North Korea's "Spectacular Thieves" Execute the Largest Theft in History: How Did Bybit's "Race Against Time" Unfold?

Meta Era
2025-02-27 10:12:09
After the funds were stolen from Bybit, a wave of panic and reflection swept the industry. MetaEra breaks down the events step by step to reconstruct the "race against time" that unfolded at Bybit.

A single vulnerability led to a loss of approximately $1.46 billion, and all of it from one entity!

This is the catastrophic incident that the trading platform Bybit suffered: the funds were lost when the North Korean hacker group Lazarus Group drained Bybit's Ethereum cold wallet through a malicious contract upgrade. The theft exceeded the $611 million stolen from Poly Network in 2021, as well as the approximately $1 billion taken by Saddam Hussein from the Central Bank of Iraq in 2003, making it the largest single theft in history.

Defying Conventional Wisdom: How Did Hackers Breach the Cold Wallet?

Users familiar with hot and cold wallets know that a cold wallet's keys are kept entirely offline, so any withdrawal or transfer from it requires strict multi-step verification and approval. Bybit uses a Safe multi-signature wallet combined with hardware cold wallets, configured with a 3/3 signature threshold: all three private key holders must authorize any asset transfer.

The Lazarus Group's strategy for draining the cold wallet was not to attack the cold wallet directly, but to compromise the computer systems of the three signers by some means. The hackers deployed a backdoored malicious contract three days in advance, and when the signers carried out their routine operations, the hackers quietly swapped the normal transaction request for a call into that pre-deployed malicious contract.

In summary, the root cause of this incident was a successful phishing attack. The hackers tricked the wallet signers into signing malicious transaction data, which resulted in a malicious upgrade of the wallet contract and gave the hackers control of the cold wallet and all of its funds. Evidently, even the coldest security barrier can fail once humans are in the loop, and "decentralized" controls collapse into a few human chokepoints, which is exactly where attackers usually break through.
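One defender-side control that the scenario above calls for is a screen run on an independent machine before each signer approves: compare the raw fields the multisig will actually sign with what the signing UI displayed. This is an added example and not code from the article, Bybit or Safe; the field names mirror Safe's transaction struct (to, value, data, operation, where operation 1 is delegatecall, the mechanism Safe uses for contract upgrades), and all addresses and amounts are constructed.

```python
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1              # Safe's Enum.Operation values
ERC20_TRANSFER_SELECTOR = "a9059cbb"   # first 4 bytes of keccak256("transfer(address,uint256)")

@dataclass
class SafeTx:
    to: str
    value: int       # wei
    data: str        # 0x-prefixed hex calldata (assumed convention here)
    operation: int   # 0 = call, 1 = delegatecall

def decode_erc20_transfer(data):
    """Return (recipient, amount) for an ERC-20 transfer(address,uint256) call, else None."""
    h = data[2:].lower()
    if len(h) != 136 or h[:8] != ERC20_TRANSFER_SELECTOR:
        return None
    return "0x" + h[32:72], int(h[72:], 16)

def screen(tx, shown_to, shown_amount, allowlist):
    """Compare the payload to be signed against what the UI displayed; return a list of findings."""
    findings = []
    if tx.operation == DELEGATECALL:
        findings.append("operation=1 (delegatecall): runs foreign code against the Safe's own storage")
    if tx.to.lower() not in {a.lower() for a in allowlist}:
        findings.append(f"destination {tx.to} is not on the signer's allowlist")
    calldata = tx.data[2:]
    if calldata == "":                     # native ETH transfer: to/value carry the intent
        if tx.to.lower() != shown_to.lower() or tx.value != shown_amount:
            findings.append("native transfer does not match the displayed recipient/amount")
        return findings
    decoded = decode_erc20_transfer(tx.data)
    if decoded is None:
        findings.append("calldata is not a recognized ERC-20 transfer; do not sign blind")
    elif decoded[0].lower() != shown_to.lower() or decoded[1] != shown_amount:
        findings.append("ERC-20 transfer recipient/amount differ from what the UI displayed")
    return findings

# Constructed sample values (not real addresses or amounts).
TOKEN = "0x" + "11" * 20
PAYEE = "0x" + "aa" * 20
AMOUNT = 100 * 10**18
BENIGN = SafeTx(to=TOKEN, value=0, operation=CALL,
                data="0x" + ERC20_TRANSFER_SELECTOR + "00" * 12 + "aa" * 20 + f"{AMOUNT:064x}")
# A swapped request: the UI still reads "100 tokens to PAYEE", but the payload differs.
TAMPERED = SafeTx(to="0x" + "ee" * 20, value=0, operation=DELEGATECALL,
                  data="0x" + "deadbeef" + "00" * 32)
```

The screen is the software half of the check; the other half is reading the transaction hash off the hardware wallet's own display rather than trusting the browser UI.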

Community Voting: How Feasible Is It to Roll Back Ethereum to the State Before the Theft?

Because of the astronomical sum involved, calls for a "rollback" that rewinds the blockchain grew louder. During a Spaces session on February 22, Bybit CEO Ben Zhou was asked whether he supported rolling back the Ethereum blockchain to its state before the Lazarus Group attack on February 21. He responded, "I'm not sure if this is a decision for one person. Based on the spirit of blockchain, perhaps this should be a voting process to see what the community wants, but I'm not certain."

Ethereum core developer Tim Beiko explained in a post that rolling back Ethereum is no longer possible today. In the Ethereum ecosystem of 2025, DeFi and cross-chain bridges with other chains mean that any stolen funds can easily be mixed within the application network. For example, stolen funds can be exchanged on decentralized exchanges, and the resulting tokens can be used as collateral in DeFi protocols, with borrowed assets bridged to completely different chains. A complete "rollback" would invalidate all recent on-chain activities, making the situation worse. Any settled transactions, many of which have impacts beyond Ethereum (such as exchange sales, RWA redemptions, etc.), would be revoked, but their off-chain parts cannot be undone. "A single thread can affect the whole fabric," making the impact of an Ethereum rollback even greater, which is not a wise solution.

CZ's Suggestion: The Controversy of Pausing Withdrawals After the Incident

After the Bybit theft incident, Binance co-founder CZ responded to Bybit CEO Ben Zhou on the X platform, stating, "This is not an easy situation to handle. A possible suggestion is to temporarily stop all withdrawals as a standard security precaution. We will provide any assistance if needed."

Nansen CEO Alex Svanevik responded on the X platform to CZ's suggestion for Bybit to pause withdrawals during the security incident, stating, "As a user, the problem with stopping withdrawals is the extreme frustration it shows when an exchange appears powerless over its own funds. Even without a hacker attack, stopping or delaying withdrawals can be very frustrating, which is why many people abandoned Coinbase due to their frequent delays in user withdrawal times."

Bybit CEO Ben Zhou responded on the X platform to some people's doubts about CZ's suggestion: "I do agree with CZ's point. If this hacker attack had penetrated our internal systems (such as a part of the withdrawal system) or if the hot wallet had been breached, we would immediately pause all withdrawals until we found the root cause of the problem. However, in yesterday's incident, it was the ETH cold wallet that was breached, which has nothing to do with any of our internal systems."

Regarding user withdrawals, Bybit processed all withdrawals within 12 hours after the hacker attack, and the withdrawal system has fully returned to normal speed, allowing users to withdraw any amount without encountering any delays.

Peer Assistance: Multiple Funds and Pledges of Support Help Bybit Through the Crisis

Two hours after the incident, a Binance whale and Bitget deposited a total of over 50,000 ETH directly into Bybit's cold wallet, with Bitget's deposit being one-fourth of all its ETH. MEXC's hot wallet also transferred 12,652 stETH ($33.75M) directly to Bybit's cold wallet.

Notably, according to statistics from SoSoValue and the latest monitoring data from the on-chain security team TenArmor, Bybit's trading platform saw an influx of over $4 billion in funds within the past 12 hours, specifically including 63,168.08 ETH, $3.15 billion in USDT, $173 million in USDC, and $525 million in CUSD, completely covering the losses caused by the hacker attack.

Meanwhile, in response to the Bybit incident, HashKey expressed support for Bybit on its official Twitter, strongly condemning the hackers' illegal actions and believing that Bybit's security incident would be properly handled and overcome; BitMart founder Sheldon stated on the X platform that he had frozen the relevant addresses, and once any stolen assets flowed into BitMart, he would immediately freeze the relevant assets to support recovery efforts; Justin Sun, global advisor of Huobi HTX and founder of TRON, stated, "We have been closely monitoring the Bybit incident and will do our utmost to assist our partners in tracking the relevant funds, providing all support within our capabilities."

Cold Response: eXch Refuses to Intercept Stolen Funds for Bybit

According to monitoring by Yu Jin, within two and a half days of the incident the Bybit hacker had laundered 89,500 ETH ($22.4 million), 18% of the total ETH stolen (499,000 ETH). At this rate, the hacker could exchange the remaining 410,000 ETH for other assets (BTC, DAI, etc.) within about another half a month.

On February 22, on-chain detectives discovered that 5,000 stolen ETH were laundered through eXch and converted to Bitcoin via Chainflip. In response to this discovery, Bybit requested eXch to block the funds and track their movements. However, eXch publicly disclosed this request and refused to cooperate. In their reply to Bybit's email, eXch mentioned that they would not provide any assistance because their users had previously been banned by Bybit.

Subsequently, Bybit CEO Ben Zhou tweeted, "At this moment, it is not about Bybit or any entity, but rather our general attitude as part of the industry towards hackers. We sincerely hope eXch can reconsider and help us stop the outflow of funds. We have also received assistance from Interpol and international regulatory agencies to help stop these funds, which is not just about helping Bybit."

eXch's reply paints a vivid picture of aiding and abetting; the "ideals of decentralization" it invokes look more like a fragile bubble.

The Conclusion: Bybit Fully Recovers and Launches a Bounty Program

After a series of remedies, loans, appeals, and self-rescue actions, Bybit issued an official announcement: Bybit has officially registered with Indian authorities, and all Bybit services (including the ability to open new trades and access all products) have been fully restored for existing users.

Bybit CEO Ben Zhou posted on the X platform that a bounty website for the Lazarus hacker group has been launched, which will display transparent data regarding the money laundering activities of the Lazarus Group. It is reported that the total bounty is 10% of the recovered funds, and if all funds are recovered, the total bounty could reach $140 million. The specific distribution is: 5% to the entity that successfully freezes the funds, and 5% to contributors who help track the funds. More importantly, Bybit has taken a proactive approach, aiming to recover the stolen funds while also setting a new benchmark for the entire industry in responding to security threats.

Although Bybit successfully mitigated the most dangerous risk of a bank run, the next step for the hacker is to liquidate the stolen ETH or exchange it for other currencies, which poses significant selling pressure on the market. The market has entered a state of panic, with prices continuing to decline, and without any short-term positive news, the bearish sentiment in the crypto market is becoming apparent, leading investors to be cautious about future trends.
