One vulnerability, roughly $1.46 billion lost, and all of it from a single entity.
That is the disaster that hit the trading platform Bybit. Its Ethereum cold wallet was drained by the North Korean hacking group Lazarus Group through a malicious contract upgrade. The haul exceeded the $611 million taken from Poly Network in 2021, as well as the roughly $1 billion Saddam Hussein took from the Central Bank of Iraq in 2003, making it the largest single theft on record by amount.
The theft set off a wave of panic and soul-searching across the industry. MetaEra walks through the events one by one to reconstruct the race against time that played out at Bybit.
Defying conventional wisdom: the cold wallet was attacked, so how did the hackers get through that wall of steel?
Anyone familiar with hot and cold wallets knows that a cold wallet's keys are kept offline, isolated from the Internet, and that moving funds out of one requires strict multi-party authentication and approval. Bybit used a Safe multi-signature wallet combined with hardware cold wallets, with a 3/3 signature threshold: all three private key holders had to sign any asset transfer before it could execute.
Lazarus Group did not attack the cold wallet's keys directly. Instead, by means that had not been fully established at the time of writing, it compromised the workflow the three signers used (the initial understanding was that the signers' computers had been breached). The attackers had deployed a backdoored contract three days in advance. When the signers carried out a routine transfer, the transaction they were shown was quietly swapped for one that invoked that malicious contract inside the wallet's own storage context, overwriting the Safe's implementation logic; that is what "malicious contract upgrade" means here.
In short, the root cause was a successful deception of the signers, a form of phishing: the key holders were tricked into signing transaction data they had not actually inspected, the contract was maliciously upgraded, and the attackers gained full control of the cold wallet and emptied it. The lesson is that however cold the key storage, the moment a human must approve what a screen shows them, the screen becomes the attack surface; and a multisig whose three signers all approve the same displayed request is, in practice, a single point of failure, which is exactly the kind of chokepoint attackers look for. The check that would have caught it is mundane: each signer independently recomputes the hash of the exact payload (target, value, calldata, operation) and compares it against what the hardware wallet displays before confirming, and refuses anything that is a delegatecall to an unknown contract.
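The mechanism described above, as an added simulation that is not Bybit's or Safe's code: a Safe-style proxy whose owners sign a digest over (to, value, data, operation, nonce), a backdoored contract that, when reached via DELEGATECALL, overwrites the proxy's storage slot 0 (the implementation address), and the independent pre-signing check that flags the swap. sha256 stands in for keccak256/EIP-712 and HMAC stands in for ECDSA so it runs offline with the standard library only; every address, key and balance is hypothetical.

```python
"""Simulation of a Safe-style multisig being hijacked through a signed
delegatecall, plus the pre-signing check that would have flagged it.
Constructed example (not Bybit's or Safe's code): sha256 stands in for
keccak256/EIP-712 and HMAC stands in for ECDSA; addresses are hypothetical."""
import hashlib
import hmac
import json

CALL, DELEGATECALL = 0, 1                # values of the Safe "operation" field
SAFE_IMPL = "0xSAFE_IMPLEMENTATION"      # legitimate Safe logic contract (hypothetical)
EVIL_IMPL = "0xATTACKER_IMPLEMENTATION"  # attacker's replacement logic (hypothetical)
EVIL_DELEGATE = "0xATTACKER_DELEGATE"    # backdoored contract deployed in advance (hypothetical)
COLD_WALLET, WARM_WALLET, ATTACKER = "0xCOLD", "0xWARM", "0xATTACKER"


def safe_tx_hash(to, value, data, operation, nonce):
    """Stand-in for safeTxHash: the owners sign THIS digest, regardless of
    what the signing interface displays to them."""
    payload = json.dumps([to, value, data, operation, nonce]).encode()
    return hashlib.sha256(payload).digest()


def sign(key, digest):
    """Stand-in for an owner's ECDSA signature over the digest."""
    return hmac.new(key, digest, hashlib.sha256).digest()


def attacker_delegate(storage, data):
    """Code of the backdoored contract. Under DELEGATECALL it runs with the
    proxy's storage, and slot 0 of a Safe proxy holds the implementation
    (masterCopy) address, so a single write upgrades the wallet's logic."""
    storage[0] = EVIL_IMPL


CONTRACTS = {EVIL_DELEGATE: attacker_delegate}


class SafeProxy:
    def __init__(self, owners, threshold, balance):
        self.storage = {0: SAFE_IMPL}      # slot 0: implementation address
        self.owners = dict(owners)         # owner name -> signing key
        self.threshold = threshold
        self.balances = {COLD_WALLET: balance, WARM_WALLET: 0, ATTACKER: 0}
        self.nonce = 0

    def implementation(self):
        return self.storage[0]

    def exec_transaction(self, to, value, data, operation, signatures):
        if self.implementation() != SAFE_IMPL:
            # The proxy now forwards to the attacker's logic: no owner checks,
            # so any caller can sweep the balance.
            self.balances[ATTACKER] += self.balances[COLD_WALLET]
            self.balances[COLD_WALLET] = 0
            return "drained"
        digest = safe_tx_hash(to, value, data, operation, self.nonce)
        valid = sum(
            1 for name, sig in signatures.items()
            if name in self.owners
            and hmac.compare_digest(sig, sign(self.owners[name], digest))
        )
        if valid < self.threshold:
            raise PermissionError("signature threshold not met")
        self.nonce += 1
        if operation == DELEGATECALL:
            CONTRACTS[to](self.storage, data)  # target code runs in OUR storage
        else:
            self.balances[COLD_WALLET] -= value
            self.balances[to] = self.balances.get(to, 0) + value
        return "ok"


def audit_tx(shown, signed, allowlist):
    """Checks each signer should run on the raw payload before confirming on
    the hardware wallet, instead of trusting the web interface."""
    findings = []
    if safe_tx_hash(**shown) != safe_tx_hash(**signed):
        findings.append("hash mismatch: displayed transaction differs from the one being signed")
    if signed["operation"] == DELEGATECALL:
        findings.append("operation is DELEGATECALL: target code would run inside the wallet's storage")
    if signed["to"] not in allowlist:
        findings.append("target %s is not an allowlisted destination" % signed["to"])
    return findings


def run_attack():
    """Three owners approve what looks like a routine cold-to-warm transfer;
    the payload actually signed is a delegatecall to the backdoor."""
    owners = {"signer1": b"key-1", "signer2": b"key-2", "signer3": b"key-3"}
    wallet = SafeProxy(owners, threshold=3, balance=400_000)  # constructed round number
    shown = dict(to=WARM_WALLET, value=30_000, data="", operation=CALL, nonce=0)
    signed = dict(to=EVIL_DELEGATE, value=0, data="", operation=DELEGATECALL, nonce=0)
    digest = safe_tx_hash(**signed)  # what the compromised interface feeds the signers
    sigs = {name: sign(key, digest) for name, key in owners.items()}
    impl_before = wallet.implementation()
    wallet.exec_transaction(signed["to"], signed["value"], signed["data"], signed["operation"], sigs)
    impl_after = wallet.implementation()
    # The follow-up sweep needs no signatures at all: the attacker's logic is in charge.
    wallet.exec_transaction(ATTACKER, wallet.balances[COLD_WALLET], "", CALL, {})
    return {
        "impl_before": impl_before,
        "impl_after": impl_after,
        "cold_balance": wallet.balances[COLD_WALLET],
        "attacker_balance": wallet.balances[ATTACKER],
        "findings": audit_tx(shown, signed, {WARM_WALLET}),
    }


if __name__ == "__main__":
    for key, val in run_attack().items():
        print(key, val)
```

The point of audit_tx is that it never consults the interface: it recomputes the digest from the raw fields and compares that with the digest the hardware wallet is about to sign, then rejects any DELEGATECALL and any destination outside an allowlist. With three owners all trusting the same displayed request, the threshold adds nothing; with even one owner running this check, the swapped transaction is refused.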
Community vote: how feasible is rolling Ethereum back to before the theft?
Because the stolen sum is astronomical, calls to "roll back" the chain to its pre-theft state grew louder and louder. On February 22, Bybit CEO Ben Zhou was asked in a Spaces whether he supported rolling the Ethereum blockchain back to its state before the Lazarus Group attack on February 21. He responded: "I'm not sure if that's a human decision. Based on the spirit of the blockchain, maybe this should be a voting process to see what the community wants, but I'm not sure."
Ethereum core developer Tim Beiko then published a post explaining why rolling Ethereum back is no longer possible. In the Ethereum of 2025, DeFi and bridges to other chains mean stolen funds are quickly entangled with the rest of the application layer: they can be swapped on a decentralized exchange, the tokens received can be posted as collateral in a lending protocol, and the borrowed assets can be bridged to an entirely different chain. A full "rollback" would invalidate all recent on-chain activity, which makes matters worse rather than better. Settled transactions, many with consequences outside Ethereum (exchange sales, RWA redemptions and the like), would be reversed on-chain while their off-chain side cannot be. Pull one thread and the whole fabric unravels; the damage from a rollback would exceed the damage it tried to undo, so it is not a sensible remedy.
CZ's suggestion: pausing withdrawals after an incident sparks heated debate
After the Bybit theft, Binance co-founder CZ replied to Bybit CEO Ben Zhou on X: "This is not an easy situation to handle. The possible suggestion is to temporarily suspend all withdrawals as a standard security precaution. I will provide any assistance if needed."
Nansen CEO Alex Svanevik responded on X to CZ's suggestion that Bybit suspend withdrawals during the incident: "As a user, the problem with suspending withdrawals is that the exchange shows an extreme sense of helplessness about its own funds. Even without a hack, preventing or delaying withdrawals is extremely frustrating, which is why many people have abandoned Coinbase: they too frequently delay the waiting time for users to withdraw."
Bybit CEO Ben Zhou replied on X to those questioning CZ: "I do agree with CZ's point that if this hacker attack had been through penetrating our internal systems (such as a part of the withdrawal system) or the hot wallet had been attacked, we would immediately suspend all withdrawals until the root cause is found. But in yesterday's incident, the ETH cold wallet was attacked, which is unrelated to any of our internal systems."
As for user withdrawals, Bybit processed every pending withdrawal within 12 hours of the attack; the withdrawal system has returned to normal speed, and users can withdraw any amount without delay.
Help from peers: funding and support from multiple parties carry Bybit through the crisis
Within two hours of the incident, a Binance whale and Bitget deposited over 50,000 ETH directly into Bybit's cold wallet, with Bitget's contribution amounting to a quarter of all the ETH it holds. MEXC's hot wallet also transferred 12,652 stETH ($33.75M) directly to Bybit's cold wallet.
Notably, according to SoSoValue's statistics and the latest monitoring data from the on-chain security team TenArmor, the Bybit platform received over $4 billion in inflows in the following 12 hours, including 63,168.08 ETH, $3.15 billion in USDT, $173 million in USDC and $525 million in CUSD, fully covering the losses from the attack.
Other players also rallied behind Bybit. HashKey voiced support on its official Twitter account, strongly condemning the hackers' illegal actions and expressing confidence that Bybit's security incident would be properly handled and overcome. BitMart founder Sheldon posted on X that the relevant addresses had been frozen on his platform, and that should the stolen assets flow into BitMart they would be frozen immediately to support recovery efforts. Justin Sun, global advisor to Huobi HTX and founder of TRON, said: "We have been closely following the Bybit incident and will make our best efforts to assist our partner in tracking the relevant funds and provide all the support within our capabilities."
The cold shoulder: eXch refuses to intercept the stolen funds for Bybit
According to Ember Monitoring, in the two and a half days since the incident the Bybit hacker had already laundered 89,500 ETH ($224 million), about 18% of the total ETH stolen (499,000 ETH). At that pace the remaining roughly 410,000 ETH could be converted into other assets (BTC, DAI and so on) in a little under two more weeks.
On February 22, on-chain investigators found that 5,000 ETH of the stolen funds were being laundered through eXch and swapped into Bitcoin via Chainflip. In response, Bybit asked eXch to block the funds and trace their movement. eXch instead made the request public and refused to cooperate; in its emailed reply to Bybit it said it would provide no assistance because Bybit had previously banned eXch's users.
Bybit CEO Ben Zhou subsequently tweeted: "At this moment, it is actually not about Bybit or any entity, but about the general attitude of our industry towards hackers. I sincerely hope that eXch will reconsider and help us stop the outflow of funds. We have also received assistance from Interpol and international regulators, and helping to stop these funds is not just helping Bybit."
eXch has plainly cast itself as abetting the thieves, and judging from its reply, its "upholding the ideal of decentralization" is a thin justification that collapses on contact.
The final chapter: Bybit fully restored, launches bounty program
After a series of remedial measures, borrowing, appeals and self-rescue efforts, Bybit issued an official announcement: Bybit has been officially registered with the Indian authorities, and all Bybit services (including opening new trades and access to every product) have been fully restored for existing users.
Bybit CEO Ben Zhou posted on X that a Lazarus bounty website has been launched, which will publish transparent data on the Lazarus Group's money-laundering activity. The total bounty is reported to be 10% of whatever is recovered; if every dollar were recovered it could reach as much as $140 million, split 5% to the entities that successfully freeze funds and 5% to the contributors who help trace them. More importantly, Bybit has taken a proactive stance, aiming not only to recover the stolen funds but also to set a new industry benchmark for responding to security threats.
Although Bybit has defused the most acute danger, a run on the exchange, the hackers still need to cash out the stolen ETH or convert it into other cryptocurrencies, which will put significant selling pressure on the market. The market has already slipped into a state of panic, and absent a positive catalyst in the short term it is showing signs of a bearish trend; investors should be cautious about how it performs from here.