems to have given some people hope again.

However... in the evening, the market encountered a black swan event: the Bybit exchange was attacked by hackers, and more than 510,000 ETH were stolen (worth about $1.5 billion, including 401,347 ETH, 90,376 stETH, 15,000 cmETH and 8,000 mETH).

You do not need to understand the attack techniques in detail; interested readers can search online. In simple terms: Bybit's multi-signature cold wallet was managed and authorized by three signers, call them Zhang San, Li Si, and Wang Wu. Any transaction must be signed by all of them together to be completed. The hackers located the "brothers" through some special means (social engineering attacks) and then planted malware on their computers. One day, the "brothers" simultaneously received a request to transfer out 500 ETH and signed it as usual, not knowing that the signing interface they saw had been forged by the hackers. The result was the transfer of 510,000 ETH to the hacker's wallet address.

After the Bybit attack incident, various speculations appeared on the internet, such as insider theft, the Lazarus Group of North Korea being responsible, and even PI community users claiming responsibility...

However, according to expert analysis this morning, professionals have basically determined that this attack was carried out by the North Korean hacker group Lazarus Group using the "blind signing" method, in which what the UI displays to the signer differs from what is actually being signed in the backend, similar to the scenario described above. Interested readers can refer to the detailed report released by SlowMist.
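The forged-interface scenario above, turned into a defender's check (an added example, not from the article or from Bybit): decode the bytes each co-signer is asked to approve on an independent path and compare them with what the interface displayed. The legacy RLP transaction layout, the placeholder addresses and the function names are assumptions; the 500 ETH and 510,000 ETH figures follow the article's simplified description.

```python
# Added example, not from the article. Assumed payload format: a legacy unsigned
# Ethereum transaction, RLP list [nonce, gasPrice, gasLimit, to, value, data].
ETH = 10**18

def int_bytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")  # 0 encodes as b""

def rlp_encode(item, base=0x80):             # builds the short samples only
    if isinstance(item, list):
        return rlp_encode(b"".join(map(rlp_encode, item)), 0xC0)
    if base == 0x80 and len(item) == 1 and item[0] < 0x80:
        return item                          # a single low byte encodes as itself
    assert len(item) <= 55
    return bytes([base + len(item)]) + item

def rlp_decode(buf, pos=0):                  # returns (item, next_pos)
    b = buf[pos]
    if b < 0x80:
        return buf[pos:pos + 1], pos + 1
    base = 0xC0 if b >= 0xC0 else 0x80       # 0xC0 and above marks a list
    n, pos = b - base, pos + 1
    if n > 55:                               # long form: n - 55 length bytes follow
        n, pos = int.from_bytes(buf[pos:pos + n - 55], "big"), pos + n - 55
    if pos + n > len(buf):
        raise ValueError("truncated RLP")
    if base == 0x80:
        return buf[pos:pos + n], pos + n
    items, end = [], pos + n
    while pos < end:
        item, pos = rlp_decode(buf, pos)
        items.append(item)
    return items, end

def check_intent(raw_tx, shown_to, shown_eth):
    """List every way the payload differs from the plain transfer the UI showed."""
    fields, end = rlp_decode(raw_tx)
    if end != len(raw_tx) or not isinstance(fields, list) or len(fields) < 6:
        raise ValueError("not a transaction payload")
    to, value, data = fields[3:6]
    checks = [("recipient mismatch", to != bytes.fromhex(shown_to[2:])),
              ("amount mismatch", value != int_bytes(shown_eth * ETH)),
              ("unexpected calldata", data != b"")]
    return [name for name, bad in checks if bad]

def build_tx(to_hex, eth):                   # constructed sample payload
    return rlp_encode([int_bytes(7), int_bytes(30 * 10**9), int_bytes(21000),
                       bytes.fromhex(to_hex[2:]), int_bytes(eth * ETH), b""])
TREASURY, UNKNOWN = "0x" + "11" * 20, "0x" + "22" * 20   # constructed addresses
print(check_intent(build_tx(UNKNOWN, 510_000), TREASURY, 500))  # forged-UI case
```

The check only helps if it runs on a device and code path separate from the interface that rendered the request, since a compromised workstation can falsify both.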

The Lazarus Group has been accused of carrying out multiple cyber attacks since 2010, including the Sony Pictures hack, the 2016 bank theft case, the "WannaCry" ransomware attack, and multiple attacks on cryptocurrency and pharmaceutical companies.

The following are some of the Lazarus Group's attacks on the crypto sector:

- October 2024: $50 million worth of assets stolen from Radiant Capital
- July 2024: $230 million worth of assets stolen from WazirX
- 2023: $100 million worth of assets stolen from Atomic
- 2023: $70 million worth of assets stolen from CoinEx
- 2023: $41 million worth of assets stolen from Stake
- 2023: $120 million worth of assets stolen from Poloniex
- 2022: $625 million worth of assets stolen from Ronin Bridge
- 2022: $100 million worth of assets stolen from Horizon Bridge

It can be seen that the Bybit theft is the largest theft incident in history. Although the scale of this black swan event is relatively large, it seems that it has not caused a heavy blow to the overall market. As of the writing of this article, the price of BTC is still around $96,000, and the price of ETH is around $2,700.

There were some minor incidents, such as a 10% drop in the price of MNT (Bybit's token) within a few minutes, and a 5% de-pegging of USDE, which also indirectly caused a rise and fall in ENA. Bybit's public relations handling seems to have been relatively good, with the CEO responding on the X platform within 30 minutes of the incident and the official account releasing an official statement within 10 minutes, followed by the CEO's live broadcast to answer community questions.

However, there are still various messages and speculations circulating on the internet. My suggestion is that everyone should remain calm, not click on any links to avoid phishing, and consider temporarily transferring assets to large exchanges like Binance and OKX if concerned about asset safety.

Since the hackers are from a North Korean organization, the probability of recovering the stolen assets is relatively low, and the loss will likely have to be borne by Bybit itself. As for how Bybit will compensate for this loss, such as by purchasing ETH, we can follow Bybit's latest official announcements.

As for the impact of this event on the market going forward, some KOLs say it will lead the market directly into a bear market, and some say Bybit is the next FTX. Personally, I'm not that pessimistic. It depends on how Bybit handles this incident, especially the user withdrawal rush. If Bybit can continue to handle the public relations and user issues well, the market should be able to recover in a few months, although it may lose some customers. Other exchanges may also try to poach Bybit's customers behind the scenes, despite their public statements of solidarity.

If Bybit fails to handle this well in the next two weeks, or if there are new negative chain reactions, market sentiment may be hit again, and ETH may see further corrections, which would likely lead to a further bloodbath in altcoins.

The best-case scenario (just speculating here) would be: Bybit buys ETH to fill the hole, the North Korean hackers convert the ETH to BTC through special channels (not directly to USDT to avoid freezing by Tether), which can offset each other and stabilize the current ETH trend, while also further stimulating the short-term BTC market. The hackers may then slowly cash out the BTC over the next few years or even longer, as the Lazarus Group has historically been in no rush to quickly liquidate stolen assets.

Currently, this appears to be a multi-party game, and we can only wait and see. Below is the wallet address of the hackers, and interested readers can observe the movement of the stolen funds.

Security is a weighty, long-term undertaking, and it is hoped that Bybit will truly take responsibility for its own mistakes instead of shifting them directly onto retail investors (its own clients).
