Coin Metrics: Data Analysis of Bybit Hacker Attack and Its Impact


Authors: Tanay Ved, Victor Ramirez; Source: Coin Metrics; Translator: Shan Eoba, Jinse Finance

Key Points:

  • The renowned cryptocurrency exchange Bybit has suffered the largest-scale hack in cryptocurrency history, with $1.5 billion worth of ETH stolen from its cold wallets.

  • Although the hackers still hold the stolen assets, having dispersed the 401,346 ETH across multiple accounts, Bybit has replenished the $1.2 billion deficit, bringing its ETH reserves to 380,000 ETH.

  • The market impact has been largely contained, with relatively smaller and shorter-lived price fluctuations compared to past incidents.

Introduction

In the past, we have seen many headline changes, narrative shifts, new projects emerging and fading, and many other seismic events shaking the crypto industry. Since its inception, Coin Metrics has upheld the OPEN values: Open, Pioneering, Elucidating, and Neutral. Our writing reflects these values: clarifying the complex public blockchain world, being at the forefront of the crypto market, and maintaining editorial neutrality to preserve the integrity of our research.

Ironically, as we were contemplating the content for our 300th issue and reflecting on the eternal themes of cryptocurrency history, we experienced a crisis that often occurs in the industry: the Bybit exchange becoming the victim of the largest exchange hack in history. In this article, we will focus on the Bybit exchange hack, using on-chain data to analyze the exchange's reserves, fund flows, and the impact on the market.

The Progression of the Bybit Hack

Shockingly, one of the largest cryptocurrency exchanges, Bybit, has been hacked, losing approximately $1.5 billion worth of ETH. This event is one of the largest cryptocurrency hacks in history, even surpassing the infamous Mt. Gox collapse and the FTX implosion. While the broader contagion has been contained, studying this series of events and their on-chain footprint can provide valuable context about the hack and its market impact.


While past high-profile hacks have stemmed from a series of security vulnerabilities, the Bybit attack occurred during the routine transfer of ETH from the platform's multi-signature cold wallets to hot wallets, a standard operating procedure for centralized exchanges managing user funds. Shortly after, Bybit CEO Ben Zhou confirmed the hack and assured users of the exchange's financial stability and ability to meet withdrawal requests in a live stream.

The attack targeted the signers of Bybit's cold wallets by "blinding" the user interface of Safe (the wallet provider used by Bybit) and altering the underlying smart contract code. This tricked the signers into approving malicious transactions, granting the attackers full access to Bybit's Ethereum cold wallets.


As of 2:16 PM UTC, shortly after the attacker's accounts were created, the hackers had gained control of 401,346 ETH (worth $1.1 billion), draining the funds from Bybit's cold wallets. The stolen assets reportedly also included Ethereum staking derivatives like stETH, totaling $1.5 billion.

While exchanges like Bybit operate off-chain as centralized entities, on-chain data can track exchange wallets, counterparties, and fund flows in real time. Coin Metrics has mapped the typically complex operational structure of exchange wallets, allowing us to trace the movement of funds from the exchange to the hacker wallets and beyond.


As shown in the image, 401,347 ETH flowed from Bybit's cold wallet (0x1d...) into the hacker's account (0x47...), and were then dispersed across over 40 accounts, with multiple withdrawals of 10,000 ETH each. While the perpetrators still control the assets, some funds have been transferred to decentralized exchanges (DEXs) and bridged to other networks like Solana, to convert into native assets that cannot be frozen by a central authority.
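The kind of fund tracing described above can be sketched as taint propagation over time-ordered transfers, plus a check for equal-sized fan-out. This is an added example, not Coin Metrics' code or methodology; the address labels and transfer records are constructed placeholders (the article gives only truncated addresses), and the rule that tainted value leaves an address first is a simplifying assumption.

```python
from collections import defaultdict

def sample_transfers(n_fanout=40, chunk=10_000):
    """Constructed, time-ordered (sender, receiver, ETH) records. Labels are
    placeholders; the article gives only truncated addresses."""
    txs = [("exchange_hot", "bybit_cold", 5_000),      # unrelated earlier top-up
           ("bybit_cold", "hacker_main", 401_347)]     # the theft itself
    txs += [("hacker_main", f"hacker_{i:02d}", chunk) for i in range(n_fanout)]
    txs += [("hacker_00", "dex_router", 2_500),        # swap on a DEX
            ("hacker_01", "bridge", 4_000)]            # bridge to another chain
    return txs

def trace_taint(transfers, victim, attacker):
    """Follow stolen value forward. Returns (tainted balance per address,
    hop distance from the attacker's first address)."""
    taint, hops = defaultdict(int), {}
    for sender, receiver, amount in transfers:
        if sender == victim and receiver == attacker:
            moved = amount                       # seed: the theft transfer
            hops.setdefault(receiver, 0)
        else:
            moved = min(amount, taint[sender])   # cannot move more taint than held
            if moved <= 0:
                continue                         # sender holds no stolen value
            taint[sender] -= moved
            hops.setdefault(receiver, hops[sender] + 1)
        taint[receiver] += moved
    return {a: v for a, v in taint.items() if v > 0}, hops

def equal_chunk_fanout(transfers, address, min_count=5):
    """Dispersal signal: one address sending the same amount to many receivers."""
    by_amount = defaultdict(set)
    for sender, receiver, amount in transfers:
        if sender == address:
            by_amount[amount].add(receiver)
    return {amt: len(r) for amt, r in by_amount.items() if len(r) >= min_count}

if __name__ == "__main__":
    txs = sample_transfers()
    taint, hops = trace_taint(txs, "bybit_cold", "hacker_main")
    print("addresses holding stolen value:", len(taint))
    print("equal-chunk fan-out:", equal_chunk_fanout(txs, "hacker_main"))
    print("exit points:", {a: taint[a] for a in ("dex_router", "bridge")})
```

Because taint is conserved at every hop, the tainted balances always sum to the stolen amount, which gives a quick sanity check on any trace.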

Bybit Exchange Supply and Flows


From the exchange's perspective, we can see that as the events of February 21st unfolded, Bybit experienced an ETH outflow of around $1.2 billion. This brought Bybit's total ETH supply down from 438,000 ETH at the end of that day to 60,000 ETH. With the news of the hack spreading, Bybit's BTC exchange supply also declined by 21,000 BTC (as of February 23rd), as users increasingly demanded withdrawals.

However, the subsequent inflows of funds show that Bybit has successfully plugged the $1.2 billion deficit, through means such as secured loans, over-the-counter trades, and user deposits. An audit of the reserves conducted by Hacken has confirmed this, verifying that all major assets, including ETH, maintain over 100% collateralization. As of February 24th, Bybit's reserves stand at 380,000 ETH.


Market Reaction to the Bybit Hack

The Bybit hack has left aftershocks in the market. Shortly after the hack was disclosed, ETH plummeted from $2,850 to $2,600, and Bybit's ETH-USDT market saw a slight discount compared to other prominent markets over the course of a few hours. Over the weekend, the gap between Bybit and other markets narrowed, and by early Sunday, ETH had even recovered to pre-hack price levels.

We have written about the market impact of previous hacks, and this hack's impact seems much smaller than in recent years. The market has matured to the point where it can weather such shocks without hesitation, and without their posing an existential risk to the exchange or the entire industry.


While most stablecoins maintained their dollar peg, another noteworthy contagion was the brief de-peg of Ethena USD (USDe). USDe dropped below $0.96 but began recovering the following day.

Ethena does rely on exchanges like Bybit to execute hedging strategies to maintain its peg, but importantly, Ethena USD stores the majority of its stablecoin collateral with institutional-grade custodians, not within Bybit (or any exchange) itself. Only the margin required to hedge short positions is held on exchanges like Bybit. The bulk of the collateral remains off-chain, not directly exposed to Bybit's risks.


To better understand this, we can draw a comparison to the Silicon Valley Bank (SVB) crisis, which caused USDC to de-peg for a few days in March 2023*. Concerns about Circle's reserves being custodied at SVB led USDC to briefly drop to $0.88.

Coincidentally (and importantly), both of these events occurred on Fridays. While traditional finance's weekend downtime can impact USDC holders, the secondary effects of the Bybit hack were self-corrected over the weekend. Overall, the contagion has been largely contained. The community has come together to ensure the safety of funds, and Bybit has been able to fulfill its obligations to its clients.

Although Ethena USD is not affected by exchange rate risk, USDe (and other stablecoins) are not immune to custodial risk. No story about an exchange hack is complete without a warning about custodial risk, so we will end with this well-worn phrase: not your keys, not your coins.

*Of course, these two incidents are not entirely comparable: one was a bank run, resulting in a small portion of stablecoin reserves being locked, while the other was a direct loss of funds due to theft. In this case, the relative scale of the "lost" crypto assets is comparable. Of the $40 billion USDC, $3.3 billion was locked in Circle's SVB account, while Bybit held 15% of the "backing" for USDe, or around $6 billion to $900 million.

Conclusion

The Bybit hacking incident is another test of the resilience of the cryptocurrency industry. Over the past few years, this has been crucial not only for exchanges, but for the entire market. Miraculously, the community has worked together to track the funds flowing to the hackers, identify the malicious actors, verify the solvency of the custodians in real-time, and mitigate the potential damage from this crisis. This work could not have been done so quickly and efficiently without public tools, data, and a culture of transparency.

The industry must now consider attacks from hostile state actors and regulators. While the damage within the ecosystem appears to be largely under control, as cryptocurrencies become increasingly integrated with the broader international financial system, this incident will raise national security concerns. The industry will be responsible for addressing these legitimate concerns and demonstrating the value of the permissionless architecture.
