
Bybit Confirms Hack: Over $1.4 Billion in ETH Stolen from Exchange’s Cold Wallet
Bybit, the Singapore-based centralized crypto exchange, has confirmed a security breach affecting its Ethereum cold wallet, according to CEO Ben Zhou. While Bybit assures users that withdrawals remain operational and other wallets are secure, early estimates indicate that over $1 billion worth of ETH and other tokens have been stolen.
How the Hack Happened
In a post on X, Zhou explained that the breach occurred through a manipulated transaction involving Bybit’s ETH multisig cold wallet.
“Bybit ETH multisig cold wallet just made a transfer to our warm wallet about 1 hour ago. It appears that this specific transaction was ‘musked’—all the signers saw a masked UI displaying the correct address, and the URL was from Safe. However, the actual signing message changed the smart contract logic of our ETH cold wallet,” Zhou wrote.
As a result, the hacker gained control of the ETH cold wallet and transferred all its funds to an unknown address. Zhou emphasized that all other Bybit wallets remain unaffected and that withdrawals are proceeding as usual.
Hacker’s Movements and Fund Transfers
Blockchain analysis reveals that the attacker has been moving the stolen funds across multiple wallets. Initially, an address beginning with 0x476 received over 400,000 ETH (~$1.1 billion), along with 90,000 stETH, 15,000 cmETH, and 8,000 cETH. The hacker employed the “sweep ETH function,” a smart contract mechanism that transfers all available tokens from one contract to another, explaining the round-numbered transactions.
Shortly after, the majority of the funds were transferred to a second address, 0xa4b2, which has been swapping assets on decentralized exchanges like Uniswap, Paraswap, and KyberSwap in an attempt to obfuscate the transactions.
Bybit’s Response and User Impact
Despite the massive loss, Bybit insists that user funds remain safe and that the exchange is financially stable.
“Bybit is solvent even if this hack loss is not recovered. All client assets are 1-to-1 backed, and we can cover the loss,” Zhou stated.
However, BitMEX Research estimates that around 75% of Bybit users’ ETH deposits have been drained—a concerning figure that raises questions about the long-term impact of the breach.
Ongoing Investigation
Security researchers and blockchain analysts are closely monitoring the hacker’s activity. Meanwhile, Bybit has scheduled server maintenance, a move that has sparked speculation among security experts as they investigate the suspicious transactions.
The term “musked,” as used by Zhou, is not commonly recognized in cybersecurity but likely refers to a deceptive UI exploit. The hacker appears to have tricked Bybit’s signers into unknowingly approving a transaction that altered the cold wallet’s smart contract logic, allowing the attacker to take control.
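The check below is an added example, not part of the original article and not Bybit's or Safe's code. It shows, for the masked-UI scenario Zhou describes, how a signer-side tool can compare what the interface displayed with the payload actually being signed. The field names follow Safe's transaction struct (`to`, `value`, `data`, `operation`); the function names, the allow-list and all addresses are constructed assumptions.

```python
# Added example: pre-signing check for a multisig wallet transaction.
# Field names follow Safe's transaction struct; operation 0 = CALL, 1 = DELEGATECALL.
# Function names, the allow-list and every address below are constructed.
ERC20_TRANSFER = "a9059cbb"  # selector of transfer(address,uint256)

def _norm(hexstr):
    h = hexstr.lower()
    return h[2:] if h.startswith("0x") else h

def decode_transfer(data_hex):
    """Return (recipient, amount) if calldata is an ERC-20 transfer, else None."""
    d = _norm(data_hex)
    if len(d) != 8 + 128 or not d.startswith(ERC20_TRANSFER):
        return None
    return d[32:72], int(d[72:], 16)  # skip selector + 12 zero bytes of padding

def check_payload(displayed, payload, known_targets):
    """Compare what the signer was shown with the payload that will be signed."""
    findings = []
    if payload["operation"] != 0:
        findings.append("operation is DELEGATECALL: target code runs against the wallet's own storage")
    if _norm(payload["to"]) not in {_norm(a) for a in known_targets}:
        findings.append("target address is not on the allow-list")
    if _norm(payload["data"]) == "":
        actual = (_norm(payload["to"]), payload["value"])  # plain ETH transfer
    else:
        actual = decode_transfer(payload["data"])
        if actual is None:
            findings.append("calldata is not a recognised transfer")
    if actual and actual != (_norm(displayed["recipient"]), displayed["amount"]):
        findings.append("recipient or amount differs from what the UI displayed")
    return findings

# Constructed sample data
WARM, TOKEN, UNKNOWN = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
ALLOWED = [WARM, TOKEN]
DISPLAYED = {"recipient": WARM, "amount": 1000}
CALLDATA = "0x" + ERC20_TRANSFER + "00" * 12 + "11" * 20 + format(1000, "064x")
EXPECTED = {"to": TOKEN, "value": 0, "data": CALLDATA, "operation": 0}
# Same calldata, so a UI that renders only recipient and amount looks identical:
MASKED = {"to": UNKNOWN, "value": 0, "data": CALLDATA, "operation": 1}

if __name__ == "__main__":
    for name, tx in (("expected", EXPECTED), ("masked", MASKED)):
        print(name, check_payload(DISPLAYED, tx, ALLOWED) or "ok")
```

The check is only useful when it runs on a device and code path independent of the web interface that rendered the transaction.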
This is a developing story, and further updates will be provided as more details emerge.