Cyber Incident Victim: Bybit
Date: Feb 2025
Location: Cocos (Keeling) Islands
Summary
Bybit experienced unauthorized access to an Ethereum cold wallet during a routine transfer. Attackers manipulated the transaction by altering the smart contract logic and masking the signing interface. This sophisticated attack resulted in the theft of over $1.4 billion worth of ETH and stETH. All other cold wallets and client funds remain secure, unaffected, and fully backed 1:1. Withdrawals are processing normally despite potential delays due to high volume, and the platform continues full operations while investigations with blockchain forensics experts proceed.
Description
On February 21, 2025, at approximately 12:30 PM UTC, Bybit detected unauthorized activity involving one of its Ethereum (ETH) Cold Wallets during a routine transfer process: a scheduled movement of ETH from the ETH Multisig Cold Wallet to the Hot Wallet. The transaction was manipulated by a sophisticated attack that altered the smart contract logic and masked the signing interface, which enabled the attacker to gain control of the ETH Cold Wallet. As a direct result, over 400,000 ETH and stETH, valued at more than $1.4 billion, were transferred to an unidentified external address. Bybit immediately confirmed that this was an isolated compromise affecting only the specific ETH Cold Wallet involved in the transfer. All other Bybit Cold Wallets, including those holding assets like BTC, remained secure and unaffected, and Bybit stated that client funds were unaffected and fully secured.

The financial impact of the incident was the confirmed theft of cryptocurrency assets exceeding $1.4 billion USD in value. Despite the scale of the loss, Bybit assured users that withdrawals were not halted, although processing delays occurred due to a surge in withdrawal requests following the incident announcement; 70% of pending withdrawal requests had already been processed at the time of the update. Bybit emphasized its strong financial position, stating Assets Under Management (AUM) exceeded $20 billion and reserves were 1:1 backed, meaning client assets remained fully secured. The company committed to using a bridge loan if necessary to ensure user fund availability.

In response, Bybit initiated an investigation focusing on the root cause, with particular attention given to a potential vulnerability in the user interface of the Safe.global platform that may have been exploited during the transaction process. The company also engaged leading blockchain forensic experts to trace the stolen funds. Bybit confirmed that all platform services, including trading products, cards, and P2P, remained fully operational throughout the incident response. Customer support channels were active to address user concerns while the investigation continued.
