
Bybit Hack Report:

 

Initial Incident:

  • On Friday, February 21, 2025, 14:16 UTC, $1.46B worth of assets, including 401,346.76 ETH, 90,375.54 stETH, 8,000 mETH, and 15,000 cmETH, were moved out of Bybit’s cold wallet, 0x1db, to a suspicious address, 0x476.
  • All stolen funds in the form of stETH and mETH have been exchanged for ETH.
  • The hacker attempted to unstake 15,000 cmETH but was blocked by the cmETH withdrawal contract because the cmETH liquidity pool was insufficient, suggesting that the 15,000 cmETH is likely interceptable.

 

Current Status:

  • The hacker appears to have received gas fees in ETH from Binance.
  • The hacker was later identified by the on-chain analyst, @zachxbt, as the LAZARUS GROUP.
  • The hacker currently holds 499,000 ETH ($1.34B) across 53 addresses, tracked as the entity "Bybit Exploiter".

Bybit's Status and Activities post-Hack:

  • The $1.46B loss represents 8.64% of Bybit’s $16.2B reserves, which technically can be covered.
  • At least $200M USDT moved from Bybit’s cold wallet to its hot wallet within 30 minutes after the hack, most likely for customer withdrawals.
  • [Update] Withdrawals remain functional despite the hack and a surge in withdrawal demand. Bybit CEO Ben Zhou stated that in the 10 hours following the hack, the exchange saw an unprecedented surge in withdrawals, processing over 350,000 requests, with around 2,100 still pending. Despite the high volume, 99.994% of withdrawals have been completed.

 

Fig 1. The current holdings of the Bybit Exploiter entity.
