The ByBit exchange has fallen victim to what seems to be one of the biggest crypto hacks so far, with the exchange losing over $1.5 billion of ETH on February 21.
While the whole platform was not affected, one of the exchange’s multi-signature cold wallets was severely compromised, with the hacker withdrawing billions in assets while managing to fool Bybit team members.
The modus operandi of the 2025 Bybit hack is an eerie reminder of another infamous hack, that of the WazirX exchange last year, where hackers exploited its multisig cold wallet to steal $234.9 million.
As of now, Bybit has reassured users that their fund reserves are backed at a 1:1 ratio. Yet several million users of the Bybit exchange are currently anxious about the status of their funds.
Here is a detailed breakdown of how the Bybit hack occurred and what possible outcomes it could produce.
How did the ByBit hack happen?
As in every major hacking incident in the crypto space, cold wallets and multisig wallets are at the centre of this breach. ByBit and every other crypto exchange use multisig wallets to add a layer of security in protecting exchange-held user funds. These specialized wallets require multiple approvals from different people to execute transactions.
Musking
To bypass this security feature, the hackers employed a sophisticated technique called “Musking,” as described by Bybit CEO Ben Zhou. Musking refers to a form of UI spoofing where the transaction details shown to signers are altered or masked, so that the transaction produces a malicious result on final execution.
This tactic tricked Bybit’s multisig wallet signers into trusting a spoofed multisig dashboard, which the hackers managed to update with a malicious smart contract. Here is how events unfolded:
- Fake Transaction Interface
The hackers manipulated Bybit’s transaction interface, which was provided by the prominent security firm Safe, and replaced it with a legitimate-looking transaction request.
- Approval from Bybit multisig signers
The Bybit team signed the transaction while believing it to be a routine transfer of funds of the kind the exchange makes every day. As the team has not shared full details, it can be assumed that the transaction appeared to involve a smaller amount rather than the entire transfer of $1.3 billion of ETH all at once.
- Control of the wallet
Following the signature approval, the hackers gained control over the exchange wallet and moved the funds out immediately. It also needs to be noted that not all wallets were affected; only the wallet assigned to that particular multisig was accessed.
- Transfer of Funds
Once the hackers gained access to Bybit’s wallet, they began moving funds to multiple unknown addresses. As per Arkham Intelligence, the hacker currently holds $1.3 billion of stolen ETH across 53 different wallets.
What Do Security Experts Say?
While the incident looks quite simple on the front end, it takes much effort from a security perspective to figure out the exact exploitation. One blockchain security expert team, Dilation Effect, says that only one signer needed to be compromised in order to complete the attack, because the attacker used a sophisticated social engineering technique.
Experts believe that, by analyzing the on-chain transactions, we can see that the attacker executed the transfer function of a malicious contract through delegatecall. Furthermore, the transfer code uses the SSTORE instruction to modify the value of slot 0, thereby changing the implementation address of the Bybit cold wallet multi-signature contract to the attacker’s address.
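As an added example (not code from the article, Bybit or Safe), the following Python decodes the static head of a Safe execTransaction call and flags the operation field, which is precisely the detail a spoofed signing interface conceals from a human signer. The selector and parameter order follow Safe's published execTransaction ABI; the addresses and calldata in it are constructed placeholders.

```python
"""Pre-signing check for Safe execTransaction calldata (added example).

operation 0 = CALL, 1 = DELEGATECALL. A delegatecall runs the target's code
in the Safe's own storage, so an SSTORE to slot 0 there overwrites the
proxy's implementation pointer; a spoofed signing UI hides this field.
"""

# Selector of execTransaction(address,uint256,bytes,uint8,uint256,uint256,
# uint256,address,address,bytes) from the published Safe ABI.
EXEC_TRANSACTION_SELECTOR = "6a761202"
OP_CALL, OP_DELEGATECALL = 0, 1
WORD = 32


def _word(body: bytes, index: int) -> int:
    """Return ABI head word `index` as an integer."""
    return int.from_bytes(body[index * WORD:(index + 1) * WORD], "big")


def inspect_safe_tx(calldata_hex: str) -> dict:
    """Decode the fields a human signer must verify before signing."""
    raw = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if raw[:4].hex() != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction call")
    body = raw[4:]
    if len(body) < 10 * WORD:
        raise ValueError("truncated calldata")
    operation = _word(body, 3)
    return {
        "to": "0x" + body[12:32].hex(),  # address is right-aligned in word 0
        "value_wei": _word(body, 1),
        "operation": operation,
        "is_delegatecall": operation == OP_DELEGATECALL,
    }


def build_exec_calldata(to: str, value: int, operation: int) -> str:
    """Constructed calldata for testing: empty `data` and `signatures`."""
    words = [int(to, 16), value, 10 * WORD, operation, 0, 0, 0, 0, 0,
             11 * WORD, 0, 0]  # offsets point at two zero-length bytes tails
    return "0x" + EXEC_TRANSACTION_SELECTOR + "".join(
        w.to_bytes(WORD, "big").hex() for w in words)


if __name__ == "__main__":
    # Constructed samples (placeholder addresses): routine transfer vs delegatecall.
    for name, cd in (("benign", build_exec_calldata("0x" + "11" * 20, 10**18, OP_CALL)),
                     ("suspect", build_exec_calldata("0x" + "22" * 20, 0, OP_DELEGATECALL))):
        print(name, inspect_safe_tx(cd))
```

A signing workflow that surfaces `operation` and `to` from the raw calldata, independently of the web dashboard, gives signers a second channel that a compromised front end cannot mask.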
Current Status of Stolen Funds
As the hacker has now swiftly transferred assets to various addresses, it has become hard to track the funds. Unlike in other hacks, this time the hacker has not yet sent funds to the crypto mixer Tornado Cash to mix up funds and erase traces on the blockchain.
This latest hack has once again raised security concerns within the crypto space. Despite the use of the latest and most advanced security techniques, hackers seem to have been outsmarting everything. As the funds are still held in Ethereum wallets, it also raises optimism for a possible white-hat recovery, as the hackers are not attempting to move the funds entirely out of sight.