In light of the $1.5B hack, which drained the exchange’s Ethereum (ETH) cold wallet, Bybit claims it remains solvent. However, the exchange is working through a bank run, with a long queue of withdrawal claims.
Bybit is covering the damage of its recent $1.5B hack while working through a queue of thousands of withdrawal claims. The exchange is facing 100 times the usual volume of withdrawal claims; at one point the queue stood at 3,500-4,000 claims, which the entire team was processing.
‘We have no plans to cancel withdrawals at this stage’, said Ben Zhou in a live stream. Zhou stated up to 70% of claims were processed, but some users may have to wait a few hours. The exchange’s P2P services remain open. Network congestion may still cause delays in withdrawal claims.
Zhou estimated a loss of around 401,000 ETH, valued at around $1B. Zhou did not provide a full breakdown of the other wrapped assets needed to estimate the exact size of the hack.
To reassure all depositors, Zhou stated that Bybit will have ETH on hand to repay in kind. Bybit has reached out to its partners and has secured a bridge loan.
The exchange will not buy ETH on the open market, as this amount would be impossible to source immediately. Instead, Bybit has partnered with Binance, KuCoin, and all other major players to secure a line of credit and provide ETH for all claimants. According to Zhou, in the immediate aftermath of the attack, Bybit secured up to 80% of the potential ETH claims.
Following the hack, Ethereum’s chain went through a congestion episode, with gas fees rising five times from their recent lows. The congestion is further delaying some of the withdrawal claims. The Bybit team warned that seeking ETH right now may be difficult. ETH/USDT has fallen rapidly on Bybit, as traders may want to move to other assets that are easier to take off the exchange.
Bybit will also work with law enforcement and regulators to track down and recover as much of the funds as possible. If all else fails, Bybit has prepared to use its treasury as compensation.
The exact moment and technique by which the hacker compromised Bybit’s wallet remains uncertain. Zhou said he was the last signer of the transaction, checking the correct URL through Safe wallet. The exchange team also verified the destination address before sending it.
Then, Zhou connected a Ledger device, which did not display a clear destination address. After sending 30,000 ETH, the team did not notice anything amiss. However, 30 minutes later, the entire wallet was compromised and drained.
The Safe security team said they are investigating the breach to discover where the logic was changed and how the hacker could take over a multi-sig wallet.
Safe’s security team is working closely with @Bybit_Official on an ongoing investigation.
We have not found evidence that the official Safe frontend was compromised. However, out of caution, Safe{Wallet} is temporarily pausing certain functionalities.
User security is our top…
— Safe.eth (@safe) February 21, 2025
Zhou also suggested the hacker may have compromised the computers of all multi-sig wallet signers, or staged the entire transaction interface.
SlowMist already discovered the malicious smart contracts, which replaced the legitimate call for a transaction between two wallets. The Ethereum security service also did not clarify when the swap happened.
According to SlowMist, the hacker prepared the malicious contract on February 19. On the day of the attack, three of the Bybit multisig owners approved the connection to the malicious contract.
Here are some details of the exploit:
1) A malicious implementation contract was deployed at UTC 2025-02-19 7:15:23: https://t.co/IvWIcyghW0
2) At UTC 2025-02-21 14:13:35, the attacker used three owners to sign a transaction replacing the Safe’s implementation contract with… pic.twitter.com/MbaUOOw2L2
— SlowMist (@SlowMist_Team) February 21, 2025
The SlowMist investigation still did not pinpoint the exact moment of switching the code to the malicious functions, which directly called for draining the Ethereum cold wallet.
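One way an investigator can narrow down when a Safe's implementation was swapped is to bisect the proxy's stored implementation address across block heights. The sketch below is an added example, not code from SlowMist, Safe or Bybit. It assumes the Safe proxy keeps its implementation address in storage slot 0, uses a hypothetical `read_slot` callback standing in for an `eth_getStorageAt` query against an archive node, and runs on constructed addresses and block numbers.

```python
# Added example (not SlowMist's, Safe's or Bybit's code).
from typing import Callable, Optional, Tuple

# Assumption: a Safe proxy stores its implementation ("singleton") address in
# storage slot 0; this is the slot to pass to eth_getStorageAt in real use.
SINGLETON_SLOT = 0

def word_to_address(word_hex: str) -> str:
    """Return the address held in a 32-byte storage word (low 20 bytes)."""
    digits = word_hex[2:] if word_hex.startswith("0x") else word_hex
    raw = bytes.fromhex(digits).rjust(32, b"\x00")
    if len(raw) != 32:
        raise ValueError("storage word longer than 32 bytes")
    return "0x" + raw[12:].hex()

def first_changed_block(read_slot: Callable[[int], str], lo: int, hi: int,
                        expected: str) -> Optional[Tuple[int, str]]:
    """Find the first block in (lo, hi] whose implementation != expected.

    read_slot(block) is a hypothetical callback returning the slot-0 word at
    that block. Assumes the value was `expected` at lo and changed at most once.
    """
    expected = expected.lower()
    if word_to_address(read_slot(lo)) != expected:
        raise ValueError("implementation already differs at the start block")
    if word_to_address(read_slot(hi)) == expected:
        return None  # unchanged over the whole range
    while hi - lo > 1:  # invariant: expected at lo, changed at hi
        mid = (lo + hi) // 2
        if word_to_address(read_slot(mid)) == expected:
            lo = mid
        else:
            hi = mid
    return hi, word_to_address(read_slot(hi))

# Constructed sample data: placeholder addresses and block numbers, not on-chain values.
GOOD_IMPL = "0x" + "11" * 20
ROGUE_IMPL = "0x" + "22" * 20
SWAP_BLOCK = 1_000_137

def fake_read_slot(block: int) -> str:
    """Offline stand-in for an archive-node query of SINGLETON_SLOT."""
    impl = GOOD_IMPL if block < SWAP_BLOCK else ROGUE_IMPL
    return "0x" + "00" * 12 + impl[2:]

if __name__ == "__main__":
    print(first_changed_block(fake_read_slot, 1_000_000, 1_000_500, GOOD_IMPL))
```

The same comparison, run continuously against an allowlist of known implementation addresses, works as an alert that fires on the first block in which the stored address changes.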
The Bybit hack surpassed the previous single biggest crypto heist, in which $600M was taken from the Ronin bridge. This time, a single large-scale wallet held all funds in one spot, becoming vulnerable to draining.