On February 21, 2025, the cryptocurrency world was rocked by one of the largest thefts in its history. Bybit, a Dubai-based cryptocurrency exchange, confirmed that hackers had drained over $1.4 billion worth of Ethereum (ETH) from one of its cold wallets.
The breach, described by experts as unprecedented in scale, has thrust the spotlight onto the security infrastructure of centralized exchanges and raised questions about the safety of digital assets in an increasingly volatile landscape. At the heart of this incident lies Safe, a widely-used wallet provider, whose infrastructure may have played a role in the attack. Here’s what we know about the hack, its implications, and what it means for the future of crypto security.
The Attack: A Sophisticated Exploit
The hack occurred during what Bybit described as a routine transfer of funds from a cold wallet—designed to store assets offline for enhanced security—to a warm wallet used for daily operations. According to Bybit CEO Ben Zhou, the attackers executed a highly sophisticated assault that manipulated the transaction process. Zhou revealed that the signing interface, which appeared legitimate to Bybit’s team, was “masked” to conceal malicious smart contract logic. This deception allowed hackers to gain control of the wallet and siphon off approximately 401,000 ETH, valued at over $1.4 billion at the time.
The breach was first flagged by prominent crypto investigator ZachXBT, who observed suspicious outflows exceeding $1.46 billion from Bybit’s wallets. Subsequent blockchain analysis revealed that the stolen ETH was quickly dispersed across dozens of addresses, with some reports indicating the funds were split into batches of 10,000 ETH each. This rapid movement suggests a well-coordinated effort to obscure the trail, a tactic often employed by seasoned cybercriminals.
Bybit’s Response: Damage Control and Reassurance
In the wake of the hack, Bybit faced an immediate surge in withdrawal requests as panicked users sought to secure their funds. During a livestream addressing the incident, Zhou reported that the exchange had processed massive withdrawals—nearly 100 times the normal volume—yet maintained that its operations remained intact. “Bybit is one-to-one backed,” he assured customers, emphasizing that the exchange’s assets under management, exceeding $20 billion, were sufficient to cover the loss. Zhou also confirmed that bridge loans had been secured to replace 80% of the stolen ETH, ensuring liquidity for withdrawals.
Despite the scale of the theft, Bybit has insisted that only one cold wallet was compromised, with all other wallets remaining secure. The exchange has continued to process withdrawals, albeit with some delays due to heightened demand and compliance checks. To aid in recovery efforts, Bybit launched a “recovery bounty program,” offering up to 10% of retrieved funds—a potential payout of $140 million—to cybersecurity experts who assist in tracking down the stolen assets.
The Safe Connection
A forensic report by the security firm Verichains, dated February 24, 2025, outlines a clear timeline of the attack, which began days before the funds were stolen:
February 18, 2025: The attacker laid the groundwork by deploying two malicious smart contracts. At 15:39:11 UTC, the contract at 0x96221423681A6d52E184D440a8eFCEbB105C7242 was created, embedding logic for unauthorized transfers. Later, at 18:00:35 UTC, a second contract at 0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516 was deployed, featuring backdoor functions sweepETH and sweepERC20 to drain assets.
February 19, 2025: Malicious JavaScript files (_app-52c9031bfa03da47.js and 6514.b556851795a4cbaa.js) were injected into Safe’s frontend (app.safe.global), with timestamps of 15:29:43 GMT and 15:29:25 GMT, respectively. These files, cached in the Wayback Machine, contained code targeting Bybit’s cold wallet (0x1Db92e2EeBC8E0c075a02BeA49a2935BcD2dFCF4).
February 21, 2025, 14:13:35 UTC: The attack culminated when a multisig transaction, signed by three Bybit signers—including the CEO—upgraded the cold wallet’s logic on Safe to point to the malicious contract (0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516). The attacker then invoked the backdoor functions, transferring 401,347 ETH, 8,000 mETH, 90,375 stETH, and 15,000 cmETH to addresses like 0xd90071d52f20e85c89802e5dc1ec0a7b6475f92 and 0x0fa09c3a328792253f8dee7116848723b72a6d2e.
Verichains’ forensic analysis revealed that the attack hinged on compromised JavaScript files served through Safe’s frontend, likely due to a breach in its AWS S3 or CloudFront infrastructure. The malicious code was surgically designed to target Bybit’s cold wallet and signer addresses, activating only under specific conditions to evade detection by regular users.
The Malicious Payload
The investigation identified three key patches in the JavaScript files:
- Patch executeTransaction: This altered the executeTransaction call to redirect transactions to the attacker’s address (0x96221423681A6d52E184D440a8eFCEbB105C7242) when executed by targeted Safe addresses, including Bybit’s cold wallet. The original transaction data was cloned and restored post-execution to mask the tampering.
- Patch signTransaction: This modified the signTransaction call similarly, overriding transaction fields (e.g., recipient, operation, and data) to facilitate the attack. It included a page reload mechanism for signer address 0x828424517f9f04015db02169f402cd57b2b07229 (Bybit’s proposer wallet), possibly to disrupt legitimate proposals.
- Patch useGasLimit: This returned a hardcoded gas limit (218,207) for targeted transactions, ensuring the malicious operations had sufficient resources to execute.
The code checked for specific Safe and signer addresses—such as 0x1db92e2eebc8e0c075a02bea49a2935bcd2dfcf4 (Bybit’s cold wallet) and 0x828424517f9f04015db02169f402cd57b2b07229 (Bybit’s proposer)—before triggering. If conditions were met, it redirected funds via a delegate call (operation code 1) to the malicious contract, which then drained the wallet.
Evidence from Bybit’s signer machines showed the malicious JavaScript cached in Google Chrome, suggesting the attackers accessed Safe’s infrastructure days earlier. The files were replaced on Safe’s servers by February 19, 2025, and reverted roughly two minutes after the hack (14:15:32 GMT and 14:15:13 GMT), indicating a rapid cover-up. Verichains posits that Safe’s AWS credentials were likely leaked or compromised, enabling the injection.
Safe, which secures over $100 billion in assets across seven million smart accounts, was central to the attack. While its smart contracts remained intact, the compromised frontend exposed a glaring weakness. The Verichains report suggests the breach originated externally, not from Safe’s core systems, but the incident has fueled debate about the provider’s security for institutional clients. Safe took its primary interface offline post-hack, urging users to switch to alternatives, while denying frontend vulnerabilities—yet the evidence points to a supply chain attack via its hosting infrastructure.
Market and Industry Fallout
The hack rattled Ethereum’s market, dropping its price by nearly 4% to $2,641.41 on February 21, though it later stabilized. The stolen 401,347 ETH exceeds Vitalik Buterin’s holdings, posing a risk of market flooding if liquidated. For Bybit, the $1.4 billion loss is 8.6% of its pre-hack reserves ($16.2 billion), a recoverable but damaging blow. The incident echoes past heists like Ronin ($620 million) and surpasses them in scale; for comparison, Chainalysis put all crypto thefts in 2024 at $2.2 billion, a 20% rise from 2023.
Implications: A Call for Overhaul
The Bybit hack exposes the fragility of centralized exchanges and third-party infrastructure like Safe. Cold wallets, once deemed secure, proved vulnerable to frontend exploits, highlighting the need for:
- Enhanced Frontend Security: Rigorous audits and monitoring of hosting services (e.g., AWS S3, CloudFront) to prevent code injection.
- Multisig Safeguards: Stricter validation of transaction signings and UI integrity.
- Decentralized Alternatives: A push toward self-custody to reduce reliance on intermediaries.
As investigations continue, the $1.4 billion theft stands as a watershed moment, urging the crypto industry to rethink security in an era of escalating cyber threats.