Crypto exchange Bybit confirms hack as over $1.4 billion worth of ETH leaves wallets

In one of the largest crypto heists ever, hackers have reportedly made off with more than $1.4 billion in ETH from Bybit’s cold wallet. Early estimates suggest the exchange has lost over $1 billion worth of ETH and significant quantities of other tokens, though the investigation is ongoing.  

"Bybit ETH multisig cold wallet just made a transfer to our warm wallet about 1 hr ago. It appears that this specific transaction was musked, all the signers saw the musked UI which showed the correct address and the URL was from Safe. However the signing message was to change the smart contract logic of our ETH cold wallet," Bybit co-founder and CEO Ben Zhou posted to X, likely referring to a "masked" URL used to alter code while appearing legitimate. "This resulted Hacker took control of the specific ETH cold wallet we signed and transferred all ETH in the cold wallet to this unidentified address. Please rest assured that all other cold wallets are secure. All withdraws are NORMAL."

In other words, the hacker appears to have tricked Bybit’s ETH cold wallet signers into approving a malicious transaction to surreptitiously gain control of the wallet. 

The ByBit hack is one of the largest — if not the largest — hack of a centralized exchange. The three previous largest hacks on record include Coincheck's 2018 hack where $534 million was lost, Mt. Gox's 2014 hack with $470 million stolen and FTX's 2022 hack that saw $415 million drained while the exchange was entering bankruptcy proceedings. For context, Chainalysis reported that $3.7 billion was stolen across all crypto protocol and exchange attacks in 2022, the largest year for crypto theft ever. This dropped to $1.7 billion in 2023 and $2.2 billion in 2024.

On Tuesday, the exchange announced it would be performing scheduled maintenance on its live server today stretching into tomorrow, which caused controversy as security researchers looked into the suspicious transactions.

Over the past hour, the hacker has split the stolen funds — including several liquid staking derivatives of ETH — into dozens of additional wallets. The funds were initially sent to an address beginning 0x476, which received over 400,000 worth of ETH (~$1.1 billion), 90,000 worth of stETH, 15,000 cmETH and 8,000 cETH. The attacker used the "sweep ETH function," a smart contract mechanism designed to transfer all available tokens from one contract to another, which likely explains why the transferred amounts are round numbers. 

The attacker then moved the majority of the funds into three separate "distribution" addresses — 0xB4a, 0x23Ob, and 0x83Ef5 — which then broke down the funds further into dozens of newly created addresses that began swapping funds using decentralized exchanges including Uniswap, Paraswap and KyberSwap. He also swapped the liquid staking tokens, like stETH, into ETH — a move that some security researchers say could avoid his accounts being frozen.

Data on Arkham Research shows that initial 0x476 "ByBit Hack" only holds about $3.7 million worth of crypto, as of 11:30 a.m. on Friday. 

ByBit says its other hot and cold wallets are unaffected, and only their ETH wallets were impacted. "Bybit is Solvent even if this hack loss is not recovered, all of clients assets are 1 to 1 backed, we can cover the loss," Zhou also posted. 

BitMEX Research estimates that around 75% of Bybit users' ETH deposits were drained. The exchange still holds over $20 billion worth of other crypto tokens, including nearly $6.9 billion in bitcoin, $4.1 billion USDT and $1.2 billion ETH. Arkham shows that the exchange has moved $560 million worth of USDT on Tron from what appears to be a treasury wallet to a hot wallet.

This story is breaking and will be updated as The Block learns more.