The Largest Crypto Heist of All Time

At 2:16 PM UTC on February 21st 2025, a routine transfer of 30,000 ETH was made from the ByBit Ethereum cold wallet to the ByBit Ethereum warm wallet. ByBit typically makes this transfer every 2-3 weeks, depending on the current balance of the ETH hot wallet. The warm wallet's balance had reached the threshold that triggers a top-up from the cold-wallet ETH reserve.

ByBit uses a multi-signature wallet, meaning multiple confirmation signatures must be given before a transaction can be sent. This is a common security measure for cold wallets, or really any high-value wallet. ByBit staff received the transaction to top up the ETH hot wallet through the Safe smart contract. Ben Zhou, CEO of Bybit, stated on a livestream: "When we saw the transaction it was business as usual". Ben used his Ledger cold wallet as the last signer for the transaction, after double-checking that the destination address was correct in the Safe UI and that the URL was the official 'Safe.global' site.

Sometime around 2:45 PM UTC, Ben Zhou received a phone call notifying him that the ByBit cold wallet had been drained.

In a tweet, Ben Zhou states: "Bybit ETH multisig cold wallet just made a transfer to our warm wallet about 1 hr ago. It appears that this specific transaction was masked, all the signers saw the masked UI which showed the correct address and the URL was from Safe (their cold wallet provider). However the signing message was to change the smart contract logic of our ETH cold wallet. This resulted in the hacker taking control of the specific ETH cold wallet we signed and transferring all ETH in the cold wallet to this unidentified address."

A smart contract is a self-executing program on the blockchain that automatically enforces the set terms of an agreement without needing a middleman. Safe offers a multi-signature smart contract wallet on Ethereum. ByBit uses cold storage for its Ethereum reserves, which keeps the signing keys offline on a hardware device such as a Ledger or Trezor, while the assets themselves are managed through the Safe smart-contract wallet.

The signing message was able to change the logic, i.e. the set terms, of the smart contract behind ByBit's cold storage. The hacker took control of the ETH cold wallet and transferred all 400k ETH in it to their own address.
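Ben Zhou's tweet above says the signing message changed the wallet's contract logic instead of moving 30,000 ETH. A Safe transaction carries an `operation` field (0 = call, 1 = delegatecall, which runs another contract's code against the wallet's own storage), so a signer who decodes the raw calldata rather than trusting the UI can catch a logic change before signing. The Python below is an added example, not ByBit's or Safe's code; it assumes the public `execTransaction` ABI, and the addresses and calldata are constructed placeholders.

```python
# Added example, not ByBit's or Safe's own code. Assumes the public Safe
# execTransaction ABI (selector 0x6a761202; fields to, value, data, operation, ...).
# Addresses and amounts below are constructed placeholders.
SELECTOR = bytes.fromhex("6a761202")
CALL, DELEGATECALL = 0, 1          # Safe 'operation' values
HEAD_SLOTS = 10                    # static head: 10 x 32-byte words

def _word(n: int) -> bytes:
    return n.to_bytes(32, "big")

def encode_exec_transaction(to: str, value: int, data: bytes, operation: int) -> bytes:
    """Minimal ABI encoder for the fields a signer must review; gas/refund args are zero."""
    padded = data + b"\x00" * (-len(data) % 32)
    head = [_word(int(to, 16)), _word(value), _word(HEAD_SLOTS * 32), _word(operation)]
    head += [_word(0)] * 5                                  # safeTxGas..refundReceiver
    head.append(_word(HEAD_SLOTS * 32 + 32 + len(padded)))  # offset of 'signatures'
    tail = _word(len(data)) + padded + _word(0)             # data, then empty signatures
    return SELECTOR + b"".join(head) + tail

def decode_exec_transaction(calldata: bytes) -> dict:
    """Recover to/value/data/operation from raw calldata, independent of any UI."""
    if calldata[:4] != SELECTOR:
        raise ValueError("not a Safe execTransaction call")
    body = calldata[4:]
    slot = lambda i: int.from_bytes(body[32 * i:32 * i + 32], "big")
    off = slot(2)
    length = int.from_bytes(body[off:off + 32], "big")
    return {"to": "0x" + body[12:32].hex(), "value": slot(1),
            "operation": slot(3), "data": body[off + 32:off + 32 + length]}

def review_transfer(calldata: bytes, expected_to: str, expected_value: int) -> list:
    """Findings that should block signing; an empty list means a plain, expected ETH transfer."""
    tx = decode_exec_transaction(calldata)
    findings = []
    if tx["operation"] == DELEGATECALL:
        findings.append("operation=1 (delegatecall) can rewrite the wallet's own storage/logic")
    if tx["to"].lower() != expected_to.lower():
        findings.append(f"destination {tx['to']} is not the expected {expected_to}")
    if tx["value"] != expected_value:
        findings.append(f"value {tx['value']} wei differs from expected {expected_value}")
    if tx["data"]:
        findings.append("non-empty calldata on what should be a plain ETH transfer")
    return findings

WARM_WALLET = "0x" + "11" * 20                 # constructed placeholder
UNKNOWN_CONTRACT = "0x" + "22" * 20            # constructed placeholder
THIRTY_K_ETH = 30_000 * 10**18
# What the signers believed they were approving: a plain 30,000 ETH transfer.
GOOD_TX = encode_exec_transaction(WARM_WALLET, THIRTY_K_ETH, b"", CALL)
# What a masked UI could hide: a zero-value delegatecall into foreign code.
BAD_TX = encode_exec_transaction(UNKNOWN_CONTRACT, 0, bytes.fromhex("deadbeef"), DELEGATECALL)
```

Running `review_transfer(GOOD_TX, WARM_WALLET, THIRTY_K_ETH)` returns no findings, while the same call on `BAD_TX` flags the delegatecall, the wrong destination, the zero value and the extra calldata.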

https://x.com/arkham/status/1892961406841983221

At 3:35 PM UTC, Arkham Intel noticed significant outflows of ETH from ByBit. The wallet address in question was 0x47666Fa...F09486E2. Arkham began monitoring all transactions and addresses this new wallet was interacting with.

The hacker quickly started interacting with DEXs (decentralized exchanges). Some of the DEXs used were ParaSwap, Uniswap, and DODO, a popular Chinese DEX. This was an attempt to swap all of the stETH and other ETH derivatives for plain ETH.

https://x.com/arkham/status/1892966990072951235

At 3:56 PM UTC, the original wallet 0x47666Fa...F09486E2 started to spread its funds across multiple new addresses, sending around 10k ETH ($27M) to each one.

Arkham created a bounty for anyone who could identify the person or organization behind the hack. Three hours later, blockchain analysis legend ZachXBT submitted his findings to Arkham: Lazarus was behind the ByBit hack. His submission included a detailed analysis of test transactions and connected wallets used ahead of the exploit, as well as multiple forensics graphs and timing analyses. He mentioned that he was able to connect the ByBit hack to the Phemex hack, which is known to have been conducted by North Korea (Lazarus).

He has yet to publicize his findings.

According to CEO Ben Zhou, ByBit's total reserves are around $20B. He mentioned multiple times during the livestream that all user funds are backed 1 to 1, which means they are a solvent exchange. They have since set up a proof-of-reserves engagement with the Hackenclub team, which will take place every two weeks.