Bybit has suffered a devastating security breach, leading to the theft of $1.4 billion in ether from its cold wallet. The attack, allegedly carried out by North Korea’s Lazarus Group, triggered a wave of panic among users, resulting in over $5.5 billion in outflows.

According to DeFiLlama, Bybit’s total tracked assets plummeted from $16.9 billion to $11.2 billion. The exchange immediately took action to process withdrawals and secure funds while investigating the breach.

Hackers Drain 70% of Bybit’s Ether Holdings

The attackers reportedly stole 70% of Bybit’s ether reserves, forcing the exchange to arrange emergency loans to maintain liquidity. CEO Ben Zhou revealed that most users withdrew stablecoins rather than ether, creating additional financial strain.

Complicating matters, decentralised custody provider Safe temporarily shut down smart wallet functionalities to assess potential security risks. Bybit held $3 billion in USDT within Safe wallets, prompting its security team to manually verify and transfer funds to meet withdrawal demands.

Despite replenishing its stablecoin reserves, Bybit faced a “bank run” scenario, with nearly 50% of its total assets withdrawn from the platform.

Authorities and Blockchain Analysts Track Stolen Funds

Bybit has engaged law enforcement agencies, including Singaporean authorities and Interpol, to track the stolen assets. Blockchain analytics firm Chainalysis is also monitoring the movement of stolen ether in an attempt to recover the funds.

Zhou remains optimistic, stating that the stolen assets are still traceable. However, the process of recovery remains uncertain.

Ethereum Rollback Discussed but Unlikely

During an X Spaces discussion, Zhou revealed that some industry figures, including BitMEX co-founder Arthur Hayes, suggested rolling back the Ethereum blockchain to recover stolen funds.

Bybit has reached out to Ethereum co-founder Vitalik Buterin and the Ethereum Foundation to explore possible solutions. However, Zhou acknowledged that a rollback would require broad community consensus and could lead to a hard fork, making it an unlikely resolution.

Bybit Restores Ether Reserves, Market Confidence Returns

Following the attack, Bybit successfully restored a 1:1 backing of client assets by securing additional funds. On-chain data shows the exchange replenished 446,870 ETH (worth $1.23 billion) through a mix of loans, deposits, and purchases.

Of this, $400 million came from OTC trades, $300 million from exchanges, and $300 million through institutional loans. Despite initial market turbulence, Bybit confirmed that deposits had started to exceed withdrawals, signaling a return of user confidence.

Lazarus Group’s Growing Crypto Attacks

Investigators have linked the Bybit hack to Lazarus Group, a North Korean state-sponsored hacking organisation known for high-profile crypto thefts. The group has previously been responsible for:

• The $600 million Ronin Network hack (2022)
• A $230 million breach of Indian exchange WazirX (2024)

Experts believe the hackers manipulated Bybit’s user interface to alter smart contract logic, enabling them to siphon funds to unknown wallets before laundering them through decentralised exchanges.