ZachXBT: $1.46B flowed out of Bybit Ethereum (ETH) cold wallet

Bybit, one of the most active centralized exchanges, has undergone a security incident after its wallet interface was exploited. Over $1.46B has flowed out to four Ethereum addresses, and some of the funds are being swapped on DEX. 

On-chain investigator ZachXBT and other services registered suspicious outflows from Bybit’s wallets. Previously, the exchange was also attacked by address poisoning, with spoof token transactions entering the cold wallet among legitimate inflows. Minutes after the attack, Bybit confirmed the incident, stating it was an exploit during the routine movement of funds from cold to hot wallets.

Bybit detected unauthorized activity involving one of our ETH cold wallets. The incident occurred when our ETH multisig cold wallet executed a transfer to our warm wallet. Unfortunately, this transaction was manipulated through a sophisticated attack that masked the signing…

— Bybit (@Bybit_Official) February 21, 2025

The Bybit attack is the biggest hack so far in 2025 and the first one targeting a major market operator. At the time of the attack, Bybit lost up to 8.64% of its assets out of its total reserves of $16.2B. Bybit was also just funded with additional assets to reimburse the first group of FTX creditors for claims under $50,000. 

Bybit noted its only affected wallet was the ETH cold wallet, which fell under the full control of the hacker. Bybit was affected by what was also known as an upgrade transaction attack, in which a smart contract’s address looks legitimate to the wallet, but sends a malicious instruction to the sender, redirecting funds to a different wallet.

The exchange used the Safe layer on Ethereum to verify the destination wallet. It is possible that Safe displayed the transaction data correctly, but an element of human error led to the signing of a malicious contract. Incident analysis suggests Bybit may have omitted to run either an automated or manual check on the actual destination address and the contents of the transaction. 

No other cold or hot wallets of Bybit were affected, and deposits and withdrawals are still open. The exchange, which gets most of its traffic from the Russian Federation, continues its operations after a series of new listings. 

The Bybit incident was completed in the same way as the hacks of WazirX and Radiant Capital, some of the biggest exploits of 2024. The attack against Bybit happened at a time when overall attacks have slowed down or shifted to other types of exploits. 

Hacking incident leads to $1.46B in losses

The exchange saw outflows of $1.46B for mETH and stETH, which is being swapped back into ETH through DEX. The ETH can then be mixed and remain untraceable, causing one of the first big security incidents against an exchange for 2025. 

ZachXBT tracked the outflow of funds to five addresses on the Ethereum chain. Soon after the attack, some of the funds were split in batches of 10K ETH to 39 addresses. The exploiter is scrambling to hide the tokens while most of the addresses are blacklisted. 

ALERT: BYBIT HACKER SENDING FUNDS TO MULTIPLE NEW ADDRESSES pic.twitter.com/RbQkJxC3Lm

— Arkham (@arkham) February 21, 2025

In the first hour after the attack, the assets continued to split into smaller holdings, though most were linked to the flagged and blacklisted wallets. The attacker is trying to swap some of the funds through DEX, which may be extremely inefficient for a haul valued at close to $1.5B.

Bybit ranks third based on its reputation and trading volumes, lining up after Binance and Coinbase. The exchange recently boosted its transparency with new tools for full reporting of liquidations. The exchange was working on transparency technologies in a trial to produce proof-of-reserves similar to Binance. 

Ben Zhou, the founder and CEO of Bybit, stated that the exchange is solvent and will not cease operations. 

The Bybit hack affected the wider market, breaking the ETH rally. In the past hour, ETH is down by 2.9%, back to $2,752.42. Bitcoin (BTC) sank under $99,000, stalling in its most recent rally.

Cryptopolitan Academy: Want to grow your money in 2025? Learn how to do it with DeFi in our upcoming webclass. Save Your Spot