Bybit, a Dubai, United Arab Emirates-headquartered crypto exchange, saw more than $1.4 billion worth of Ethereum stolen from its platform in a smash-and-grab-style hack on Friday—one that’s become a historic moment for crypto theft and raised several questions about what the extensive hack means for the industry.
Starting Friday around 10 a.m., crypto investigator ZachXBT noticed “suspicious outflows” of Ethereum coursing through the platform, he posted in a Telegram channel. In only minutes, the funds were withdrawn in Ethereum, stETH, cmETH and mETH and sent to a single wallet, then distributed to 40 or more wallets, according to data analytics firm Nansen. All forms of Ethereum were converted to standard Ethereum before being sent on again in blocks of $27 million to 10 wallets. Nansen tracked the various wallets used and said some still contained sums of Ethereum.
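The tracing described above, where investigators follow a drained wallet through an intermediary that fans out to many addresses and then reports which downstream addresses still hold funds, can be reproduced over any list of token transfers. The following is an added example, not code from the article, Nansen or Bybit; the transfer records and addresses are constructed placeholders that mimic the fan-out pattern, and the block-window fan-out heuristic is the author's own choice of detection rule.

```python
"""
Fund-flow tracing over a constructed set of token transfers.

Added example, not code from the Forbes article or from Bybit/Nansen.
The transfers below are constructed to mimic the pattern described:
one drained wallet moves funds to an intermediary, which fans out to
several hops that convert and forward on. Addresses are placeholders.
"""
from collections import defaultdict, deque

# Constructed transfer records: (block, from, to, token, amount)
TRANSFERS = [
    (100, "cold_wallet", "hacker_1", "ETH", 1000.0),
    (100, "cold_wallet", "hacker_1", "stETH", 500.0),
    (101, "hacker_1", "hop_a", "ETH", 600.0),
    (101, "hacker_1", "hop_b", "ETH", 400.0),
    (101, "hacker_1", "hop_c", "stETH", 500.0),
    (103, "hop_c", "dex_pool", "stETH", 500.0),  # swap leg out
    (103, "dex_pool", "hop_c", "ETH", 498.0),    # swap leg in (constructed slippage)
    (105, "hop_a", "sink_1", "ETH", 600.0),
    (105, "hop_b", "sink_2", "ETH", 400.0),
    (106, "hop_c", "sink_3", "ETH", 498.0),
    (200, "unrelated", "someone", "ETH", 5.0),   # noise, not connected to the drain
]


def build_graph(transfers):
    """Map each sender to the transfers it originated, in block order."""
    out = defaultdict(list)
    for t in sorted(transfers, key=lambda t: t[0]):
        out[t[1]].append(t)
    return out


def trace(transfers, origin, stop_at=frozenset()):
    """
    Breadth-first walk of outgoing transfers starting at `origin`.
    Returns {address: hop_depth} for every address reached.
    Addresses in `stop_at` (a DEX pool, an exchange deposit address) are
    recorded but not expanded, so unrelated flows through them are not pulled in.
    """
    graph = build_graph(transfers)
    depth = {origin: 0}
    queue = deque([origin])
    while queue:
        addr = queue.popleft()
        if addr in stop_at:
            continue
        for _, _, to, _, _ in graph.get(addr, []):
            if to not in depth:
                depth[to] = depth[addr] + 1
                queue.append(to)
    return depth


def net_balances(transfers, addresses):
    """Net per-(address, token) balance, counting only the given addresses."""
    bal = defaultdict(float)
    for _, frm, to, token, amt in transfers:
        if frm in addresses:
            bal[(frm, token)] -= amt
        if to in addresses:
            bal[(to, token)] += amt
    return dict(bal)


def resting_funds(transfers, origin, stop_at=frozenset()):
    """Addresses reached from `origin` that still hold a positive net balance."""
    reached = set(trace(transfers, origin, stop_at))
    return {k: v for k, v in net_balances(transfers, reached).items() if v > 0}


def fan_out_alerts(transfers, min_recipients=3, window_blocks=2):
    """
    Detection heuristic: flag any sender that paid at least `min_recipients`
    distinct addresses within `window_blocks` blocks. Rapid fan-out from one
    address is the signature investigators watched for here.
    """
    graph = build_graph(transfers)
    alerts = {}
    for sender, outs in graph.items():
        for i, (blk, _, _, _, _) in enumerate(outs):
            recipients = {t[2] for t in outs[i:] if t[0] - blk <= window_blocks}
            if len(recipients) >= min_recipients:
                alerts[sender] = len(recipients)
                break
    return alerts


if __name__ == "__main__":
    depths = trace(TRANSFERS, "cold_wallet", stop_at={"dex_pool"})
    for addr, d in sorted(depths.items(), key=lambda kv: kv[1]):
        print(f"hop {d}: {addr}")
    print("resting funds:", resting_funds(TRANSFERS, "cold_wallet", {"dex_pool"}))
    print("fan-out alerts:", fan_out_alerts(TRANSFERS))
```

The `stop_at` set matters in practice: a DEX pool or exchange hot wallet has thousands of unrelated counterparties, and expanding through it would drag the whole chain into the trace. Stopping there keeps the walk bounded while still showing what went into the pool.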
Ultimately, the Ethereum was transferred away to an “unidentified address,” according to a statement on X from the company. Bybit also said in the release that the security team is investigating the issue and encouraged experts to help trace the missing sums. A communications director did not immediately respond to a message from Forbes on the hacking.
Only one previous crypto hack even comes close to the size of Friday’s attack. In 2022, a bridge called Ronin Network was hacked and more than $600 million was lost in what was, until now, the largest hack in crypto’s history.
A few key questions remain, considering the size, speed and situation. Most notably, the company reports that the funds were taken from cold wallets, which are considered impossible to hack by many standards. A cold storage wallet exists because it can only be accessed by the wallet’s administrators with a private key they possess, making it nearly impossible to reach without them. Cold wallets are not connected to the internet. After pulling the Ethereum, the attacker sent the amounts to a hot wallet, one that is connected to the internet.
The hacker “took control of the specific ETH cold wallet we signed and transferred all ETH in the cold wallet to this unidentified address,” CEO Ben Zhou posted on X the morning of the hacking. “Please rest assured that all other cold wallets are secure. All withdraws are NORMAL.”
Considering these factors, it’s hard to identify how the exchange’s cold wallet was accessed and exactly how much it stored. On February 20th, Bybit had more than 439,000 WETH (a tokenized version of ETH), more than 30,0000 Ethereum and 111,000 STETH. By Friday afternoon, those amounts were drained, and the exchange held just over 20,000 in each of the three categories, according to data from DefiLlama.
“Bybit is Solvent even if this hack loss is not recovered, all of clients assets are 1 to 1 backed, we can cover the loss,” Zhou later added in an X post.
New details on the hacking remain scarce, and the company has not put forth any broader explanations. Because of the private nature of cold wallet technology, some have questioned whether an employee or insider with access to the cold storage wallet could have performed the attack. It’s also possible that a compromised network key could be at play.
“While an insider job is always a possibility, we believe that this is unlikely,” Ido Ben-Natan, the co-founder and CEO of cybersecurity startup Blockaid, told Forbes over email. “This modus-operandi has now repeated itself enough times for a pattern to emerge, and this pattern means that this type of cyber-infused attack on onchain assets and infrastructure is likely to become commonplace.”
Ben-Natan explained that the hack also parallels a previous attack on crypto firm Radiant Capital, which resulted in tens of millions lost to a foreign attack in December of 2024. Attackers broke into the platform through employee laptops and the company’s security infrastructure after pretending to be a former employee, according to Coindesk.
Forbes recently placed Bybit 16th among the 25 largest crypto exchanges it ranked, giving it low scores for transparency and audit strength. Our survey reported that at least a third of Bybit’s considerable 26 million visitors came from the Russia-Ukraine war zone, a region subject to US sanctions. The exchange has been known to operate its business in countries prior to getting licensed, and it has been blacklisted in France, banned in Hong Kong, and temporarily suspended in India. According to Forbes’ ranking, a big part of Bybit’s appeal to end users has been its low fees, which are on par with those of Binance and OKX.