Bybit Recovers from $1.5B Hack by North Korean
- It seems likely that Bybit has recovered from a nearly $1.5 billion Ethereum hack, with customer assets now 100% backed.
- Research suggests North Korean hackers, possibly the Lazarus Group, were involved in the hack.
- The evidence leans toward Bybit using loans, deposits, and purchases to replenish the deficit, closing the ETH gap by February 24, 2025.
- A Proof of Reserve audit is expected soon to confirm solvency, adding a layer of transparency.
The Hack and Recovery
On February 21, 2025, Bybit, a major crypto exchange, was hacked and lost about $1.5 billion in Ethereum, the largest crypto heist ever. The attack exploited a cold wallet, and blockchain analysts linked it to North Korean hackers.
By February 24, 2025, Bybit’s CEO, Ben Zhou, announced the exchange had fully recovered, ensuring customer assets are 100% backed again. This recovery involved securing bridge loans, receiving whale deposits, and making direct Ethereum purchases.
Interestingly, the crypto community rallied, with platforms like Binance and Bitget depositing over 50,000 ETH into Bybit’s wallets, showcasing industry support during the crisis.
This incident highlights the need for stronger security in crypto exchanges and may lead to increased regulatory scrutiny. Bybit’s swift action and the upcoming Proof of Reserve audit aim to restore user trust, with over 580,000 withdrawals processed post-hack, indicating operational resilience.
Details of the Hack
This incident, detailed in reports from Bloomberg, marked the largest crypto heist in history, surpassing previous records like the $624 million Ronin Network hack in 2022. The scale of the breach, involving 401,347 ETH, underscored persistent security vulnerabilities in the industry, as noted by TechCrunch.
The hack occurred during a routine transfer from Bybit’s ETH multi-signature cold wallet to its warm wallet, a process designed for security. However, attackers employed a sophisticated method, manipulating the transaction by masking the signing interface, as reported by The Hacker News.
This deception altered the underlying smart contract logic, enabling unauthorized access. Blockchain analysis, as per Business Insider, traced the stolen funds, with on-chain investigator ZachXBT connecting the attack to the Lazarus Group, a North Korean hacker entity notorious for crypto heists.
Recovery Efforts and Financial Measures
In response, Bybit’s CEO, Ben Zhou, took immediate action, assuring users via X posts that the exchange remained solvent and could cover the loss. Zhou emphasized that all client assets were 1:1 backed, even if the stolen funds weren’t recovered.
To achieve this, Bybit secured bridge loans and received support from the crypto community, with Binance and Bitget depositing over 50,000 ETH into Bybit’s cold wallets, as noted in CryptoBriefing. Additionally, the exchange made direct ETH purchases and leveraged investor deposits, with reports indicating they covered approximately 80% of the loss initially, as per Forbes.
We’re close to 100% on our ETH reserves, and deposits & withdrawals are back to normal.
Through it all, the crypto community, our partners, and our users have shown unwavering support—thank you.
We know where our funds have gone, and we’re committed to turning this experience… pic.twitter.com/pJBpfVtVVH
— Bybit (@Bybit_Official) February 24, 2025
By February 24, 2025, Bybit announced it had fully closed the ETH gap, with Zhou confirming via The Crypto Basic that the exchange had recovered its holdings.
This recovery was facilitated by emergency funding and a recovery bounty program, offering up to 10% of retrieved funds to cybersecurity experts. A new Proof of Reserve (PoR) audit is expected soon to confirm solvency, adding transparency, as mentioned in Coinbackyard.
Current Status of Stolen Funds
As of today, February 26, 2025, the hackers have laundered $335 million of the stolen ETH, meaning they have converted or moved it to obscure its origin. In the last 24 hours they moved an additional $110 million, suggesting active efforts to liquidate or hide the funds. However, $900 million worth of ETH still remains, which may not yet have been moved or may be in transit; the exact figures are complicated by price fluctuations.
Bybit’s Response and the Hackers
Bybit has declared war on the hacking group, identified as the Lazarus Group from North Korea, known for state-sponsored cyberattacks (Chainalysis). They’re collaborating with blockchain forensics firms and law enforcement, offering a 10% recovery bounty to assist in retrieving the stolen crypto. This response is crucial given Lazarus’s history of funding military programs with stolen crypto, totaling over $6 billion since 2017.
Safe Wallet’s Responsibility and Post-Mortem
Safe released a post-mortem update on February 26, 2025, stating that the breach did not involve vulnerabilities in their smart contracts or front-end portal code, but rather a compromised developer machine (CoinTelegraph). The machine was modified to target Bybit’s Safe and divert transactions to a different hardware wallet, as noted by Martin Köppelmann, co-founder of the Gnosis blockchain network (StartupNews.fyi).
However, this update drew criticism from Binance co-founder Changpeng “CZ” Zhao. In an X post (CZ BNB), CZ stated, “This update from Safe is not that great. It uses vague language to brush over the issues. I have more questions than answers after reading it.”
© 2024 Cryptopress. For informational purposes only, not offered as advice of any kind.