Bybit Event Timeline | Withdrawal System Restored, Stolen 490,000 ETH Has Been Moved

2025-02-22 00:36

At 15:21, Bybit CEO Ben Zhou posted on social media that they had detected a hacker attempting to transfer assets to the BTC network via Chainflip. Bybit hopes the cross-chain bridge project will help them block and prevent further asset movement to other chains. Bybit will soon offer a bounty program to anyone who assists in blocking or tracing the funds leading to asset recovery.


Bybit Sees Over $4 Billion Inflows in the Last 12 Hours, Covering Entire Stolen Funds Gap


According to SoSoValue's statistics and the latest monitoring data from the on-chain security team TenArmor, Bybit's trading platform has seen total inflows of over $4 billion in the past 12 hours, including 63,168.08 ETH, $3.15 billion in USDT, $173 million in USDC, and $525 million in CUSD.


Based on the comparison of the inflow data, this influx has completely covered the funds gap caused by yesterday's hack. Meanwhile, all of Bybit's services, including withdrawals, have returned to normal.


SlowMist Cosine: CZ's Suggestion to Suspend Withdrawals While the Attack's Cause Was Uncertain Was Also Correct


At 14:29, SlowMist's co-founder Cosine posted on social media that, from a security perspective, the emergency suggestion to halt the wallet system is right when the cause is unknown. Bybit's response to this theft was extremely fast, and the issue was pinpointed very quickly. SlowMist and some security teams immediately engaged in communication, quickly identified the problem and speculated on the hacker profile. Bybit is fully prepared and there is no problem with promptly resuming withdrawals.


Cosine explained that he believes both CZ's previous suggestion and Bybit's final resolution were correct. Many industry insiders are currently embroiled in this controversy, forgetting that the common enemy should be the North Korean hackers.


Du Jun: Will Transfer 10,000 ETH to Bybit, No Withdrawals for One Month


At 12:32, ABCDE co-founder Du Jun posted on social media that he will transfer 10,000 ETH to Bybit today and will not withdraw for one month.


WSJ: CertiK Confirms Bybit Incident as the Largest Theft in Crypto History


The Wall Street Journal, citing the opinion of the Web3.0 security firm CertiK, stated that the Bybit incident is the largest single theft event in crypto history, with the stolen assets from this hack estimated at over $1.4 billion.


After the incident, Bybit announced that it had reported the case to the relevant authorities. Bybit's CEO, Ben Zhou, stated that all of Bybit's functions and products are still operating normally, the exchange has the ability to fulfill its obligations, and will fully compensate customer losses. As of now, all withdrawal requests on Bybit have been processed, and the withdrawal system has returned to normal speed.


SlowMist's Cai Kexin: Safe Frontend Tampered to Deceive, North Korean Hackers Have Conducted Similar Operations Multiple Times


At 11:40, SlowMist's co-founder, Cai Kexin, posted on social media stating that the Safe contract is not the problem; the issue lies in the non-contract part, where the frontend was tampered with to deceive users. This is not an isolated case; North Korean hackers used this method successfully several times last year, such as in the WazirX incident ($230 million stolen, Safe multisig), the Radiant Capital incident ($50 million stolen, Safe multisig), and the DMM incident ($305 million stolen, Ginco multisig). This attack method is well-engineered. Other platforms should also be more vigilant, as multisig solutions other than Safe may have similar attack vectors.


Bybit Hacker Holds More ETH Than Fidelity, Vitalik, Becomes the 14th Largest Holder Globally


Coinbase executive Conor Grogan posted on social media that the Bybit hacker (suspected to be from North Korea) has become the 14th largest ETH holder globally, holding approximately 0.42% of the total Ethereum token supply. This amount surpasses the holdings of Fidelity Investment Company and of Ethereum co-founder Vitalik Buterin, and is over twice the holdings of the Ethereum Foundation.


Bybit CEO: Withdrawal System Fully Restored, Will Release Comprehensive Incident Report


At 10:51, Bybit CEO Ben Zhou posted that it has been 12 hours since the most severe hack in history. All withdrawals have been processed. Bybit's withdrawal system is now fully restored; users can withdraw any amount without delays. Bybit thanks users for their patience and apologizes for the occurrence. Bybit will release a comprehensive incident report and security measures in the next few days.


Bybit Hacker's 15,000 cmETH Unstaking Application Denied, Potential Intercept


At 9:15, according to on-chain data analyst Yu Jin, an hour ago, the Bybit hacker's unstaking application for 15,000 cmETH was rejected by the cmETH withdrawal contract. Subsequently, the hacker performed cmETH transaction approval on DODO but did not proceed with further transactions, possibly due to the shallow liquidity pool for cmETH.


This 15,000 cmETH should have been stoppable. In addition to this 15,000 cmETH, Bybit's stolen ETH amount is 499,000 (approximately $1.37 billion), stored by the hacker in 51 different addresses.


Safe: No Security Vulnerabilities Found After Comprehensive Investigation, No Other Safe Addresses Affected


At 9:08 AM, Safe responded on social media to the issue of "ByBit displayed what seemed like correct transaction information but executed a malicious transaction with all valid signatures" stating:


· No Codebase Leak Found: Thoroughly checked Safe's codebase and found no evidence of leakage or modification.


· No Malicious Dependencies Found: No signs that malicious dependencies in Safe's codebase would affect transaction flow (i.e., a supply chain attack)


· No Unauthorized Infrastructure Access Detected in Logs


· No Other Safe Addresses Affected


Safe stated that it has temporarily disabled the Safe{Wallet} feature to ensure users have absolute confidence in the security of the Safe platform. While the investigation showed no evidence of an intrusion into the Safe{Wallet} frontend itself, we are conducting a more thorough review.


Bybit CEO: 99.99% of Withdrawal Requests Processed


At 8:52 AM, Bybit CEO Ben Zhou posted on social media stating that since the hack incident (10 hours ago), Bybit has experienced the highest number of withdrawals we have ever seen, with over 350,000 withdrawal requests in total, and at present, about 2,100 withdrawal requests are pending. 99.994% of withdrawals have been completed overall. The entire team stayed up all night processing and addressing customer questions and concerns.


Bitget Transferred 40,000 ETH in Loan to Bybit 5 Hours Ago to Alleviate Withdrawal Pressure


Around 9:00 AM, according to on-chain data analyst Yu Jin's monitoring, 5 hours ago, Bitget supported Bybit with a 40,000 ETH loan (approximately $105.9 million) to navigate through the withdrawal rush after the ETH theft, and these ETH were directly transferred from Bitget to Bybit's cold wallet address.


At 7:27, Bybit CEO Ben Zhou responded to the news of "Binance and Bitget cumulatively depositing over 50,000 ETH into Bybit's cold wallet" on social media, thanking Bitget for lending a helping hand at this moment. Bybit is still in communication with Binance and several other partners, and the funds described in the news have no relation to the official Binance.


Bybit: Has Collaborated Extensively with On-Chain Analytics Firms to Limit Hacker's ETH Dump


At 5:07, Bybit's official social media post stated that they have reported the theft to the relevant authorities. Once any further information is obtained, updates will be promptly provided. Meanwhile, Bybit has rapidly and extensively collaborated with on-chain analytics providers to identify all involved addresses. These actions will mitigate and combat bad actors' ability to dispose of and dump ETH through legitimate markets, thereby reducing available disposal channels.


North Korea's Lazarus Group Accused of Orchestrating Bybit Hack


At 4:21, Arkham posted on the X platform that ZachXBT submitted evidence at 19:09 UTC, proving that North Korea's Lazarus Group planned the attack. The evidence included test transaction analysis, related wallet links, and forensic charts. This report has been submitted to the Bybit team for investigative assistance.


Bybit CEO: Issue with Multi-Signature Transfer Went Unnoticed, Peak Redemption Pressure Has Passed


At 1:29, Bybit CEO Ben Zhou shared during a livestream that "he was the last signer during the multi-signature transfer, using a Ledger device. There was an issue during the signature process, but it went unnoticed, and the destination address was not displayed during signing. Currently, there are 4000 pending withdrawal transactions."


Ben Zhou reiterated during the livestream that Bybit's treasury can cover the loss of 400,000 ETH. "We have processed 70% of the withdrawals, and the peak redemption pressure is over. Large withdrawals are undergoing regular security reviews, and in the next few hours, we are still processing the remaining withdrawals. All customer withdrawals will be processed." Ben Zhou also mentioned considering obtaining a bridging loan from partners to compensate for the stolen funds. "We will not purchase Ethereum; we are considering obtaining a bridging loan from partners to recover the stolen funds, with 80% already secured."


Safe Security Team is Collaborating with Bybit, No Evidence of Safe Frontend Compromise Yet


At 12:47 AM, the Safe Security Team announced that they are working closely with Bybit and conducting an ongoing investigation. Currently, there is no evidence of the official Safe frontend being compromised. However, out of an abundance of caution, Safe{Wallet} has temporarily suspended certain functions. User security is our top priority, and we will provide more updates as soon as possible.


Bybit Hacker Has Dispersed 490,000 ETH to 49 Addresses, with 15,000 cmETH Still Pending Unstaking


At 12:45 AM, according to EmberCN monitoring, Bybit's ETH multisig cold wallet was hacked, with 514,000 ETH stolen, valued at $14.29 billion. The hacker has already dispersed 490,000 ETH to 49 addresses (10,000 ETH each). "Additionally, there are still 15,000 cmETH currently being unstaked by the hacker (with an 8-hour unbonding period, it is uncertain if this can be intercepted)."


SlowMist Reveals Details of Bybit Hacker's Attack


At 12:36 AM, SlowMist published an article disclosing details of the Bybit hacker's attack:


· The malicious implementation contract was deployed at 7:15:23 UTC on 2025-02-19

0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516


· At 14:13:35 UTC on 2025-02-21, the attacker used three owners to sign a transaction replacing the Safe implementation contract with the malicious contract

0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882


· The malicious upgrade logic was embedded in STORAGE[0x0] through a DELEGATECALL

0x96221423681A6d52E184D440a8eFCEbB105C7242


· The attacker used the backdoor functions sweepETH and sweepERC20 in the malicious contract to drain the hot wallet.
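A defender-side sketch of the two checks this attack pattern calls for, added here as an example and not taken from SlowMist, Safe or Bybit: review the decoded Safe transaction for an unexpected DELEGATECALL before signing, and afterwards compare the proxy's storage slot 0 with the expected implementation. The placeholder addresses, the allowlist and the function names are assumptions; the only real value is the malicious implementation address quoted above.

```python
CALL, DELEGATECALL = 0, 1  # Safe's Enum.Operation values

# Assumptions for this sketch: constructed placeholder addresses, not real deployments.
EXPECTED_SINGLETON = "0x" + "11" * 20        # implementation the proxy should point to
DELEGATECALL_ALLOWLIST = {"0x" + "22" * 20}  # vetted library, e.g. a batching helper


def review_safe_tx(tx):
    """Findings for a decoded Safe transaction, computed away from the signing UI."""
    findings = []
    to = tx["to"].lower()
    if tx["operation"] not in (CALL, DELEGATECALL):
        findings.append("unknown operation value")
    elif tx["operation"] == DELEGATECALL and to not in DELEGATECALL_ALLOWLIST:
        # The target's code would run against the Safe's own storage, slot 0 included.
        findings.append("DELEGATECALL to non-allowlisted target " + to)
    return findings


def singleton_from_slot0(word_hex):
    """Implementation address held in the low 20 bytes of the 32-byte slot-0 word."""
    raw = bytes.fromhex(word_hex[2:] if word_hex.startswith("0x") else word_hex)
    if len(raw) != 32:
        raise ValueError("expected a 32-byte storage word")
    return "0x" + raw[-20:].hex()


def implementation_changed(word_hex, expected=EXPECTED_SINGLETON):
    """True when slot 0 no longer points at the expected implementation."""
    return singleton_from_slot0(word_hex) != expected.lower()


# Constructed samples. SLOT0_AFTER embeds the malicious implementation address
# listed in SlowMist's details above; everything else is a placeholder.
ROUTINE_TX = {"to": "0x" + "33" * 20, "value": 10**18, "data": "0x", "operation": CALL}
SUSPECT_TX = {"to": "0x" + "44" * 20, "value": 0,
              "data": "0x" + "00" * 68, "operation": DELEGATECALL}
SLOT0_BEFORE = "0x" + "00" * 12 + "11" * 20
SLOT0_AFTER = "0x" + "00" * 12 + "bdd077f651ebe7f7b3ce16fe5f2b025be2969516"

if __name__ == "__main__":
    for name, tx in (("routine", ROUTINE_TX), ("suspect", SUSPECT_TX)):
        print(name, review_safe_tx(tx) or "no findings")
    for name, word in (("before", SLOT0_BEFORE), ("after", SLOT0_AFTER)):
        print(name, singleton_from_slot0(word), "changed:", implementation_changed(word))
```

In a monitoring job the slot word would come from an `eth_getStorageAt` query on the Safe proxy at position 0x0, and the transaction fields from a decoder that is independent of the wallet frontend.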


He Yi, CZ, Justin Sun Successively Voice Support for Bybit, Willing to Provide Assistance Anytime


At 12:29 AM, Binance co-founder He Yi responded to the Bybit hack on social media, stating, "We are here when you need," offering help at any time.


At 12:34 AM, Binance founder CZ responded to the Bybit hack incident on social media, stating, "This is not an easy situation to deal with. I recommend temporarily suspending all withdrawals as a standard security precaution. If needed, I am willing to provide any assistance. Good luck!"

At 12:39 AM, Huobi HTX Global Advisor and TRON founder Justin Sun responded to the Bybit hack incident on social media, saying, "We have been closely monitoring the Bybit incident and will do our utmost to assist our partners in tracking related funds and providing all support within our capabilities."


DefiLlama Founder: Net Withdrawal Amount After Bybit Hack Incident Reaches $700 Million


At 12:23 AM, DefiLlama founder 0xngmi shared on social media, "So far, after the Bybit hack incident, the net withdrawal amount due to user withdrawals has reached $700 million."


Total of 514,723 Native ETH and Various Derivative ETH Stolen from Bybit


According to OnchainLens monitoring, the outflow of stolen funds from Bybit is as follows:


· 401,347 ETH worth $1.12 billion;

· 90,376 stETH worth $253.16 million;

· 15,000 cmETH worth $44.13 million;

· 8,000 mETH worth $23 million.


The total stolen native ETH and various derivative ETH amount to 514,723.


Bybit CEO: Will Soon Host a Livestream to Address All Questions


At 12:20 AM, Bybit CEO Ben Zhou provided an update on X platform, stating, "I will soon start a livestream to answer all questions!! Please stay tuned."


Ethena: Bybit's Hedge Position-Related PNL is Just Under $30 Million, USDe Spot Assets Custodied Outside CEX


At 12:16 AM, Ethena Labs stated, "We have noted the current situation Bybit is in and will continue to monitor the latest developments. Reminder: all USDe-supported spot assets are custodied in solutions outside exchanges, including Bybit's custody through Copper Clearloop, specifically prepared for such scenarios."


There is no USD spot reserve fund deposited on any exchange, including Bybit. Currently, the total unrealized profit and loss (PNL) related to the Bybit hedged position is less than 30 million USD, well below half of the reserve fund. USDe is currently still fully overcollateralized. We will provide updates as more information is received.


ZachXBT: Bybit Hacker Has Dispersed 10,000 ETH to 39 New Addresses, Calls for Immediate Blacklisting


ZachXBT stated that the Bybit hacker has dispersed 10,000 ETH to 39 new addresses. "If you are an exchange or service provider, please blacklist these addresses on all EVM chains."




SlowMist Cosine: Bybit Hacker's Attack Method Similar to North Korean Hackers


SlowMist founder Cosine stated, "Although there is no clear evidence at the moment, from the Safe multi-signature method and the current money laundering method, it resembles the North Korean hackers."


February 21


Bybit Hacker Has Started to Disperse Funds to Multiple Addresses


At 11:57 PM, according to Arkham Monitoring, the Bybit hacker has started to disperse funds to multiple addresses.



Bybit CEO: Platform Withdrawals Normal, Other Cold and Hot Wallets Not Affected; Bybit Has the Ability to Pay, Can Bear This Loss


At 11:53 PM, Bybit CEO Ben Zhou provided an update stating that Bybit's hot wallets, warm wallets, and all other cold wallets were not affected. The only wallet attacked by the hacker was the ETH cold wallet. All withdrawals are functioning normally. It was also emphasized that "Bybit still has the ability to pay, and even if the loss caused by this hacker attack cannot be recovered, all client assets remain 1:1 supported, and we can bear this loss."


Bybit's Total Assets Amount to 15.727 Billion USD, Ethereum Assets Reach 5.18 Billion USD


As of 11:54 PM on February 21, according to DefiLlama data, Bybit's total assets amount to 15.727 billion USD, including:


· 6.263 billion USD in Bitcoin;

· $51.8 billion in Ethereum;

· $13.5 billion in SOL;

· $11.43 billion in TRON.


Bybit CEO: Hacker Controls Specific ETH Cold Wallet, Other Cold Wallets Secure and Withdrawals Operating Normally


At 11:44 PM, Bybit Co-Founder and CEO Ben Zhou posted, "About an hour ago, Bybit's ETH multisig cold wallet transferred to our hot wallet. This transaction appears to be spoofed, and all signers saw the spoofed interface showing the correct address, with the URL coming from Safe.


However, the signature message was to change the logic of our ETH cold wallet's smart contract. This caused the hacker to control a specific ETH cold wallet we signed for and move all ETH in the wallet to this unconfirmed address.


Rest assured, all other cold wallets are secure. All withdrawals are operating normally. I will continue to update as more information comes to light. Any team that can assist in tracking the stolen funds would be greatly appreciated."


Bybit Multisig Address Transfers $15 Billion Worth of ETH and Converts LSD Assets to Native ETH Using DEX


A few minutes later, crypto influencer Finish posted that according to on-chain data, Bybit's multisig address transferred $15 billion worth of ETH to a new address. The funds arrived at the new address 0x47666fab8bd0ac7003bce3f5c3585383f09486e2, then were moved to 0xa4b2fd68593b6f34e51cb9edb66e71c1b4ab449e, where 0xa4 is currently swapping stETH and mETH for ETH.


"Currently this address is using 4 different DEX. If they're just swapping LSD for native ETH, the execution would be horrible (slippage would be immense). This scale is usually conducted OTC, so this is very unusual."


ZachXBT Monitors Suspicious Fund Outflow from Bybit


Around 11:27 PM on February 21, the ZachXBT monitoring channel stated that they are currently monitoring suspicious funds flowing out of Bybit, totaling over $14.6 billion.

