North Korea’s “Now You See Me” team pulls off the biggest theft in history: How did Bybit’s “Speed Race” play out?

  • Historic $1.46B Theft: North Korea's Lazarus Group drained Bybit's Ethereum cold wallet by tricking the wallet's signers into approving a malicious contract upgrade, making it the largest single theft in crypto history.
  • Cold Wallet Breach: The hackers did not break the hardware wallets or the 3/3 multi-signature scheme itself; they compromised the signers' computers so that the routine transaction the signers believed they were approving was replaced with a call into a backdoored contract.
  • Ethereum Rollback Debate: Calls to revert Ethereum's blockchain pre-theft were dismissed as impractical due to the irreversible ripple effects on DeFi, cross-chain transactions, and off-chain settlements.
  • Industry Response:
    • Binance's CZ suggested suspending withdrawals, sparking debate over user trust vs. security.
    • Competitors like Binance, Bitget, and MEXC injected over $4B in funds to stabilize Bybit.
    • Exchanges like HashKey and BitMart pledged support, while eXch refused to freeze stolen ETH, citing past conflicts.
  • Recovery & Bounty: Bybit fully restored services, launched a bounty of 10% of any recovered funds (up to about $140M if everything is recovered) to track the Lazarus Group's laundering, and is working with Interpol and regulators.
  • Market Impact: Despite Bybit's recovery, the stolen ETH's potential sell-off risks further depressing the already bearish crypto market.

Key Takeaway: The attack underscores vulnerabilities in human-dependent security, prompting industry-wide reflection on decentralized safeguards and crisis response protocols.

Summary

A single weak point cost approximately $1.46 billion, and that weak point was a person.

This is the catastrophic incident that the trading platform Bybit ran into. The funds in Bybit's Ethereum cold wallet were stolen by the North Korean hacker group Lazarus Group through a malicious contract upgrade. The theft exceeds the $611 million taken from Poly Network in 2021 and the roughly $1 billion taken from the Central Bank of Iraq by Saddam Hussein in 2003, making it the largest single theft on record.

The theft set off a wave of panic and soul-searching across the industry. MetaEra walks through the events one by one to reconstruct the race against time that Bybit had to run.

Defying conventional wisdom: when a cold wallet is attacked, how do hackers get through this iron wall?

Anyone familiar with hot and cold wallets knows that the keys controlling a cold wallet are kept off the Internet, and that moving funds out of one requires strict multi-party verification and approval. Bybit used a Safe multi-signature wallet combined with hardware cold-wallet devices. The Safe was configured with a 3/3 signature threshold, meaning all three private-key holders must authorize any asset transfer before it can execute.

The Lazarus Group did not take the funds by breaking into the cold wallet directly. Instead, it found a way into the computer systems the three signers used. Three days in advance, the attackers deployed a malicious contract with a backdoor. Then, while the signers were carrying out a routine operation, the attackers quietly substituted a call into that pre-deployed contract for the normal transaction the signers thought they were approving. A hardware wallet only protects the private key; it does not verify that the transaction shown on the signer's computer screen is the one actually being signed, so unless the signer independently decodes the payload, a substituted transaction goes through with three perfectly valid signatures.

In short, the root cause was a successful phishing attack: the attackers tricked the wallet signers into signing malicious transaction data, which resulted in a malicious upgrade of the wallet contract. The upgrade gave the attackers control of the cold wallet and let them transfer out all of its funds. Even the coldest storage is only as strong as the people operating it. Once humans are in the loop, a "decentralized" 3/3 scheme collapses to the security of whatever those three people see on their screens, and that is one of the most common ways in for an attacker.
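As an added example (not code from the article, from Bybit or from Safe), the following script shows the check that would have caught a substituted transaction: decode the raw Safe execTransaction() payload independently of the web interface and compare it against a signing policy before a key ever touches it. The ABI encoding is hand-rolled so the script runs offline; every address, amount and payload in it is constructed for illustration, and the policy (only plain ETH sends or ERC-20 transfers to allow-listed recipients, never a DELEGATECALL) is this example's own, not Bybit's. The DELEGATECALL rule is the important one: Safe's operation field accepts 0 (CALL) or 1 (DELEGATECALL), and a delegatecall runs the target contract's code with the Safe's own storage, which is exactly what a "contract upgrade" of a Safe amounts to.

```python
"""Decode a Safe execTransaction() payload and check it against a signing policy.

Added example for this article; it is not code from Bybit, Safe or the article.
The ABI encoding is hand-rolled so the script runs offline, and every address,
amount and payload below is constructed for illustration.
"""
from typing import NamedTuple

# Function selectors are the first 4 bytes of keccak256(signature); both values
# are the well-known Safe and ERC-20 selectors.
EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")   # execTransaction(...)
ERC20_TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")     # transfer(address,uint256)
CALL, DELEGATECALL = 0, 1                                # Safe 'operation' values
ZERO_ADDRESS = "0x" + "00" * 20


class SafeTx(NamedTuple):
    to: str
    value: int
    data: bytes
    operation: int


def _word(n: int) -> bytes:
    return n.to_bytes(32, "big")


def _addr(a: str) -> bytes:
    return bytes.fromhex(a[2:]).rjust(32, b"\0")


def _padded(b: bytes) -> bytes:
    return b.ljust(-(-len(b) // 32) * 32, b"\0")


def encode_exec_transaction(to: str, value: int, data: bytes, operation: int,
                            signatures: bytes = b"") -> bytes:
    """ABI-encode execTransaction(to,value,data,operation,safeTxGas,baseGas,
    gasPrice,gasToken,refundReceiver,signatures). Used here only to build inputs."""
    head_size = 10 * 32                      # ten head slots, two of them offsets
    data_off = head_size
    tail = _word(len(data)) + _padded(data)
    sig_off = head_size + len(tail)
    tail += _word(len(signatures)) + _padded(signatures)
    head = (_addr(to) + _word(value) + _word(data_off) + _word(operation)
            + _word(0) + _word(0) + _word(0)             # safeTxGas, baseGas, gasPrice
            + _addr(ZERO_ADDRESS) + _addr(ZERO_ADDRESS)  # gasToken, refundReceiver
            + _word(sig_off))
    return EXEC_TRANSACTION_SELECTOR + head + tail


def decode_exec_transaction(calldata: bytes) -> SafeTx:
    """Pull to/value/data/operation out of the raw calldata, ignoring any UI."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction() call")
    body = calldata[4:]
    word = lambda i: int.from_bytes(body[32 * i:32 * i + 32], "big")
    data_off = word(2)
    data_len = int.from_bytes(body[data_off:data_off + 32], "big")
    return SafeTx(to="0x" + body[12:32].hex(), value=word(1),
                  data=body[data_off + 32:data_off + 32 + data_len],
                  operation=word(3))


def check_before_signing(calldata: bytes, token_allowlist: set[str],
                         recipient_allowlist: set[str]) -> list[str]:
    """Return policy violations; an empty list means the payload is a routine
    cold-wallet withdrawal (plain ETH send or ERC-20 transfer) and may be signed."""
    tx = decode_exec_transaction(calldata)
    tokens = {a.lower() for a in token_allowlist}
    recipients = {a.lower() for a in recipient_allowlist}
    problems = []
    if tx.operation != CALL:
        problems.append(f"operation={tx.operation}: DELEGATECALL lets {tx.to} "
                        "rewrite this Safe's own storage (owners, threshold, implementation)")
    if tx.data == b"":                                   # native ETH transfer
        if tx.to.lower() not in recipients:
            problems.append(f"ETH recipient {tx.to} not on allowlist")
    elif tx.data[:4] == ERC20_TRANSFER_SELECTOR and len(tx.data) == 68:
        if tx.to.lower() not in tokens:
            problems.append(f"target {tx.to} is not an allow-listed token contract")
        if tx.value != 0:
            problems.append("ETH value attached to an ERC-20 transfer")
        recipient = "0x" + tx.data[16:36].hex()          # 4-byte selector + 12 pad bytes
        if recipient not in recipients:
            problems.append(f"token recipient {recipient} not on allowlist")
    else:
        problems.append(f"unexpected calldata selector 0x{tx.data[:4].hex()} to {tx.to}")
    return problems


# Constructed addresses: a token contract, the exchange's hot wallet, and an
# attacker-controlled contract. None of them is a real Bybit or Lazarus address.
TOKEN = "0x" + "aa" * 20
HOT_WALLET = "0x" + "bb" * 20
ATTACKER = "0x" + "cc" * 20
POLICY = dict(token_allowlist={TOKEN}, recipient_allowlist={HOT_WALLET})


def routine_transfer() -> bytes:
    """What the signers believed they were approving: move tokens to the hot wallet."""
    data = ERC20_TRANSFER_SELECTOR + _addr(HOT_WALLET) + _word(10**18)
    return encode_exec_transaction(TOKEN, 0, data, CALL)


def swapped_in_upgrade() -> bytes:
    """What a substituted 'contract upgrade' looks like on the wire: a delegatecall
    into an unknown contract, which runs that contract's code in the Safe's context."""
    return encode_exec_transaction(ATTACKER, 0, bytes.fromhex("deadbeef"), DELEGATECALL)


if __name__ == "__main__":
    for name, payload in (("routine", routine_transfer()), ("swapped-in", swapped_in_upgrade())):
        verdict = check_before_signing(payload, **POLICY)
        print(name, "OK to sign" if not verdict else "REJECT: " + "; ".join(verdict))
```

The check has to run on a machine the signer trusts, from the raw bytes the hardware device is about to sign, rather than from the transaction preview in a browser; if it is fed by the same interface an attacker controls, it verifies nothing.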

Community vote: How feasible is it to roll back Ethereum to the time before the theft?

Because the sums involved are astronomical, calls for a "rollback" of the blockchain grew louder. In an X Spaces session on February 22, Bybit CEO Ben Zhou was asked whether he supported rolling Ethereum back to its state before the Lazarus Group attack of February 21. He responded: "I'm not sure if this is a decision made by one person. Based on the spirit of blockchain, maybe this should be a voting process to see what the community wants, but I'm not sure."

Ethereum core developer Tim Beiko wrote a post explaining why an Ethereum rollback is impossible today. In the Ethereum ecosystem of 2025, DeFi and bridges to other chains mean stolen funds can be mixed into the application layer almost immediately. For example, the stolen funds can be swapped on a decentralized exchange, the resulting tokens posted as collateral in a lending protocol, and the borrowed assets bridged to an entirely different chain. A full "rollback" would invalidate all recent on-chain activity and only make things worse: settled transactions, many of which have effects outside Ethereum (exchange sales, RWA redemptions and so on), would be undone on-chain while their off-chain side cannot be. One move would shake the whole system, making the fallout of a rollback larger than the theft itself. It is not a sensible option.

CZ's suggestion: Suspending withdrawals after an incident sparks a highly divisive debate

After the Bybit theft, Binance co-founder CZ responded to Bybit CEO Ben Zhou on the X platform, saying: "This is not an easy situation to handle. The possible suggestion is to temporarily stop all withdrawals as a standard security precaution. Any help will be provided if needed."

Nansen CEO Alex Svanevik responded on X to CZ's suggestion that Bybit suspend withdrawals during the incident: "As a user, the problem with stopping withdrawals is the extreme frustration caused by the exchange showing that they are powerless to do anything about their funds. Even if there is no hacker attack, withdrawals being blocked or delayed can be very frustrating. This is why many people give up on Coinbase: they delay users' withdrawals too frequently."

Bybit CEO Ben Zhou replied on X to those questioning CZ: "I do agree with CZ's point of view. If the hacker attack was through infiltrating our internal system (such as a part of the withdrawal system) or the hot wallet was breached, all withdrawals would be suspended immediately until the root cause of the problem is found. But in yesterday's incident, it was the ETH cold wallet that was breached, which has nothing to do with any of our internal systems."

As for user withdrawals, Bybit processed all pending withdrawals within 12 hours of the attack, and the withdrawal system returned to normal speed. Users can withdraw any amount without delay.

Assistance from peers: Multiple sources of funding/support helped Bybit overcome difficulties

Two hours after the incident, a Binance whale and Bitget deposited a combined total of more than 50,000 ETH directly into Bybit's cold wallet; Bitget's deposit alone amounted to a quarter of all the ETH it held. MEXC's hot wallet also transferred 12,652 stETH (US$33.75M) directly to Bybit's cold wallet.

According to SoSoValue statistics and monitoring data from the on-chain security team TenArmor, Bybit received total inflows of more than US$4 billion in the 12 hours after the attack, including 63,168.08 ETH, US$3.15 billion in USDT, US$173 million in USDC and US$525 million in CUSD. These inflows fully covered the losses from the hack.

Other exchanges weighed in as well. HashKey voiced support for Bybit on its official X account, condemned the attack and said it was confident Bybit would handle the incident properly and pull through. BitMart founder Sheldon posted on X that the relevant addresses had been frozen and that any stolen assets flowing into BitMart would be frozen immediately to support recovery. Justin Sun, global advisor to Huobi HTX and founder of TRON, said: "We have been paying close attention to the Bybit incident and will do our best to assist our partners in tracking the relevant funds and provide all support within our capabilities."

Cold response: eXch refuses to intercept stolen funds for Bybit

According to Ember's monitoring, in the two and a half days after the incident the Bybit hacker laundered 89,500 ETH (US$224 million), about 18% of the 499,000 ETH stolen. At that rate, the remaining 410,000 ETH could be swapped into other assets (BTC, DAI and so on) within about two weeks.

On February 22, on-chain investigators found that 5,000 of the stolen ETH had been laundered through eXch and converted to Bitcoin via Chainflip. Bybit asked eXch to block the funds and track their movement. eXch instead made the request public and refused to cooperate, saying in its reply that since Bybit had banned eXch's users, it would not provide any help.

Bybit CEO Ben Zhou later tweeted: "At this moment, it's not about Bybit or any entity, but our general attitude towards hackers as an industry. We sincerely hope that eXch can reconsider and help us stop the outflow of funds. We have also received help from Interpol and international regulators. Helping to stop these funds is not just helping Bybit."

eXch's response paints a vivid picture of an "aider and abettor"; judged by its actions, its professed ideal of decentralization looks more like a bubble that bursts at the first touch.

The end of the incident: Bybit fully recovered and launched a bounty program

After a series of remediation, borrowing, appeal and self-rescue measures, Bybit announced officially that it had completed registration with the Indian authorities and that all Bybit services, including the ability to open new positions and access every product, had been fully restored for existing users.

Ben Zhou also announced on X that a Lazarus bounty website had gone live, publishing transparent data on the Lazarus Group's money-laundering activity. The total bounty is 10% of recovered funds, which could reach US$140 million if everything is recovered, split as 5% to the entity that successfully freezes the funds and 5% to the contributors who help trace them. Beyond trying to claw back the stolen assets, Bybit's proactive stance sets a new benchmark for how the industry responds to security threats.

Although Bybit has averted the most dangerous risk, a bank run, the hackers still need to cash out the stolen ETH or swap it for other assets, which will put heavy selling pressure on the market. The market was already sluggish and trending down, and sentiment has turned to panic. With no positive catalysts in the short term, the crypto market is showing a bearish trend, and investors should be cautious about what comes next.


Author: ME

This article represents the views of PANews columnist and does not represent PANews' position or legal liability.

The article and opinions do not constitute investment advice

Image source: ME. Please contact the author for removal if there is infringement.
