Bybit’s Gift to Hardware Wallet Providers

After a reasonable track record since FTX’s demise in November 2022, another crypto exchange suffered an embarrassing loss.

Last week, hackers exploited an Ethereum wallet of Bybit – the third-largest exchange in the world – stealing $1.5 billion of ETH (400,000 coins), representing 0.0033% of its circulating supply.

The hackers secretly modified the user interface on the hardware wallet used by Bybit’s multi-sig approvers to send 400,000 ETH to a “warm wallet.”

This sophisticated attack deceived the multi-sig team by making them believe they were authorising a legitimate transaction.

Ben Zhou, Bybit’s CEO, explains this in further detail:

 

North Korea-based Lazarus is behind this theft, with the FBI also distributing a media release.

As noted in this post by Arkham, a renowned crypto trading and intelligence firm, the group has started washing the coins through DEXes.


In response to this incident, Bybit has established a $140 million hack bounty to improve the traceability of these funds and, ideally, freeze those being transacted through exchanges, mixers and bridges.

So far, roughly 3% ($42.3 million) of the $1.4B stolen has been frozen, mostly via Mantle Network, an Ethereum L2.

Additional thoughts 


Will this event lead several crypto holders to lose faith in centralised exchanges and send vast sums to non-custodial wallets, particularly hardware wallets?

Perhaps for a while, but eventually, many people, especially new entrants to this space, will forget about this.

Nonetheless, I expect a boost in hardware wallet sales and an uptick in desktop and mobile NCW downloads.

Where’s the evidence behind this claim?

Articles from The Block, Decrypt and The Cryptonomist noted strong increases in sales of Ledger and Trezor devices following the 2019 Binance Hack and 2022 FTX Collapse.

Remember that these are relatively smaller hacks, so I anticipate a significant uptick in sales, even if it’s just briefly. Plenty of other hardware wallet manufacturers will also benefit from this latest situation.

————————————————————————————————————————

In an X post, Zhou mentioned that all its clients’ funds are backed 1:1, so the company will fully cover losses.

A separate Bybit press release acknowledged the company restored its reserves within 72 hours of the hack. This communiqué also noted its latest (Feb. 23, 2025) proof-of-reserves audit, as conducted by Hacken, a cybersecurity firm.

Despite this good news, there’s always a risk that some exchanges lack the reserves to readily recoup losses, particularly in the event of multiple hacks in quick succession or something far more destructive. Losing 400,000 ETH in one go is a massive hit.

Ultimately, clients indirectly pay for these hacks through trading fees to help build an exchange’s reserves to cover these losses.

Ledger has published a timeline of the dozens of exchange hacks between 2011 and 2020. Binance, KuCoin, and Mt Gox are a few high-profile examples. Tens (or hundreds) of millions of dollars were lost to fraudulent activity.     

Yet Binance, KuCoin, and others listed in the timeline have continued operating without further losses and have grown their user base in line with an expanding market.

Including the FTX collapse and the latest Bybit losses, billions of dollars of crypto have been misappropriated over the years. When accounting for significantly lower prices before 2020, this represents tens of billions of dollars using current BTC and altcoin prices.

DefiLlama’s hacks dashboard shows that $10.62 billion has been hacked since 2016, covering losses across DeFi, centralised exchanges and (L2) bridges.

Centralised exchanges will stick around as there will always be people who don’t want to deal with protecting their private keys and recovery seeds, alongside the need for periodic firmware updates (for regular users).

As always, each to their own.

It’s a timely reminder not to have vast sums of crypto on an exchange. Most people should have digital assets distributed across at least two (preferably three) NCWs.

If you’re strongly opposed to the idea of self-custody, then, as a bare minimum, distribute your crypto across multiple reputable, regulated exchanges.  

I hope you haven’t been affected by an exchange hack over the years. When interacting with CEXes, ensure you have multi-factor authentication and that notifications are turned on to reduce the risk of unauthorised account access.

In addition, whitelist and double-check wallet addresses when sending funds from your account. For hardware wallets, check that the latest firmware has been installed and always download software directly from the manufacturer’s website.

Happy investing, and stay safe from these scams.

Disclaimers

  • N.B. None of this is financial advice; I am not a financial advisor. This information is for educational purposes only. You are ultimately responsible for your investments.
  • My opinions in this piece might not reflect those behind any news outlet, person, organisation, or otherwise listed here.
  • Please do your own research before investing in any crypto assets, staking, NFTs or other products affiliated with this space.
  • ETH accounts for approximately 25% of my portfolio. 

Featured image by Andrew Angelov at Shutterstock.
