Bybit Burglarized For a Billion
By: Tanay Ved, Victor Ramirez
Key Takeaways:
Bybit, a prominent crypto exchange, fell victim to the largest hack in crypto history, draining $1.5B in ETH from its cold wallet.
While hackers remain in possession of stolen assets, dispersing 401,346 ETH across multiple accounts, Bybit has replenished $1.2B of its deficit, bringing ETH reserves to 380,000 ETH.
The market fallout was largely contained, resulting in relatively small and brief price dislocations compared to previous incidents.
Introduction
Over the past 300 issues of State of the Network, we’ve seen many headlines shift, narratives evolve, new projects emerge and fade, and numerous consequential events that shook the crypto industry. Since our founding, Coin Metrics has operated under OPEN values: Open, Pioneering, Elucidating, Neutral. We write State of the Network with a purpose that reflects our values: to elucidate the complex world of public blockchains, to be a pioneer in the frontier of crypto markets, and to remain editorially neutral to maintain the integrity of our research. Our aim is to make SOTN a consistent source of unbiased, timeless and timely data-driven insights that help observers, investors and clients navigate crypto markets and on-chain activity to make informed decisions.
In a cruel twist of irony, as we were mulling what issue #300 would be about and reflecting on the timeless subjects throughout crypto’s history, we experienced an oft-repeated crisis in the industry: the Bybit exchange fell victim to what is now the largest exchange hack in history. For this special 300th issue, we’ll turn our attention to the Bybit exchange hack, using on-chain data to analyze exchange reserves and fund flows and to contextualize its market impact.
How the Bybit Hack Unfolded
In a shocking turn of events, Bybit, one of the largest crypto exchanges, was hacked for approximately $1.5B in ETH. This incident ranks among the largest crypto hacks of all time, eclipsing even the infamous Mt. Gox collapse and FTX implosion. While broader contagion has been contained, examining the series of events and its on-chain footprints can provide valuable context on the hack and its market impact.
While notable hacks of the past (which we examined back in SOTN #35) stem from a range of security vulnerabilities, Bybit’s attack occurred during a routine transfer of ETH from the platform's multi-signature cold wallet to a hot wallet, amid standard operational procedures for centralized exchanges managing user funds (for a deeper dive into exchange operations and wallet types, see SOTN #184). Shortly after, Bybit CEO Ben Zhou confirmed the hack and appeared on a livestream to reassure users of the exchange’s financial stability and its ability to meet withdrawal requests.
The attack targeted signers of the Bybit cold wallet by “masking” the user interface of a Safe wallet (the wallet provider used by Bybit) and altering the underlying smart contract code. This tricked signers into approving a malicious transaction, granting attackers full access to Bybit’s Ethereum cold wallet.
Source: Coin Metrics ATLAS & Address Tagging
By 2:16 pm UTC, shortly after the attacker's account was created, the hacker had gained control of 401,346 ETH (valued at $1.1B), draining the Bybit cold wallet of its funds. The entity’s stolen assets also reportedly include Ethereum staking derivatives like stETH, bringing the total to $1.5B.
While exchanges like Bybit operate off-chain as centralized entities, on-chain data lets you track exchange wallets, counterparties and fund movements in real time. Coin Metrics tags the often complex operational structure of exchange wallets, allowing us to follow the movement of funds from the exchange to the hacker’s wallet and beyond.
Source: Coin Metrics ATLAS & Address Tagging
As seen in the diagram above, 401,347 ETH flowed into the hacker’s account (0x47…) from Bybit’s cold wallet (0x1d…), after which funds were distributed across 40+ accounts with multiple debits of 10,000 ETH each. While the perpetrator still remains in control of the assets, a portion of the funds is being moved to decentralized exchanges (DEXs) and bridged to other networks like Solana to swap into native assets that cannot be frozen in the absence of a central authority.
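The fund-flow tracing described above can be sketched as taint propagation over transfer records. This is an added example, not Coin Metrics' tooling or code from the original article: the address labels, exit tags and follow-on transfers are constructed, and the "tainted funds are spent first" rule is an assumed heuristic.

```python
from collections import defaultdict

# Constructed sample data: labels stand in for real addresses, and the
# amounts only mirror the figures quoted in the article.
COLD, ATTACKER = "exchange_cold_wallet", "attacker_account"
EXITS = {"dex_router": "DEX", "bridge_contract": "bridge"}  # hypothetical tags

def build_sample_transfers():
    """Return (timestamp, sender, receiver, eth) tuples."""
    transfers = [(1, COLD, ATTACKER, 401_346)]
    # 40 debits of 10,000 ETH each to fresh accounts
    transfers += [(2 + i, ATTACKER, f"hop_{i:02d}", 10_000) for i in range(40)]
    transfers += [
        (50, "hop_00", "dex_router", 4_000),
        (51, "hop_01", "bridge_contract", 10_000),
        (52, "unrelated_user", "dex_router", 250),  # clean funds, must be ignored
        (53, "hop_02", "hop_02_b", 10_000),         # a further hop
        (54, "hop_02_b", "dex_router", 2_500),
    ]
    return transfers

def trace(transfers, source):
    """Propagate taint from `source` through transfers in time order.

    Heuristic (an assumption): tainted funds are spent first, so a transfer
    forwards min(value, sender's tainted balance). Tagged exits absorb taint.
    """
    tainted = defaultdict(int)   # address -> tainted ETH currently held
    hops = {source: 0}           # address -> hop distance from the source
    exited = defaultdict(int)    # exit category -> tainted ETH sent there
    for _, sender, receiver, value in sorted(transfers):
        if sender == source:
            moved = value        # everything leaving the source is tainted
        else:
            moved = min(value, tainted[sender])
            tainted[sender] -= moved
        if moved <= 0:
            continue
        if receiver in EXITS:
            exited[EXITS[receiver]] += moved
        else:
            tainted[receiver] += moved
            hops.setdefault(receiver, hops[sender] + 1)
    held = {addr: eth for addr, eth in tainted.items() if eth > 0}
    return held, hops, dict(exited)
```

Calling `trace(build_sample_transfers(), COLD)` returns the tainted balance still held per account, each account's hop distance from the cold wallet, and the totals that left through tagged DEX and bridge exits.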
Bybit Exchange Supply & Flows
Source: Coin Metrics Network Data Pro, Exchange Flow Metrics
From the perspective of the exchange, we can see the ~$1.2B in ETH outflows from Bybit as the incident unfolded on February 21st. This brought the total supply of ETH on Bybit from 438,000 to 60,000 ETH by the end of the day. As news of the hack spread, Bybit’s exchange supply of BTC also fell by 21,000 BTC (as of Feb 23rd), with user demand for withdrawals ramping up.
However, as seen with the subsequent inflows, Bybit has managed to replenish $1.2B in deficits, by a combination of securing loans, making OTC transactions and incoming user deposits. This was confirmed by a proof of reserves audit conducted by Hacken, verifying that all major assets including the likes of ETH maintain a 100%+ collateralization ratio. As of February 24th, Bybit’s reserves stand at 380,000 ETH.
Source: Coin Metrics Network Data Pro, Exchange Supply Metrics
How Markets Responded to the Bybit Hack
The Bybit hack left an aftershock on markets. Shortly after the hack was announced, ETH had dipped sharply from $2,850 to $2,600 and Bybit’s ETH-USDT market traded at a slight discount for a few hours against other notable markets. The gap between Bybit and other markets closed over the weekend and on early Sunday, ETH had even reclaimed its price level from before the hack.
We’ve written about the market impact from previous hacks in SOTN #35, and the impact from this hack seemed much more muted than in years past. The market has matured to where it can handle shocks of this magnitude without skipping a beat, let alone being an existential risk to an exchange or the industry at large.
Source: Coin Metrics Reference Rates
While a majority of stablecoins maintained their pegs, another notable contagion was a brief depegging of Ethena USD (USDe). USDe dipped below $0.96 but started to recover the following day.
Ethena does rely on exchanges such as Bybit to execute hedging strategies to maintain its peg, but importantly, Ethena USD stores the assets backing its stablecoin in institutional-grade custodians and not inside Bybit (or any exchange). Only the margin required for hedging short positions is deposited on exchanges like Bybit. The bulk of the collateral stays off-exchange and is insulated from Bybit’s direct risks.
(For a deeper dive on the effect Bybit had on Ethena USD, see this thread)
To put this in perspective, we can draw some comparisons to the Silicon Valley Bank (SVB) crisis leading to USDC’s de-peg almost two years ago in March 2023*. USDC depegged for a few days and dipped to $0.88 because of concerns about Circle’s reserves being custodied on SVB.
Coincidentally (and importantly), both incidents happened on a Friday. Whereas USDC holders were vulnerable to the gears of traditional finance coming to a halt outside of business hours, the second-order effects of the Bybit hack on the market self-corrected during the weekend. Overall, the contagion remained largely contained. The community came together to ensure that funds were safe, and Bybit was able to meet its customer obligations.
While Ethena USD was insulated from exchange risks, USDe (and other stablecoins) are not immune from custodial risks. An exchange hack story is not complete without a cautionary tale on custodial risk, so we’ll end with this evergreen note: not your keys, not your coins.
*Of course, the two events are not entirely comparable: one was a bank run that resulted in a fraction of a stablecoin reserve being locked, while the other was a loss of funds directly from theft. The relative magnitudes of crypto assets “lost” in this case are comparable. $3.3B out of $40B USDC was locked in Circle’s SVB account, while Bybit comprises 15% of USDe ‘backing’, or 15% of ~$6B ~ $900M.
Conclusion
The Bybit hack was another test against the resilience of the crypto industry. In years past, this would be existential to not just an exchange, but the market as a whole. Miraculously, the community pulled together to track the funds flowing to the hacker on-chain, identify the malicious actor, validate the solvency of a custodian in real-time, and mitigate the damage that could result from this crisis. The velocity and efficiency with which this was done would not be possible without public tools, data, and a culture of transparency.
The industry will now have to reckon with a target on its back from hostile state actors and regulators. While the damage within the ecosystem seems mostly contained, this incident will raise national security concerns as crypto grows increasingly integrated with the broader international financial system. It will be up to the industry to address these legitimate concerns and prove the value of permissionless architecture.
Thank you to our loyal readers of SOTN for your time and attention all these years and to past contributors (you know who you are). Here’s to hoping that we’ve only covered the beginning of crypto’s story.