
On the evening of February 21, blockchain investigator ZachXBT reported detecting a suspicious outflow of over $1.46 billion from the cryptocurrency exchange Bybit. The funds, originally in mETH and stETH, were rapidly converted into ETH through decentralized exchanges. Valued at the time of the incident, this is the largest cryptocurrency heist in history.
Coinbase executive Conor Grogan noted that the Bybit breach surpassed even the $1 billion heist of the Central Bank of Iraq and is ten times larger than the infamous 2016 DAO hack. Speculation has already emerged that the incident could ignite discussions about a potential Ethereum hard fork.
Blockchain analytics firm Arkham reported that ZachXBT provided compelling evidence linking the attack to the North Korea-affiliated Lazarus Group. The report includes test transactions, linked wallet addresses, forensic analysis, and a detailed event timeline. All findings have been shared with Bybit to aid in the ongoing investigation.
Bybit CEO Ben Zhou revealed that hackers manipulated the signing interface of the exchange’s cold wallet, altering the logic of its smart contract. This allowed the attackers to seize control and transfer assets to an unknown address. Zhou reassured users that all other wallets remain secure, and withdrawals are continuing as normal.
Bybit’s official account confirmed the attack, emphasizing that the exploit involved a sophisticated manipulation of the transaction signing interface. The platform’s security team, alongside leading blockchain analysts, is conducting a full-scale investigation. Bybit has assured customers that their personal funds remain unaffected.
Bybit also possesses sufficient reserves to cover the losses. According to the company, its total assets under management exceed $20 billion, and additional liquidity will be secured through external financing.
In response to the incident, Binance and Bitget transferred over 50,000 ETH to Bybit’s cold wallet. Bitget alone contributed a substantial sum—nearly a quarter of its platform’s ETH reserves. Bitget CEO Gracy Chen clarified that the funds belonged to the company, not its users.
Blockchain security firm SlowMist uncovered further details about the breach, confirming that attackers deployed a malicious contract to replace the original Safe wallet smart contract. Through backdoor functions, all assets were siphoned away.
According to Dilation Effect, the breach likely originated through social engineering, enabling hackers to gain control over one of the multisignature keys. The attack was executed in a highly deceptive manner—on the surface, transactions appeared routine, but in reality, they altered the contract’s underlying code.
Amid the turmoil, the stablecoin USDe briefly depegged, dropping to $0.965 before recovering to $0.99. Bybit relies on USDe as collateral for trading operations, but Ethena Labs reassured investors that all supporting assets are securely held in custodial services, not on exchanges.
Binance co-founder Changpeng Zhao (CZ) acknowledged the gravity of the situation, suggesting that a temporary halt in withdrawals might be a necessary security measure. He also offered assistance to Bybit in handling the aftermath. Meanwhile, Safe, the provider of Bybit’s affected wallets, announced an internal investigation, though no signs of compromise within its official infrastructure have been found so far.
Security analysts draw parallels between this attack and previous breaches of Radiant Capital and WazirX, both of which involved transaction signer manipulation. One theory suggests that malware on the signer’s browser or computer tampered with transactions before they were submitted to a hardware wallet. Though the transactions appeared legitimate, they effectively replaced the contract with a fraudulent one.
OneKey researchers proposed that hackers had prior access to at least three of the computers used for the multisignature process, waiting for the opportune moment. At the precise time of a routine transaction, attackers swapped the intended transfer for a contract update containing a backdoor, enabling a full-scale asset drain.
Bybit has assured users that it does not plan to repurchase ETH immediately but will cover losses through partnerships. Due to high withdrawal volumes, transaction processing times may be longer than usual.
Experts at Dilation Effect warn that traditional hardware wallets and multisignature mechanisms no longer provide adequate security for managing large-scale assets. If attackers can compromise multiple signers, there are no additional safeguards in place. Institutional custodial solutions are increasingly viewed as the only viable defense against such advanced attacks.
According to DeFiLlama, Bybit has experienced a net outflow of $2.399 billion in the past 24 hours. Approximately $14 billion remains on the platform, with 70% of it held in Bitcoin and USDT. The exchange has provided investigative materials to law enforcement and is actively collaborating with blockchain analytics firms to track the stolen assets.
The Bybit hack has reignited discussions on a possible Ethereum hard fork. Coinbase’s Conor Grogan dismissed the likelihood of such a move but acknowledged that debate on the matter is inevitable. Investor Arthur Hayes recalled that Ethereum underwent a similar fork following the 2016 DAO hack, implying that another rollback, though improbable, cannot be ruled out entirely.
Further technical analysis of the breach reveals that attackers altered the logic of a smart contract—a program designed to execute automatically under predefined conditions. In this case, the hackers disguised their actions as a legitimate interface for transferring assets from cold storage to hot wallets, presenting the correct recipient address visually while manipulating the actual transaction logic.
Preliminary findings suggest that as early as February 19, the attacker deployed a malicious smart contract, having gained access to three digital signatures from the wallet’s owners. Then, on February 21, using multisignature authorization, they replaced the legitimate Safe smart contract with a compromised version. Due to the intricate nature of the attack, the modification went unnoticed, as contract code is typically immutable unless explicitly designed for updates.
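The defensive check that the signer-manipulation theory above (and the OneKey account earlier) calls for is an independent decode of the raw request before it reaches the hardware wallet, compared against what the UI displays. The code below is an added example, not code from Bybit, Safe, or any of the analysts cited; it assumes a request with fields to/value/operation/data (operation 0 meaning a plain call) and that the only legitimate action is an ERC-20 transfer; all addresses and payloads are constructed placeholders.

```python
# Added example: independently verify "what am I actually signing?" for a multisig
# transfer instead of trusting the signing UI's rendering of recipient and amount.
# Assumes a request shaped as {to, value, operation, data}; operation 0 = plain call.
TRANSFER_SELECTOR = "a9059cbb"  # first 4 bytes of keccak256("transfer(address,uint256)")
CALL = 0  # any other operation code (e.g. a delegatecall) is flagged as suspicious

def encode_transfer(to: str, amount: int) -> str:
    """ABI-encode an ERC-20 transfer(address,uint256) call (used to build test payloads)."""
    return TRANSFER_SELECTOR + to[2:].lower().rjust(64, "0") + format(amount, "064x")

def decode_call(data: str) -> dict:
    """Split calldata into selector and 32-byte words; only transfer(address,uint256) is understood."""
    data = data[2:] if data.startswith("0x") else data
    selector, body = data[:8], data[8:]
    if selector != TRANSFER_SELECTOR or len(body) != 128:
        return {"selector": selector, "known": False}
    return {"selector": selector, "known": True,
            "to": "0x" + body[24:64], "amount": int(body[64:128], 16)}

def verify_signing_request(displayed: dict, request: dict) -> list:
    """Return every mismatch between the raw request and the displayed intent (empty list = consistent)."""
    problems = []
    if request["operation"] != CALL:
        problems.append("operation is not a plain call")
    if request["to"].lower() != displayed["token"].lower():
        problems.append("target contract differs from displayed token")
    if request["value"] != 0:
        problems.append("unexpected native ETH value attached")
    decoded = decode_call(request["data"])
    if not decoded["known"]:
        problems.append(f"unrecognised function selector 0x{decoded['selector']}")
        return problems
    if decoded["to"].lower() != displayed["recipient"].lower():
        problems.append("recipient in calldata differs from displayed recipient")
    if decoded["amount"] != displayed["amount"]:
        problems.append("amount in calldata differs from displayed amount")
    return problems

# Constructed placeholder addresses (not real contracts or wallets)
TOKEN = "0x" + "11" * 20
HOT_WALLET = "0x" + "22" * 20
WALLET_SELF = "0x" + "33" * 20
INTENT = {"token": TOKEN, "recipient": HOT_WALLET, "amount": 10**18}  # what the UI shows

def consistent_request() -> dict:
    """Raw request that really is the displayed cold-to-hot transfer."""
    return {"to": TOKEN, "value": 0, "operation": CALL, "data": encode_transfer(HOT_WALLET, 10**18)}

def mismatched_request() -> dict:
    """Constructed request that targets the wallet contract itself with an unknown, non-call operation."""
    return {"to": WALLET_SELF, "value": 0, "operation": 1, "data": "0x" + "aa" * 4 + "00" * 32}
```

Running the check against both constructed requests shows the first passing cleanly and the second producing three findings, which is the point at which a signer should refuse to sign regardless of what the interface displays.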
Bybit CEO Ben Zhou speculated that the breach might have been facilitated by a compromise of Safe, the provider of the exchange’s secure crypto wallets. In theory, cold wallets are not connected to the internet, yet attackers still managed to manipulate transactions. Safe, however, maintains that its systems remain uncompromised, though some wallet functions have been temporarily suspended as a precaution.
This incident underscores the inherent risks of smart contracts, which, while offering powerful automation for financial operations, remain susceptible to vulnerabilities in both coding and governance. It is a stark reminder of the necessity for DevSecOps best practices, rigorous contract audits, and Bug Bounty programs—security measures that, unfortunately, failed to prevent this catastrophic breach.