Bybit Crypto Exchange Hacked: $1.4 Billion ETH Stolen from Cold Wallet | Black Hat Ethical Hacking



Overview

Bybit, the world’s second-largest cryptocurrency exchange, has confirmed a major security breach, resulting in the theft of approximately $1.4 billion worth of Ethereum (ETH) from one of its cold wallets—which are generally considered among the safest storage methods for digital assets.

Bybit’s CEO, Ben Zhou, addressed the situation, confirming an ongoing investigation but reassuring users that trading remains operational and customer funds are safe despite the staggering loss.

How Did the Hack Happen?

Cold wallets are designed to be offline to prevent remote cyberattacks. This breach raises serious concerns about whether:

  • A sophisticated cyberattack bypassed offline security measures.
  • There was an insider threat or internal security failure.
  • A combination of social engineering and advanced hacking techniques was used.

At this stage, Bybit has not disclosed how the cold wallet was compromised, but speculation is mounting as experts analyze the attack vectors.

Lazarus Group’s Crypto Trail: How the Hack Was Tracked

February 21 (Day of the Hack)

At 19:09 UTC, Arkham Intelligence tweeted that ZachXBT had submitted on-chain evidence proving Lazarus Group’s involvement. His forensic analysis included:

  • Test transactions linking the stolen ETH to Lazarus wallets.
  • Connected addresses used in previous hacks.
  • Timing patterns indicating a premeditated attack.

February 22: The Phemex Connection

Further investigations revealed that the Bybit hackers also executed the recent Phemex hack (Feb 20, 2025).

  • The same laundering addresses were used for both heists.
  • An overlapping wallet (0x33d057af74779925c4b2e720a820387cb89f8f65) linked funds from Bybit and Phemex.
  • Lazarus used Tron-based mixing services to obfuscate stolen assets.

February 22: The BingX Connection

Later that day, ZachXBT uncovered a link between the Bybit, Phemex, and BingX hacks using another shared laundering address (0xd555789b146256253cd4540da28dcff6e44f6e50).

Key Transactions:

  • Bybit Hack: 0x4a366130118d750715c2d35fdc07509cf943fcc988fa5e6d02211e3d5472796e
  • BingX Hack: 0x93424aa87731bb9b1d8cc1f708d2ac9f3faf914f368a00494d87cba3e7719e8c

This solidified the theory that Lazarus executed all three attacks, stealing billions in crypto assets across multiple platforms.
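
The cross-incident linking described above, where separate thefts are tied together by laundering addresses they share, can be shown as an added example that is not from the original article or from the investigators' tooling. All addresses and transfers are constructed placeholders; the hop limit and the `known_services` exclusion list are assumptions of this example.

```python
from collections import defaultdict, deque

# Constructed sample transfers (sender, receiver). Placeholder names, not on-chain data.
TRANSFERS = [
    ("exchA_cold", "a1"), ("a1", "a2"), ("a2", "shared_1"),
    ("exchA_cold", "a3"), ("a3", "shared_2"), ("a1", "svc_deposit"),
    ("exchB_hot", "b1"), ("b1", "shared_1"), ("b1", "shared_2"),
    ("exchC_hot", "c1"), ("c1", "c2"), ("c2", "shared_2"), ("c1", "svc_deposit"),
    ("unrelated", "u1"),
]
# Incident label -> address the stolen funds left from (constructed).
INCIDENTS = {"A": "exchA_cold", "B": "exchB_hot", "C": "exchC_hot"}
# High-traffic service addresses: many unrelated parties deposit here, so an
# overlap on them is not evidence of a common actor.
KNOWN_SERVICES = frozenset({"svc_deposit"})

def build_graph(transfers):
    graph = defaultdict(set)
    for src, dst in transfers:
        graph[src].add(dst)
    return graph

def downstream(graph, source, max_hops, stop_at=frozenset()):
    """Breadth-first trace: {address: hops} within max_hops of source."""
    seen = {source: 0}
    queue = deque([source])
    while queue:
        addr = queue.popleft()
        if seen[addr] == max_hops:
            continue  # hop budget spent, do not expand further
        for nxt in graph.get(addr, ()):
            if nxt in seen or nxt in stop_at:
                continue  # already visited, or a service we refuse to trace through
            seen[nxt] = seen[addr] + 1
            queue.append(nxt)
    del seen[source]
    return seen

def shared_addresses(transfers, incidents, max_hops=3, known_services=frozenset()):
    """Addresses downstream of two or more incidents -> sorted incident labels."""
    graph = build_graph(transfers)
    hits = defaultdict(set)
    for name, source in incidents.items():
        for addr in downstream(graph, source, max_hops, known_services):
            hits[addr].add(name)
    return {a: sorted(n) for a, n in hits.items() if len(n) >= 2}

if __name__ == "__main__":
    found = shared_addresses(TRANSFERS, INCIDENTS, known_services=KNOWN_SERVICES)
    for addr, names in sorted(found.items()):
        print(addr, "links incidents", names)
```

Without the exclusion list, `svc_deposit` shows up as a false link between incidents A and C, which is why overlaps are checked against known service addresses before they are treated as attribution evidence.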

