Hackers Drain Bybit’s Ethereum Cold Wallet
On February 21, 2025, hackers carried out the biggest cryptocurrency theft in history, stealing 401,346 ETH—valued at $1.46 billion—from Bybit’s Ethereum cold wallet. The attack has been linked to North Korea’s Lazarus Group, a cybercrime organization known for targeting financial institutions.
How Did the Hack Happen?
Unlike typical private key thefts, this breach exploited a vulnerability in Bybit’s multisignature wallet system. The attackers used a masked payload attack, a technique that deceives authorized signers into approving fraudulent transactions.
The attack occurred during a routine transfer from Bybit’s cold wallet to a warm wallet, a common process for managing liquidity. Bybit nevertheless assured users that withdrawals would continue as normal.
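A masked payload attack works only if signers trust the wallet interface's description of a transaction instead of the raw payload they are actually signing. The following is an added illustration, not code from the article or from Bybit, of the kind of independent "what am I signing?" check a multisig signer can run before approving; the payload field names, the token and wallet addresses, and the amounts are constructed for the example.

```python
# Added example (not from the article): decode the raw payload a multisig signer is
# asked to approve and compare it against the human-readable intent. Any mismatch,
# or any call the checker cannot decode, is a reason to refuse to sign.
# Field names (to, value, data) and all sample values are constructed.

ERC20_TRANSFER_SELECTOR = "a9059cbb"  # first 4 bytes of keccak256("transfer(address,uint256)")


def decode_payload(to: str, value: int, data: str) -> dict:
    """Return what the raw payload actually does, or mark it as unknown."""
    data = data.lower().removeprefix("0x")
    if data == "":  # empty calldata: plain ETH transfer to `to`
        return {"kind": "eth_transfer", "to": to.lower(), "amount": value}
    selector, args = data[:8], data[8:]
    if selector == ERC20_TRANSFER_SELECTOR and len(args) == 128:
        recipient = "0x" + args[24:64]  # address is right-aligned in its 32-byte word
        amount = int(args[64:128], 16)
        return {"kind": "erc20_transfer", "token": to.lower(), "to": recipient, "amount": amount}
    return {"kind": "unknown", "selector": selector}


def safe_to_sign(payload: dict, intent: dict) -> tuple[bool, str]:
    """Approve only if the decoded payload matches the signer's stated intent."""
    decoded = decode_payload(payload["to"], payload["value"], payload["data"])
    if decoded["kind"] == "unknown":
        return False, f"refusing unknown call selector 0x{decoded['selector']}"
    for field in ("kind", "to", "amount"):
        if decoded.get(field) != intent.get(field):
            return False, f"{field} mismatch: payload={decoded.get(field)} intent={intent.get(field)}"
    if decoded["kind"] == "erc20_transfer" and decoded["token"] != intent.get("token"):
        return False, "token contract mismatch"
    return True, "payload matches intent"


# Constructed samples: the UI claims "move 1000 ETH to the warm wallet" in every case.
WARM_WALLET = "0x" + "11" * 20
INTENT = {"kind": "eth_transfer", "to": WARM_WALLET, "amount": 1000 * 10**18}
HONEST = {"to": WARM_WALLET, "value": 1000 * 10**18, "data": "0x"}
MASKED = {"to": "0x" + "22" * 20, "value": 0, "data": "0x" + "deadbeef" + "00" * 64}

# Same idea for a token transfer whose recipient was swapped in the payload.
TOKEN, ATTACKER = "0x" + "33" * 20, "0x" + "44" * 20
TOKEN_INTENT = {"kind": "erc20_transfer", "token": TOKEN, "to": WARM_WALLET, "amount": 5 * 10**18}
MASKED_TOKEN = {"to": TOKEN, "value": 0,
                "data": "0x" + ERC20_TRANSFER_SELECTOR + "00" * 12 + "44" * 20 + format(5 * 10**18, "064x")}

if __name__ == "__main__":
    for name, p, i in (("honest", HONEST, INTENT), ("masked", MASKED, INTENT),
                       ("masked token", MASKED_TOKEN, TOKEN_INTENT)):
        print(name, safe_to_sign(p, i))
```

The check is deliberately strict: a selector it does not recognise is treated as a refusal rather than passed through, since a signer who cannot explain a payload has no basis for approving it.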
Where Did the Funds Go?
Shortly after the breach, the stolen Ethereum was distributed across 48 wallets, with 10,000 ETH being sent to crypto mixer eXch to obscure the transaction trail.
However, eXch has denied any involvement in laundering the stolen funds. On-chain investigator ZachXBT reported that eXch processed $35 million of the stolen funds and even accidentally sent 34 ETH ($96,000) to another exchange.
Efforts to Recover the Stolen Crypto
By February 23, over $42 million of the stolen funds had been frozen through a coordinated effort. However, reports indicate that Bybit is facing resistance from eXch in recovering the assets.
What’s Next for Bybit and Crypto Security?
This breach highlights serious vulnerabilities in crypto exchanges’ security models, particularly in multisignature governance. While Bybit has assured users that operations will continue, this attack raises critical questions about the safety of digital assets.