How Did the $1 Billion Bybit Hack Happen?


Ben Zhou, CEO and co-founder of cryptocurrency exchange Bybit, gave a preliminary explanation in a broadcast on social network X of what “was the first hack in the history of Bybit and, unfortunately, one of the largest in the history of the industry.” Around 400,000 ether belonging to the exchange's users, equivalent to around 1 billion dollars, was stolen from Bybit.

  This is the first such attack on the Bybit exchange. Source: Etherscan.

Ben began his story by pointing out that the exchange was doing “a regular transfer.” The executive described that Bybit has a standard procedure for handling its funds. Every 2-3 weeks, depending on the balance in the hot wallet, Bybit transfers funds from the cold wallet to replenish it. This happens when the hot wallet reaches a “benchmark” (a limit or critical point) at which they consider it necessary to adjust, either for security, for diversification, or so that they have enough liquidity for daily asset management.

Bybit was hacked for over 400,000 ETH. Source: X.

The transaction the CEO mentioned was an “initial transaction of approximately 13,000 ETH” from the multisig cold wallet, provided by the Safe platform, that Bybit uses to store those ether funds. Multisig means that multiple people must approve (“sign”) a transaction before it is executed. In this case, there were multiple signers, and Ben himself was the last to sign the transaction.

Ben explains that he made the last signature from a Ledger hardware wallet, on which he saw a URL that looked legitimate and which, according to him, he verified as the official Safe URL on the Ledger screen. He then signed the transaction to send those ethers from the cold wallet to a warm wallet (a term he uses to refer to a wallet with hybrid cold and hot features) on the exchange.

However, Ben mentions one drawback during the process: the Ledger screen does not clearly display the destination address, but rather a block of code. He reviewed this code, but “not completely in detail.” While he does not clarify it, Ben could have trusted that the multisig process was secure and signed the transaction.

 

Half an hour after the Bybit CEO signed off, the exchange team received an emergency alert: the Ethereum wallet had been emptied of its ether funds. This implies that the attack occurred during or just after this transfer, and that the hackers managed to divert all the funds to a still unknown address.

Previously, in a first post on X, the CEO of the cryptocurrency exchange had stated that “the signing message was to change the smart contract logic of our ETH cold wallet.” The modification of the smart contract logic let the hacker divert the Bybit multi-signature transaction containing over 400 thousand ethers, without the signers noticing it in the wallet’s visual interface while they signed the request.
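The signer saw “a block of code” instead of a destination address, and the signed message changed the wallet's logic rather than moving 13,000 ETH. The following added example (not code from the article, Bybit, Safe or Ledger) shows a pre-signing check that compares a pending Safe transaction's fields against the transfer the signer intends. The `operation` field and its CALL/DELEGATECALL values come from Safe's transaction format and are not discussed in the article; the addresses, nonce and calldata are constructed.

```python
# Added example: pre-signing policy check for a Safe multisig transaction.
# Field names follow Safe's transaction format; all sample values are constructed.
from dataclasses import dataclass

WEI_PER_ETH = 10**18
CALL, DELEGATECALL = 0, 1  # values of Safe's "operation" field


@dataclass
class SafeTx:
    to: str         # destination address
    value: int      # amount in wei
    data: bytes     # calldata; empty for a plain ETH transfer
    operation: int  # CALL or DELEGATECALL
    nonce: int


def review_safe_tx(tx: SafeTx, expected_to: str, expected_wei: int) -> list[str]:
    """Return the reasons tx is NOT the plain ETH transfer the signer intends."""
    findings = []
    if tx.operation != CALL:
        findings.append("operation is not CALL: target code would run in the wallet's own context")
    if tx.to.lower() != expected_to.lower():
        findings.append(f"destination {tx.to} is not the expected wallet")
    if tx.value != expected_wei:
        findings.append(f"value {tx.value} wei differs from expected {expected_wei} wei")
    if tx.data:
        selector = tx.data[:4].hex()
        findings.append(f"calldata present (selector 0x{selector}): not a plain ETH transfer")
    return findings


# Constructed sample data (not taken from the incident).
WARM_WALLET = "0x" + "11" * 20
UNKNOWN_CONTRACT = "0x" + "22" * 20
EXPECTED_WEI = 13_000 * WEI_PER_ETH
intended = SafeTx(WARM_WALLET, EXPECTED_WEI, b"", CALL, 7)
unexpected = SafeTx(UNKNOWN_CONTRACT, 0,
                    bytes.fromhex("deadbeef") + b"\x00" * 64, DELEGATECALL, 7)

if __name__ == "__main__":
    for name, tx in (("intended", intended), ("unexpected", unexpected)):
        problems = review_safe_tx(tx, WARM_WALLET, EXPECTED_WEI)
        print(name, "-> OK to sign" if not problems else "-> DO NOT SIGN")
        for p in problems:
            print("   -", p)
```

Such a check is only useful when each signer runs it on a machine independent of the interface that built the transaction, using the same fields the hardware wallet is asked to sign.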

Ultimately, Ben Zhou, during the live broadcast, assured viewers that the exchange has enough assets in its treasury to return the money to investors “even if they fail to recover the stolen ether.” In addition, he said that they will request a loan, providing bitcoin (BTC) and stablecoin reserves as collateral, to access the necessary ether liquidity and thus return the assets to customers “very soon.”
