Timeline | Bybit Loses Over 500K ETH in Hack, $1.5 Billion Loss

On the early morning of February 22, on-chain detective Zachxbt detected a suspicious fund outflow incident on Bybit. Subsequent on-chain records showed that a multisig address controlled by Bybit transferred out $1.5 billion worth of ETH and used a DEX to convert LSD assets into native ETH. Possibly due to FUD sentiment, Ethereum briefly dropped below $2,700; Bybit's native platform token MNT briefly fell below $0.9, with a 24-hour decrease of 7.71%.

Bybit CEO Ben Zhou quickly responded, stating that indeed a hacker had control of a specific ETH cold wallet, but the rest of the cold wallets are secure and withdrawals are functioning normally. Ben Zhou also emphasized that Bybit has the ability to make payment and can bear this loss. BlockBeats will continue to monitor and provide real-time updates, as outlined in the timeline below:

Bybit CEO: Will Soon Host a Livestream to Address All Questions

On February 22, Bybit CEO Ben Zhou posted an update on Platform X stating, "I will soon start a livestream to answer all questions!! Please stay tuned."

ZachXBT: Bybit Hacker Has Distributed 10,000 ETH to 39 New Addresses, Urging All Parties to Blacklist Promptly

On February 22, ZachXBT stated that the Bybit hacker had just distributed 10,000 ETH to 39 new addresses. "If you are an exchange platform or service provider, please blacklist these addresses on all EVM chains."

SlowMist Founder: Bybit Hacker's Attack Method Similar to North Korean Hackers

On February 22, SlowMist founder COSMOS published a post saying, "Although there is no direct evidence at the moment, based on the Safe multisig approach and the current laundering method, it resembles North Korean hackers."

Bybit CEO: Platform Withdrawals Operating Normally, Other Cold and Hot Wallets Not Affected; Bybit has Payment Ability and Can Bear This Loss

On February 22, Bybit CEO Ben Zhou posted an update saying that Bybit's hot wallets, warm wallets, and all other cold wallets were not affected. The only wallet compromised was the ETH cold wallet. All withdrawals are operating normally. Additionally, it was emphasized, "Bybit still has the ability to make payments. Even if the loss from this hacker attack cannot be recovered, all client assets remain 1:1 backed, and we can bear this loss."

Bybit Hacker Starts to Disperse Funds to Multiple Addresses

On February 21, according to Arkham Monitoring, the Bybit hacker has started to disperse funds to multiple addresses.

Bybit Platform Total Assets Reach $15.727 Billion, with $5.18 Billion in Ethereum Assets

On February 21, according to Defillama data, the Bybit platform's total assets amount to $15.727 billion, including:

· $6.263 billion in Bitcoin;

· $5.18 billion in Ethereum;

· $1.35 billion in SOL;

· $1.143 billion in TRON.

Bybit CEO: Hacker Controls Specific ETH Cold Wallet, Other Cold Wallets Secure and Withdrawals Operating Normally

On February 21, Bybit Co-Founder and CEO Ben Zhou stated in a post, "Bybit's ETH multisig cold wallet made a transfer to our hot wallet approximately 1 hour ago. It appears the transaction was spoofed, with all signers seeing a spoofed interface displaying the correct address and URL coming from Safe.

However, the signature information was to alter the smart contract logic of our ETH cold wallet. This resulted in the hacker controlling our signed specific ETH cold wallet and moving all ETH in the wallet to this unconfirmed address.

Rest assured, all other cold wallets are secure. All withdrawals are functioning normally. I will continue to update as more unfolds. If there are teams that can assist us in tracking the stolen funds, it would be greatly appreciated."

Bybit Multi-Sig Address Transfers $1.5 Billion Worth of ETH and Swaps LSD Assets for Native ETH Using DEX

On February 21, crypto KOL Finish posted that, according to on-chain data, a Bybit multi-signature address transferred $1.5 billion worth of ETH to a new address. The funds reached the new address 0x47666fab8bd0ac7003bce3f5c3585383f09486e2, then were moved to 0xa4b2fd68593b6f34e51cb9edb66e71c1b4ab449e, where 0xa4 is currently selling stETH and mETH in exchange for ETH.

「Currently, this address is using 4 different DEXs. If they were to simply swap the LSD for native ETH, the transaction execution would be very inefficient (high slippage). This scale of operation is typically done off-chain, so this is very unusual.」

Zachxbt Monitors Bybit for Suspected Fund Outflow

On February 21, the Zachxbt monitoring channel reported that they are currently monitoring a suspicious fund outflow from Bybit, totaling over $1.46 billion.