Bybit records $5.5 billion in outflows after crypto’s biggest hack
Cryptocurrency exchange Bybit has recorded outflows exceeding $5.5 billion following a $1.4 billion security breach that targeted its ether cold wallet.
Hackers reportedly linked to North Korea’s Lazarus Group drained funds from the exchange, prompting Bybit to take immediate action to secure withdrawals and stabilise operations.
According to DeFiLlama, assets tracked in Bybit’s wallets fell from $16.9 billion to $11.2 billion in the wake of the attack. In an X Spaces session, Bybit CEO Ben Zhou explained that following the breach, the company’s team focused on processing withdrawals while continuing to assess the security incident.
The attackers reportedly stole 70% of Bybit’s customer ether holdings, necessitating the company to arrange a loan to maintain liquidity. However, Zhou added that the majority of users were withdrawing stablecoins rather than ether, which raised additional liquidity concerns.
Bybit had sufficient reserves to support the withdrawals, but issues arose when Safe, a decentralised custody protocol, temporarily shut down smart wallet functionalities to assess potential security risks. Safe provides smart contract wallets for digital asset storage and custody.
With $3 billion in USDT in Safe wallets, Bybit faced mounting withdrawal requests. The security team worked overnight to develop manual verification tools to move stablecoins from Safe’s wallets and continue fulfilling withdrawals.
Despite successfully transferring its stablecoin reserves, Bybit still saw a bank run affecting about 50% of total funds on the exchange.
Authorities and security firms track stolen funds
Bybit has engaged law enforcement agencies, including Singaporean authorities and Interpol, to investigate the attack. Chainalysis, a blockchain analytics firm, is also involved in the transfer of stolen ether.
Zhou expressed confidence that the funds are still traceable, and Bybit will continue to monitor their movements in the hope of eventually recovering them.
Ethereum rollback discussed
During the discussion, Zhou mentioned that some in the industry, including BitMEX co-founder Arthur Hayes, suggested a rollback of the Ethereum blockchain to recover the stolen assets.
Bybit’s team has contacted Ethereum co-founder Vitalik Buterin and the Ethereum Foundation to explore possible solutions. However, Zhou acknowledged that any blockchain rollback would require broad community consensus and could not be a unilateral decision.
“I’m not sure it’s a one-man decision based on the spirit of blockchain. It should be a work in process to see what the community wants,” Zhou said.
The network’s smart contract architecture would make it difficult to roll back Ethereum, and would likely require a hard fork.
Investigation into the security breach
Bybit is still investigating the exact cause of the attack. Zhou stated that internal reviews of transaction signers have not identified any suspicious activity.
“We know the cause is definitely around the Safe cold wallet. Whether it’s a problem with our laptops or on Safe’s side, we don’t know,” Zhou said.
Bybit replenishes ether reserves
Bybit has restored a 1:1 backing of client assets after securing additional funds. On-chain tracking service Lookonchain reported that Bybit replenished 446,870 ETH – worth approximately $1.23 billion – through a mix of loans, deposits, and purchases.
Data suggests that Bybit acquired over $400 million in ETH via over-the-counter trades, while $300 million came from exchanges. An additional $300 million was secured through loans, with contributions from cryptocurrency funds.
ETH prices initially rose 4% over the weekend due to increased demand but later fell 2% as market sentiment remained cautious.
Bybit confirmed that as of Sunday, its deposit and withdrawal operations had returned to normal levels, with deposits slightly exceeding withdrawals, signalling an improved market confidence.
North Korea’s Lazarus Group linked to attack
The security breach has been linked to the Lazarus Group, a state-sponsored hacking organisation from North Korea known for targeting cryptocurrency platforms.
Blockchain investigator ZachXBT identified similarities between Bybit’s attack and previous incidents attributed to Lazarus. The group has carried out multiple high-profile cryptocurrency thefts, including:
- The $600 million Ronin Network hack in 2022,
- A $230 million attack on Indian exchange WazirX (2024).
Investigators believe the hackers exploited a manipulated user interface vulnerability to alter smart contract logic, redirecting funds to unknown wallets. The stolen ether was then split across multiple wallets and swapped on decentralised exchanges.
(Image by Pixabay)
See also: AI-driven cryptocurrency scams set to surge in 2025 as fraud tactics evolve.
Want to learn more about blockchain from industry leaders? Check out Blockchain Expo taking place in Amsterdam, California and London.
Explore other upcoming enterprise technology events and webinars powered by TechForge here.
