On February 21, 2025, Bybit, a leading global centralized cryptoasset exchange (CEX) specializing in spot and derivatives trading, experienced a historic breach resulting in the theft of approximately $1.5B. This incident now stands as the largest recorded hack in both crypto and broader internet history, surpassing prior breaches in scale and complexity. The attack targeted Bybit’s Ethereum-based cold wallet infrastructure, exploiting vulnerabilities in multi-signature protocols and transaction verification processes. Immediate remediation efforts by the exchange and industry partners have since stabilized operations, though the event underscores systemic risks in cryptoasset custody.

Inside Bybit’s $1.5B Hack: What We Know So Far

The exploit occurred when a hacker manipulated a wallet signature, tricking Bybit’s system into approving a transaction that altered the smart contract logic of its ETH cold wallet. The attack was disguised or “musked” to appear legitimate, showing the correct address and a trusted URL to Bybit’s team. However, this action inadvertently granted full custodial privileges, enabling the transfer of 401.35K ETH, valued at around $1.4B, and associated liquid staking derivatives (e.g., stETH, cmETH, mETH) to the hacker’s wallet.

The Impact on the Broader Market and ETH

The hack sparked a sell-off driven by investor fears of broader market fallout on the day of the breach. ETH tumbled 8%, sliding from approximately $2.85K to $2.61K, while BTC dropped from just shy of $100K to $95K, and SOL briefly fell below $160. Despite the sharp reaction, the downturn proved short-lived, with all three assets rebounding to close the day within 5% of their opening levels. Although prices initially rebounded, the market faced renewed pressure this week due to the unwinding of several leveraged positions, heightened macroeconomic uncertainty following President Trump’s comments on imposing tariffs, and worsening market sentiment. To provide deeper insights, we will release a detailed report later this week analyzing the key drivers behind the current movements.

Figure 1: BTC, ETH, SOL Price Performance Throughout February 21

Source: 21Shares, Glassnode

Nevertheless, Bybit quickly assured users that all other cold wallets remained secure and that withdrawals were functioning as normal. However, as seen below, this didn’t stop many users from withdrawing their funds from the exchange, adding to a total amount of around $6B in withdrawals.

Figure 2: Bybit Assets under Management vs. Net Flows in February

Source: 21Shares, DeFiLlama

Concurrently, over $566M in crypto long and short positions were liquidated across exchanges on February 21 as investors sought to mitigate risk amidst heightened uncertainty.

Figure 3: Crypto Futures Market Liquidations: Longs & Shorts

Source: 21Shares, Coinglass

Following the initial market volatility, ETH experienced a temporary 3.36% rebound to $2.76K, driven by speculation that Bybit would initiate a large-scale ETH repurchase to address liquidity concerns. As it turned out, they engaged in repurchasing some ETH, while other industry participants supported their efforts by lending them some capital, as we’ll break down later in the report. That said, this upward movement coincided with aggressive accumulation by high-net-worth individuals following the exchange’s public disclosure of the breach, as seen below.

Figure 4: ETH Performance vs. Accumulation by Large Holders

Source: 21Shares Glassnode

Beyond the majors, Ethena’s USDe stablecoin was initially projected to be exposed to the Bybit breach due to $30M in derivative hedging exposure on the exchange, which posed a potential risk to its collateralization framework. However, Ethena’s reserves ($65M as of 24th of February 2025) exceeded this exposure, and its assets—held in off-exchange custody solutions such as Copper’s Clearloop —were insulated from direct losses. Through rapid mitigation, Ethena reduced its exposure to $10M within hours and fully eliminated it by February 22, ensuring USDe remained fully collateralized despite the breach. In fact, Ethena was able to honor the largest un-staking request in its history, worth $250M, without any delays or by causing a severe depeg for the stablecoin, as seen below:

Figure 5: Ethena’s USDe Price vs. Staking and Unstaking Net Flows

Source: Dune

All in all, despite the scale of the attack, Figure 6 shows that the stolen funds represent 7.50% of Bybit’s $20B in assets under management. With deep liquidity and diversified holdings across Bitcoin, stablecoins, and other assets, Bybit remains fully solvent and has already addressed the breach, ensuring continued operations without disruption to user funds.

Figure 6: Pre-Hack Breakdown of Bybit’s Assets under Management

Source: 21Shares, Arkham Intelligence

In addition, thanks to the transparency of blockchain technology, where every transaction can be traced, blockchain security experts quickly identified The Lazarus Group, a North Korean state-backed hacking organization, as the perpetrators behind the Bybit exploit. The group has a long history of executing some of the largest cyber heists in the digital asset space, allegedly using stolen funds to support North Korea’s weapons programs. Lazarus has been linked to several high-profile crypto breaches, including the $625M Ronin Bridge hack (2022). Their operations extend beyond crypto, with their fingerprints on major cyberattacks like the 2014 Sony Pictures hack and the 2016 Bangladesh Bank heist, where they attempted to steal nearly $1B via the SWIFT banking system.

Figure 7: Lazarus Group: Hacking Activity Over the Years

Source: 21Shares, Chainalysis

Where Do We Stand Today?

Bybit has already tracked and recovered approximately $50M in stolen crypto, monitoring real-time fund movements. The exchange is working closely with centralized platforms and stablecoin providers to identify, block, and freeze wallets associated with the hackers, significantly restricting their ability to launder the stolen assets. This rapid response highlights how blockchain’s inherent transparency can be a powerful tool in combating cybercrime.

Further, as of February 24, Bybit has fully replenished its Ethereum reserves with 446.87K ETH worth around $1.23B, independently verified by analytics firm Lookonchain. The reserve restoration was achieved through a combination of CEX purchases, strategic loans from institutional partners, and over-the-counter (OTC) transactions with high-net-worth entities, as illustrated below:

Figure 8: Detailed Breakdown of the Entities that Supported Bybit

Source: LookOnChain

From this perspective, the crypto industry showcased a rapid and unified effort to support Bybit, recognizing its critical role as the fifth-largest exchange in the derivatives market and seeking to avert a crisis akin to the FTX collapse. This assistance extended beyond entities providing capital—whether through unconditional loans or other means—to include a diverse range of service providers working collectively to mitigate the risk of contagion. These included:

Security and Forensic Assistance

1. ZachXBT & Arkham Intelligence: Identified Lazarus Group’s involvement through on-chain analysis of fund laundering patterns
2. Elliptic: Traced stolen funds to North Korean operatives and alerted exchanges to freeze $42.89M in assets.
3. Fireblocks: Conducted forensic analysis of the attack vector (proxy contract exploit).
4. Hacken: Audited Bybit’s proof-of-reserves post-recovery.
5. Chainflip: Monitored Lazarus’ ETH-to-BTC bridge attempts despite decentralized limitations.

Asset Freezes and Anti-Laundering Efforts

1. Tether: Froze $181K in stolen USDT linked to hacker addresses.
2. Mantle Network: Frozen hacker-controlled mETH derivatives to prevent further laundering.

Taking a Step Back…

As seen in Figure 9, Crypto exchange hacks are not new, and history has shown that the scale of these breaches can have lasting impacts. In 2014, Mt. Gox, which at the time handled over 70% of global Bitcoin transactions, suffered one of the most infamous hacks, losing 850K BTC. While worth approximately $450M then, at today’s price of $96K per Bitcoin, that loss would be valued at over $81B. Similarly, Bitfinex experienced a major breach in 2016, losing 119.76K BTC – an amount that was valued at $72M at the time, which would be worth over $11.5B today. These incidents highlight the significant risks of holding assets on centralized exchanges, as security vulnerabilities, insider threats, and external attacks have repeatedly led to catastrophic losses for users. Despite advancements in security practices, these risks persist, making it increasingly clear why institutional investors are turning to regulated investment vehicles like ETPs to gain exposure to digital assets.

Figure 9: Largest Crypto Hacks

Source: 21Shares, Investopedia

Exchange-Traded Products (ETPs): The Secure, Regulated Path to Crypto Exposure

There remain multiple ways to get crypto exposure today, each with its trade-offs, as outlined in Figure 10. Nevertheless, the Bybit hack is another reminder of a fundamental challenge: how to store assets securely without sacrificing accessibility.

Figure 10: Ways to Invest in Cryptoassets

Source: 21Shares

While CEXs may provide instant settlement and greater asset coverage, they expose users to counterparty risk—where a single failure can lead to catastrophic losses. Self-custody, while offering users full control, demands technical expertise to mitigate risks like hacks, mismanagement of keys, and smart contract vulnerabilities. Against this backdrop, ETPs emerge as a solution when it comes to mitigating risk.

Figure 11: How Cryptoassets are Custodied

Source: 21Shares

In the wake of the Bybit hack, and until institutional and mainstream investors are ready to transition to self-custody—a shift that will likely take time—ETPs offer a practical alternative. As seen in Figure 10, ETPs offer a range of benefits, making them an increasingly attractive option for transparent and regulated crypto exposure.

• Regulated Oversight: ETPs are regulated financial instruments that are overseen by financial authorities. This ensures full transparency in asset holdings, security measures, and operational practices, removing risk of fund mismanagement as seen with FTX.

• Institutional-Grade Custody: Assets are held with specialized custodians, largely inaccessible to individual investors, focused solely on digital asset security.

• Multi-Custodian Model: Assets are distributed across multiple custodians, reducing the risk of any single point of failure.

• Ringfenced Assets: Assets are ring-fenced from the issuer, ensuring full protection—even in the event of insolvency.

What To Expect Moving Forward?

The potential liquidation of the stolen ETH by the Lazarus Group could exert significant forced selling pressure on the assets in the short to medium term, especially if large sell-offs occur during periods of low market liquidity. This incident may also accelerate the ongoing migration toward non-custodial infrastructure, mirroring the trend that followed the collapse of FTX, as users increasingly prioritize self-custody overreliance on CEXs, as depicted in Figure 11. Regulatory scrutiny is expected to intensify, particularly targeting mixer services like eXch, which have been exploited for laundering funds. As regulations take shape, centralized exchanges may be required to implement insurance funds similar to protections offered by traditional stock exchanges.

Figure 12: Decentralized to Centralized Exchange Spot Volumes

Source: 21Shares, TheBlock

Much like Mt. Gox collapse in 2014 spurred advancements in exchange security; this hack could serve as a catalyst to strengthen crypto’s infrastructure through standardized custody audits and real-time treasury management systems. The breach also exposed vulnerabilities in multi-signature wallet security, previously considered robust, prompting an industry-wide reassessment of custody solutions and potentially accelerating the adoption of more advanced technologies like multi-party computation (MPC). Smaller exchanges may also struggle to retain user trust in this heightened security environment, likely leading to further consolidation within the industry as users gravitate toward larger platforms with proven safeguards.

The market’s reaction earlier this week suggests a heightened awareness of the persistent risks associated with crypto exposure following the recent hack, prompting some participants to potentially de-risk their positions. As noted, we will provide a more detailed report analyzing the market’s recent behavior in the coming days.

What’s happening this week?

• Thursday, February 27: The main event of ETHDenver starts – it’s a longstanding community-led annual conference that brings Ethereum developers together. Announcements often excite investors.

• Friday, February 28: The monthly reading of the Core PCE Price Index, the Fed’s favorite gauge of inflation. As a macro asset, some Bitcoin investors are usually influenced by inflation data in their investment decisions.

Research Newsletter

Each week the 21Shares Research team will publish our data-driven insights into the crypto asset world through this newsletter. Please direct any comments, questions, and words of feedback to research@21shares.com

Disclaimer

The information provided does not constitute a prospectus or other offering material and does not contain or constitute an offer to sell or a solicitation of any offer to buy securities in any jurisdiction. Some of the information published herein may contain forward-looking statements. Readers are cautioned that any such forward-looking statements are not guarantees of future performance and involve risks and uncertainties and that actual results may differ materially from those in the forward-looking statements as a result of various factors. The information contained herein may not be considered as economic, legal, tax or other advice and users are cautioned to base investment decisions or other decisions solely on the content hereof.