Bybit’s $1.5 Billion Hack: Largest Crypto Heist in History Sparks Fork Debate in Ethereum Community

Executive Summary
- Market trading color: Bitcoin dropped 10% amid ETF outflows, macro headwinds, and Bybit’s $1.4B hack, testing key support.
- Theme of the week – Lazarus Group hacked Bybit’s Ethereum cold wallet, stealing $1.5B and sparking a contentious Ethereum rollback debate.
- Links of the week: Bitcoin correction, ETF updates, Lazarus hack, regulatory shifts, and institutional moves shape crypto’s week.
Market Trading Color
It has not been the brightest of weeks for Bitcoin and the digital asset market in general. BTC itself has fallen 10% from above $99,500 to a local low of $82,240. Much of the initial downward reaction was due to Friday’s Bybit fiasco, which saw North Korea’s Lazarus Group steal $1.4B worth of ETH. Details of the hack are here: https://x.com/benbybit/status/1892963530422505586. Bybit has since released screenshots of the forensic report, which essentially blames Safe Wallet’s infrastructure: https://x.com/benbybit/status/1894768736084885929.
Aside from this, and the lack of clear short-term positive catalysts for the industry, BTC has been at the mercy of a flailing macro backdrop for risk assets. That backdrop includes an unfavorable near-term liquidity outlook (rate cuts months away), DOGE, whose main goal is to reduce the budget deficit, and the ongoing tariffs. All are catalysts for potential near-term economic growth issues, and none of them play into Bitcoin’s hands.
Given the above, we’ve seen record outflows from ETFs on the week, totaling $2.2B. You can certainly attribute a large majority of this selling to the unwinding of existing basis trades, which should largely have no impact on price. However, the Coinbase premium shown below yesterday hit its largest negative number since December, as current US appetite for the asset decreases in this environment.

Source: Coinglass
As for the basis trade, it is currently down to ~5.5% annualized. This comes as CME open interest is on the decline, down around 20% from December’s highs. With leverage still around 6% higher than pre-election, and as appetite from current participants wavers, we could see a continued shakeout of this leverage and a retest of support at the $81,000 area. If this doesn’t hold, a move downward to the $75,000 range could be on the table with an air gap between $70,000 and $88,000.

Source: Glassnode
If we do test the $75,000 range, look for new money to step in and play for a reversal to highs, especially if this comes in the latter half of the year with a hopefully better macro backdrop. Patience is preached in these downturns. Despite this price action, many positive headlines have come across the space of late. These include consistent government seat appointments for pro-crypto individuals, the repeal of SAB 21, and, most recently, what seems like daily SEC settlements of outstanding lawsuits against crypto companies. These headlines are the ones the institutions are focused on, not which memecoin was rugged of late.
Bybit’s $1.5 Billion Hack
The cryptocurrency world witnessed an unprecedented security breach on February 21, 2025, when Dubai-based crypto exchange Bybit disclosed that its Ethereum cold wallet had been drained of nearly $1.5 billion in Ether (ETH) and related tokens. Several blockchain security firms, including Elliptic, Arkham Intelligence, and TRM Labs, quickly attributed the hack to the North Korean state-sponsored Lazarus Group—one of the most notorious and prolific threat actors in the industry.

Source: Elliptic
In addition to its sheer scale, the Bybit hack has ignited a heated debate over blockchain immutability and a potential Ethereum “rollback”—evoking memories of the 2016 DAO hack and raising questions about the limits of decentralization.
Timeline of Events
The Hack Unfolds
- February 21, 2025: Bybit’s ETH multisig cold wallet initiates a scheduled transfer to one of its warm wallets.
- Unbeknownst to the exchange’s signers, the attacker has manipulated the signing interface by displaying a legitimate transaction while secretly altering the underlying smart contract logic.
- Over 400,000 ETH and stETH (Lido Staked Ether), valued at over $1.5 billion, move to an “unidentified” address controlled by the hackers.
Immediate Aftermath
- Bybit’s CEO Ben Zhou confirms that all other cold wallets remain secure, and the exchange promptly reports the breach to authorities.
- Over the next 72 hours, Bybit processes a surge of withdrawal requests, totaling more than $6 billion, amid a wave of user anxiety.
- Several entities, including Tether, Circle, and other centralized services, freeze a portion of the stolen funds. Despite these efforts, blockchain analytics reveal that the attackers begin moving assets across multiple wallets, decentralized exchanges (DEXs), and cross-chain bridges.
Attribution to Lazarus Group
- Elliptic, Arkham Intelligence, and TRM Labs separately attribute the hack to the North Korea-linked Lazarus Group, citing on-chain patterns consistent with previous breaches.
- Independent researcher ZachXBT connects the Bybit hack on-chain to the Phemex and BingX hacks, both believed to be carried out by Lazarus.
How the Hack Happened
Multisig Cold Wallet Exploit
The hackers exploited Bybit’s reliance on a multisig cold wallet setup. While such wallets are typically seen as the gold standard for institutional security, the attackers leveraged front-end manipulation to deceive Bybit’s signers. Specifically:
- Malicious Smart Contracts: A trojan contract containing hidden malicious code replaced the original master copy of Bybit’s Gnosis Safe.
- Manipulated Interface: During the approval process, the interface showed what appeared to be a standard transfer. Signers, seeing no red flags, approved the transaction.
- Backdoor Activation: With the malicious contract in control, the hackers effectively had full authority over Bybit’s wallet, siphoning out ETH and other tokens.
High-Level Social Engineering
Security researchers point out that this breach relied not on brute force attacks or protocol vulnerabilities alone, but on user interface manipulation, tricking human signers who believed they were authorizing a routine transfer. Check Point Research called it “a new phase in attack methods, featuring advanced techniques for manipulating user interfaces.”
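One defensive counterpart to the interface manipulation described above is to check the raw transaction fields against the signers' intent, independently of what the signing UI displays. The following is an added example, not code from Bybit, Safe, or the original article; it assumes the signer can obtain the raw Safe transaction fields (`to`, `value`, `data`, `operation`) out of band, and the `Intent` structure, function names, and addresses are hypothetical. It treats Safe's delegatecall operation as high-risk because delegatecalled code runs against the Safe's own storage.

```python
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1        # values of Safe's "operation" field
ERC20_TRANSFER = "a9059cbb"      # selector of transfer(address,uint256)

@dataclass
class Intent:
    """What the signers believe they are approving (hypothetical structure)."""
    recipient: str               # address that should receive the funds
    amount: int                  # wei, or token base units
    token: str = ""              # token contract; empty means plain ETH

def norm(hexstr):
    h = hexstr.lower()
    return h[2:] if h.startswith("0x") else h

def check_safe_tx(tx, intent, delegatecall_allowlist=()):
    """Compare raw Safe tx fields with the intent; return a list of violations."""
    problems = []
    to, data = norm(tx["to"]), norm(tx["data"])
    if tx["operation"] == DELEGATECALL:
        if to not in [norm(a) for a in delegatecall_allowlist]:
            problems.append("delegatecall to non-allowlisted contract")
    elif tx["operation"] != CALL:
        problems.append("unknown operation value")
    if not intent.token:         # plain ETH transfer
        if to != norm(intent.recipient):
            problems.append("target is not the intended recipient")
        if tx["value"] != intent.amount:
            problems.append("ETH value differs from intent")
        if data:
            problems.append("unexpected calldata on ETH transfer")
    else:                        # ERC-20 transfer
        if to != norm(intent.token):
            problems.append("target is not the intended token contract")
        if tx["value"] != 0:
            problems.append("unexpected ETH value on token transfer")
        if len(data) != 136 or data[:8] != ERC20_TRANSFER:
            problems.append("calldata is not transfer(address,uint256)")
        elif data[8:72] != norm(intent.recipient).rjust(64, "0"):
            problems.append("transfer recipient differs from intent")
        elif int(data[72:], 16) != intent.amount:
            problems.append("transfer amount differs from intent")
    return problems

# Constructed sample values, not taken from the incident.
WARM, OTHER = "0x" + "11" * 20, "0x" + "ee" * 20
INTENT = Intent(recipient=WARM, amount=10**18)
GOOD_TX = {"to": WARM, "value": 10**18, "data": "0x", "operation": CALL}
# Raw fields that do not match the intent: other target, delegatecall, calldata.
BAD_TX = {"to": OTHER, "value": 0, "operation": DELEGATECALL,
          "data": "0x" + ERC20_TRANSFER + norm(WARM).rjust(64, "0") + "0" * 64}
```

A check like this only helps if it runs on a device and code path separate from the signing interface, so that a compromised front end cannot also alter what the checker sees.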
Aftermath: Race to Contain the Damage
Bybit’s Liquidity Crunch
In the hack’s wake, Bybit faced a significant liquidity strain:
- Over $6.1 billion in assets flowed out within three days, dropping Bybit’s total tracked holdings from $17 billion to $10.8 billion.
- To restore reserves, Bybit took on loans, large deposits from partner entities, and purchased ETH.

Source: Bybit_Official @ X
Since being hacked, Bybit has received ~446,870 $ETH ($1.23B) through loans, whale deposits, and ETH purchases, as shown below:

Source: Lookonchain @ X
Freezes and Partial Recovery
- Tether froze $181,000 in USDT linked to the hack, while various exchanges and protocols cooperated by blocking suspicious addresses or offering investigative support.
- However, eXch, a lesser-known cryptocurrency exchange alleged to have handled millions of dollars’ worth of the stolen funds, refused to freeze the hacker’s accounts.

Source: MistTrack_io @ X
The graphic above is an email exchange between eXch and Bybit, discussing eXch’s disinterest in freezing transactions.
Lazarus Group’s Laundering
Elliptic’s analysis indicates the hackers swiftly converted large quantities of stETH, cmETH, and other tokens into Ether, then layered them across numerous wallets. The next steps involved cross-chain bridges, centralized exchanges, and swaps into Bitcoin, common techniques the Lazarus Group employs to obscure fund movements and evade asset freezes.
Onchain investigator ZachXBT has linked the Bybit hack to North Korea’s Lazarus Group, citing a shared address used in previous attacks on Phemex and BingX, both attributed to Lazarus. Most recently, ZachXBT discovered that these three breaches also connect to the Poloniex attack.

Source: ZachXBT @ X
Ethereum Community’s Fork Debate
The hack’s immense scale spurred a controversial discussion about a potential rollback of Ethereum to reverse the theft. Arthur Hayes, co-founder of BitMEX, ignited the debate by publicly asking Ethereum co-founder Vitalik Buterin on X whether he would consider “rolling back” the chain to recover stolen funds.

Source: CryptoHayes @ X
Community Backlash
- The Ethereum community quickly pushed back, stressing that any rollback would undermine decentralization and cripple trust in the blockchain’s immutability.
- Many drew parallels to the 2016 DAO hack, which led to Ethereum’s most contentious hard fork but was not a straightforward rollback; instead, it was an irregular state transition that created two chains: Ethereum and Ethereum Classic.
- Developers and users alike have noted the drastic differences in the ecosystem’s complexity today versus 2016: any attempt at a rollback could break countless DeFi contracts, NFTs, and other integrated systems.
While no formal response from Buterin or the Ethereum Foundation has emerged endorsing a rollback, multiple core developers reiterated that Ethereum’s design aims for immutability. Buterin has historically championed the concept of “code as law,” making a rollback approach exceedingly unlikely.
Industry Perspectives
- Binance’s Changpeng Zhao (CZ) highlighted the broader security implications, noting that several major platforms (WazirX, Phemex, and now Bybit) have been breached via multisig cold wallets.
- CZ also underlined the importance of swift, transparent communication in crisis management, contrasting Bybit’s proactive disclosure with less transparent approaches in past exchange hacks.
Heightened Regulatory Scrutiny
Bybit reported the hack to relevant authorities, and jurisdictions like Singapore have taken the matter “very seriously,” launching collaborative efforts with Interpol to investigate. With North Korea’s Lazarus Group once again in the spotlight, the hack highlights continued concerns around state-sponsored cybercrime, sanctions violations, and the need for tighter regulatory measures in global crypto markets.
Key Takeaways and Looking Ahead
- No Cold Wallet is Infallible
  - The Bybit hack demonstrates that even a well-structured multisig cold wallet can be compromised through advanced user interface manipulation.
- The Lazarus Group’s Evolving Arsenal
  - North Korean state-sponsored hackers remain a potent force in crypto crime, adapting rapidly to new security measures, laundering billions in stolen crypto since 2017.
- Calls for an Ethereum Rollback Falter
  - While some influential figures raised the possibility, the broader Ethereum community’s commitment to decentralization and immutability has rendered the rollback proposal untenable.
- Industry-Wide Collaboration
  - Despite ongoing controversies, like eXch’s refusal to freeze funds, most exchanges, analytics firms, and stablecoin issuers responded swiftly to blacklist addresses and freeze portions of stolen assets.
- Regulatory and Technological Challenges
  - With investigations spanning multiple countries and agencies, plus the complexities of multi-chain laundering, recovering the bulk of the stolen funds will be challenging. Ongoing efforts from global law enforcement and analytics firms continue, but Lazarus Group’s laundering tactics grow more sophisticated with each heist.
Links of the Week
StoneX Digital Top 10 Links of the Week
- Bitcoin ($BTC): Bitcoin Likely to Head Even Lower, but Seeds of Next Bull Move Are Being Sown
- Bitcoin ($BTC): Bernstein reiterates $200,000 bitcoin target, sees buying opportunity amid market correction
- Ethereum ($ETH): Ether on the Verge of ‘Death Cross’ Pattern; SOL, DOGE, BNB Below 200-Day Average
- Bybit CEO declares ‘war against Lazarus’ after $1.4B hack
- Crypto’s Grown-Up Response To North Korea’s Historic $1.4B Robbery
- Crypto ETF updates signal regulatory evolution
- With a Coinbase dismissal pending, what’s next?
- Robinhood says it’s free from the SEC
- Michael Saylor’s crypto framework includes ‘concrete’ proposals: Lawyer
- Crypto Asset Manager Bitwise Bolsters Balance Sheet With $70M Equity Raise




