Bybit has faced one of the biggest crypto exchange hacks in history, losing $1.4 billion in a sophisticated attack on February 21, 2025. Despite the staggering loss, the exchange has bounced back at an unprecedented pace, securing funds to cover user assets and regaining liquidity faster than expected.
However, the incident has sparked controversy and industry-wide discussions—including debates over a potential Ethereum rollback, concerns raised by Binance’s former CEO Changpeng Zhao (CZ), and the unexpected liquidity crisis that followed.
Bybit’s Rapid Recovery After the Hack
Unlike most exchange breaches, where hot wallets are typically the target, Bybit’s attackers exploited vulnerabilities in the exchange’s cold storage multisig wallet, rerouting Ethereum (ETH) and other digital assets to unknown addresses.
Despite the attack, Bybit has nearly restored its 1:1 asset backing. On-chain data shows that over 446,870 ETH ($1.23 billion) has been recovered through:
- $400 million in OTC trades
- $300 million from exchanges
- $285 million in loans
- The remaining balance sourced from crypto funds
CEO Ben Zhou confirmed that the ETH gap had been fully closed, with an audited Proof of Reserves (PoR) report set to be published soon.
“Bybit is again 100% 1:1 on client assets through Merkle tree verification. Stay tuned.” — Ben Zhou
Blockchain investigators later linked the hack to North Korea’s Lazarus Group, the notorious collective responsible for some of crypto’s largest hacks, including the $600 million Ronin Network breach (2022) and the $234 million WazirX hack (2024).
A Hack That Led to a Liquidity Crisis
Beyond the direct theft, Bybit faced a massive liquidity shock. Following the breach, the exchange saw $6.1 billion in withdrawals, reducing its total tracked assets from $17 billion to $10.8 billion in just three days.
At the height of the crisis:
- 350,000 withdrawal requests flooded Bybit’s system.
- 70% of its ETH reserves were wiped out, but users were withdrawing stablecoins like Tether (USDT) more than ETH.
- $3 billion in Bybit’s stablecoin reserves was temporarily frozen by Safe, a decentralized custody provider, to prevent further exploits.
To navigate the stablecoin freeze, Bybit’s developers manually adapted transaction verification tools to continue processing USDT withdrawals. Bybit also worked with Tether, THORChain, ChangeNOW, and others to freeze $42.89 million in stolen assets.
The Ethereum Rollback Debate
As Bybit stabilized its liquidity, an even bigger question emerged: Should Ethereum roll back its blockchain to recover the stolen funds?
BitMEX co-founder Arthur Hayes was among those advocating for a rollback, referencing Ethereum’s 2016 DAO hack, where the network reversed transactions to restore stolen assets.
“If the community wanted to do it again, I would support it because we already voted no on immutability in 2016. Why not do it again?” — Arthur Hayes
Bybit CEO Ben Zhou revealed that conversations with Ethereum co-founder Vitalik Buterin and the Ethereum Foundation had taken place. However, he acknowledged the complexity of such a move, stating:
“It’s not a one-man decision. It should be a community-driven process.”
Despite the discussion, most industry experts argue that a rollback today would be far more disruptive than in 2016. Given Ethereum’s deep integration into DeFi, NFTs, and staking, such a move could cause liquidations, smart contract failures, and even a hard fork—making it an unlikely solution.
How the Attack Was Executed
Unlike most crypto exchange hacks, which target hot wallets, this attack exploited Bybit’s cold wallet multisig system—a security breach few saw coming.
The four-stage attack involved:
- Deploying malicious smart contracts—Hackers created a trojan contract disguised as a normal transaction and a backdoor contract to override wallet security.
- Tricking Bybit’s security signers—The attack spoofed transaction requests, appearing as legitimate ERC-20 token transfers, leading Bybit’s signers to approve them unknowingly.
- Hijacking Bybit’s wallet controls—The master copy of Bybit’s multisig wallet was replaced, silently handing over control to hackers.
- Draining assets—The hackers executed sweepETH and sweepERC20 commands, withdrawing assets before Bybit could react.
This sophisticated multisig attack has led to industry-wide concerns about the security of cold wallets, which were previously considered the safest way to store funds.
CZ’s Warning on Cold Wallet Vulnerabilities
Binance’s former CEO Changpeng Zhao (CZ) weighed in on the attack, noting that recent exchange hacks—including Bybit, Phemex, and WazirX—have all targeted multi-signature cold storage solutions.
“Hackers were able to steal large amounts of crypto from multi-sig ‘cold storage’ solutions… This was front-end manipulation at its finest.” — CZ
The Bybit case raises troubling questions:
- Are cold wallets truly safe if attackers can manipulate signers into approving fake transactions?
- Should centralized exchanges rethink their asset security models?
Despite his criticisms, CZ praised Zhou for handling the crisis transparently, contrasting it with FTX’s collapse, where the leadership failed to disclose critical information, leading to total loss of user trust.
What’s Next for Bybit and the Industry?
Bybit has managed a remarkable recovery in the face of one of the largest hacks in crypto history. However, the incident has reshaped industry conversations on security, blockchain immutability, and crisis management.
Key takeaways from the Bybit hack:
- A rollback of Ethereum remains highly unlikely, as it could cause widespread market disruption.
- The industry must reassess cold wallet security, as multi-signature storage is no longer invulnerable.
- Bybit’s rapid response has helped maintain user confidence, setting a new standard for crisis management.
While the exchange has recovered its 1:1 reserves, the broader implications of this attack will continue to shape the future of crypto security. Exchanges and wallet providers must now rethink their defense strategies to prevent similar breaches in the future.
