StoneX Digital Asset Weekly Commentary - Bybit Hack

Bybit’s $1.5 Billion Hack: Largest Crypto Heist in History Sparks Fork Debate in Ethereum Community
 


Executive Summary

  • Market trading color: Bitcoin dropped 10% amid ETF outflows, macro headwinds, and Bybit’s $1.4B hack, testing key support.
  • Theme of the week – Lazarus Group hacked Bybit’s Ethereum cold wallet, stealing $1.5B and sparking a contentious Ethereum rollback debate.
  • Links of the week: Bitcoin correction, ETF updates, Lazarus hack, regulatory shifts, and institutional moves shape crypto’s week.

Market Trading Color

It has not been the brightest of weeks for Bitcoin and the digital asset market in general. BTC itself has fallen 10% from above $99,500 to a local low of $82,240. Much of the initial reaction downward was due to Friday’s Bybit fiasco, which saw North Korea’s Lazarus Group steal $1.4B worth of ETH. Details of the hack here: https://x.com/benbybit/status/1892963530422505586. Bybit has since released screenshots of the forensic report, essentially blaming it on Safe Wallet’s infrastructure here: https://x.com/benbybit/status/1894768736084885929.

Aside from this, and given the lack of clear short-term positive catalysts for the industry, BTC has been left at the mercy of a flailing macro backdrop for risk assets. That backdrop includes an unfavorable near-term liquidity outlook (rate cuts months away), DOGE, whose main goal is to reduce the budget deficit, and the ongoing tariffs. All of these are potential drags on near-term economic growth, and none plays into Bitcoin’s hands.

Given the above, we’ve seen record outflows from ETFs on the week, totaling $2.2B. You can certainly attribute a large majority of this selling to the unwinding of existing basis trades, which should largely have no impact on price. However, the Coinbase premium shown below yesterday hit its largest negative number since December, as current US appetite for the asset decreases in this environment.

Source: Coinglass

As for the basis trade, it is currently down to ~5.5% annualized. This comes as CME open interest is on the decline, down around 20% from December’s highs. With leverage still around 6% higher than pre-election, and as appetite from current participants wavers, we could see a continued shakeout of this leverage and a retest of support at the $81,000 area. If this doesn’t hold, a move downward to the $75,000 range could be on the table, with an air gap between $70,000 and $88,000.

Source: Glassnode

If we do test the $75,000 range, look for new money to step in and play for a reversal to highs, especially if this comes in the latter half of the year with a hopefully better macro backdrop. Patience is preached in these downturns. Despite this price action, many positive headlines have come across the space of late. These include consistent government seat appointments for pro-crypto individuals, the repeal of SAB 21, and, as of late, what seem like daily SEC settlements of outstanding lawsuits against crypto companies. These headlines are the ones the institutions are focused on, not which memecoin was rugged of late.

Bybit’s $1.5 Billion Hack
The cryptocurrency world witnessed an unprecedented security breach on February 21, 2025, when Dubai-based crypto exchange Bybit disclosed that its Ethereum cold wallet had been drained of nearly $1.5 billion in Ether (ETH) and related tokens. Several blockchain security firms, including Elliptic, Arkham Intelligence, and TRM Labs, quickly attributed the hack to the North Korean state-sponsored Lazarus Group—one of the most notorious and prolific threat actors in the industry.

Source: Elliptic

In addition to its sheer scale, the Bybit hack has ignited a heated debate over blockchain immutability and a potential Ethereum “rollback”—evoking memories of the 2016 DAO hack and raising questions about the limits of decentralization.

Timeline of Events

The Hack Unfolds

  • February 21, 2025: Bybit’s ETH multisig cold wallet initiates a scheduled transfer to one of its warm wallets.
  • Unbeknownst to the exchange’s signers, the attacker has manipulated the signing interface by displaying a legitimate transaction while secretly altering the underlying smart contract logic.
  • Over 400,000 ETH and stETH (Lido Staked Ether), valued at over $1.5 billion, move to an “unidentified” address controlled by the hackers.

Immediate Aftermath

  • Bybit’s CEO Ben Zhou confirms that all other cold wallets remain secure, and the exchange promptly reports the breach to authorities.
  • Over the next 72 hours, Bybit processes a surge of withdrawal requests, totaling more than $6 billion, amid a wave of user anxiety.
  • Several entities, including Tether, Circle, and other centralized services, freeze a portion of the stolen funds. Despite these efforts, blockchain analytics reveal that the attackers begin moving assets across multiple wallets, decentralized exchanges (DEXs), and cross-chain bridges.

Attribution to Lazarus Group

  • Elliptic, Arkham Intelligence, and TRM Labs separately attribute the hack to the North Korea-linked Lazarus Group, citing on-chain patterns consistent with previous breaches.
  • Independent researcher ZachXBT connects the Bybit hack on-chain to the Phemex and BingX hacks, both believed to be carried out by Lazarus.

How the Hack Happened

Multisig Cold Wallet Exploit

The hackers exploited Bybit’s reliance on a multisig cold wallet setup. While such wallets are typically seen as the gold standard for institutional security, the attackers leveraged front-end manipulation to deceive Bybit’s signers. Specifically:

  1. Malicious Smart Contracts: A trojan contract containing hidden malicious code replaced the original master copy of Bybit’s Gnosis Safe.
  2. Manipulated Interface: During the approval process, the interface showed what appeared to be a standard transfer. Signers, seeing no red flags, approved the transaction.
  3. Backdoor Activation: With the malicious contract in control, the hackers effectively had full authority over Bybit’s wallet, siphoning out ETH and other tokens.

High-Level Social Engineering

Security researchers point out that this breach relied not on brute force attacks or protocol vulnerabilities alone, but on user interface manipulation, tricking human signers who believed they were authorizing a routine transfer. Check Point Research called it “a new phase in attack methods, featuring advanced techniques for manipulating user interfaces.”
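
The following is an added illustration, not code from Bybit, Safe, or the author of this commentary. It shows an independent pre-signing check of the kind a signer could run outside the signing interface: it compares the raw transaction fields being approved with what the interface displays. The field names follow the Safe execTransaction parameters; the addresses, the allowlist policy and the sample payloads are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

CALL, DELEGATECALL = 0, 1        # values of the Safe transaction "operation" field
ERC20_TRANSFER = "a9059cbb"      # selector of transfer(address,uint256)


@dataclass
class DisplayedIntent:
    """What the signing interface claims the transaction does."""
    recipient: str
    amount: int
    token: Optional[str] = None  # None means a native ETH transfer


def decode_erc20_transfer(data_hex: str):
    """Return (recipient, amount) only if data is exactly transfer(address,uint256)."""
    d = data_hex.lower()
    d = d[2:] if d.startswith("0x") else d
    if len(d) != 8 + 128 or d[:8] != ERC20_TRANSFER or d[8:32] != "0" * 24:
        return None
    return "0x" + d[32:72], int(d[72:], 16)


def review_safe_tx(tx: dict, shown: DisplayedIntent, warm_wallets: set) -> list:
    """Check the raw payload against the displayed intent; return a list of findings."""
    findings = []
    if tx["operation"] != CALL:
        findings.append("operation is not CALL: target code would run in the wallet's own context")
    data = tx.get("data") or "0x"
    if shown.token is None:                       # interface says: send ETH
        if data != "0x":
            findings.append("ETH transfer carries calldata")
        recipient, amount = tx["to"].lower(), tx["value"]
    else:                                         # interface says: send an ERC-20 token
        if tx["to"].lower() != shown.token.lower():
            findings.append("call target is not the displayed token contract")
        if tx["value"] != 0:
            findings.append("token transfer also moves ETH")
        decoded = decode_erc20_transfer(data)
        if decoded is None:
            findings.append("calldata is not a plain transfer(address,uint256)")
            return findings
        recipient, amount = decoded
    if recipient != shown.recipient.lower():
        findings.append("recipient differs from the one displayed")
    if amount != shown.amount:
        findings.append("amount differs from the one displayed")
    if recipient not in {w.lower() for w in warm_wallets}:
        findings.append("recipient is not an allowlisted warm wallet")
    return findings


# Constructed sample data (placeholder addresses, not taken from the incident).
WARM = "0x" + "11" * 20
UNKNOWN = "0x" + "33" * 20
shown = DisplayedIntent(recipient=WARM, amount=10**18)

honest = {"to": WARM, "value": 10**18, "data": "0x", "operation": CALL}
# Same text on screen, but the payload delegatecalls an unknown contract
# with transfer-shaped calldata.
tampered = {"to": UNKNOWN, "value": 0, "operation": DELEGATECALL,
            "data": "0x" + ERC20_TRANSFER + "00" * 12 + "44" * 20 + "%064x" % 0}

if __name__ == "__main__":
    for name, tx in (("honest", honest), ("tampered", tampered)):
        print(name, review_safe_tx(tx, shown, {WARM}) or "matches displayed intent")
```

The check only has value if it runs on a device and code path separate from the interface that renders the transaction for the signers.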

Aftermath: Race to Contain the Damage

Bybit’s Liquidity Crunch

In the hack’s wake, Bybit faced a significant liquidity strain:

  • Over $6.1 billion in assets flowed out within three days, dropping Bybit’s total tracked holdings from $17 billion to $10.8 billion.
  • To restore reserves, Bybit took on loans, large deposits from partner entities, and purchased ETH.
Source: Bybit_Official @ X

Since being hacked, Bybit has received ~446,870 ETH ($1.23B) through loans, whale deposits, and ETH purchases as shown below:

Source: Lookonchain @ X

Freezes and Partial Recovery

  • Tether froze $181,000 in USDT linked to the hack, while various exchanges and protocols cooperated by blocking suspicious addresses or offering investigative support.
  • However, eXch, a lesser-known cryptocurrency exchange alleged to have handled millions of dollars’ worth of the stolen funds, refused to freeze the hacker’s accounts.
Source: MistTrack_io @ X

The graphic above is an email exchange between eXch and Bybit, discussing eXch’s disinterest in freezing transactions.

Lazarus Group’s Laundering

Elliptic’s analysis indicates the hackers swiftly converted large quantities of stETH, cmETH, and other tokens into Ether, then layered them across numerous wallets. The next steps involved cross-chain bridges, centralized exchanges, and swaps into Bitcoin, common techniques the Lazarus Group employs to obscure fund movements and evade asset freezes.

Onchain investigator ZachXBT has linked the Bybit hack to North Korea’s Lazarus Group, citing a shared address used in previous attacks on Phemex and BingX, both attributed to Lazarus. Most recently, ZachXBT discovered that these three breaches also connect to the Poloniex attack.

Source: ZachXBT @ X

Ethereum Community’s Fork Debate

The hack’s immense scale spurred a controversial discussion about a potential rollback of Ethereum to reverse the theft. Arthur Hayes, co-founder of BitMEX, ignited the debate by publicly asking Ethereum co-founder Vitalik Buterin on X whether he would consider “rolling back” the chain to recover stolen funds.

Source: CryptoHayes @ X

Community Backlash

  • The Ethereum community quickly pushed back, stressing that any rollback would undermine decentralization and cripple trust in the blockchain’s immutability.
  • Many drew parallels to the 2016 DAO hack, which led to Ethereum’s most contentious hard fork but was not a straightforward rollback; instead, it was an irregular state transition that created two chains: Ethereum and Ethereum Classic.
  • Developers and users alike have noted the drastic differences in the ecosystem’s complexity today versus 2016: any attempt at a rollback could break countless DeFi contracts, NFTs, and other integrated systems.

While no formal response from Buterin or the Ethereum Foundation has emerged endorsing a rollback, multiple core developers reiterated that Ethereum’s design aims for immutability. Buterin has historically championed the concept of “code as law,” making a rollback approach exceedingly unlikely.

Industry Perspectives

  • Binance’s Changpeng Zhao (CZ) highlighted the broader security implications, noting that several major platforms (WazirX, Phemex, and now Bybit) have been breached via multisig cold wallets.
  • CZ also underlined the importance of swift, transparent communication in crisis management, contrasting Bybit’s proactive disclosure with less transparent approaches in past exchange hacks.

Heightened Regulatory Scrutiny

Bybit reported the hack to relevant authorities, and jurisdictions like Singapore have taken the matter “very seriously,” launching collaborative efforts with Interpol to investigate. With North Korea’s Lazarus Group once again in the spotlight, the hack highlights continued concerns around state-sponsored cybercrime, sanctions violations, and the need for tighter regulatory measures in global crypto markets.

Key Takeaways and Looking Ahead

  1. No Cold Wallet is Infallible
    • The Bybit hack demonstrates that even a well-structured multisig cold wallet can be compromised through advanced user interface manipulation.
  2. The Lazarus Group’s Evolving Arsenal
    • North Korean state-sponsored hackers remain a potent force in crypto crime, adapting rapidly to new security measures, laundering billions in stolen crypto since 2017.
  3. Calls for an Ethereum Rollback Falter
    • While some influential figures raised the possibility, the broader Ethereum community’s commitment to decentralization and immutability has rendered the rollback proposal untenable.
  4. Industry-Wide Collaboration
    • Despite ongoing controversies, like eXch’s refusal to freeze funds, most exchanges, analytics firms, and stablecoin issuers responded swiftly to blacklist addresses and freeze portions of stolen assets.
  5. Regulatory and Technological Challenges
    • With investigations spanning multiple countries and agencies, plus the complexities of multi-chain laundering, recovering the bulk of the stolen funds will be challenging. Ongoing efforts from global law enforcement and analytics firms continue, but Lazarus Group’s laundering tactics grow more sophisticated with each heist.

Links of the Week

  • StoneX Digital Top 10 Links of the Week

    • Bitcoin ($BTC): Bitcoin Likely to Head Even Lower, but Seeds of Next Bull Move Are Being Sown
    • Bitcoin ($BTC): Bernstein reiterates $200,000 bitcoin target, sees buying opportunity amid market correction
    • Ethereum ($ETH): Ether on the Verge of ‘Death Cross’ Pattern; SOL, DOGE, BNB Below 200-Day Average
    • Bybit CEO declares ‘war against Lazarus’ after $1.4B hack
    • Crypto’s Grown-Up Response To North Korea’s Historic $1.4B Robbery
    • Crypto ETF updates signal regulatory evolution
    • With a Coinbase dismissal pending, what’s next?
    • Robinhood says it’s free from the SEC
    • Michael Saylor’s crypto framework includes ‘concrete’ proposals: Lawyer
    • Crypto Asset Manager Bitwise Bolsters Balance Sheet With $70M Equity Raise

This material should be construed as market commentary and represents the opinions and viewpoints of the author, and does not reflect tailored advice associated with any specific account.



The views are current only through the date stated and are subject to change at any time based upon market or other conditions, and StoneX Group Inc. (“SGI”) disclaims any responsibility to update such views. Actual results, performance, or achievements may differ materially from those expressed or implied. Information is based on data gathered from what we believe are reliable sources. Past performance does not guarantee future results.



The StoneX Group Inc. group of companies provides financial services worldwide through its subsidiaries, including physical commodities, securities, exchange-traded and over-the-counter derivatives, risk management, global payments and foreign exchange products in accordance with applicable law in the jurisdictions where services are provided.



References to certain OTC products or swaps are made on behalf of StoneX Markets, LLC (SXM), a member of the National Futures Association (NFA) and provisionally registered with the U.S. Commodity Futures Trading Commission (CFTC) as a swap dealer. SXM’s products are designed only for individuals or firms who qualify under CFTC rules as an ‘Eligible Contract Participant’ and who have been accepted as customers of SXM.



StoneX Financial Inc. (SFI) is a member of FINRA/NFA/SIPC and registered with the MSRB. SFI is registered with the U.S. Securities and Exchange Commission (SEC) as a Broker-Dealer and with the CFTC as a Futures Commission Merchant and Commodity Trading Advisor. References to certain securities trading are made on behalf of the BD Division of SFI and are intended only for an audience of institutional clients as defined by FINRA Rule 4512(c). References to certain exchange-traded futures and options are made on behalf of the FCM Division of SFI. Wealth Management is offered through SA Stone Wealth Management Inc., member FINRA/SIPC, and SA Stone Investment Advisors Inc., an SEC-registered investment advisor, both wholly owned subsidiaries of SGI.



StoneX Financial Ltd (SFL) is registered in England and Wales, company no. 5616586. SFL is authorised and regulated by the Financial Conduct Authority (FCA) (registration number FRN:446717) to provide services to professional and eligible customers including: arrangement, execution and, where required, clearing derivative transactions in exchange traded futures and options. SFL is also authorised to engage in the arrangement and execution of transactions in certain OTC products, certain securities trading, precious metals trading and payment services to eligible customers. SFL is authorised and regulated by the FCA under the Payment Services Regulations 2017 for the provision of payment services. SFL is a category 1 ring-dealing member of the London Metal Exchange. In addition SFL also engages in other physically delivered commodities business and other general business activities which are unregulated and not required to be authorised by the FCA.



StoneX APAC Pte. Ltd. (“SAP”) (Co. Reg. No 200616676W) is regulated as a Dealer (PS20190001002) under the Precious Stones and Precious Metals (Prevention of Money Laundering and Terrorism Financing) Act 2019 for purposes of anti-money laundering and countering the financing of terrorism. SAP is an “Approved International Trading Company” authorized to act as a “Spot Commodity Broker” under the Commodity Trading Act.



StoneX Financial Pte Ltd (Co. Reg. No 201130598R) (“SFP”) is regulated by the Monetary Authority of Singapore and is a Capital Markets Service Licensee (for dealing in capital market products), an Exempt Financial Adviser (for advising on investment products and issuing or promulgating analyses/ reports on investment products) and a Major Payment Institution (for cross-border money transfer service).



SFP may distribute analysis/report produced by its respective foreign affiliates within the StoneX Group of companies pursuant to an arrangement under Regulation 32C of the Financial Advisers Regulations Recipients should contact SFP at (65) 6309 1000 for any matters arising from, or in connection with, this webinar.



StoneX Financial (HK) Limited (CE)No.: BCQ152) (“SHK”) is regulated by the Hong Kong Securities and Futures Commission for Dealing in Securities and Dealing in Futures Contracts.



StoneX Financial Pty Ltd (“SFA”)(ACN: 141 774 727) holds an Australian Financial Service License and is regulated by the Australian Securities and Investments Commission (AFSL: 345646).



StoneX Securities Co., Ltd. (“SSJ”)(Co. Reg. No 010401047199) is regulated by the Japanese Financial Services Agency as a Type-I Financial Instruments Business Operator (Kanto Local Finance Bureau (FIBO)No.291’), is a member of the Financial Futures Association of Japan for dealing and broking FX and FX Option transactions, and is a member of the Japan Securities Dealers Association for dealing and broking stock indices and option transactions.



Trading swaps and over-the-counter derivatives, exchange-traded derivatives and options and securities involves substantial risk and is not suitable for all investors. Past performance of any futures or option is not indicative of future success. Indicators are not a trading system and are not published as a specific trade recommendation. The information herein is not a recommendation to trade nor investment research or an offer to buy or sell any derivative or security. It does not take into account your particular investment objectives, financial situation or needs and does not create a binding obligation on any of the StoneX group of companies to enter into any transaction with you. You are advised to perform an independent investigation of any transaction to determine whether any transaction is suitable for you. No part of this material may be copied, photocopied or duplicated in any form by any means or redistributed without the prior written consent of StoneX Group Inc.



The report/analysis herein is not directed to, or intended for distribution to or use by, any person or entity who is a citizen or resident of or located in any locality, state, country or other jurisdiction where such distribution, publication, availability or use would be contrary to law or regulation.



© 2025 StoneX Group Inc. All Rights Reserved.


