Bybit experienced the largest hack in crypto history, losing $1.4 billion worth of ETH due to a frontend vulnerability in the wallet interface.
The crypto community responded swiftly, with CEXs providing liquidity support, security researchers tracking stolen funds, and DeFi protocols implementing protective measures.
mETH Protocol successfully recovered $42 million worth of ETH from the hacker thanks to its built-in withdrawal delay and quick response.
The incident highlighted the crypto industry's ability to coordinate openly during crises, with various entities working together to mitigate the situation.
Bybit experienced the most severe hack in crypto history, resulting in the theft of approximately $1.4 billion worth of crypto assets. This accounts for 8.64% of Bybit's total reserve. How did this happen, and what followed the hack?
Source: X (@Sina_21st)
Source: X (@arkham)
On February 21, 2025, 401,347 ETH ($1.4 billion) was transferred from Bybit’s account to the hacker’s account. The stolen funds represent about 75% of Bybit's ETH reserve. The breach occurred during a routine transfer between Bybit's Ethereum multi-signature cold wallet and warm wallet.
The attackers were able to manipulate the transaction, showing wallet signers a legitimate-looking signing interface with correct addresses and URLs while secretly modifying the underlying smart contract logic. By implementing a malicious contract that intercepted the transaction process, the attackers tricked signers into authorizing what seemed to be a standard transfer. This blind signing vulnerability allowed the hackers to circumvent security protocols and divert funds to their controlled address.
Source: X (@arkham)
Immediately following the hack, Bybit’s CEO, Ben Zhou, confirmed the breach and explained how the attack happened. Within hours, ZachXBT flagged suspicious outflows totaling $1.46 billion and linked the attack to North Korea’s Lazarus Group, a well-known cybercriminal organization.
Bybit’s communication was swift. Zhou reassured users that only one cold wallet was compromised, other wallets remained secure, and client assets were fully backed 1-to-1, meaning the exchange could absorb the loss if necessary. However, the scale of the theft triggered a massive wave of withdrawal requests, with Zhou later reporting over 350,000 withdrawals in the first 10 hours, nearly 100 times the normal volume. Despite the pressure, Bybit maintained that operations continued normally, though ETH withdrawals were briefly delayed due to the specific targeting of their Ethereum reserves.
Source: X (@Bybit_Official)
Bybit also announced they had reported the incident to law enforcement and were collaborating with on-chain analytics providers to track the stolen funds. The hackers began moving the ETH, distributing it across 53 wallets to obscure their trail, and swapped significant amounts of stETH for ETH on DEXs, liquidating around $200 million worth. The crypto community rallied in support, with exchanges like Bitget providing loans to Bybit, while Arkham Intelligence posted an ARKM bounty to identify the hackers.
By February 22, roughly 12 hours after the hack, Zhou announced that all withdrawal requests had been processed, restoring the system to full capacity with no delays or amount restrictions. As of February 24th, Bybit has already fully closed the ETH gap through loans and OTC purchases.
Although the situation needs further monitoring, the biggest crypto hack in history was resolved without much panic in the market.
Source: Bybit Hack by the Numbers - Kaiko - Research
In TradFi, a comparable event would trigger panic, sell-offs, and regulatory overreach. But in crypto, the participants understand that setbacks are inevitable in an emerging technology, yet the fundamentals remain unchanged. Liquidity remains deep, innovation continues, and the strongest players adapt. This isn’t fragility; it’s proof that DeFi is evolving into an antifragile system—one that absorbs shocks, learns, and emerges stronger.
A $1.4 billion hack of one of the largest CEXs is enough to panic the market. However, the CEO quickly reassured users while other major CEXs stepped in to provide support. Security researchers began tracking the stolen funds, and related projects swiftly froze the hacker's assets. Other DeFi protocols entered war room mode to prepare for the worst-case scenarios, while researchers and data analysts shared real-time information about the hack.
This exemplifies the kind of open coordination we can only observe in crypto—not just empty PR statements while waiting for official updates. This incident showcased crypto's ability to coordinate swiftly and openly during crises.
Multiple entities worked together to mitigate the panic.
2.1.1 Safe: Technical First Responder
The hack happened because the victims believed they were approving legitimate transactions in the Safe frontend interface, but in reality they signed a fraudulent one. As news of the breach spread, Safe got involved to look into the situation. The protocol's CTO, Lukas Schor, went in to review the service and recommended using other frontends like palmera and proto.
A recent forensic report on the hack revealed that malicious code inserted into the app.safe.global frontend caused the breach. While Safe's smart contract remains unaffected, the detailed root cause is still under investigation.
Source: X (@SchorLukas)
2.1.2 CEXs - Provide the Liquidity
Within the critical first 24 hours, KuCoin, MEXC Global, OKX, and Bitget announced their support for Bybit. This swift action prevented a withdrawal halt or an impact on the ETH market. According to LookOnChain, large transfers from MEXC and Bitget have been made.
Source: X (@lookonchain)
2.1.3 Security Researchers - Track On-Chain Data
In the aftermath of the breach, ZachXBT emerged as a crucial incident commander, with his network of white-hat hackers and exchange compliance teams. By publishing findings through the Chainabuse platform, ZachXBT enabled crowdsourced analysis that revealed the addresses associated with the hacker. Also, the Security Alliance (SEAL) immediately released detailed advisories about North Korean hacker tactics targeting exchange hot wallets.
2.1.4 Protocols - Recover the Loss
In response to the hack, several projects took immediate action: mETH Protocol leveraged its withdrawal delays and blacklisted the hacker’s addresses, recovering $42 million worth of ETH. In addition, Tether froze 181,000 USDT, and Chainflip disabled frontend services and enhanced screening. The collaborative effort was possible because security researchers published the hacker’s addresses and protocols followed up on the hack.
Source: X (@Bybit_Official)
2.1.5 DeFi Protocols - Being Transparent About the Situation
In response to the hack, major DeFi protocols took swift action. Guy, CEO at Ethena Labs, assured the market that Ethena successfully handled its largest single day of redemptions and unwound all unrealized exposure to Bybit within an hour of the news breaking. A full account of how Ethena handled the situation has been published publicly.
Chaos Labs and AAVE entered a war room to assess potential risks to AAVE if USDe depegs. The main concerns focused on USDe's impact. While USDe remained solvent, the oracle amplified risks because the off-chain price feed differed from the on-chain price. The key lesson: risk, price, and proof of reserves data must work together—not in silos—to secure value and maintain DeFi system resilience under stress. This lesson was immediately shared by Omer Goldberg, CEO at Chaos Labs.
Source: Ethena and Exchange Risk: Bybit Case Study — Ethena Labs
*The situation is still ongoing. There are more teams working in the background to support Bybit.
Source: mETH Protocol Update Regarding Bybit Security Incident | mETH Protocol
The mETH Protocol swiftly acted to recover $42 million worth of ETH from the hacker, equivalent to about 3% of the total hack. Their 8-hour withdrawal delay proved crucial, allowing the protocol team to detect the unauthorized withdrawal attempt before processing. This delay prevented the hacker from immediately moving 15,000 cmETH and gave the protocol time to respond. After detecting the suspicious activity, the protocol paused the cmETH contract, halting all withdrawals. This security measure is standard practice in DeFi protocols to prevent rapid fund drainage during exploits.
Additional measures were taken to further weaken the impact.
Address Blacklisting: The blacklisting of the exploiter's wallet addresses was a direct response to isolate the hacker. By preventing further interactions, the protocol ensured that the hacker could not initiate new transactions or attempt to move cmETH.
Reduced Liquidity: Reducing cmETH liquidity on Mantle Network L2 was an additional layer of security to limit the token's availability for trading. This step likely aimed to restrict the hacker's ability to swap or sell cmETH on DEXs, as noted in reports where the hacker swapped mETH for ETH. This measure helped contain the potential spread of the exploit.
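The delay-then-respond sequence described above, modelled as an added example (a simplified Python sketch, not mETH Protocol's contract code). The class, function and address names are hypothetical; the 8-hour delay and the 15,000 cmETH amount come from the text.

```python
from dataclasses import dataclass, field

DELAY_SECONDS = 8 * 60 * 60  # the 8-hour withdrawal delay from the text

@dataclass
class Request:
    owner: str
    amount: int
    requested_at: int
    claimed: bool = False

@dataclass
class DelayedWithdrawals:
    """Toy model (hypothetical names): request now, claim only after the delay."""
    paused: bool = False
    blacklist: set = field(default_factory=set)
    requests: list = field(default_factory=list)

    def _guard(self, owner: str) -> None:
        # Pause and blacklist are checked on every entry point, including claim,
        # so a request queued before detection can still be stopped.
        if self.paused:
            raise PermissionError("contract paused")
        if owner in self.blacklist:
            raise PermissionError("address blacklisted")

    def request(self, owner: str, amount: int, now: int) -> int:
        self._guard(owner)
        self.requests.append(Request(owner, amount, now))
        return len(self.requests) - 1

    def claim(self, request_id: int, now: int) -> int:
        req = self.requests[request_id]
        self._guard(req.owner)
        if req.claimed or now < req.requested_at + DELAY_SECONDS:
            raise PermissionError("not claimable yet or already claimed")
        req.claimed = True
        return req.amount

def simulate(response_after_hours: float) -> int:
    """Amount a flagged address withdraws if the team reacts after N hours."""
    vault = DelayedWithdrawals()
    rid = vault.request("0xFLAGGED", 15_000, now=0)  # constructed address
    if response_after_hours * 3600 <= DELAY_SECONDS:  # reaction inside the window
        vault.paused = True
        vault.blacklist.add("0xFLAGGED")
    try:
        return vault.claim(rid, now=DELAY_SECONDS)  # earliest possible claim
    except PermissionError:
        return 0
```

The delay only protects funds when monitoring fires inside it: a response at hour 2 blocks the claim, while a response at hour 9 arrives after the funds have left.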
After the report on how the hack happened, there have been discussions on how this could have been prevented. Since this was due to a frontend bug by a third party and an operational culture issue, more thorough measures could have prevented this incident, for example having a locally-hosted frontend and implementing multi-layer verification.
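One way to implement such a verification layer, as an added example (not code from Safe, Morpho or Bybit): before signing, decode the raw Safe transaction fields independently of the frontend and compare them with the intended transfer. The `to`/`value`/`data`/`operation` fields are Safe's transaction parameters (operation 1 is a delegatecall, which runs the target's code against the wallet's own storage); the addresses, the intent format and the function names are constructed for illustration.

```python
ERC20_TRANSFER = "a9059cbb"  # selector of transfer(address,uint256)
CALL, DELEGATECALL = 0, 1    # values of the Safe `operation` field
WARM = "0x" + "11" * 20      # constructed addresses, not real wallets
OTHER = "0x" + "22" * 20
INTENT = {"kind": "eth", "recipient": WARM, "amount": 10**18}
GOOD_TX = {"to": WARM, "value": 10**18, "data": "0x", "operation": CALL}
BAD_TX = {"to": OTHER, "value": 0, "data": "0xdeadbeef", "operation": DELEGATECALL}

def decode_effect(tx: dict) -> dict:
    """Work out what the raw payload does, ignoring anything a UI displayed."""
    data = tx["data"].lower()
    data = data[2:] if data.startswith("0x") else data
    if tx["operation"] != CALL:  # anything but a plain call is treated as delegatecall
        return {"kind": "delegatecall", "target": tx["to"].lower()}
    if not data:
        return {"kind": "eth", "recipient": tx["to"].lower(), "amount": tx["value"]}
    if data[:8] == ERC20_TRANSFER and len(data) == 8 + 128:
        return {"kind": "erc20", "token": tx["to"].lower(),
                "recipient": "0x" + data[32:72],   # low 20 bytes of the first word
                "amount": int(data[72:], 16)}
    return {"kind": "unknown", "target": tx["to"].lower(), "selector": data[:8]}

def review(tx: dict, intent: dict, delegatecall_allowlist=frozenset()) -> list:
    """Return reasons to refuse signing; an empty list means payload matches intent."""
    effect = decode_effect(tx)
    if effect["kind"] == "delegatecall":
        if effect["target"] in delegatecall_allowlist:
            return []
        return ["delegatecall to non-allowlisted contract " + effect["target"]]
    if effect["kind"] == "unknown":
        return ["undecodable call, selector 0x" + effect["selector"]]
    findings = []
    if effect["kind"] != intent["kind"]:
        findings.append(f"expected {intent['kind']} transfer, payload is {effect['kind']}")
    if effect.get("token") != intent.get("token"):
        findings.append("token contract differs from intended")
    if effect["recipient"] != intent["recipient"].lower():
        findings.append("recipient differs from intended " + intent["recipient"])
    if effect["amount"] != intent["amount"]:
        findings.append("amount differs from intended")
    return findings
```

The check is only meaningful when it runs on the exact payload handed to the signing device, on a machine that does not load the same frontend code.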
What's done is done. Lessons should be taken and implemented by all exchanges, DAOs, and onchain traders. Now, there are many guides on how to prevent this kind of incident. Morpho shared its code on signing Safe transactions more securely, and John Rising shared how this asset management system could be built better, among others.
On the bright side, we observed how crypto demonstrated its ability to coordinate openly and transparently in its own way. This is only possible in crypto. All participants rallied to support each other and focused on minimizing potential damage to the industry. As a result, while this hack was a huge loss, we've seen that we're moving toward building a more collaborative and professional system.