A sophisticated 'phishing' attack behind the biggest theft in crypto history: 1.4 billion flew out of Bybit's account

Last Friday, the crypto world went from a state of euphoria, after the SEC dropped its lawsuit against Coinbase, to a deep depression. The industry once again experienced the nightmare that has haunted it throughout its history: Bybit, the second largest exchange in the world by number of transactions, with more than 40 million users worldwide, had been hacked. The company announced that cybercriminals had emptied its Ethereum cold wallet, taking some 401 tokens, worth more than $1.4 billion at the time. Panic broke out among investors in the face of what became the largest theft of funds in the history of the industry.
What happened?
The hackers attacked Bybit's Ethereum cold wallet. A cold wallet is an offline system that stores the keys controlling the cryptocurrency and is considered the most secure form of storage. Bybit's was in fact a multi-signature wallet, which requires several authorizations to approve a transaction. On Friday, the company's executives were transferring funds from the cold wallet to a hot wallet (one that keeps its keys on systems connected to the network) as part of a routine operational process, which is usually carried out when more liquidity is needed on the platform.
The platform's CEO, Ben Zhou, was the last to validate the transaction, but it was not the transaction he thought he was approving. Through a sophisticated setup, the attackers designed a fake interface that perfectly replicated the wallet management platform used by Bybit. This interface displayed verified addresses and URLs, making the transaction appear legitimate. When the signers approved it, the hackers diverted the funds to an unknown wallet. The method was so effective that Bybit's security systems detected anomalies only when it was too late. It was an extremely sophisticated version of phishing, a technique commonly used by hackers who impersonate a trusted party to trick users into giving up personal information, account access or passwords.
Shortly after the attack, research firm Arkham Intelligence detected that funds had begun to move to new addresses and were being sold. To date, collaboration between Bybit and other platforms has led to nearly $43 million of the stolen funds being blocked and frozen. The rest is being laundered through various obfuscation techniques, including chain hopping, which involves converting one form of cryptocurrency into another and moving it across multiple blockchains. TRM Labs estimates that as of Sunday evening, $160 million had been funneled through illicit channels.
Why is Ethereum more vulnerable?
The Ethereum network is highly appreciated by the industry for the myriad of use cases it offers. Thanks to the Solidity programming language, applications and smart contracts can be created and run on this blockchain. “But these are also a point of vulnerability that hackers take advantage of,” says Javier Pastor, training director at Bit2Me.
Adolfo Contreras, strategic advisor at Blockstream, explains that the problem lies in flaws in the design of Ethereum. The network uses the EVM, a virtual machine that executes a wide range of instructions and runs smart contracts. The expert believes that this system is very complex and generates too many different kinds of transaction for a hardware wallet, the small device that safeguards the private keys, to “support”: that is, the device lacks the capacity to interpret the enormous variety of transactions the EVM generates. “The consequence is that when an EVM transaction is signed, if it is too complex and the wallet is not able to interpret it, a blind signature is made. On the small screen of the device you see an alphanumeric sequence and basically whatever appears is signed,” he explains.
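The two passages above describe the same gap from two sides: a signer shown only an opaque hex string (blind signing) cannot notice that the interface has presented one transaction and the device another. The added example below, which is not part of the article or of any wallet vendor's code, is a minimal decoder for two real ERC-20 function selectors (`transfer` and `approve`); the wallet addresses and amounts are constructed sample data, and the `review` check against an intended recipient is a hypothetical illustration of what an independent decode step gives a signer that the raw hex does not.

```python
# Added illustration of "clear signing" vs blind signing for EVM calldata.
# Selectors are the real 4-byte ids of two widely used ERC-20 functions;
# all addresses and amounts below are constructed sample data.
KNOWN_SELECTORS = {
    bytes.fromhex("a9059cbb"): ("transfer", ("address", "uint256")),
    bytes.fromhex("095ea7b3"): ("approve", ("address", "uint256")),
}

def decode_word(word: bytes, typ: str):
    """Decode one 32-byte ABI word as an address or a uint256."""
    if len(word) != 32:
        raise ValueError("ABI word must be 32 bytes")
    if typ == "address":
        # Addresses are right-aligned; the 12 high bytes must be zero padding.
        if any(word[:12]):
            raise ValueError("address word has non-zero padding")
        return "0x" + word[12:].hex()
    if typ == "uint256":
        return int.from_bytes(word, "big")
    raise ValueError(f"unsupported type {typ}")

def decode_calldata(calldata: bytes) -> dict:
    """Split calldata into selector + fixed-size words and decode them."""
    selector, args = calldata[:4], calldata[4:]
    if selector not in KNOWN_SELECTORS:
        return {"function": "unknown", "selector": selector.hex(), "args": []}
    name, types = KNOWN_SELECTORS[selector]
    if len(args) != 32 * len(types):
        raise ValueError("calldata length does not match function signature")
    values = [decode_word(args[i * 32:(i + 1) * 32], t) for i, t in enumerate(types)]
    return {"function": name, "selector": selector.hex(), "args": values}

def review(calldata: bytes, intended_recipient: str) -> dict:
    """What a signer sees blind (hex prefix) vs decoded, plus an intent check."""
    decoded = decode_calldata(calldata)
    recipient = decoded["args"][0] if decoded["args"] else None
    ok = (decoded["function"] == "transfer" and recipient is not None
          and recipient.lower() == intended_recipient.lower())
    return {**decoded, "blind_view": calldata.hex()[:16] + "...", "matches_intent": ok}

def encode_transfer(to: str, amount: int) -> bytes:
    """Build transfer(address,uint256) calldata; used only to construct samples."""
    return bytes.fromhex("a9059cbb") + bytes(12) + bytes.fromhex(to[2:]) + amount.to_bytes(32, "big")

INTENDED = "0x" + "11" * 20                              # constructed hot-wallet address
SAMPLE_OK = encode_transfer(INTENDED, 10**18)            # pays the intended recipient
SAMPLE_BAD = encode_transfer("0x" + "ee" * 20, 10**18)   # same amount, different recipient

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BAD):
        print(review(sample, INTENDED))
```

Only static-size arguments are decoded here; a production clear-signing implementation needs the full ABI of the target contract and the destination address of the transaction itself, not just the calldata.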
What has the company done?
At 16:51 on Friday, the company reported the attack on its social networks. Just over an hour later, the CEO answered the questions of users and investors in a live stream, communicating the details of the attack and the updates as they became known. Throughout, he assured viewers that the other wallets were safe and had not been affected: “Bybit is solvent. Even if this loss is not recovered, all customer assets are backed 1 to 1, we can cover the loss,” he added.
The company immediately asked for the collaboration of the industry, promising to pay 10% of the stolen funds to those who help recover them. The other exchanges have also taken action, blocking the wallet used by the hacker and every wallet to which part of the stolen funds is sent. “Any movement by the attacker who wants to convert the stolen crypto into money will be blocked by the exchange. These wallets are tagged by software that traces all the hacker's movements, thanks to the blockchain,” explains Cristina Carrascosa, CEO and founder of ATH21.
This morning, Ben Zhou announced that Bybit had already replenished the stolen funds and that it once again had enough assets to back 100% of its customers’ deposits. The company said it had replenished 446.87 units of Ethereum, worth over $1.2 billion at the current price, through loans, deposits from large investors, and direct purchases of the token.
Who is behind the attack?
Analytics firms like Arkham and TRM Labs have been tracking the stolen funds, and their research points to North Korea’s Lazarus Group as the culprit. “The attack followed their well-known playbook, and North Korean hackers don’t hide their tracks because they operate outside the reach of law enforcement,” said Ari Redbord, global director of policy and government affairs at TRM Labs. In a single day, North Korean hackers nearly doubled the amount they stole in all of 2024: last year they were responsible for roughly 35% of all stolen funds, amounting to around $800 million in cryptocurrency taken in high-impact operations. A recent study by Chainalysis puts the figure at $1.34 billion across 47 incidents last year.
Have there been similar cases?
TRM Labs says that attacks on hot wallets and smart contracts are common, but cold wallet breaches on this scale are rare. There have, however, been comparable attacks. Contreras notes that this latest hack reminds him of the Parity hack in 2017: on that occasion, hackers exploited a vulnerability in the smart contracts of the Parity software that managed multi-signature wallets. The attackers took control of some wallets and diverted the funds, making off with about 150,000 ether, about $30 million at the time.
Following this latest incident, experts believe that platforms will devote more budget to cyber defense. Redbord notes that the speed with which attackers are moving such a large amount of money was unimaginable just a year ago. “The scale and speed of this money laundering operation marks a dangerous evolution in how state-sponsored hackers can exploit the cryptocurrency ecosystem, taking advantage of technology and robust money laundering networks. This indicates an urgent need for cross-border law enforcement cooperation.”
However, they acknowledge the company's efficient response to such a large-scale incident. “We are talking about a hack of 1.4 billion euros that did not even cause a problem for the exchange's liquidity. If we stop to think about it, we are talking about a very high amount, and it was able to continue operating without that amount. It is without a doubt the standard that everyone who works in this sector aims for,” concludes Carrascosa.
EL PAÍS