Cryptoemg

Bybit Hack Post Mortem: Everything You Need to Know After the $1.5 Billion Heist

cryptoemg

Contents
  • 1) Bybit Wasn’t Directly Compromised—Its Wallet Partner Was
  • 2) Bybit Hack Post-Mortem Identifies Safe Infrastructure as Exploit Point
  • 3) Lazarus Group Launders Funds Stolen from Bybit Hack
  • 4) Bybit ‘Back to 100%’ After Historic $1.5 Billion Hack
  • 5) Bybit Records $5.5 Billion in Outflows After Crypto’s Biggest Hack
  • 6) Great Reaction by Bybit
  • Will I Keep Trading on Bybit?
  • Final Thoughts

After the chaos of last Friday’s hack, the dust has finally settled. The $1.5 billion Bybit hack, allegedly orchestrated by North Korea’s Lazarus Group, sent shockwaves through the crypto community. However, as we now bring you the Bybit hack post-mortem, we can confirm that things are back to normal. We were right in the middle of it, with a lot of funds on Bybit.

We warned our community immediately on X when the news came out. Even though we support Bybit, our users are important to us and we have to prepare for a potential black swan even in this situation. Luckily, Bybit handled the situation like a true champ and no user funds were lost or ever at risk.

Here’s a breakdown of what happened, how Bybit handled it, and what we’ve learned from this historic breach.

1) Bybit Wasn’t Directly Compromised—Its Wallet Partner Was

When the attack first broke, it seemed like Bybit itself had been breached. However, upon closer investigation, it was revealed that Bybit wasn’t directly compromised. Instead, hackers exploited a vulnerability in Bybit’s wallet partner, Safe.

The Lazarus Group specifically targeted Safe’s AWS S3 bucket and injected malicious JavaScript into its user interface. This allowed the hackers to execute unauthorized transactions without triggering any security alarms. The modified Safe UI tricked Bybit’s signers into approving a seemingly legitimate transaction. In reality, the funds were redirected to the hackers.

This attack demonstrates the increasing sophistication of North Korean cybercriminals. Instead of attacking the exchange directly, they targeted the third-party wallet provider, exploiting a vulnerability in the wallet’s infrastructure.

2) Bybit Hack Post-Mortem Identifies Safe Infrastructure as Exploit Point

In Bybit’s detailed post-mortem analysis, it was confirmed that the Safe infrastructure was the point of failure. Safe, the developer of the wallet used by Bybit, was compromised due to a malicious script injected into its frontend. This script manipulated the user interface to deceive signers into approving the malicious transaction, which led to the theft of funds.

This revelation has sparked significant debate about the security of multisignature wallets and whether they are as secure as previously thought. The breach has led many in the crypto community to call for stronger verification processes and better protection against blind-signing vulnerabilities.
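Blind signing, as described above, means a signer approves whatever the web page renders rather than what the transaction bytes say. The following is an added example (not Bybit's or Safe's code, and not part of the original article) of an out-of-band check that decodes the raw calldata and compares it with an intent recorded outside the signing UI. It assumes the payload is a plain ERC-20 `transfer(address,uint256)` call, which the article does not specify, and all addresses and values are constructed.

```python
# Added example; assumes the payload is an ERC-20 transfer(address,uint256) call.
from dataclasses import dataclass

TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")  # selector of transfer(address,uint256)

@dataclass(frozen=True)
class Intent:
    """What the operator meant to send, recorded outside the signing UI."""
    token: str       # token contract the transaction should target
    recipient: str   # destination address
    amount: int      # amount in the token's smallest unit

def _norm(addr: str) -> str:
    return addr.lower().removeprefix("0x")

def decode_transfer(calldata_hex: str) -> tuple[str, int]:
    """Decode transfer() calldata; raise ValueError on any other shape."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) != 4 + 32 + 32:
        raise ValueError(f"unexpected calldata length {len(data)}")
    if data[:4] != TRANSFER_SELECTOR:
        raise ValueError(f"unexpected selector {data[:4].hex()}")
    if any(data[4:16]):  # an address word must be left-padded with zeros
        raise ValueError("non-zero padding in address word")
    return data[16:36].hex(), int.from_bytes(data[36:68], "big")

def check_before_signing(intent: Intent, to: str, value: int, calldata_hex: str) -> list[str]:
    """Return every mismatch between the raw transaction and the intent."""
    problems = []
    if _norm(to) != _norm(intent.token):
        problems.append("target contract differs from intended token")
    if value != 0:
        problems.append("token transfer carries native value")
    try:
        recipient, amount = decode_transfer(calldata_hex)
    except ValueError as exc:
        return problems + [f"calldata is not a plain transfer: {exc}"]
    if recipient != _norm(intent.recipient):
        problems.append(f"recipient is 0x{recipient}, not the intended address")
    if amount != intent.amount:
        problems.append(f"amount is {amount}, not {intent.amount}")
    return problems

# Constructed sample values (not real addresses or transactions).
TOKEN, TREASURY = "0x" + "11" * 20, "0x" + "22" * 20
GOOD = "0xa9059cbb" + "00" * 12 + "22" * 20 + f"{5_000_000:064x}"
SWAPPED = "0xa9059cbb" + "00" * 12 + "33" * 20 + f"{5_000_000:064x}"
INTENT = Intent(TOKEN, TREASURY, 5_000_000)
```

An empty list from `check_before_signing` means the bytes match the recorded intent; the check is only useful when it runs on a machine and code path separate from the signing UI.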

Safe responded by acknowledging that the breach was due to a compromised developer machine. However, many are questioning the adequacy of Safe’s security protocols, as some feel that the explanation lacks clarity and transparency. Binance’s co-founder, Changpeng “CZ” Zhao, expressed concerns over the vague language used in Safe’s report and demanded further clarification on the specifics of the attack.

CZ on Safe

3) Lazarus Group Launders Funds Stolen from Bybit Hack

The FBI has officially linked the $1.5 billion Bybit hack to North Korea’s state-sponsored Lazarus Group. Following the heist, on-chain data showed that the Lazarus Group quickly transferred over 45,900 ETH, worth approximately $113 million, in the first 24 hours alone. This was just the beginning of the laundering process.

As of now, more than 135,000 ETH, valued at around $335 million, has been laundered through various wallets controlled by Lazarus. Blockchain analytics firm Elliptic, along with Bybit, has traced the stolen funds to over 11,000 wallets linked to the Lazarus Group. The group is expected to fully launder the funds within 8-10 days.

The scale and speed of this operation highlight the group’s expertise in moving stolen crypto and obscuring its origins.

Bybit Offers 10% Bounty for Help Tracing Stolen Funds. Find out more here.

4) Bybit ‘Back to 100%’ After Historic $1.5 Billion Hack

Despite the shock of the attack, Bybit quickly reassured its users that they were back to normal. On February 24, Bybit announced that they had replenished their reserve to a 1:1 ratio within just 72 hours of the hack. The exchange conducted a full audit of its assets and confirmed that they held enough reserves to cover all customer assets.

Bybit’s CEO, Ben Zhou, was quick to address the community, expressing his gratitude for the support from industry peers and competitors. He stated that the exchange maintained a dynamic reserve ratio of over 1:1, reaffirming their commitment to customer protection.

Bybit also announced that they had restored all of their crypto holdings, including Bitcoin, Ethereum, and USDT, ensuring a strong financial position moving forward. Despite the initial panic and withdrawals, Bybit was able to maintain liquidity and restore user confidence.

Glassnode has a very detailed report on the outflows and ETH reserve and the market impact.

Bybit hack post mortem

5) Bybit Records $5.5 Billion in Outflows After Crypto’s Biggest Hack

In the aftermath of the hack, Bybit faced a record bank run, with over $5.5 billion in assets withdrawn from the platform. According to DeFiLlama, the exchange’s assets fell from $16.9 billion to $11.2 billion after the attack. A large portion of these outflows was attributed to users withdrawing Ether, as the hack targeted Bybit’s Ethereum cold wallet.

However, Bybit’s security team worked tirelessly to process withdrawals, and the company arranged a bridge loan to maintain liquidity. Despite the massive outflows, Bybit’s leadership remained calm, focused on ensuring customer safety, and working around the clock to mitigate the impact.

A significant part of the outflows also came from the decentralized custody service provided by Safe. Safe temporarily shut down smart wallet functionalities, causing additional withdrawal delays. Bybit’s security team developed manual verification tools to move stablecoins and continue fulfilling withdrawal requests, ensuring that users were not left in limbo.

6) Great Reaction by Bybit

Bybit’s response to the hack and the subsequent bank run has been widely praised. Despite facing the largest hack in history and an unprecedented level of withdrawals, Bybit handled the situation remarkably well. Here’s what stood out:

  • Clear Communication: Bybit’s communication throughout the crisis was exemplary. The CEO hosted live streams, provided updates via social media, and published public audit reports to maintain transparency.
  • Record Bankrun Management: Bybit processed all withdrawal requests within 10 hours, minimizing panic and restoring confidence in the platform.
  • Restoring Treasury: Bybit used bridge loans and a buyback strategy to replenish its reserves over the weekend, demonstrating financial strength and commitment to customer security.
  • Keeping Withdrawals Open: Despite the risk, Bybit chose to keep withdrawals open. Since the attack was limited to a cold wallet and not the exchange itself, Bybit felt confident enough to let users access their funds, helping to prevent further panic.
  • Spot liquidity improved: Interestingly, the spot liquidity on Bybit is even better than before the hack.

Will I Keep Trading on Bybit?

After this event, I feel more secure than ever about trading on Bybit. I’ve already deposited my funds back into the platform and am actively trading again. Given the way Bybit handled the situation, I’m confident that no other exchange could have managed the crisis as smoothly. Their proactive approach to communication, security, and customer support was truly impressive.

I’ll continue promoting Bybit and support their efforts to recover from this incident. They’ve proven that they can handle even the toughest situations, and I believe they will emerge stronger from this experience.

We have regular promotions with Bybit; you can find them over here.

Final Thoughts

The Bybit hack, which was the largest in crypto history, shook the industry. However, the aftermath of the hack shows that Bybit has the resilience, transparency, and security protocols needed to recover. The exchange’s handling of the situation is a testament to its commitment to customer protection and its ability to respond to unprecedented challenges.

For now, Bybit has weathered the storm, and things are back to normal. If anything, this incident serves as a reminder of the importance of robust security measures in the cryptocurrency space. And while the hack was a huge setback, it’s clear that Bybit is committed to ensuring that such an event does not happen again.

If you enjoyed this blog, check out our recent article about the Wyckoff pattern on Bitcoin.

If you trust Bybit like we do, might as well claim a bonus!


cryptoemg, February 28, 2025