TechForge

February 24, 2025

  • Bybit sees $5.5 billion outflow after hackers take $1.4 billion from its ether wallet.
  • Recovers liquidity, but suffers a 50% bank run before operations stabilised.

Cryptocurrency exchange Bybit has experienced total outflows exceeding $5.5 billion after suffering a $1.4 billion security breach, reportedly carried out by hackers linked to North Korea’s Lazarus Group. The attackers targeted the exchange’s ether cold wallet, prompting Bybit to secure emergency funding to maintain withdrawal operations.

Massive withdrawals and emergency response

Data from DeFiLlama showed assets associated with Bybit’s wallets dropped from $16.9 billion to $11.2 billion following the breach. In an X Spaces session, Bybit CEO Ben Zhou stated that as soon as the attack was identified, the exchange prioritised processing withdrawals. According to Zhou, hackers drained 70% of clients’ ether holdings, forcing Bybit to secure loans to maintain withdrawal liquidity. However, stablecoin withdrawals quickly overtook ether, as most users moved their funds to other platforms.

Bybit had the reserves to support withdrawals, but the situation was complicated when Safe, a decentralised custody protocol, temporarily shut down smart wallet functionalities to address security concerns.

Zhou noted that $3 billion in USDT was locked in a Safe wallet, delaying access to important reserves.

Safe stated on social media that while it had not found evidence of a frontend compromise, certain functionalities were paused as a precautionary measure. With mounting withdrawal requests, Bybit’s security team worked to develop software that manually verified transaction signatures, allowing funds to be moved from the Safe wallet. Despite challenges, the exchange managed to transfer its $3 billion in stablecoin reserves, but not before experiencing a 50% bank run.

Authorities and blockchain analysts investigate

Bybit has engaged law enforcement agencies, including Singaporean authorities and Interpol, to track the stolen assets. Blockchain analysis firms, like Chainalysis, have also been asked to assist in identifying the movements of the stolen funds. Zhou emphasised that Bybit is committed to monitoring the attackers’ activities in the hope that the stolen assets can be traced and recovered.

Rolling back Ethereum considered

During the session, Zhou acknowledged that some industry figures, including BitMEX co-founder Arthur Hayes, suggested the possibility of an Ethereum blockchain rollback to recover lost funds. Bybit’s team collaborated with Ethereum co-founder Vitalik Buterin and the Ethereum Foundation to explore alternative solutions.

However, Zhou pointed out that such a choice would require community consensus and is unlikely to be taken unilaterally. “I’m not sure it’s a one-man decision based on the spirit of blockchain. It should be a work in process to see what the community wants,” Zhou said.

A rollback on Ethereum would be technically complex, given its smart contract infrastructure. Any attempt to alter the blockchain’s state would likely lead to a contentious hard fork, splitting the network and facing resistance from parts of the community.

Investigation into the attack

Bybit continues to investigate the exact cause of the security breach. Zhou stated that the exchange’s computers were not compromised, and an internal review of transaction signers has so far revealed no irregularities in their activity. “We know the cause is definitely around the Safe cold wallet. Whether it’s a problem with our laptops or on Safe’s side, we don’t know,” Zhou added.

Bybit replenishes ether reserves after hack

Despite its losses, Bybit has restored a 1:1 backing of client assets after securing additional funds. On-chain tracking service Lookonchain reported Bybit has replenished 446,870 ETH – worth approximately $1.23 billion – through a mix of loans, large deposits, and ether purchases. Blockchain activity suggests that Bybit obtained over $400 million in ETH through over-the-counter trades, an additional $300 million from exchanges, and nearly $300 million through cryptocurrency fund-backed loans.

The ETH price initially saw a 4% rise over the weekend due to increased buying activity but later dropped 2% as market sentiment remained cautious. Meanwhile, Bybit stated that as of Sunday, deposits and withdrawals have returned to normal levels, with deposits slightly exceeding withdrawals.

Attack linked to North Korea’s Lazarus Group

The security breach has been linked to the Lazarus Group, an allegedly state-sponsored North Korean hacking collective known for high-profile cryptocurrency attacks. Blockchain analyst ZachXBT identified transaction patterns similar to those used in previous attacks by Lazarus. The hacking group has been responsible for several major incidents, including the $600 million Ronin Network hack (2022), and a $230 million attack on Indian exchange WazirX in 2024.

Hackers reportedly gained access to Bybit’s cold wallet by manipulating a UI vulnerability and altering smart contract logic to redirect funds. The stolen ether was then split across multiple wallets and exchanged for other assets on other decentralised platforms.

Next steps for Bybit

Following the attack, Bybit has moved a large portion of its funds away from Safe cold wallets and is reviewing alternative custody solutions. The exchange continues to work with security experts and law enforcement to recover stolen assets. The case underscores ongoing security risks in the cryptocurrency industry, particularly with the increasing sophistication of cyberattacks targeting centralised exchanges.

About the Author

Muhammad Zulhusni

As a tech journalist, Zul focuses on topics including cloud computing, cybersecurity, and disruptive technology in the enterprise industry. He has expertise in moderating webinars and presenting content on video, in addition to having a background in networking technology.
