Key Takeaways
- Bybit lost $1.4 billion due to a phishing attack impacting a cold wallet.
- The attack involved mETH and stETH tokens swapped for ETH through a sophisticated scheme.
Crypto exchange Bybit has confirmed a major loss of Ethereum (ETH) from one of its cold wallets, estimated to be over $1.4 billion, due to a highly sophisticated phishing attack.
The incident came to light after on-chain analyst ZachXBT flagged suspicious outflows from Bybit wallets, totaling $1.46 billion at 10:20 AM ET. The investigator also shared a blockchain address associated with the outflows. The size of the outflows prompted speculation about a potential security breach or hack. Bybit did not release an official statement at the time.
ZachXBT also pointed out that the suspicious funds were being swapped for ETH on decentralized exchanges. He later learned from sources that it was a security incident.
Less than 30 minutes after the alert, Bybit CEO Ben Zhou confirmed the exploit. In a statement issued after the incident surfaced, he said that attackers employed a technique likely involving a “musked” transaction.
Bybit ETH multisig cold wallet just made a transfer to our warm wallet about 1 hr ago. It appears that this specific transaction was musked, all the signers saw the musked UI which showed the correct address and the URL was from @safe . However the signing message was to change…
— Ben Zhou (@benbybit) February 21, 2025
This involved deceiving Bybit’s team into authorizing a malicious transaction by displaying a legitimate-looking user interface. The UI showed the correct address and URL from Safe, a widely used wallet management platform, making the transaction appear authentic.
However, the actual transaction signed by the Bybit team contained malicious code that altered the smart contract logic of the targeted cold wallet. This effectively granted the attackers control, allowing them to drain the wallet of its ETH holdings.
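The gap described above, between the transfer the interface displays and the payload that is actually signed, is what an independent pre-signing check is meant to catch. The following is an added example, not code from Bybit or Safe: it assumes Safe-style transaction fields (`to`, `value`, `data`, `operation`), and the `review` function, allowlist, intent record and addresses are constructed for illustration.

```python
# Added example (not Bybit's or Safe's code). Field names follow Safe's
# transaction format; addresses, allowlist and payloads are constructed.
CALL, DELEGATECALL = 0, 1          # Safe "operation" values
ERC20_TRANSFER = "a9059cbb"        # selector of transfer(address,uint256)

def decode_erc20_transfer(data_hex):
    """Return (recipient, amount) for transfer(address,uint256) calldata, else None."""
    d = data_hex.lower()
    d = d[2:] if d.startswith("0x") else d
    if len(d) != 8 + 128 or d[:8] != ERC20_TRANSFER or d[8:32] != "0" * 24:
        return None
    return "0x" + d[32:72], int(d[72:136], 16)

def review(intent, tx, allowed_targets):
    """List every way the raw payload differs from what the signer intends."""
    findings = []
    to = tx["to"].lower()
    if tx["operation"] != CALL:
        # A delegatecall runs the target's code against the wallet's own storage,
        # so it can change the wallet's logic instead of moving a stated amount.
        findings.append("operation is not a plain call")
    if to not in allowed_targets:
        findings.append("target %s is not allowlisted" % to)
    if tx["data"] in ("", "0x"):
        dest, amount = to, tx["value"]              # native ETH transfer
    else:
        decoded = decode_erc20_transfer(tx["data"])
        if decoded is None:
            findings.append("calldata is not a simple token transfer")
            return findings
        dest, amount = decoded
    if dest != intent["destination"].lower():
        findings.append("destination differs from the displayed one")
    if amount != intent["amount"]:
        findings.append("amount differs from the displayed one")
    return findings

# Constructed sample data: what the signer sees versus two candidate payloads.
WARM, TOKEN, UNKNOWN = ("0x" + b * 20 for b in ("11", "22", "33"))
ALLOWED = {WARM, TOKEN}
INTENT = {"destination": WARM, "amount": 10**18}
EXPECTED_TX = {"to": WARM, "value": 10**18, "data": "0x", "operation": CALL}
MASKED_TX = {"to": UNKNOWN, "value": 0, "data": "0xdeadbeef", "operation": DELEGATECALL}

if __name__ == "__main__":
    for name, tx in (("expected", EXPECTED_TX), ("masked", MASKED_TX)):
        print(name, review(INTENT, tx, ALLOWED) or "matches intent")
```

The check is only useful if it runs on a device and code path separate from the signing interface, so that a compromised display cannot also alter the comparison.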
Bybit emphasized that only one cold wallet was compromised and that all other cold wallets remain secure. The exchange also reassured users that withdrawals are proceeding normally, indicating that the stolen funds represent a portion of its overall reserves.
This is a developing story.