Recently, the well-known exchange Bybit was attacked by hackers, and about 490,000 Ethereum (ETH) were stolen, with a value of up to $1.46 billion. Subsequently, MNT, SAFE, USDE, etc., experienced a short-term sharp drop.
Hackers tampered with the multi-signature wallet logic through malicious smart contracts and emptied the exchange’s ETH cold wallet, setting a new record for the largest single theft in the history of cryptocurrency.
After the incident, Bybit quickly took countermeasures, including launching a “bounty recovery plan”, and received assistance from several mainstream exchanges including Gate.io.
Last Friday night, the well-known trading platform Bybit became the target of a hacker attack, and 490,000 ETH worth up to $1.46 billion was stolen. This broke the record for the largest theft in the history of cryptocurrency, caused violent market fluctuations and drew close attention from both inside and outside the industry. This article analyzes the incident, from its background to the crisis response to the lessons for the market, and explores its far-reaching impact on the crypto ecosystem.
On the evening of February 21 last week, the crypto industry experienced the largest hacking incident in history. At 11:20 pm Beijing time, the on-chain detective ZachXBT first detected abnormal fund flows on the Bybit exchange, involving more than $1.46 billion in mETH and stETH assets being converted into ETH through a decentralized exchange (DEX).
Bybit founder Ben Zhou quickly confirmed the news through the X platform and started a live broadcast to disclose the details to the community: hackers tampered with the multi-signature wallet logic through malicious smart contracts and emptied the exchange’s ETH cold wallet.
Source: @benbybit
According to preliminary statistics, hackers stole about 490,000 ETH from Bybit’s Ethereum cold wallet. This figure not only led the market to question once again the SAFE multi-signature scheme adopted by Bybit, but also means the attacker now holds more ETH than Fidelity and Ethereum founder Vitalik Buterin, making the attacker the 14th largest ETH holder in the world.
As of the date of writing, this incident can be confirmed as the largest security incident in the history of Web3 to date, with the amount far exceeding the DAO attack in 2016 (about $150 million, about 1/10 of the amount stolen from Bybit).
As the incident unfolded, the market quickly fell into turmoil. ETH prices were the first to be affected, falling nearly 8% within 8 hours after the news came out, wiping out all the gains of last week.
Meanwhile, Mantle (MNT), an L2 public chain supported by Bybit, was not spared, with a daily drop of up to 15%, the largest single-day drop since 2024. Gnosis (SAFE), which provides a multi-signature solution, was undoubtedly sold off by the market, with a daily drop of 10%.
Source: Gate.io
In addition, the stablecoin protocol USDe, which cooperated with Bybit, was also affected, and its price temporarily lost its peg, falling from $1 to a minimum of $0.965. The issuer, Ethena Labs, quickly clarified that its assets were held in custody by over-the-counter institutions and not stored in exchanges, and market sentiment then gradually calmed down.
Source: Gate.io
Of course, investors’ trust in Bybit was severely tested, with a large number of users initiating withdrawal requests. In just 24 hours, Bybit faced a peak withdrawal of $2.399 billion. Fortunately, Bybit has recovered 447,000 ETH through various channels, making up for the gap in the hacker incident, and said that a new audit certificate will be released soon.
Faced with this unprecedented crisis, Bybit quickly took a series of countermeasures, and various forces inside and outside the industry also extended a helping hand to jointly resist this industry crisis.
After the incident, Bybit officials spoke to the community through the X platform in a very short time, started a live broadcast within an hour, communicated with users in real time for two hours, and soon launched a “bounty recovery plan”, stating that contributors who successfully recovered the funds would receive 10% of the stolen funds as a reward.
In addition, many mainstream exchanges including Gate.io also provided relevant assistance in a timely manner. Gate.io stated on its official X platform that it participated in assisting in intercepting and tracking stolen funds to help Bybit recover as soon as possible. These mutual assistance actions within the industry not only provided Bybit with more than $320 million in direct financial support, but also restricted the further circulation of stolen funds by freezing hacker addresses and sharing technical resources, reflecting the industry’s spirit of solidarity in the face of crisis.
Source: @gate_io
Meanwhile, Bybit announced the suspension of the affected ETH cold wallets, while ensuring the safety of other assets and normal withdrawals. Of course, in order to cope with the possible concentrated withdrawal needs of users, Bybit used more than $20 billion in assets under management and bridge loans from partners to guarantee repayment and successfully responded to this challenge.
With the efforts of multiple parties, the North Korean hacker organization Lazarus Group, the mastermind behind the attack, also surfaced.
Source: ARKHAM
According to public information, the organization has been active since 2010 and has stolen over $6 billion worth of crypto assets from multiple platforms including Ronin Network, Atomic Wallet, and Stake.com in recent years. After the attack, most of the assets were transferred and exchanged through the mixer exch and cross-chain bridges, as in its past operations.
Source: exch.cx
As of the date of writing, after efforts from all parties, Bybit Exchange has completely made up for the previous Ethereum reserve gap, and a new Proof of Reserve (POR) audit report will be released soon, which will prove through the Merkle tree that Bybit has restored the full 1:1 reserve of customer assets.
As a result, market sentiment has gradually stabilized, the previous plunge in crypto prices caused by the incident has been alleviated, and investors’ confidence has slowly begun to recover.
This theft highlights the importance of security protection in the crypto industry. Like the earlier collapse of the Mt. Gox exchange and the thefts at WazirX, KuCoin and other exchanges in recent years, it is a reminder that security protection must be comprehensive and multi-layered.
Source: Gnosis
From a technical perspective, Bybit’s traditional hardware wallet + multi-signature model can no longer effectively protect the security of large amounts of assets:
Weak social engineering defense: Hardware wallets cannot stop an APT (Advanced Persistent Threat) actor from maintaining long-term access to the signing devices;
Lack of semantic analysis: The existing solution verifies only the legitimacy of the address, and does not examine what the transaction actually does (such as tampering with the contract logic);
Slow response speed: It took only 2 hours from exploitation of the vulnerability to transfer of the funds, faster than the emergency response threshold of most institutions.
This undoubtedly shows that the industry needs to strengthen its awareness of prevention against social engineering, improve employees’ security awareness training, and conduct security audits and vulnerability inspections of smart contracts to promptly discover and repair potential security risks.
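The "lack of semantic analysis" point above can be made concrete with a pre-signing policy check. The following is an added example, not code from the original article, Bybit or Safe: it reviews a proposed Safe transaction by what it does rather than by its target address alone. The policy rules, function names and sample addresses are assumptions; the `operation` values (0 for call, 1 for delegatecall) and the ERC-20 `transfer` selector are the standard ones.

```python
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1                   # values of the Safe `operation` field
ERC20_TRANSFER = bytes.fromhex("a9059cbb")  # selector of transfer(address,uint256)

@dataclass
class SafeTx:            # the subset of Safe transaction fields this policy inspects
    to: str
    value: int
    data: bytes
    operation: int

def review(tx, safe_addr, approved_recipients, approved_libraries=()):
    """Return policy findings for one proposed transaction; [] means none found."""
    to = tx.to.lower()
    recipients = {a.lower() for a in approved_recipients}
    if tx.operation == DELEGATECALL:
        # The target's code runs against the wallet's own storage, so an
        # approved-looking address and calldata say nothing about the effect.
        libs = {a.lower() for a in approved_libraries}
        return [] if to in libs else ["delegatecall to unapproved contract"]
    if tx.operation != CALL:
        return ["unknown operation value"]
    findings = []
    if to == safe_addr.lower():
        findings.append("self-call: may change owners, threshold or modules")
    if not tx.data:
        if to not in recipients:
            findings.append("ETH transfer to unapproved recipient")
    elif tx.data[:4] == ERC20_TRANSFER and len(tx.data) == 68:
        recipient = "0x" + tx.data[16:36].hex()   # low 20 bytes of the first argument
        if recipient not in recipients:
            findings.append("token transfer to unapproved recipient")
    else:
        findings.append("calldata not understood by policy: manual review")
    return findings

# Constructed sample addresses and calldata (hypothetical, not from the incident).
SAFE, HOT, TOKEN = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20

def transfer_calldata(recipient, amount):
    return ERC20_TRANSFER + bytes(12) + bytes.fromhex(recipient[2:]) + amount.to_bytes(32, "big")

if __name__ == "__main__":
    for op in (CALL, DELEGATECALL):
        tx = SafeTx(TOKEN, 0, transfer_calldata(HOT, 10**18), op)
        print(op, review(tx, SAFE, {HOT}))
```

The two sample transactions have identical target and calldata and differ only in `operation`, which is why a check limited to the address accepts both while this one flags the second.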
In summary, although the theft of $1.4 billion in ETH had some impact on the entire market, the market has gradually stabilized through the active response of all parties. In fact, custody and security solutions as well as corporate governance and transparency have made progress in every crypto crisis. I believe that these will prompt the crypto industry to pay more attention to security protection, strengthen collaboration, and actively cooperate with regulatory forces.