Massive Bybit Hack: Nearly $1.5 Billion in Ethereum Stolen


Bybit, one of the world’s largest crypto exchanges, has fallen victim to a highly sophisticated cyberattack, resulting in the theft of nearly $1.5 billion worth of Ethereum (ETH).

The attack exploited a vulnerability in a multisig cold wallet setup, raising serious concerns about security practices in the industry.

How Did This Happen?

Bybit CEO Ben Zhou revealed that the hack was meticulously planned and executed at a time when the exchange was moving funds from cold storage to hot wallets. Every two to three weeks, Bybit transfers a portion of its cold wallet reserves to maintain platform liquidity – a predictable schedule known internally by exchange staff.

The hacker manipulated the signing process using a forged user interface that mimicked Safe, a widely used multisig wallet solution. This tricked Bybit’s authorized signers into giving their approval without realizing that they were signing a different transaction from the one displayed.

The hacker modified the underlying smart contracts, effectively draining the entire cold wallet. Bybit confirmed that the attack compromised approximately 70% of its managed ETH reserves.
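
An added example, not from the article or from Bybit or Safe: a check each signer could run on the raw EIP-712 signing request their wallet receives, independent of what the web interface displays, to confirm it matches the transfer approved out of band. The field names follow Safe's SafeTx typed-data structure; the addresses, limits and the `check_safe_tx` helper are constructed for illustration.

```python
# Constructed policy for a routine cold-to-hot transfer (all values are placeholders).
ZERO = "0x" + "00" * 20
POLICY = {
    "chain_id": 1,
    "safe": "0x" + "11" * 20,            # the cold wallet (EIP-712 verifyingContract)
    "hot_wallets": {"0x" + "22" * 20},   # allowlisted destinations
    "max_value_wei": 50_000 * 10**18,
}


def check_safe_tx(typed_data, intended_to, intended_value, policy=POLICY):
    """Return the list of policy violations in an EIP-712 SafeTx signing request."""
    dom, msg = typed_data["domain"], typed_data["message"]
    to, value = msg["to"].lower(), int(msg["value"])
    problems = []
    if typed_data.get("primaryType") != "SafeTx":
        problems.append("not a SafeTx request")
    if int(dom["chainId"]) != policy["chain_id"]:
        problems.append("wrong chain")
    if dom["verifyingContract"].lower() != policy["safe"]:
        problems.append("signing for a different Safe")
    if to != intended_to.lower() or to not in policy["hot_wallets"]:
        problems.append("destination differs from the approved hot wallet")
    if value != intended_value or value > policy["max_value_wei"]:
        problems.append("value differs from the approved amount")
    if int(msg["operation"]) != 0:
        problems.append("operation is not a plain CALL")
    if msg["data"] not in ("0x", ""):
        problems.append("unexpected calldata on an ETH transfer")
    if msg["gasToken"].lower() != ZERO or msg["refundReceiver"].lower() != ZERO:
        problems.append("unexpected gas refund settings")
    return problems


def sample_request(**overrides):
    """Build a constructed signing request in the shape a wallet receives it."""
    msg = {"to": "0x" + "22" * 20, "value": str(30_000 * 10**18), "data": "0x",
           "operation": 0, "safeTxGas": "0", "baseGas": "0", "gasPrice": "0",
           "gasToken": ZERO, "refundReceiver": ZERO, "nonce": 71}
    msg.update(overrides)
    return {"primaryType": "SafeTx",
            "domain": {"chainId": 1, "verifyingContract": "0x" + "11" * 20},
            "message": msg}
```

The check is only useful when it runs on a machine separate from the one rendering the signing interface, and when any non-empty result blocks the signature.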

Was Safe Itself Hacked?

Given the nature of the exploit, security experts are investigating whether Safe’s infrastructure was directly compromised.

If the attacker gained access to Safe’s servers, it could put other crypto exchanges and institutional users at risk, as many rely on Safe’s multisig technology.

For now, there is no direct evidence that Safe was breached, but the investigation is ongoing.

What Does This Mean for Bybit Users?

Bybit has reassured users that it holds $16 billion in total reserves, meaning customer funds are not at risk. However, because the exchange does not have enough ETH in reserve, it is currently working with other exchanges to secure a liquidity bridge, ensuring that ETH withdrawals can continue as normal.

Despite these assurances, the hack has triggered a wave of panic withdrawals, commonly referred to as a “bank run.” Many users are moving funds off the exchange, fearing a potential liquidity crisis – a scenario that echoes the collapse of FTX in 2022.

Unlike FTX, however, Bybit has maintained open communication, holding livestream Q&A sessions on X (formerly Twitter) to address concerns and provide transparency.

“We are working around the clock to process all withdrawals and remain fully transparent with our users,” Bybit stated.

Can the Hacker Cash Out the Stolen ETH?

Since all blockchain transactions are public, the hacker now faces a major problem:

  • Centralized exchanges are blocking flagged addresses, preventing deposits from known hacker wallets.
  • Issuers of stablecoins like USDT and USDC can freeze suspicious wallets, limiting the attacker’s ability to convert funds into stable assets.

The hacker’s remaining options include:

  • Using crypto mixers like Tornado Cash to obscure the origin of the stolen ETH.
  • Bridging to other blockchains to make tracking harder.
  • Trading on decentralized exchanges (DEXs) that don’t require Know Your Customer (KYC) verification.

It remains to be seen whether blockchain analysts can link the stolen funds to an identity or if the assets will disappear into the darknet, making recovery almost impossible.

Key Takeaways: A Wake-Up Call for Crypto Security

This attack highlights a growing vulnerability in the crypto industry – even top-tier exchanges are not immune to sophisticated hacks. The incident raises serious concerns about the security of multisig wallets, particularly when attackers can manipulate both software and human decision-making processes.

For individual crypto holders, this is yet another reminder of the importance of self-custody:

“Not your keys, not your coins.”

While exchanges remain prime targets for hackers, holding crypto in a private hardware wallet significantly reduces the risk of losing funds to an exchange breach.

For those looking to enhance their security, cold storage solutions like the NGRAVE hardware wallet provide maximum protection against both cyberattacks and insider risks.

