Urgent Update: $1.5B Crypto Heist Reported at Bybit — Critical Insights Revealed
Bybit Security Breach: The $1.5 Billion Loss Uncovered
Early on February 22nd, the cryptocurrency sector was jolted by unverified claims of a massive security breach targeting Bybit’s hot wallet, with losses estimated at $1.5 billion. After a little verification, the claims were found to be true. Details of the incident then slowly surfaced through disclosures from security audit teams in the crypto community and from Bybit officials. A multi-signature wallet belonging to Bybit was completely controlled by hackers, and about 1.5 billion US dollars of crypto assets were emptied from it, mainly ETH, stETH and other liquid staking tokens with a value close to ETH.
Cold Wallet Breach Exposed
Was the cold wallet stolen? At first, the rumor was that the hot wallet had been stolen, because most past hacker attacks were against hot wallets, which are permanently networked and therefore exposed to an unsafe environment. Post-incident analysis confirmed the breach originated from Bybit’s cold wallet due to an operational flaw in standard transaction protocols. Contrary to assumptions of absolute cold storage security, the platform’s audit revealed dependencies on a **multi-sign Safe contract**, underscoring that even air-gapped systems inherit risks from implementation design.
Safe Contract Failure: How It Happened
Investigation revealed that Bybit’s cold wallet system relied on a Safe contract-based multi-sign framework, a configuration now confirmed as the breach’s critical failure point. It is reported that Safe was originally named Gnosis Safe and later changed its name to Safe. So far, it has safeguarded over $100 billion worth of assets within the Ethereum network. Renowned for its robust security features and impeccable track record, this multi-signature wallet has been widely adopted by various project teams, DAOs, and trading platforms for their secure transaction needs. The recent security breach, however, was traced back to the front-end interface of the Safe website or mobile application accessed through Bybit (the front end being the part of the web page that users see and interact with).
Simply put, the hacker tampered with the web page where the Bybit team initiated multi-signature transactions. The Bybit team carried out the transfer as usual, but the hacker had replaced the transaction to be signed and got several signers on the Bybit team to sign a “sale contract”, which upgraded the multi-signature contract wallet to a malicious contract prepared by the hacker. In other words, the team signed with their own names and handed the wallet over to the hacker.
It follows that the private keys of the hardware cold wallets used for signing remain secure and uncompromised. Safe has confirmed that no vulnerabilities have been identified in its multi-signature contract, so the contract itself remains safe. This incident does not stem from a flaw within the encryption industry itself, but from a vulnerability in conventional internet infrastructure.
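A check that catches this kind of swapped payload, as an added example (not code from Bybit or Safe): it compares the transfer the operators intended, taken from a source independent of the web page, with the transaction fields actually presented for signing. The field names follow Safe's transaction parameters (to, value, data, operation); the function names, addresses and amounts are constructed for illustration.

```python
# Added example: independent pre-signing check. All sample values are constructed.
ERC20_TRANSFER = "a9059cbb"          # selector of transfer(address,uint256)
CALL, DELEGATECALL = 0, 1            # values of Safe's `operation` field

def norm(addr):
    """Lower-case an address and drop the 0x prefix for comparison."""
    return addr.lower().removeprefix("0x")

def check_payload(intent, tx):
    """Return findings where the payload to sign differs from the intent.

    intent: {"token": address, or None for ETH, "recipient", "amount"}
    tx:     {"to", "value", "data", "operation"}; empty list means a match.
    """
    findings = []
    if tx["operation"] != CALL:
        findings.append("operation is not CALL (delegatecall runs foreign code in the wallet)")
    data = tx["data"].removeprefix("0x").lower()
    if intent["token"] is None:                      # plain ETH transfer
        if norm(tx["to"]) != norm(intent["recipient"]):
            findings.append("target differs from intended recipient")
        if tx["value"] != intent["amount"]:
            findings.append("value differs from intended amount")
        if data:
            findings.append("unexpected calldata on a plain transfer")
        return findings
    # ERC-20 transfer: the call goes to the token contract, not the recipient
    if norm(tx["to"]) != norm(intent["token"]):
        findings.append("target is not the intended token contract")
    if tx["value"] != 0:
        findings.append("token transfer carries ETH value")
    if len(data) != 8 + 64 + 64 or not data.startswith(ERC20_TRANSFER):
        findings.append("calldata is not transfer(address,uint256)")
        return findings
    recipient, amount = data[32:72], int(data[72:], 16)
    if recipient != norm(intent["recipient"]):
        findings.append("calldata recipient differs from intended recipient")
    if amount != intent["amount"]:
        findings.append("calldata amount differs from intended amount")
    return findings

# Constructed sample: the ticket says "send 5 tokens"; SWAPPED is a replaced payload.
TOKEN, HOT, OTHER = ("0x" + c * 40 for c in "abc")
INTENT = {"token": TOKEN, "recipient": HOT, "amount": 5}
GOOD = {"to": TOKEN, "value": 0, "operation": CALL,
        "data": "0x" + ERC20_TRANSFER + norm(HOT).rjust(64, "0") + f"{5:064x}"}
SWAPPED = dict(GOOD, to=OTHER, operation=DELEGATECALL)
```

The check only helps if it runs on a device and data path separate from the browser that renders the signing page, since that page is what was tampered with here.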
Hackers Infiltrate
As mentioned above, hackers tampered with the web page the Bybit team used to interact with the wallet, but Safe did not find any problems on the server side. It is highly likely that the hackers had already been lurking in the computers and other related devices of Bybit team members by means of Trojans and similar tools. The tampering may have been done through DNS hijacking, Trojans, or browser plug-ins. Under certain conditions, the complexity and difficulty are relatively high. KOLs in the relevant security field believe that the hacker’s method is very sophisticated.
Crypto investigator ZachXBT and blockchain analysis company Arkham currently believe that there is evidence suggesting the attack may have been launched by the hacker organization Lazarus Group, which is suspected to be supported by a certain government and is known for attacking crypto asset platforms.
Someone posted the hacker team’s astonishing record on a social platform: from 2017 to 2025, they stole a large amount of funds from multiple trading platforms and crypto projects. For example, they stole 4,000 BTC from Youbit, which directly led to its bankruptcy, stole 300 million US dollars of crypto assets from the KuCoin platform, and stole 620 million US dollars of crypto assets from the Ronin cross-chain bridge. The amount stolen this time was as high as 1.5 billion US dollars, setting a historical record.
Bybit’s Quick Crisis Recovery
Another reason why the crypto market stabilized may be that Bybit handled it properly overnight. The latest announcement of its Chinese official account on X said: “Since the hacking incident (10 hours ago), Bybit has experienced an unprecedented number of withdrawal requests. So far, we have received more than 350,000 withdrawal requests, and the remaining approximately 2,100 withdrawal requests are being processed. Overall, 99.994% of withdrawals have been completed.”
In theory, this incident is comparable to the previous FTX liquidity crisis. Bad news can cause a platform to cease operations or even lead to its collapse, but the strength of the Bybit platform itself and the team’s proper handling seem to have reversed the situation. Bybit not only did not fall into the liquidity “quagmire”, but also obtained a “bridge loan” from its partners, covering 80% of the stolen ETH; in other words, the problem of bank runs has been solved. Post-incident tracking reveals coordinated industry action:
– Liquidity injection: Major exchanges redirected stETH assets to Bybit’s affected wallets.
– Leadership solidarity: Founders of top crypto firms vowed joint crisis management.
– Address containment: Cross-platform security alliances enacted global wallet freezing protocols targeting the hacker.