$1.4 Billion in ETH Stolen: Understanding the Impact of the Incident
[TL; DR]:
Recently, the well-known exchange Bybit was hacked, and about 490,000 Ethereum (ETH) worth up to $1.46 billion were stolen, followed by a short-term sharp drop in MNT, SAFE, USDE, etc.
The hacker tampered with the logic of the multisig wallet through a malicious smart contract and emptied the exchange's ETH cold wallet, setting a new record for the highest amount of money stolen in a single transaction in cryptocurrency history.
After the incident, Bybit quickly took countermeasures, including launching the "Bounty Retrieval Program," and receiving assistance from many mainstream exchanges including Gate.io.
Introduction
Last Friday night, Bybit, a well-known trading platform, was targeted by hackers, and 490,000 ETH worth a whopping $1.46 billion were stolen. This not only set a new record for the highest amount of money stolen in a single transaction in the history of cryptocurrency, but also triggered a sharp market shock and a high level of attention inside and outside the industry. This article will provide a comprehensive analysis of this incident, from the background to the crisis response, to the market lessons and experiences, and delve into its far-reaching impact on the crypto ecosystem.
Large ETH theft: The largest hack in crypto history
On the evening of February 21 last week, the cryptocurrency industry suffered one of the largest hacker thefts in history. At 11:20 p.m. Beijing time, on-chain detective ZachXBT was the first to detect an abnormal fund flow on the Bybit exchange, involving more than $1.46 billion in mETH and stETH assets being exchanged for ETH through a decentralized exchange (DEX).
Bybit founder Ben Zhou quickly confirmed the news on the X platform and started a live broadcast to disclose the details to the community: the hacker maliciously manipulated the multi-signature wallet logic through smart contracts and emptied the exchange's ETH cold wallet.
Figure 1 Source: @benbybit
According to preliminary statistics, the hackers stole about 490,000 ETH from Bybit's Ethereum cold wallet. This figure not only raises doubts about Bybit's SAFE multisig scheme, but also means the attackers hold more ETH than Fidelity and Ethereum founder Vitalik Buterin, making them the 14th largest ETH holder in the world.
As of the date of writing, the incident can be identified as the largest security incident in Web3 history to date, far exceeding the amount of the 2016 DAO attack (about $150 million, about 1/10 of the amount stolen from Bybit).
As news of the incident spread, the market quickly fell into turmoil. The ETH price bore the brunt, falling nearly 8% within eight hours of the news and erasing all of last week's gains.
At the same time, the Bybit-backed L2 public chain Mantle (MNT) was not spared, falling as much as 15% on the day, the largest one-day drop since 2024. Gnosis (SAFE), which provides a multi-signature solution, was also sold off by the market, falling by 10% on the day.
Figure 2 Source: Gate.io
In addition, USDe, a stablecoin protocol partnered with Bybit, was also affected: its price briefly depegged, falling from $1 to a minimum of $0.965. Issuer Ethena Labs quickly clarified that its assets were held over-the-counter and not on exchanges, and market sentiment calmed down.
Figure 3 Source: Gate.io
Of course, investors' trust in Bybit has been severely tested, with a large number of users initiating withdrawal requests. Within just 24 hours, Bybit faced a withdrawal peak of 23.99 billion US dollars. Fortunately, Bybit has already retrieved 447,000 ETH through various channels, filling the gap caused by the hacking incident, and has announced that new audit proofs will be released soon.
Support from all sides, crisis reversal
In the face of this unprecedented crisis, Bybit quickly took a series of countermeasures, and all parties inside and outside the industry also reached out to help fight against this industry crisis.
After the incident, Bybit officials quickly made a statement to the community through the X platform and started a live broadcast within an hour, conducting real-time communication with users for up to two hours. They soon launched the "Bounty Recovery Plan," indicating that contributors who successfully recover the funds will receive 10% of the stolen funds as a reward.
In addition, a number of major exchanges, including Gate.io, have also provided timely assistance. Gate.io said on the official X platform that it was involved in assisting in the interception and tracking of stolen funds to help Bybit recover as soon as possible. These efforts not only provided Bybit with more than $320 million in direct funding, but also restricted the further flow of stolen funds by freezing hackers' addresses and sharing technical resources, demonstrating the industry's solidarity in the face of the crisis.
Figure 4 Source: @Gate.io
At the same time, Bybit announced the suspension of the affected ETH cold wallets, while ensuring the security of other assets and normal withdrawals. To cope with the potential demand for concentrated withdrawals, Bybit used over $20 billion in assets under management and partner bridge loans to secure payments, and has successfully met this challenge.
With the efforts of many parties, the North Korean hacking group behind the attack has also surfaced.
Figure 5 Source: Arkham
According to public information, the group has been active since 2010 and has stolen more than $6 billion in crypto assets from Ronin Network, Atomic Wallet, Stake.com and other platforms in recent years. After the end of the attack, as usual, most of the assets were transferred and exchanged through the coin mixer EXCH and the cross-chain bridge.
Figure 6 Source: exch.cx
Sentiment repair and market reflection are underway
As of the date of writing, the Bybit exchange has fully filled the previous Ethereum reserve gap after a number of efforts, and a new Proof of Reserve (POR) audit report will be released soon, which will prove that Bybit has restored the full 1:1 reserve of customer assets through the Merkle tree.
As a result, market sentiment has gradually stabilized, and the previous collapse in cryptocurrency prices caused by the event has eased, and investor confidence has slowly begun to recover.
To be precise, this hack has once again highlighted the importance of security in the cryptocurrency industry. Just like the earlier collapse of the Mt. Gox exchange, as well as the thefts from WazirX, KuCoin and other exchanges in recent years, it reminds us that security protection must be all-round and multi-layered.
Figure 7 Source: Gnosis
From a technical perspective, the traditional hardware wallet + multi-signature model used by Bybit can no longer effectively ensure the security of large assets:
Weak defense against social engineering: Hardware wallets cannot prevent the long-term penetration of signing devices by APT (Advanced Persistent Threat) attacks;
Lack of semantic parsing: The existing scheme only verifies the legitimacy of the address, but does not detect the actual transaction behavior (such as tampering with the contract logic);
Slow response time: 2 hours from exploit to transfer of funds, well above most institutions' emergency response thresholds.
This undoubtedly indicates that the industry needs to strengthen awareness of social engineering prevention, enhance employees' security awareness training, and timely discover and repair potential security risks through security audits and vulnerability scanning of smart contracts.
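The "lack of semantic parsing" gap listed above, as an added example (not code from Bybit, Safe or the author of this article): a pre-signing check that decodes a Safe-style execTransaction request and applies policy to the operation type instead of to the address alone. The allowlists, the sample address and the encode_sample helper are constructed for illustration.

```python
# Added example (not Bybit's or Safe's code): decode what a Safe-style
# execTransaction call would actually do before anyone signs it.
EXEC_TX_SELECTOR = bytes.fromhex("6a761202")  # Safe execTransaction(...)
CALL, DELEGATECALL = 0, 1                     # Safe Enum.Operation values

def word(buf: bytes, i: int) -> int:
    """Return the i-th 32-byte ABI word of buf as an integer."""
    return int.from_bytes(buf[32 * i:32 * i + 32], "big")

def decode_exec_transaction(calldata: bytes) -> dict:
    """Extract target, value, operation and inner calldata."""
    if calldata[:4] != EXEC_TX_SELECTOR:
        raise ValueError("not an execTransaction call")
    args = calldata[4:]
    if len(args) < 32 * 10:
        raise ValueError("truncated argument head")
    off = word(args, 2)                       # offset of the dynamic `data` field
    if off + 32 > len(args):
        raise ValueError("data offset out of range")
    size = word(args[off:], 0)
    inner = args[off + 32:off + 32 + size]
    if len(inner) != size:
        raise ValueError("inner data shorter than declared")
    return {"to": "0x" + args[12:32].hex(), "value": word(args, 1),
            "operation": word(args, 3), "data": inner}

def review(calldata: bytes, call_allowlist: set, delegate_allowlist: set) -> list:
    """Return policy findings; an empty list means the request may be signed."""
    tx = decode_exec_transaction(calldata)
    findings = []
    if tx["operation"] == DELEGATECALL:
        # Target code runs against the wallet's own storage, so it can
        # rewrite the wallet's logic; only pre-approved libraries pass.
        if tx["to"] not in delegate_allowlist:
            findings.append("delegatecall to unapproved contract " + tx["to"])
    elif tx["operation"] != CALL:
        findings.append("unknown operation %d" % tx["operation"])
    elif tx["to"] not in call_allowlist:
        findings.append("call to address outside allowlist " + tx["to"])
    return findings

def encode_sample(to: str, operation: int, inner: bytes) -> bytes:
    """Constructed input: ABI-encode execTransaction with empty signatures."""
    u = lambda n: n.to_bytes(32, "big")
    tail = u(len(inner)) + inner + b"\x00" * (-len(inner) % 32)
    head = [u(int(to, 16)), u(0), u(320), u(operation)] + [u(0)] * 5 + [u(320 + len(tail))]
    return EXEC_TX_SELECTOR + b"".join(head) + tail + u(0)
```

An address-only check treats the same approved target identically in both modes; here the request is rejected as soon as the operation is a delegatecall to a contract that was never approved to run inside the wallet.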
All in all, although the $1.4 billion ETH theft incident has had a certain impact on the entire market, the market has gradually stabilized through the active response of all parties. In fact, progress has been made in every crypto crisis, from custody and security solutions to corporate governance and transparency, which we believe will drive the crypto industry to pay more attention to security, collaboration, and cooperation with regulatory forces.
Author: Charle Y., Gate.io Researcher
*This article represents the views of the author only and does not constitute any trading advice. Investment is risky, and decisions need to be made carefully.
*The content of this article is original, the copyright is owned by Gate.io, if you need to reprint, please indicate the author and source, otherwise you will be held legally responsible.