Bybit has nearly fully restored its Ethereum (ETH) reserves following one of the largest cryptocurrency hacks in history.
The attack, which was linked to North Korea’s Lazarus Group, resulted in the theft of $1.46 billion in ETH and stETH from the exchange’s cold wallets. However, Bybit CEO Ben Zhou confirmed that the platform has now closed the ETH deficit through a combination of loans, whale deposits, and direct purchases.
According to on-chain analytics platform Lookonchain, Bybit has acquired 446,870 ETH, worth approximately $1.23 billion, bringing the exchange’s total replenishment to nearly 88% of the stolen funds. In addition, Bybit has assured users that a new proof-of-reserves report will be published soon, demonstrating that all client assets remain fully backed on a 1:1 basis.
Source: ByBitHow did the ByBit hack happened?
The breach was first detected on February 21, when blockchain investigator ZachXBT reported suspicious outflows from Bybit’s Ethereum cold wallet. The attackers exploited a vulnerability in the exchange’s multisignature security system, using a “masked” transaction that altered the smart contract logic whilst displaying a legitimate recipient address.
As a result, Bybit’s security team unknowingly approved a transaction that handed control of the funds to the attackers. The stolen assets were then transferred to unidentified addresses, with portions swapped for ETH, Bitcoin (BTC), and stablecoins across multiple decentralised exchanges.
Further investigation linked the attack to Lazarus Group, a North Korean cybercriminal organisation known for targeting cryptocurrency firms. Blockchain intelligence firms have also found on-chain connections between the Bybit hack and a recent exploit of the Phemex exchange, suggesting a broader, coordinated attack against multiple trading platforms.
Following the attack, Lazarus Group moved the stolen funds across various DEXs and privacy protocols, making asset recovery more difficult. The stolen ETH was split across multiple wallets, converted into Bitcoin, and further dispersed through privacy mixers and cross-chain bridges.
Blockchain intelligence firm Elliptic has tracked over $140 million of the stolen funds being converted into Bitcoin. Meanwhile, eXch mixer, a crypto mixing service, has refused to cooperate with Bybit’s efforts to trace the funds, complicating further recovery attempts. Despite this, Bybit has led a coordinated effort with major industry partners to freeze $42.89 million of stolen assets.
Source: Ben Zhou (X)What is the status of Bybit now?
In the aftermath of the hack, Bybit faced over $5.3 billion in withdrawals within a single day, significantly impacting the exchange’s liquidity. However, the company took swift action to replenish its reserves.
According to Lookonchain, Bybit purchased large quantities of ETH through over-the-counter (OTC) deals with major crypto investment firms Galaxy Digital, FalconX, and Wintermute, whale deposits from institutional investors and direct purchases from centralised and decentralised exchanges. A wallet linked to Bybit, identified as “0x2E45…1b77”, purchased 157,660 ETH for $437 million in OTC transactions, beginning on February 22. Another wallet, “0xd7CF…A995,” acquired 304,000 ETH, further contributing to closing the deficit.
Bybit has also secured $4 billion in liquidity support from external sources, including 63,168 ETH (~$170 million), $3.15 billion USDT, $173 million USDC, $525 million CUSD, and transfers from Binance, Bitget, and MEXC. As a result, Bybit has fully reopened all deposit and withdrawal services.
In an effort to recover the stolen assets, Bybit has launched a Recovery Bounty Program, offering up to 10% of recovered funds to cybersecurity experts and blockchain analysts who assist in asset retrieval. If the full amount is recovered, this could mean a bounty of up to $140 million.
The program invites ethical hackers, security researchers, and forensic analysts to contribute to the investigation. Interested participants can contact Bybit at [email protected].
