Bybit reports $1.5B hack to the authorities, working to block stolen ETH sales

Bybit has officially reported the $1.5 billion hack to authorities, launching an aggressive effort to track and block the 401,000 ETH stolen from its cold wallet. The exchange confirmed that law enforcement is involved, and forensic teams are working to demix hacker addresses to limit how the funds can be sold.

Bybit announced the development on X, saying:

“We have reported the case to the appropriate authorities and we will send an update as soon as we have any further information. We have fortunately worked quickly and extensively with on-chain analytics providers to identify and demix the implicated addresses. These actions will mitigate and counter the ability of bad actors in disposing and dumping the ETH on the markets via legitimate marketplace narrowing the available outlets of disposal.”

CEO responds as Bybit fights to control the fallout

Bybit‘s CEO, Ben Zhou, responded within 30 minutes of the first reports of the hack. He confirmed that the 401,000 ETH had been drained from Bybit’s cold wallet but assured users that the exchange remained fully operational.

Zhou followed up with a livestream on X and YouTube, where he answered questions in real time. “We are handling withdrawals as usual,” he told users. “Retail withdrawals are being prioritized, and we are processing thousands of requests per hour.” Bybit‘s transparency helped keep panic under control, with Zhou assuring traders that Bybit’s reserves were 1:1 backed and that no funds were frozen.

The hack targeted Bybit‘s Gnosis Safe multisig wallets, which Zhou admitted was the point of failure. Bybit has since revoked compromised access, but the damage was already done. The hacker, later linked to North Korea’s Lazarus Group, executed the attack through exploited multisig processes.

Bybit confirmed that 4,000 withdrawals were pending immediately after the breach, but Zhou said the exchange secured a bridge loan to maintain smooth operations. “We are processing every withdrawal request as fast as possible,” he said. “The attack was significant, but it does not impact Bybits financial health.”

Bybit didnt just report the hack—it took the fight straight to the hackers. Zhou made it clear that selling the stolen ETH would be extremely difficult, as Bybit had already flagged and blacklisted the wallets involved.

On-chain analyst ZachXBT was the first to link the Bybit exploit to Lazarus Group, the North Korean hacking unit known for previous high-profile attacks. ZachXBT confirmed that Bybits case matched patterns seen in past Phemex and Atomic Wallet hacks.

Bybit also turned to its partners, exchanges, and market makers like Binance and Bitget to prevent the stolen ETH from moving, so they‘ve now blacklisted the wallets. Unlike when FTX needed help during its 2022 collapse, where crypto exchange distanced themselves, Bybit’s industry connections rallied around the exchange.

Bybit took a direct approach with Lazarus , knowing they were likely watching the livestream, and Zhou repeatedly told them that moving the funds would be impossible and urged them to negotiate.

Bybit then told its users that: “We want to assure our users and partners that all other Bybit cold wallets remain fully secure. All client funds are safe, and our operations continue as usual without any disruption. Transparency and security remain our top priorities, and we will provide updates asap.”