Bybit Founder Raises Concerns That Multisig Wallet Provider Safe May Have Been Compromised, Allowing Hackers to Steal $1.4B in ETH

Speaking in a live stream, Zhou explained that the attack targeted Bybit's Ethereum cold wallet, but all other wallets, including its Bitcoin BTC/USD reserves

Cryptocurrency exchange Bybit has fallen victim to a large-scale attack, with hackers making off with a total of $1.4 billion in Ethereum. The attack was carried out by manipulating a multisig wallet transaction, ultimately leading to the theft of the funds from Bybit's Ethereum cold wallet.

According to Bybit founder and CEO Ben Zhou, the attackers were able to alter the signing message during the transaction process, ultimately allowing them to modify the smart contract logic of the cold wallet and gain control over its funds. The attack was carried out in a way that made it appear as a legitimate Safe transaction, with an altered URL that redirected users to the official Safe website.

“It was a normal URL. I double-checked. It was the Safe URL from the official Safe website. We always use the official website,” stated Zhou during a live stream.

As part of standard security measures, Zhou recounted how he personally verified the UI and ensured that the destination address matched Bybit's warm wallet before approving the transfer. However, the manipulation of the signing message went undetected during the approval process.

“The hacker changed that transaction into upgrading or changing the Safe smart contract logic so that he gained control over the entire Ethereum cold wallet,” explained Zhou.

The stolen funds were not limited to Bybit's own holdings, with a significant portion being borrowed from partners to maintain liquidity during the attack. The total amount stolen includes:

Bybit client funds: $340 million

Funds borrowed from Genesis: $290 million

Funds borrowed from BlockFi: $120 million

Funds borrowed from Five Star: $640 million

Despite the large-scale attack, Zhou assured users that withdrawals are still open, although processing times have increased due to a surge in requests. At one point, Bybit was handling nearly 100 times the normal withdrawal volume.

“Withdrawals are still open, but processing times may vary. At the peak, we were handling nearly 100x the normal withdrawal volume,” stated Zhou.

According to the Bybit founder, the exchange is currently relying on a bridge loan from partners to maintain liquidity while they work to resolve the issue.

“We are not currently buying ETH. We secured almost 80% of the stolen amount as a bridge loan to maintain liquidity,” confirmed Zhou.

suggesting that the stolen funds may still be recoverable. Following the attack, Safe has paused its services to conduct further internal investigations.

“It could be that the Safe server was hacked, but we don't know yet. We are actively working with Safe to uncover what happened,” stated Zhou.

In an effort to track and recover the stolen assets, Bybit has received support from several major cryptocurrency exchanges, including Binance, MEXC, and Gate. These exchanges have pledged to assist in monitoring and blocking the movement of the stolen funds.

Additionally, Zhou urged the involvement of security firms and blockchain analysts in hopes of freezing the stolen Ethereum before it could be laundered.

“We hope that security firms and blockchain analysts can help us track this stolen ETH and get it frozen before they can be laundered,” stated Zhou.

Bybit has confirmed that it possesses the financial reserves to cover client losses, with the stolen Ethereum constituting only a fraction of the exchange's total assets. The company also stated that they will continue updating users on the situation as the investigation progresses.

“We will continue enhancing our security measures and keeping you updated on the investigation,” stated Bybit.