- Attackers manipulated smart contract logic, draining funds to an unknown address; only ETH cold wallet was compromised.
- CEO Ben Zhou reassured users: hot, warm, and other cold wallets remain secure; withdrawals are unaffected.
In a shocking announcement on Friday, February 21, 2025, Ben Zhou, CEO of Bybit—one of the world’s largest cryptocurrency exchanges—revealed via his X account a major security breach that compromised one of the platform’s multisignature Ethereum (ETH) cold wallets, resulting in the loss of over $1.4 billion.
🚨 🚨 🚨 🚨 🚨 🚨 🚨 🚨 🚨 🚨 401,346 #ETH (1,133,327,423 USD) transferred from #Bybit to unknown wallet https://t.co/z6xWcFxR4H
— Whale Alert (@whale_alert) February 21, 2025
The tweet, posted at 15:44 UTC (10:44 AM CST), ignited widespread concern and speculation within the crypto community, confirming initial suspicions of massive fund movements reported by Arkham hours earlier.
Bybit ETH multisig cold wallet just made a transfer to our warm wallet about 1 hr ago. It appears that this specific transaction was masked, all the signers saw the masked UI which showed the correct address and the URL was from @safe. However the signing message was to change…
— Ben Zhou (@benbybit) February 21, 2025
Attack Details
According to Zhou’s post, the incident occurred roughly an hour before his announcement, when Bybit’s multisignature ETH cold wallet initiated a transfer to a warm wallet. The attack involved a sophisticated phishing scheme: the transaction signers were shown a masked user interface (UI) that displayed legitimate addresses and URLs from @safe, the account of Safe (formerly Gnosis Safe), a platform renowned for its multisignature wallet security.
The critical point is that the message the signers actually signed did not match the transfer shown on screen. Instead, the signed message changed the logic of the smart contract linked to the ETH cold wallet, granting the attackers full control.
Bybit Hot wallet, Warm wallet and all other cold wallets are fine. The only cold wallet that was hacked was ETH cold wallet. ALL withdraws are NORMAL.
— Ben Zhou (@benbybit) February 21, 2025
This allowed the hackers to drain all ETH funds from the compromised wallet to an unknown address. Zhou shared a link (https://t.co/ckwZgma8Lf) with further details, though specifics about the recipient address or the exact amount stolen—beyond the estimated $1.4 billion reported by ETHNews—remain undisclosed.
ALERT: $1B+ OUTFLOWS FROM BYBIT
$1.4B in ETH and stETH outflows from Bybit
The funds have begun to move to new addresses where they are being sold. So far $200M stETH has been sold.
Address: 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2 pic.twitter.com/TfGm2UCjM5
— Arkham (@arkham) February 21, 2025
Reactions on X
Zhou’s tweet triggered a flood of responses on X, with users expressing disbelief, anxiety, and sarcasm. Accounts like @ari, @DeFiOssi, @ThePaulOla, and @CryptoMasterCom demanded clarity on the safety of remaining funds, invoking terms like “SAFU” (a popular crypto community term for “secure”) to question whether user assets were protected. Others, such as @Stat and @beast_ico, voiced frustration and panic, while @SynquoteIntern shared a humorous image of a man with his hands on his head, reflecting the collective dismay.
In a follow-up tweet at 15:53 UTC, Zhou clarified that only the ETH cold wallet was breached, while Bybit’s hot wallets (internet-connected), warm wallets, and other cold wallets remained secure. He emphasized that all withdrawals were functioning normally in an effort to reassure users and prevent panic-driven sell-offs.
Bybit detected unauthorized activity involving one of our ETH cold wallets. The incident occurred when our ETH multisig cold wallet executed a transfer to our warm wallet. Unfortunately, this transaction was manipulated through a sophisticated attack that masked the signing…
— Bybit (@Bybit_Official) February 21, 2025
Zhou also called for assistance from the community and cybersecurity experts to trace the stolen funds, signaling openness to collaboration with blockchain analysts and law enforcement to recover the assets.
Technical Context and Precedents
This incident highlights vulnerabilities in multisignature wallets, even on platforms like Safe, which are widely regarded as secure. Discussions on forums like Reddit’s r/ethdev note parallels to the 2017 Parity multisignature wallet hack, where an exploit led to the theft of over 150,000 ETH (roughly $360 million at current prices). That breach, caused by a flaw in smart contract logic, spurred significant security protocol upgrades. However, Bybit’s case underscores lingering risks.
Safe, the multisignature solution used by Bybit, is an Ethereum-based platform requiring multiple signatures to authorize transactions, thereby mitigating single points of failure. Yet the phishing attack exploited human verification weaknesses rather than technical flaws, deceiving signers through a fraudulent UI.
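An added example (not Bybit’s or Safe’s code): a pre-signing check that reads the raw Safe transaction fields rather than the web UI and compares them with the transfer the signers intend to approve. The `to`, `value`, `data` and `operation` field names follow Safe’s transaction parameters; the dict shape, `Intent`, `review_safe_tx`, the allowlist and all addresses are hypothetical. The page does not state which fields the attackers’ payload used.

```python
from __future__ import annotations
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1  # values of the `operation` field in a Safe transaction

@dataclass(frozen=True)
class Intent:
    """What the signers mean to approve, taken from the change ticket, not from the UI."""
    to: str
    value_wei: int

def review_safe_tx(tx: dict, intent: Intent, allowlist: set[str]) -> list[str]:
    """Return reasons to refuse signing; an empty list means the raw fields match the intent."""
    findings = []
    to = tx["to"].lower()
    if tx["operation"] != CALL:
        findings.append("operation is not CALL: target code would run against the Safe's own storage")
    if to != intent.to.lower():
        findings.append(f"destination {to} differs from intended {intent.to.lower()}")
    if to not in {a.lower() for a in allowlist}:
        findings.append(f"destination {to} is not an allowlisted wallet")
    if int(tx["value"]) != intent.value_wei:
        findings.append(f"value {tx['value']} wei differs from intended {intent.value_wei}")
    if tx.get("data") not in (None, "", "0x"):
        findings.append("calldata present on what should be a plain ETH transfer")
    return findings

# Constructed sample data: placeholder addresses and payloads, not values from the incident.
WARM_WALLET = "0x" + "11" * 20
UNKNOWN_CONTRACT = "0x" + "22" * 20
INTENT = Intent(to=WARM_WALLET, value_wei=10**18)

MATCHING_TX = {"to": WARM_WALLET, "value": "1000000000000000000", "data": "0x", "operation": CALL}
MISMATCHED_TX = {"to": UNKNOWN_CONTRACT, "value": "0", "data": "0xdeadbeef", "operation": DELEGATECALL}

if __name__ == "__main__":
    for name, tx in (("matching", MATCHING_TX), ("mismatched", MISMATCHED_TX)):
        problems = review_safe_tx(tx, INTENT, {WARM_WALLET})
        print(name, "OK to sign" if not problems else "REFUSE")
        for p in problems:
            print("  -", p)
```

The check is only useful when it runs on a machine separate from the one rendering the signing UI, with the intent sourced independently of that UI.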
Bybit has long emphasized its security commitments. In a 2020 Cointelegraph interview, Zhou detailed the exchange’s “zero-trust” architecture, multi-layered withdrawal controls, and 100% offline cold storage for user assets. Despite these measures, the phishing attack bypassed defenses, showcasing the sophistication of malicious actors in the crypto space.
Legal Implications
The $1.4 billion loss deals a severe financial and reputational blow to Bybit. Zhou assured users that operations remain unaffected and that funds in other wallets are secure. Legally, the breach may spark litigation, particularly in Singapore—where Bybit has a significant presence—given its courts’ crypto-friendly stance.
In 2023, Singapore’s High Court ruled in *ByBit Fintech Ltd v Ho Kai Xin & Ors* that cryptocurrencies qualify as property under law, potentially aiding recovery efforts or lawsuits against involved parties.
Market-wise, Ethereum’s price has seen limited impact so far, though investors are monitoring for additional selling pressure if hackers liquidate stolen funds. The crypto community is also tracking Bybit’s response and potential regulatory fallout.
Bybit now faces the challenge of restoring user trust and tracing the stolen assets. Zhou expressed willingness to partner with external teams to identify perpetrators and recover funds, while the exchange may implement stricter multisignature system audits and anti-phishing training.
Note: This article is based on information available as of 11:04 AM CST on February 21, 2025. Events may evolve. Investors and users are advised to monitor official Bybit updates and trusted sources before making financial decisions.