This is being considered the BIGGEST hack in history, and below I will explain how it all happened.
To put it into context:
On the morning of 21/02/2025, the Bybit exchange was the victim of an unprecedented attack: 400,000 ETH were diverted, totaling approximately US$1.5 billion – the largest hack recorded on a crypto platform to date.
The attack occurred during a routine transfer between internal wallets: a cold (offline) wallet to a hot wallet (used for daily trading).
During this process, the hackers exploited a vulnerability in the transaction-signing interface.
The technique employed was ingenious: the hackers replicated Bybit’s signing interface.
The signers thus saw the expected address and amount, without realizing that the smart contract’s logic had been altered.
The last signature was from CEO Ben Zhou.
The interface was “mirrored” to display legitimate information—the recipient’s address and the correct amount—creating a false sense of security.
The moment the signers approved the transaction, the underlying logic of the contract was changed.
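An added example (not code from the original post or from Bybit) of the independent check that defeats a spoofed signing interface: instead of trusting what the web UI displays, the signer decodes the raw payload about to be signed and compares it with the displayed recipient and amount, also flagging fields the UI never showed. It assumes a Safe-style execTransaction(to, value, data, operation, ...) calldata layout; the post does not name the wallet software, so that layout, the selector constant and the sample addresses are assumptions and constructed values.

```python
SELECTOR = "6a761202"  # 4-byte selector of execTransaction(address,uint256,bytes,uint8,...)
CALL, DELEGATECALL = 0, 1

def _word(buf: bytes, i: int) -> int:
    return int.from_bytes(buf[32 * i:32 * (i + 1)], "big")  # ABI word i as an unsigned int

def decode_exec_transaction(calldata_hex: str) -> dict:
    """Pull to/value/operation/data out of a Safe-style execTransaction payload (assumed layout)."""
    raw = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if raw[:4].hex() != SELECTOR:
        raise ValueError("not an execTransaction call")
    args = raw[4:]
    data_off = _word(args, 2)  # word 2 holds the offset of the dynamic 'bytes data'
    data_len = _word(args, data_off // 32)
    return {
        "to": "0x" + args[12:32].hex(),  # address sits right-aligned in word 0
        "value": _word(args, 1),  # wei
        "operation": _word(args, 3),  # 0 = CALL, 1 = DELEGATECALL
        "data": args[data_off + 32:data_off + 32 + data_len].hex(),
    }

def verify_against_ui(calldata_hex: str, ui_to: str, ui_value: int) -> list[str]:
    """List every way the raw payload differs from the plain ETH transfer the UI claims to show."""
    tx = decode_exec_transaction(calldata_hex)
    findings = []
    if tx["to"].lower() != ui_to.lower():
        findings.append(f"recipient mismatch: UI shows {ui_to}, payload targets {tx['to']}")
    if tx["value"] != ui_value:
        findings.append(f"amount mismatch: UI shows {ui_value}, payload carries {tx['value']}")
    if tx["operation"] != CALL:
        findings.append("operation is DELEGATECALL: the target's code would run inside the wallet")
    if tx["data"]:
        findings.append("non-empty data: a plain ETH transfer carries no calldata")
    return findings

def encode_exec_transaction(to: str, value: int, data: bytes, operation: int) -> str:
    # Builds sample calldata for the checks above (gas/refund fields zeroed, no signatures).
    w = lambda n: n.to_bytes(32, "big")
    pad = lambda b: b + b"\x00" * (-len(b) % 32)
    head = w(int(to, 16)) + w(value) + w(320) + w(operation) + w(0) * 5 + w(352 + len(pad(data)))
    return "0x" + SELECTOR + (head + w(len(data)) + pad(data) + w(0)).hex()

# Constructed sample inputs: neither address is real, the amount mirrors the post's 400,000 ETH.
HOT_WALLET, OTHER_CONTRACT = "0x" + "11" * 20, "0x" + "22" * 20
AMOUNT = 400_000 * 10**18
HONEST = encode_exec_transaction(HOT_WALLET, AMOUNT, b"", CALL)
SPOOFED = encode_exec_transaction(OTHER_CONTRACT, AMOUNT, b"\x01\x02\x03", DELEGATECALL)

if __name__ == "__main__":
    print(verify_against_ui(HONEST, HOT_WALLET, AMOUNT))   # []
    print(verify_against_ui(SPOOFED, HOT_WALLET, AMOUNT))  # three findings
```

The UI claim is identical in both cases; only decoding the raw bytes reveals that the second payload targets a different contract, delegatecalls it, and carries data.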
After gaining control, the attackers divided the 400,000 ETH among dozens of addresses (reportedly around 53 wallets, to make tracking difficult).
A renowned on-chain researcher identified patterns and connections to previous attacks, linking the operation to the notorious Lazarus Group, which is tied to North Korea.
His research identified test transactions, connections to previous hacks, and more.
Among those involved is Park Jin, a high-level hacker associated with the Lazarus Group, who was responsible for previous attacks such as the one on Sony Pictures and the robbery of the Central Bank of Bangladesh.
The group has also previously hacked Axie Infinity and Atomic Wallet.
Due to the "fear" spread among users, Bybit recorded the largest volume of withdrawals in its history.
The "bank run" on Bitcoin reached levels higher than the period of the collapse of FTX.
More than 20 thousand BTC left the exchange over the weekend.
However, the exchange did not collapse like FTX (despite many speculating that it would).
The Bybit team acted quickly, reaching out to partners, securing loans covering 80% of the lost ETH reserves, and keeping withdrawals open.
In fact, they have just published a Proof-of-Reserves audited by Hacken, showing that 100% of ETH reserves have already been restored.
They also showed that all audited assets are more than 100% collateralized relative to user funds.
Please note that this is an on-chain PoR, not a "trust me" statement. The addresses containing the users' balances are already available in the document that was updated today.
If you are interested, you can check the addresses below. The document also includes the Bitcoin addresses.
Despite everything that happened, the truth is that Bybit gave a lesson in "crisis management", providing transparency to the sector and reporting everything that was happening.
Does this mean that everything is resolved?
No: much of the funds remains with the hackers, and Bybit now has a large debt to repay to its partners.
This indicates that they will still need to manage their credit lines to remain solvent in the long term.
Following the hack, the exchange saw more than US$8 billion in assets leave its platform due to the high volume of withdrawals.
Even so, it still holds more than US$12 billion in assets and its services remain 100% operational, which demonstrates resilience.
This episode not only shook confidence in the security of exchanges, but also exposed the growing sophistication of cybercriminals’ methods.
This shows that the industry still needs to raise its on-chain security standards and that investors must learn self-custody.