Bybit confirmed that its multi-sig cold wallet was breached, just hours after the crypto exchange increased access to liquidation data for transparency. Bybit CEO Ben Zhou stated that hackers infiltrated the exchange’s ( ETH ) multi-signature cold wallet, draining nearly $1.5 billion in crypto. The breach was first flagged by renowned on-chain sleuth ZachXBT, who alerted the public to suspicious withdrawals from Bybit. Companies use multi-signature wallets to mitigate single points of failure, as multiple parties must approve a transaction. If one signer is compromised, the others can refuse to authorize fund transfers. However, in this case, the hackers managed to deceive all signers. According to Zhou, the attackers masked a transaction to mislead the wallet’s signers. While the team believed they were approving a legitimate address, they were unknowingly authorizing changes to the smart contract managing Bybit’s ETH cold wallet. You might also like: Bybit opens liquidation data for traders and analysts via API This allowed the hackers to withdraw all Ether and Ether derivatives from Bybit’s wallet to an unknown address. The perpetrators then began swapping the stolen funds for Ethereum tokens on decentralized exchanges, ZachXBT reported. ZachXBT also noted that the hackers split the stolen assets across multiple addresses to evade tracking. The blockchain investigator published a list of these addresses on his official Telegram channel , urging exchanges to blacklist them. Meanwhile, Zhou assured users that the breach was isolated to Bybit’s Ethereum cold wallet. “Please rest assured that all other cold wallets are secure. All withdrawals are NORMAL,” Zhou added. The attack on Feb. 21 may be the largest-ever exploit against a single crypto exchange. At $1.46 billion, the amount stolen accounts for more than 50% of the total crypto value siphoned in 2024. Bybit ETH multisig cold wallet just made a transfer to our warm wallet about 1 hr ago. It appears that this specific transaction was musked, all the signers saw the musked UI which showed the correct address and the URL was from @safe . However the signing message was to change… — Ben Zhou (@benbybit) February 21, 2025 This is a developing story. Read more: Litecoin daily transactions ballooned by ETF buzz
