Bybit’s $1.5B Hack: The Largest in Internet History

On February 21, 2025, Bybit, a leading global centralized cryptoasset exchange (CEX) specializing in spot and derivatives trading, experienced a historic breach resulting in the theft of approximately $1.5B. This incident now stands as the largest recorded hack in both crypto and broader internet history, surpassing prior breaches in scale and complexity. The attack targeted Bybit’s Ethereum-based cold wallet infrastructure, exploiting vulnerabilities in multi-signature protocols and transaction verification processes. Immediate remediation efforts by the exchange and industry partners have since stabilized operations, though the event underscores systemic risks in cryptoasset custody.

Inside Bybit’s $1.5B Hack: What We Know So Far

The exploit occurred when a hacker manipulated a wallet signature, tricking Bybit’s system into approving a transaction that altered the smart contract logic of its ETH cold wallet. The attack was disguised or “musked” to appear legitimate, showing the correct address and a trusted URL to Bybit’s team. However, this action inadvertently granted full custodial privileges, enabling the transfer of 401.35K ETH, valued at around $1.4B, and associated liquid staking derivatives (e.g., stETH, cmETH, mETH) to the hacker’s wallet.

The Impact on the Broader Market and ETH

The hack sparked a sell-off, driven by investor fears of broader market fallout on the day of the breach. ETH tumbled 8%, sliding from approximately $2.85K to $2.61K, while BTC dropped from just shy of $100K to $95K, and SOL briefly fell below $160. Despite the sharp reaction, the downturn proved short-lived, with all three assets rebounding to close the day within 5% of their opening levels. Although prices initially rebounded, the market faced renewed pressure this week due to the unwinding of several leveraged positions, heightened macroeconomic uncertainty following President Trump’s comments on imposing tariffs, and worsening market sentiment. To provide deeper insights, we will release a detailed report later this week analyzing the key drivers behind the current movements.

_{Figure 1: BTC, ETH, SOL Price Performance Throughout February}

^{Source: 21Shares, Glassnode}

Nevertheless, Bybit quickly assured users that all other cold wallets remained secure and that withdrawals were functioning as normal. However, this didn’t stop many users from withdrawing their funds from the exchange as seen below, adding to a total amount of around $6B in withdrawals.

_{Figure 2: Bybit Assets under Management vs. Net Flows in February}

^{Source: 21Shares, DeFiLlama}

Concurrently, over $566M in crypto long and short positions were liquidated across exchanges on the 21st, as investors sought to mitigate risk amidst heightened uncertainty.

‍

_{Figure 3: Crypto Futures Market Liquidations: Longs & Shorts}

^{Source: 21Shares, Coinglass}

Following the initial market volatility, ETH experienced a temporary 3.36% rebound to $2.76K, driven by speculation that Bybit would initiate a large-scale ETH repurchase to address liquidity concerns. As it turned out, they engaged in repurchasing some ETH, while other industry participants supported their efforts by lending them some capital, as we’ll break down later in the report. That said, this upward movement coincided with aggressive accumulation by high-net-worth individuals following the exchange’s public disclosure of the breach, as seen below.

‍

_{Figure 4: ETH Performance vs. Accumulation by Large Holders}

^{Source: 21Shares Glassnode}

Beyond the majors, Ethena’s USDe stablecoin was initially projected to be exposed to the Bybit breach due to $30M in derivative hedging exposure on the exchange, which posed a potential risk to its collateralization framework. However, Ethena’s reserves ($65M as of 24th of February 2025) exceeded this exposure, and its assets—held in off-exchange custody solutions such as Copper’s Clearloop —were insulated from direct losses. Through rapid mitigation, Ethena reduced its exposure to $10M within hours and fully eliminated it by February 22, ensuring USDe remained fully collateralized despite the breach. In fact, Ethena was able to honor the largest un-staking request in its history, worth $250M, without any delays or by causing a severe depeg for the stablecoin, as seen below:

_{Figure 5: Ethena's USDe Price vs. Staking and Unstaking Net Flows}

^{Source: Dune}

All in all, despite the scale of the attack, Figure 7 shows that the stolen funds represent 7.50% of Bybit’s $20B in assets under management. With deep liquidity and diversified holdings across Bitcoin, stablecoins, and other assets, Bybit remains fully solvent and has already addressed the breach, ensuring continued operations without disruption to user funds.

_{Figure 6: Pre-Hack Breakdown of Bybit’s Assets under Management}

^{Source: 21Shares, Arkham Intelligence}

In addition, thanks to the transparency of blockchain technology, where every transaction can be traced, blockchain security experts quickly identified The Lazarus Group, a North Korean state-backed hacking organization, as the perpetrators behind the Bybit exploit. The group has a long history of executing some of the largest cyber heists in the digital asset space, allegedly using stolen funds to support North Korea’s weapons programs. Lazarus has been linked to several high-profile crypto breaches, including the $625M Ronin Bridge hack (2022). Their operations extend beyond crypto, with their fingerprints on major cyberattacks like the 2014 Sony Pictures hack and the 2016 Bangladesh Bank heist, where they attempted to steal nearly $1B via the SWIFT banking system.

_{Figure 7: Lazarus Group: Hacking Activity Over the Years}

^{Source: 21Shares, Chainalysis}

Where Do We Stand Today?

Bybit has already tracked and recovered approximately $50M in stolen crypto, monitoring fund movements in real-time. The exchange is working closely with centralized platforms and stablecoin providers to identify, block, and freeze wallets associated with the hackers, significantly restricting their ability to launder the stolen assets. This rapid response highlights how blockchain’s inherent transparency can be a powerful tool in combating cybercrime.

Further, as of February 24, Bybit has fully replenished its Ethereum reserves with 446.87K ETH worth around $1.23B, independently verified by analytics firm Lookonchain. The reserve restoration was achieved through a combination of CEX purchases, strategic loans from institutional partners, and over-the-counter (OTC) transactions with high-net-worth entities, as illustrated below: 

_{Figure 8: Detailed Breakdown of the Entities that Supported Bybit}

^{Source: LookOnChain}

From this perspective, the crypto industry showcased a rapid and unified effort to support Bybit, recognizing its critical role as the fifth-largest exchange in the derivatives market and seeking to avert a crisis akin to the FTX collapse. This assistance extended beyond entities providing capital—whether through unconditional loans or other means—to include a diverse range of service providers working collectively to mitigate the risk of contagion. These included:

Security and Forensic Assistance

1. ZachXBT & Arkham Intelligence: Identified Lazarus Group’s involvement through on-chain analysis of fund laundering patterns
2. Elliptic: Traced stolen funds to North Korean operatives and alerted exchanges to freeze $42.89M in assets.
3. Fireblocks: Conducted forensic analysis of the attack vector (proxy contract exploit).
4. Hacken: Audited Bybit’s proof-of-reserves post-recovery.
5. Chainflip: Monitored Lazarus’ ETH-to-BTC bridge attempts despite decentralized limitations.

Asset Freezes and Anti-Laundering Efforts

1. Tether: Froze $181K in stolen USDT linked to hacker addresses.
2. Mantle Network: Frozen hacker-controlled mETH derivatives to prevent further laundering.

‍

Taking a Step Back...

As seen in Figure 9, Crypto exchange hacks are not new, and history has shown that the scale of these breaches can have lasting impacts. In 2014, Mt. Gox, which at the time handled over 70% of global Bitcoin transactions, suffered one of the most infamous hacks, losing 850K BTC. While worth approximately $450M then, at today’s price of $96K per Bitcoin, that loss would be valued at over $81B. Similarly, Bitfinex experienced a major breach in 2016, losing 119.76K BTC - an amount that was valued at $72M at the time, which would be worth over $11.5B today. These incidents highlight the significant risks of holding assets on centralized exchanges, as security vulnerabilities, insider threats, and external attacks have repeatedly led to catastrophic losses for users. Despite advancements in security practices, these risks persist, making it increasingly clear why institutional investors are turning to regulated investment vehicles like ETPs to gain exposure to digital assets.

_{Figure 9: Largest Hacks in the Crypto Industry}

^{Source: 21Shares, Investopedia}

‍

Exchange-Traded Products (ETPs): The Secure, Regulated Path to Crypto Exposure

There remain multiple ways to get crypto exposure today, each with its trade-offs, as outlined in Figure 10. Nevertheless, the Bybit hack is another reminder of a fundamental challenge: how to store assets securely without sacrificing accessibility.

_{Figure 10: Ways to Invest in Cryptoassets}

^{Source: 21Shares}

While CEXs may provide instant settlement and greater asset coverage, they expose users to counterparty risk—where a single failure can lead to catastrophic losses. Self-custody, while offering users full control, demands technical expertise to mitigate risks like hacks, mismanagement of keys, and smart contract vulnerabilities. Against this backdrop, ETPs emerge as a solution when it comes to mitigating risk.

_{Figure 11: How Cryptoassets are Custodied}

^{Source: 21Shares}

In the wake of the Bybit hack, and until institutional and mainstream investors are ready to transition to self-custody—a shift that will likely take time—ETPs offer a practical alternative. As seen in Figure 10, ETPs offer a range of benefits, making them an increasingly attractive option for transparent and regulated crypto exposure.

• Regulated Oversight: ETPs are regulated financial instruments. This ensures full transparency in asset holdings, security measures, and operational practices, mitigating risk of fund mismanagement as seen with FTX.
• Institutional-Grade Custody: Assets are held with specialized custodians, largely inaccessible to individual investors, focused solely on digital asset security.
• Multi-Custodian Model: Assets are distributed across multiple custodians, reducing the risk of any single point of failure.
• Ringfenced Assets: Assets are ring-fenced from the issuer—even in the event of insolvency.

What to Expect Moving Forward?

The potential liquidation of the stolen ETH by the Lazarus Group could exert significant forced selling pressure on the assets in the short to medium term, especially if large sell-offs occur during periods of low market liquidity. This incident may also accelerate the ongoing migration toward non-custodial infrastructure, mirroring the trend that followed the collapse of FTX, as users increasingly prioritize self-custody overreliance on CEXs, as depicted in Figure 11. Regulatory scrutiny is expected to intensify, particularly targeting mixer services like eXch, which have been exploited for laundering funds. As regulations take shape, centralized exchanges may be required to implement insurance funds similar to protections offered by traditional stock exchanges. 

_{Figure 12: Decentralized to Centralized Exchange Spot Volumes}

^{Source: 21Shares, TheBlock}

Much like Mt. Gox collapse in 2014 spurred advancements in exchange security; this hack could serve as a catalyst to strengthen crypto’s infrastructure through standardized custody audits and real-time treasury management systems. The breach also exposed vulnerabilities in multi-signature wallet security, previously considered robust, prompting an industry-wide reassessment of custody solutions and potentially accelerating the adoption of more advanced technologies like multi-party computation (MPC). Smaller exchanges may also struggle to retain user trust in this heightened security environment, likely leading to further consolidation within the industry as users gravitate toward larger platforms with proven safeguards. 

The market's reaction earlier this week suggests a heightened awareness of the persistent risks associated with crypto exposure following the recent hack, prompting some participants to potentially de-risk their positions. As noted, we will provide a more detailed report analyzing the market's recent behavior in the coming days.

‍