Bull market black swan: Bybit’s assets worth $1.46 billion were stolen. Is there still room for ETH?

ODAILY
02-21

Original | Odaily Planet Daily (@OdailyChina)

Author | Wenser (@wenser2010)

At 11:20 pm Beijing time on February 21, ZachXBT posted that "suspicious fund outflows from Bybit have been detected, with a scale of up to $1.46 billion". According to Beosin Trace monitoring, a total of 514,723 ETH and derivatives was stolen from Bybit. Subsequently, Bybit co-founder Ben Zhou confirmed that Bybit's official cold wallet had been robbed and said the team was working on the security response.

Odaily Planet Daily will follow up on this event in this article for readers' reference.

The funds involved are mainly ETH, with a case scale of $1.46 billion

At 11:20 pm, after ZachXBT released the warning message, Odaily Planet Daily followed up immediately after a brief verification.

The information that could be confirmed at the time was that the address associated with the hacker was 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2; after stealing the funds, the hacker quickly swapped mETH and stETH for ETH on a DEX.

The hacker immediately conducted a Swap exchange

Just as the outside world was still guessing whether "the movement of such a large amount of funds is for Bybit's official wallet reorganization or other purposes", ZachXBT quickly gave a new hint: "My sources confirm it's a security incident."

In addition, ZachXBT reminded the major exchanges, service providers and other relevant personnel: "Suggest blacklisting the following EVM addresses -

  • 0x47666fab8bd0ac7003bce3f5c3585383f09486e2;

  • 0xa4b2fd68593b6f34e51cb9edb66e71c1b4ab449e;

  • 0x36ed3c0213565530c35115d93a80f9c04d94e4cb;

  • 0x1542368a03ad1f03d96D51B414f4738961Cf4443;

  • 0xdD90071D52F20e85c89802e5Dc1eC0A7B6475f92."

The aim is to cut off, as early as possible, the CEX channel through which the hacker could launder the funds, and to prevent further loss of the stolen Bybit funds.

According to Beosin Trace monitoring statistics, the stolen assets include:

  • 401,347 ETH, worth $1.12 billion;

  • 90,376 stETH, worth $253.16 million;

  • 15,000 cmETH, worth $44.13 million;

  • 8,000 mETH, worth $23 million.

Currently, the funds have been split into groups of 10,000 ETH each and sit in more than 40 Ethereum addresses. All hacker addresses have been added to the Beosin KYT label library, and Beosin KYT will issue alerts for all fund transfers involving hacker addresses. The Beosin security team's analysis is that the attack method in this incident is similar to the one used against WazirX: in both cases the front-end UI was spoofed so that the multi-signature wallet's signers signed malicious content, and the wallet's logic implementation contract was tampered with, which allowed the multi-signature wallet's funds to be transferred out.
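The blacklist and alerting described above only work if screening follows the funds as they are split across new addresses and compares addresses case-insensitively (the list above mixes lower-case and checksum-case forms). The following is an added example, not Beosin's or any exchange's code: the seed is the address quoted on this page, while every other address, the deposit address and all transfers are constructed sample data.

```python
# Added example: hop-by-hop screening of transfers against a seed blacklist.
# The seed is the address quoted on this page; every other address and all
# transfers are constructed sample data, not real on-chain activity.

SEED = "0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2"   # checksum-case form
A, B, C = ("0x" + h * 20 for h in ("a1", "b2", "c3"))  # constructed hop addresses
UNRELATED = "0x" + "d4" * 20                           # constructed
DEPOSIT = "0x" + "e5" * 20                             # constructed exchange deposit address

TRANSFERS = [  # (from, to, ETH), oldest first
    (SEED, A, 10_000.0),
    (SEED.lower(), B, 10_000.0),   # same sender, lower-case form
    (SEED, UNRELATED, 0.0001),     # dust: must not taint the receiver
    (A, C, 5_000.0),
    (UNRELATED, DEPOSIT, 3.0),     # clean deposit: no alert
    (C, DEPOSIT, 5_000.0),         # two hops from the seed: alert
]


def screen(transfers, seeds, deposit_addrs, min_eth=1.0):
    """Follow funds forward from the seeds; return (tainted set, alerts)."""
    tainted = {s.lower() for s in seeds}
    deposits = {d.lower() for d in deposit_addrs}
    alerts = []
    for src, dst, eth in transfers:          # chronological order is required
        src, dst = src.lower(), dst.lower()
        if src not in tainted or eth < min_eth:
            continue
        if dst in deposits:
            alerts.append((src, dst, eth))   # tainted funds reaching a service
        else:
            tainted.add(dst)                 # new hop: add to the watchlist
    return tainted, alerts


if __name__ == "__main__":
    watch, hits = screen(TRANSFERS, [SEED], [DEPOSIT])
    print(len(watch), "watched addresses;", len(hits), "alert(s)")
```

Treating every receiver above the threshold as tainted over-approximates, so alerts from a rule like this need analyst review before an account is frozen.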

Bybit's official response: The multi-signature wallet transaction was attacked and tampered with, the assets of other cold wallets are safe, and the exchange's withdrawals are operating normally

Bybit co-founder Ben Zhou spoke out on the X platform: "About 1 hour ago, Bybit's ETH multi-signature cold wallet made a transfer to Bybit's hot wallet. This specific transaction may have been tampered with, and all multi-signature wallet signers saw the tampered UI interface showing the correct transfer address, and the website link came from @safe. However, the signing information was to modify the smart contract logic of our ETH cold wallet. This resulted in the hacker taking control of the specific ETH cold wallet signed by our multi-signature, and transferring all the ETH in the cold wallet to an unknown address. Rest assured, Bybit's other cold wallets are safe, and all withdrawals within the CEX are operating normally."

In addition, Ben Zhou also issued a call for help to the outside world in a timely manner: "We will keep the public informed of the latest developments of this incident. If any team can help us track down the stolen funds, we would be extremely grateful."
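Ben Zhou's statement describes signers approving a payload that differed from what the UI displayed. The check below is an added example, not Bybit's or Safe's code: it validates the decoded fields of a Safe transaction (`to`, `value`, `data`, `operation`) against an allow-list before signing. The addresses, the allow-lists and both sample transactions are constructed.

```python
# Added example: policy check a signer runs on the decoded Safe transaction
# before approving. All addresses and both transactions are constructed samples.

CALL, DELEGATECALL = 0, 1        # Safe's Enum.Operation values
ERC20_TRANSFER = "a9059cbb"      # selector of transfer(address,uint256)

HOT_WALLET = "0x" + "11" * 20    # constructed: the intended destination
TOKEN = "0x" + "22" * 20         # constructed: an approved ERC-20 contract
UNKNOWN = "0x" + "33" * 20       # constructed: a contract nobody approved
ALLOWED_RECIPIENTS = {HOT_WALLET}
ALLOWED_TOKENS = {TOKEN}

EXPECTED_TX = {"to": HOT_WALLET, "value": 10**18, "data": "0x", "operation": CALL}
TAMPERED_TX = {  # calldata looks like a token transfer to the hot wallet
    "to": UNKNOWN, "value": 0, "operation": DELEGATECALL,
    "data": "0x" + ERC20_TRANSFER + HOT_WALLET[2:].rjust(64, "0") + "0" * 64,
}


def review_safe_tx(tx):
    """Return the reasons to refuse signing; an empty list means it passes."""
    findings = []
    to = tx["to"].lower()
    data = tx["data"].lower()
    data = data[2:] if data.startswith("0x") else data
    if tx["operation"] != CALL:
        findings.append("DELEGATECALL: target code would run with the wallet's storage")
    if not data:                                   # plain ETH transfer
        if to not in ALLOWED_RECIPIENTS:
            findings.append("ETH recipient %s is not allow-listed" % to)
    elif data[:8] == ERC20_TRANSFER and len(data) == 8 + 128:
        recipient = "0x" + data[32:72]             # low 20 bytes of first argument
        if to not in ALLOWED_TOKENS:
            findings.append("call target %s is not an approved token" % to)
        if recipient not in ALLOWED_RECIPIENTS:
            findings.append("token recipient %s is not allow-listed" % recipient)
        if tx["value"] != 0:
            findings.append("token transfer also carries ETH value")
    else:
        findings.append("calldata is neither empty nor a plain ERC-20 transfer")
    return findings


if __name__ == "__main__":
    for name, tx in (("expected", EXPECTED_TX), ("tampered", TAMPERED_TX)):
        print(name, review_safe_tx(tx) or "OK")
```

The check is only useful when its input comes from an independent decoder or the signing device rather than from the same web page that displayed the transfer.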

On-chain fund dynamics: The hacker is quickly dumping ETH, having transferred 10,000 ETH to 39 addresses

At 11:35 am, Arkham detected that the $1.4 billion in ETH and stETH that flowed out of Bybit had been transferred to new addresses for sale. As of that time, the hacker had sold $200 million worth of stETH. The on-chain tracking address is https://intel.arkm.com/explorer/address/0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2.

At midnight, ZachXBT updated the latest on-chain fund dynamics again, in which 10,000 ETH were dispersed by the hacker into 39 addresses, and the hacker also transferred another 10,000 ETH to 9 other addresses.

At 12:18 pm, according to Arkham's monitoring, about $100 million worth of ETH (about 40,000) has been transferred from the hacker's original address to new wallets.

On-chain fund dynamics

As of the time of writing, the hacker's original address only had $3.669 million in assets left, with ETH holdings plummeting to 1,346 ETH.

On-chain information

After a small-scale investigation, Yu Xian, the founder of the security company SlowMist, posted that based on the modus operandi against the Safe multi-signature wallet and the current money laundering method, he initially suspects that this incident may have been carried out by North Korean hackers, and that the specific information still needs further tracking.

Subsequently, SlowMist released the details of the Bybit attacker's operations:

Aftermath of the Bybit theft incident: Currently under control

The theft of up to $1.46 billion in ETH-related assets is the largest security incident in terms of the amount stolen in 2025 or even 2023, which has further exacerbated market concerns about ETH price performance and Bybit asset security. As for the former, there is indeed some risk in the short term.

However, in the medium to long term, these market concerns should prove unfounded. The reasoning is that ETH is the most decentralized asset other than BTC, and the hackers are more likely to hold the majority of the ETH than to dump it directly at low prices.

Regarding the latter, Bybit also responded immediately. At 7:07 am on the 22nd, Bybit co-founder Ben Zhou wrote in response: "Even if the losses caused by this hacking attack cannot be recovered, Bybit's assets are still 1:1 guaranteed, and we can bear the losses." The statement demonstrated the confidence and assurance of an established exchange.

On this point, in addition to the usual on-chain Merkle tree proof of reserves, information that Bybit co-founder and CEO Ben Zhou gave in a previous interview can also serve as evidence. He mentioned that "about 80% of Bybit's company assets are stablecoins, and the remaining part exists in the form of fiat currency. The core goal of this configuration is to ensure the financial soundness of the exchange, rather than pursuing asset appreciation."

Multi-party assistance and statements

After the incident, CZ replied to Ben Zhou's tweet saying: "This is not an easy situation to handle. Suggest temporarily suspending all withdrawals as a standard security precaution. Will provide any assistance if needed." Binance co-founder He Yi responded to Bybit CEO Ben Zhou, saying, "Will provide support if needed."

TRON founder Justin Sun posted that he is "closely monitoring the Bybit security incident and will do everything possible to assist the partner in tracking the relevant funds and provide all possible support."

Additionally, on-chain analyst @ai_9684xtpa noted: "Ethena has 21% of its USDe executing a delta-neutral hedging strategy on Bybit, with the ETH portion valued at $227 million, uncertain if it will be affected. After Bybit confirmed the theft, ENA has fallen 11.5% and recouped today's gains."

Ethena Labs later posted that it had noticed the Bybit incident, and that all spot assets supporting USDe are held through an off-exchange custodial solution, with no spot value reserve funds stored on any exchange (including Bybit). Currently, the unrealized profit and loss of Bybit's hedging position is less than $30 million, less than half of the reserve fund; USDe has sufficient collateral, and more information will be provided as soon as an update is received.

In the latest news, Bybit CEO Ben Zhou posted on the Odaily platform stating that he will soon be live-streaming to answer all questions.

Odaily will also continue to track the latest news on the Bybit asset theft incident and look forward to a satisfactory resolution of this matter.
