Just after the cryptocurrency industry achieved a milestone victory in the Coinbase-SEC lawsuit on February 21, the Bybit crypto exchange experienced the largest security breach in crypto history. The Dubai-based cryptocurrency exchange — the second-largest in the industry by trading volume — lost approximately $1.5 billion in staked Ether (ETH) and other ERC-20 coins. The attack set a new record at more than twice the size of the $611 million Poly Network attack in 2021 and of the Ronin bridge exploit in 2022, which took at least $600 million. According to Tom Robinson, chief scientist and co-founder of blockchain analytics firm Elliptic, the breach may be more than the largest crypto heist ever: “It’s also potentially the largest single theft of any kind, ever.”
The plot soon deepened when on-chain analyst ZachXBT and Arkham Intelligence identified North Korea’s Lazarus Group as being behind the hack. The group is said to be tied to North Korea’s government and is believed to be responsible for some of the world’s largest cyber warfare and ransomware hacks.
Bybit assets fall by $5.3 billion in wake of hack
The breach was confirmed at 3:53 PM UTC on February 21 by Bybit co-founder and CEO Ben Zhou, who reported on X that a hacker had taken control of an ETH cold wallet and “transferred all ETH in the cold wallet” to an “unidentified address,” presumably controlled by the hacker. Zhou supplied a link to blockchain explorer Etherscan. Etherscan showed that 401,346.77 ETH was transferred from Bybit’s cold wallet to the exploiter’s wallet at 2:16 AM UTC on February 21. Zhou posted multiple times on X in an effort to answer the flood of questions. “Bybit Hot wallet, Warm wallet and all other cold wallets are fine. The only cold wallet that was hacked was the ETH cold wallet. ALL withdrawals are NORMAL,” he said. Indeed, Bybit has processed all withdrawals. At the time of writing, the value of Bybit’s total assets has fallen by over $5.3 billion, according to DefiLlama data — this figure includes the $1.4 billion in stolen assets.
“Bybit is solvent even if this hack loss is not recovered, all of the client’s assets are 1 to 1 backed — we can cover the loss,” Zhou stated in a later post on X. The CEO also said in an X livestream that Bybit had taken out bridge loans with partners and had secured about 80% of the funding needed to cover the losses. Meanwhile, ETH dropped 6.7% during the day, but by 1:00 AM UTC it had mostly recovered. It was only down 2% over the previous 24 hours, according to CoinGecko.
Industry reacts to Bybit hack: Scale is ‘staggering’
“Today’s hack is the biggest ever,” Maddie Kennedy, vice president of communications at Chainalysis, told Cointelegraph, and accounts for “more than half of the cumulative funds stolen last year.” Was this a new trend? “Trends on hacks are very outlier-driven,” she noted. It may be hard to tell at this point.
Not all were taken aback. “The scale of this incident is staggering, but not entirely surprising to those of us who have been tracking the evolving threat landscape,” Rob Behnke, co-founder and executive chairman at Halborn, a blockchain security firm, told Cointelegraph, adding: “We’ve seen the sophistication of attacks grow alongside the value locked in these platforms.” In this instance, the hacker manipulated Bybit’s Ethereum cold wallet “through a spoofed user interface and malicious smart contract alteration,” Behnke continued, in “the kind of advanced tactics we’ve been warning about.” He added: “While the sheer size sets a new benchmark, it aligns with the trend of attackers targeting high-value exchanges with increasingly creative exploits.”
Rising vulnerabilities?
“It’s the latest incident for an industry struggling with security concerns that present hurdles to mainstream adoption,” noted Morningstar, while Zhou himself characterized the attack as “part of a rising trend of sophisticated crypto hacks in early 2025, including the ZkLend breach on Starknet.” The breach “highlights both systemic challenges and unique circumstances,” added Behnke. “Crypto exchanges are prime targets because they custody enormous amounts of value, often in complex, multi-layered systems that can harbor unnoticed vulnerabilities.”
“Given the isolated nature of the signing hack, and how well capitalized Bybit is, I don’t expect there to be contagion,” Coinbase’s Conor Grogan wrote on X.
Throughout the day, Zhou appeared determined to be transparent about what had occurred, even posting detailed answers to questions like: “How did hackers gain control?” and “How does one prevent similar attacks?” “How to prevent?” asked Behnke rhetorically. Don’t “blindly sign a TX [transaction] request unless you check every single piece of data you’re signing, especially if it’s securing $1.5 billion of assets.” As for “being open,” the CEO really didn’t have much of a choice, Behnke told Cointelegraph. What else could he do? Still, he was “glad to see him hop into X spaces right away.” Better than going dark. All in all, there probably weren’t any winners Friday apart from the Lazarus Group, but some in the crypto community may agree with Aave’s Stani Kulechov, who posted: “Biggest winner is self custody.”