The Bybit heist took place on February 21, 2025. It was the largest single theft of cryptocurrencies in the industry’s history, as the Dubai-based crypto exchange lost 400,000 ETH worth $1.4B within minutes.
The unprecedented event prompted an equally seismic response, which has reverberated through the blockchain industry: Bybit acknowledged the theft on the same day, and on February 22 announced a bounty program open to the industry worldwide.
The bounty offered is a reward of up to 10% for help in recovering the funds, making it one of the largest rewards of its kind the industry has ever seen. The response potentially provided a masterclass blueprint for how to counter such attacks in the future, as industry players worldwide demonstrated solidarity in the face of adversity.
In this webinar, Crystal Intelligence experts took crypto industry participants through the theft, the industry response, and what it means for the industry. Our team discussed how exchanges can best protect themselves from, and respond to, future attacks.
The panel was led by Crystal’s VP of Intelligence, Nicholas Smart, and included Federico Paesano, Financial Investigations Specialist, Andrii Sovershennyi, Research Lead, and Nick Steegmans, VP of Training and Investigations, North America.
The timeline of the Bybit heist
- In the days before the attack: A sophisticated and well-coordinated transnational group of hackers used advanced persistent threat (APT) techniques to gain access to Bybit’s multi-sig wallet information.
- 14.15 UTC Friday, February 21, 2025: The hackers ran a test transaction of 90 USDT to confirm that they had successfully bypassed the security system. The timing was deliberate, as the UAE working day was winding down and limited staff were available to detect and respond to the attack.
- 14.16 UTC: A staggering 401,347 ETH, 90,375 stETH, 15,000 cmETH and 8,000 mETH were taken from the original cold wallet.
- 14.29 UTC: A further single ETH test transaction was made to a different address, then stETH, cmETH and mETH tokens were quickly exchanged for Ethereum via DeFi services in cohorts of 10,000 simultaneously across multiple addresses.
- 15.51 UTC: After a frenzied 82 minutes, Bybit acknowledged the attack via the company’s X account, assuring customers that their cold wallets were safe from further harm, and invited blockchain analytics experts to collaborate with them in retrieving the funds.
- February 22: Bybit’s CEO and co-founder, Ben Zhou, announced the recovery bounty program, offering up to a 10% (almost $140 million) incentive of the total funds retrieved as a reward.
- February 26: The US FBI released a public service announcement attributing the heist to the Democratic People’s Republic of Korea (DPRK, or North Korea) entity ‘TraderTraitor,’ known more commonly as the Lazarus Group.
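As an added illustration, not from the webinar or from Crystal Intelligence: the sequence above (a tiny test transfer from the cold wallet, followed a minute later by a drain timed for the end of the local working day) is a pattern a treasury-monitoring rule can flag. The transfer feed, addresses and thresholds below are constructed placeholders, and the UTC+4 business-hours window is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Transfer:
    ts: datetime      # timestamp in UTC
    src: str
    dst: str
    asset: str
    usd_value: float

# Constructed sample feed (not real chain data): the sequence mirrors the
# article's timeline, with placeholder addresses and rounded USD values.
COLD_WALLET = "0xCOLD_WALLET_PLACEHOLDER"
SAMPLE_FEED = [
    Transfer(datetime(2025, 2, 21, 9, 0, tzinfo=timezone.utc), "0xCUSTOMER_A", COLD_WALLET, "ETH", 2_500_000.0),
    Transfer(datetime(2025, 2, 21, 14, 15, tzinfo=timezone.utc), COLD_WALLET, "0xATTACKER_1", "USDT", 90.0),
    Transfer(datetime(2025, 2, 21, 14, 16, tzinfo=timezone.utc), COLD_WALLET, "0xATTACKER_1", "ETH", 1_100_000_000.0),
    Transfer(datetime(2025, 2, 21, 14, 29, tzinfo=timezone.utc), "0xATTACKER_1", "0xATTACKER_2", "ETH", 2_700.0),
]

GST = timezone(timedelta(hours=4))  # Gulf Standard Time, UTC+4, no DST (assumed ops timezone)

def outside_business_hours(ts, start_hour=9, end_hour=17, tz=GST):
    """True when the transfer lands on a weekend or outside the local working day."""
    local = ts.astimezone(tz)
    return local.weekday() >= 5 or not (start_hour <= local.hour < end_hour)

def probe_then_drain(feed, wallet, window=timedelta(minutes=30),
                     probe_max_usd=1_000.0, drain_min_usd=10_000_000.0):
    """Pair each small outbound 'probe' from `wallet` with any large outbound
    transfer that follows it within `window`; returns a list of alert dicts."""
    outbound = sorted((t for t in feed if t.src == wallet), key=lambda t: t.ts)
    alerts = []
    for i, probe in enumerate(outbound):
        if probe.usd_value > probe_max_usd:
            continue
        for drain in outbound[i + 1:]:
            if drain.ts - probe.ts > window:
                break  # outbound list is time-sorted, nothing later can match
            if drain.usd_value >= drain_min_usd:
                alerts.append({
                    "probe": probe, "drain": drain,
                    "lag_seconds": int((drain.ts - probe.ts).total_seconds()),
                    "after_hours": outside_business_hours(drain.ts),
                })
    return alerts

if __name__ == "__main__":
    for a in probe_then_drain(SAMPLE_FEED, COLD_WALLET):
        print(f"ALERT: {a['probe'].usd_value:.0f} USD probe followed {a['lag_seconds']}s later "
              f"by a {a['drain'].usd_value:,.0f} USD outflow (after hours: {a['after_hours']})")
```

In practice the rule would sit on a signed-transaction or mempool feed so that the probe alone pauses the signing flow, rather than alerting after the drain has confirmed.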
How the Bybit Hack was carried out
Nick Smart previously explained that the thieves used techniques that allowed them to manipulate Bybit into approving a transaction, which granted them control over assets stored in ‘cold storage.’ Essentially, the attackers succeeded in replacing Bybit’s vault keys with their own, giving them unrestricted access to the assets held there. Once the attack was initiated, Bybit was unable to prevent the siphoning of funds into the attackers’ control.
Watch Federico Paesano’s analysis here for an illustrated technical breakdown of how the attack mechanics were constructed and implemented.
The panel agreed that the attackers’ APT plan was well executed by a highly capable and well-resourced crew, and Nick Smart discussed the implications of breaching what have become known as ‘gold standard’ multi-sig wallets.
Andrii Sovershennyi stated that the heist demonstrated that multi-sig and cold wallets were no longer necessarily safe, calling this development a ‘game-changer.’
Nick Steegmans suggested that multi-sig wallet integration with Ethereum was complicated, as it always requires smart contracts, whereas multi-sig wallets integrate natively with other blockchains.
You can listen to their insights and what solutions they propose here.
How the thieves are trying to launder the money stolen in the Bybit Hack
In the aftermath of the Bybit heist, the attackers face the massive task of laundering this large amount and converting it into fiat currency.
The passage of the funds in this high-profile case is under intense scrutiny from exchanges, analytics firms, law enforcement, and, since the bounty announcement, the entire crypto community.
Nick Smart illustrated a hypothetical scenario in which someone attempts to launder $1.4 billion through Monero, a cryptocurrency valued at approximately $4 billion. This action would consume 25% of the total supply available on exchanges, and it would still require finding a counterparty willing to handle such a high volume of transactions.
Federico Paesano agreed, referring to the much smaller $230M WazirX hack, where attempts to launder the funds through TornadoCash saturated its pools.
Federico then gave a visual tour of how the Bybit hackers may be planning to launder their funds using just one of the streams of financial flow, which you can watch here.
Key points discussed included:
- The funds have been dispersed into thousands of wallet addresses in preparation for moving such a large amount.
- A large portion of the funds was converted from Ethereum to Bitcoin and Dai to make tracking them harder.
- They approached anonymity-preferring and uncooperative ‘instant exchanges’ where they hoped to launder funds invisibly.
The discussion touched lightly on possible money laundering solutions for the hackers, which included starting their own exchange and becoming their own bank.
Bybit’s response to the $1.4B crypto hack
The panel rightly lauded Bybit’s actions in the wake of the hack as a ‘masterclass in crisis management.’
Unlike some businesses that have fallen foul of crypto thefts, they responded proactively and transparently. Highlights included:
- Less than two hours after the hack, Bybit publicly confirmed the breach and reassured its customers. It also started working with law enforcement and blockchain analytics firms like Crystal Intelligence.
- As part of their bounty program, they appealed for solidarity in the wider crypto community, setting up an application programming interface (API) to track addresses involved in the hack. The panel did, however, note the potential risk of an information overload because of engaging so many crypto community members.
- Bybit had adequate reserves to absorb the losses and sufficient liquidity to prevent a run on customer withdrawals, illustrating a huge step forward by the crypto industry since the FTX collapse.
What the Bybit hack and response means for the future of crypto
The Bybit hack marked a pivotal moment in the evolution of cybercrime within the cryptocurrency sector and has reshaped how the industry addresses security challenges. The attackers demonstrated remarkable ingenuity, but this will be overshadowed by the industry’s unity and resolve to respond effectively. In the meantime, Bybit’s approach to transparency and crisis management has set a new standard for the industry.
Watch the full webinar here.