Crypto Firm Offers Up to $140M Bounty for Recovery of Hacked Funds

Hacked crypto exchange Bybit replenished the $1.4 billion in Ether stolen days ago, CEO Ben Zhou said Monday.
A new proof-of-reserves audit will confirm that client assets are back to a 1:1 ratio using a Merkle Tree verification system, Zhou tweeted.
Blockchain analytics firm Lookonchain estimates that Bybit obtained approximately 446,870 Ether, valued at $1.23 billion, through a mix of loans, whale deposits and direct purchases. This amount covers nearly 88% of the funds stolen in the hack attributed to the North Korean Lazarus Group. “In a single day, North Korea’s hackers nearly doubled the amount they stole in 2024,” said TRM Labs.
Lookonchain traced 157,660 Ether, or $437.8 million, purchased by a Bybit-linked wallet from crypto investment firms Galaxy Digital, FalconX and Wintermute through over-the-counter deals. Another wallet acquired about $304 million worth of Ether across centralized and decentralized exchanges.
The $1.4 billion theft is the largest cryptocurrency hack to date, amounting to 60% of all stolen digital assets last year. The Dubai-based crypto platform experienced a surge in customer withdrawals following the breach, which peaked at $5.3 billion on Saturday. Proof-of-reserves auditor Hacken said that Bybit’s holdings still exceed its liabilities, ensuring that user funds remain fully backed.
The Bybit hack “marks a new phase in attack methods featuring advanced techniques for manipulating user interfaces,” Check Point said in a blog post. Rather than just targeting protocol flaws, the attackers used clever social engineering to trick users, which led to the compromise of a major institutional multisig setup, it said.
The hackers exploited a vulnerability in the Gnosis Safe multisig system. Instead of on-chain voting, Gnosis Safe relies on externally generated signatures, making it vulnerable to UI manipulation, malware and unauthorized signatures. The attacker targeted multisig signers, likely using phishing, malware or a supply-chain compromise to gain access to their devices. Victims unknowingly interacted with a fake UI that mimicked the trusted provider, approving a transaction that gave control of the cold wallet to the attacker. Using stolen keys, the attacker executed a delegate call to a malicious contract, modifying the contract’s behavior and rerouting funds to their own address. This bypassed multisig protections without directly exploiting smart contract vulnerabilities, Check Point researchers said.
This attack proves that multisigs aren’t foolproof if signers can be compromised, cold wallets aren’t inherently secure if attackers manipulate what users see, and supply-chain and UI manipulation attacks are becoming more advanced, researchers said. To prevent future breaches, they advised the industry to adopt end-to-end transaction validation, since trust in human decisions alone is no longer enough.
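As an added illustration of the end-to-end transaction validation the researchers recommend (this is not code from Check Point, Bybit or Safe), the following check compares what a signer was shown against the payload actually presented for signature and rejects delegate calls to unapproved targets. It assumes the signer can obtain both views independently, for example by decoding the payload on a separate device; the `SafeTx` class, the function name, the allowlists and the sample values are hypothetical.

```python
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1  # values of the Safe transaction "operation" field


@dataclass(frozen=True)
class SafeTx:
    to: str
    value: int
    data: bytes
    operation: int
    nonce: int

    def fields(self):
        # Addresses are compared case-insensitively (checksum casing is ignored).
        return {"to": self.to.lower(), "value": self.value, "data": self.data,
                "operation": self.operation, "nonce": self.nonce}


def validate_before_signing(displayed, payload, allowed_targets, delegatecall_targets=()):
    """Return a list of findings; an empty list means the payload may be signed."""
    shown, actual = displayed.fields(), payload.fields()
    # 1. Every field the UI displayed must equal the field that will be signed.
    findings = [f"mismatch:{k}" for k in shown if shown[k] != actual[k]]
    allowed = {a.lower() for a in allowed_targets}
    delegates = {a.lower() for a in delegatecall_targets}
    # 2. A delegate call runs the target's code with the wallet's own storage,
    #    so it is refused unless the target is explicitly approved for it.
    if actual["operation"] not in (CALL, DELEGATECALL):
        findings.append("unknown-operation")
    elif actual["operation"] == DELEGATECALL and actual["to"] not in delegates:
        findings.append("delegatecall-to-unapproved-target")
    # 3. The destination itself must be on the operator's allowlist.
    if actual["to"] not in allowed:
        findings.append("target-not-allowlisted")
    return findings


# Constructed sample values (not real addresses or calldata).
WARM_WALLET = "0x" + "aa" * 20
UNKNOWN_CONTRACT = "0x" + "bb" * 20
DISPLAYED = SafeTx(WARM_WALLET, 10**18, b"", CALL, 7)
PAYLOAD = SafeTx(UNKNOWN_CONTRACT, 0, b"\x12\x34\x56\x78" + bytes(64), DELEGATECALL, 7)

if __name__ == "__main__":
    for finding in validate_before_signing(DISPLAYED, PAYLOAD, [WARM_WALLET]):
        print(finding)
```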
The hackers will likely use mixers to obscure their transaction trail, but the size of this theft may make the process more challenging, said blockchain security firm Elliptic. Lazarus Group follows a predictable laundering pattern, beginning with swapping stolen tokens for a native asset like Ethereum. The hackers are now in the “layering” phase, a process designed to conceal stolen funds. This includes moving assets through multiple wallets, transferring funds between blockchains using cross-chain bridges, swapping assets on decentralized exchanges and employing mixers like Tornado Cash.
The stolen funds were split into 50 wallets within two hours of the attack, each holding about 10,000 ETH. At least 10% of the assets have already been moved, said Elliptic. One unnamed service has allegedly facilitated the laundering process, despite Bybit’s direct requests to block transactions. eXch, a crypto exchange known for anonymous swaps, has been accused of processing tens of millions in stolen Bybit funds – an allegation the exchange denies, while admitting to processing an “insignificant portion of funds.”
Lazarus laundered over $200 million between 2020 and 2023, primarily using mixers and peer-to-peer platforms, but Chainalysis has reported a shift toward cross-chain bridges, as criminals refine their laundering methods.
Bybit has asked “the brightest minds in cybersecurity and crypto analytics” for help in recovering the hacked funds, offering a reward of 10% of the amount recovered. This could total $140 million if the entire hacked amount is retrieved.
DefiLlama shows that Bybit held $10.9 billion in total assets at the time of writing this report. The attack initially triggered a sharp decline in Ether’s price, which fell from $2,831 to $2,629, a 7% drop in seven hours. CoinGecko data shows Ether has since rebounded.