Original | Odaily Planet Daily ( @OdailyChina )
Author: Wenser ( @wenser 2010 )
The incident that happened last weekend, in which Bybit was stolen over $1.5 billion and more than 500,000 ETH-related assets, almost became another FTX moment for the crypto industry.
Fortunately, thanks to Bybits quick and effective post-processing, the support of the crypto industry and the strong support of the security team, the situation of this largest theft in history has been basically under control, but the subsequent Lazarus Group hackers fund movement, Bybits further processing and the recovery of the stolen funds are still a concern for people in the crypto industry. After all, such a large amount of ETH has a significant impact on the market.
Odaily Planet Daily will sort out the latest developments of the incident in this article for readers reference.
For a brief introduction, see Black Swan of the Bull Market: Over $1.5 billion worth of assets were stolen from Bybit, and 514,000 ETH were dumped directly into the market?
Bybit stolen key data: loss exceeds $1.5 billion, hackers have sold 57,000 ETH worth $142 million
At present, there is some disagreement in the market about the specific amount of the Bybit theft, partly because the stolen assets include native ETH and derivative assets, which have certain price fluctuations. According to the first public announcement released by Bybit officials, the amount is over 1.5 billion US dollars.
Bybit loss amount: total value exceeds 1.5 billion US dollars, including more than 510,000 ETH and derivative assets
Earlier, the Wall Street Journal quoted the security agency CertiK as saying that the Bybit theft was the largest single theft in the history of encryption, and the stolen assets resulting from this hacker attack were valued at more than US$1.4 billion.
According to the monitoring statistics of the security agency Beosin Trace, a total of 514,723 ETH and derivatives were stolen, including:
401,347 ETH, worth $1.12 billion;
90,376 stETH, valued at $253.16 million;
15,000 cmETH, worth $44.13 million;
8,000 mETH, worth $23 million.
In addition, according to the DefiLlama website hacker incident panel, Bybit’s theft of more than $1.4 billion in assets is the largest security incident in the history of cryptocurrency, accounting for about 14% of the stolen amount in all security incidents in the history of cryptocurrency. The panel data shows that the cumulative amount of stolen assets in the history of cryptocurrency exceeds $10.62 billion, of which DeFi-related stolen assets amount to $6.31 billion, and various bridge projects have stolen assets amounting to $2.87 billion.
DefiLlama Dashboard
Latest developments: Hackers have sold 57,000 ETH, and the remaining assets are still as high as $1.26 billion
According to on-chain analyst Ember , the Bybit hacker has now sold 50,700 ETH (US$142 million) in exchange for DAI and other on-chain assets (BTC, etc.).
It currently holds 448,600 ETH (US$1.26 billion).
In addition, 15,000 cmETH (worth $43 million) were promptly processed by the mETH Protocol officials, and the funds have been restored and recovered, which has also been confirmed by the mETH Protocol officials .
Hackers’ money laundering channels: coin mixers, cross-chain bridges, and even Meme coins
It is worth noting that after the Bybit theft, Lazarus Group has adopted more diverse methods to launder the stolen funds: in addition to the conventional cross-chain exchange of ETH assets for BTC and other assets through mixers and cross-chain bridge protocols such as Chainflip, THORChain, LiFi, DLN and eXch, hackers also chose to issue Meme coins as a way to launder money.
According to on-chain data, the Bybit attacker transferred SOL tokens to a certain address and launched the Meme coin. The current market value of the relevant Meme coin has reached approximately US$2.2 million, with a trading volume of approximately US$26 million, but the liquidity is low, reminding community users to be vigilant in interactions.
According to ZachXBT, the attacker received $1.08 million in funds from the Bybit hacking incident through the address 0x363908...d7d1 , and then transferred USDC to the Solana chain across the chain. The address EFmgz8...dq2P transferred all USDC on the Solana chain across the chain to two addresses on the BSC chain. The two BSC addresses dispersed USDC to more than 30 addresses through programmatic operations, and finally aggregated to the address 0x0be9...5a3 . The money launderer exchanged the obtained SOL for meme coins.
Bybit official response: Raised 254,800 ETH and released a 10% hacker bounty plan
After the incident, Bybit’s official further handling was also remarkable. Specifically, it can be divided into the following three aspects:
ETH Reserve: 446,800 ETH raised, worth $1.23 billion
The address of Bybit or its affiliates ( 0x2E4...b77 ) purchased a total of 157,600 ETH (worth US$441 million) through three brokers, Galaxy Digital, FalconX, and Wintermute, in the past two days and then transferred them to Bybit.
According to Spot On Chain, Bybit raised 254,830 ETH ($693 million) within 48 hours after the hack, including:
132,178 ETH ($367 million), likely acquired through OTC transactions with Galaxy Digital, FalconX, and Wintermute;
122,652 ETH (US$326 million), loans from trading platforms/institutions such as Bitget, MEXC, Binance and DWF Labs (it may also be personal borrowing behavior of some whales).
According to LookonChain monitoring , since the attack, Bybit has accumulated 446,870 ETH, worth approximately US$1.23 billion, through loans, whale deposits and purchases.
The latest news is that Bybit CEO Ben Zhou said in a post , Bybit has completely filled the ETH gap, and a new audit POR (Proof of Reserves) report will be released soon.
A total of more than 440,000 ETH have been raised, worth $1.226 billion
Funds freezing and recovery: USD 42.89 million frozen within 24 hours
At around 11 p.m. on February 23, Bybit officially announced that through the coordinated efforts of multiple parties, $42.89 million in stolen funds were successfully frozen in one day.
The institutions providing assistance and the specific amounts are:
Tether-blacklisted related addresses and froze 182,000 USDT;
THORChain-blacklist and mark relevant addresses;
ChangeNOW- 34 ETH frozen;
FixedFloat-frozen USDC and USDT worth $120,000;
Avax- 0.38755 BTC frozen;
CoinEx-blacklisted related addresses and provided key assistance;
Bitget-blacklisted the relevant addresses and froze 84 USDT;
Circle-Assists in connection and provides key clues, etc.
Bounty Program: 10% of recovered funds reward, with a total value of over $140 million
On February 22, the day after the theft, Bybit officials said , As part of the investigation and recovery efforts, Bybit is committed to using 10% of the recovered funds to reward ethical network and cybersecurity experts who actively recovered the stolen cryptocurrencies during the incident.
Subsequently, Bybit officially reconfirmed the bounty and simultaneously updated the hacker wallet address blacklist API plan . It is understood that the API will help various project parties and security experts track and recover stolen funds more efficiently under time pressure. This list of suspicious addresses was compiled by industry white hat hackers and investigators within three days after the hacker attack. Bybit has received thousands of clues from industry colleagues so far. For contributors who successfully intercept and recover funds, Bybit will provide a 10% bounty reward.
In addition, Bybit is developing the HackBounty platform and will make an announcement at the appropriate time. This platform aims to empower the entire industry to jointly track the actions of hackers and encourage all security experts to continue to pay attention to the latest progress of this innovative program. Bybit will also continue to update the blacklist to help partners intercept illegal capital flows.
In addition, the above progress is inseparable from the Bybit team, especially the close communication and cooperation between co-founder and CEO Ben Zhou and the outside world, especially calling out to the outside world and seeking help. This is also the reason why the industry did not usher in a new round of market crash after Bybit was stolen for more than US$1.5 billion.
Possible follow-up: Some are pessimistic, some are optimistic, and some think it will be a protracted war
After the Bybit theft, there were some differences in the market’s views on the future of the crypto industry, especially the subsequent trend of ETH. The representative views are as follows:
Optimist: Zhusu believes ETH will hit a record high
Previously, Zhu Su wrote that a large number of traders opened short orders out of panic over the theft of Bybit ETH assets, and now ETH finally has a narrative of setting a new all-time high (i.e., short squeeze).
Pessimistic: Santiment believes the market is already in a state of panic
Santiment previously stated that due to the shock caused by the Bybit hack in the crypto field, coupled with worrying news about LIBRA and other contributing factors this week, the crowd showed extreme fear as Bitcoin plummeted. According to the sentiment score, the negative sentiment in the crypto community is the same as before the price rebound on February 17 and 18. Although nothing is certain, and a major exchange hack may have a lasting impact on the crowds perception, remember that the market almost always moves in the opposite direction of what retail traders expect.
BTC price hits short-term low of $91,500
The protracted war: Lazarus Groups stolen goods sales process will take several years
As the hacker group behind the Bybit theft, Lazarus Group has always received a lot of attention. Chainalysis has previously released a report on the organizations disposal of stolen money. Generally speaking, Lazarus Group will take three steps to dispose of the stolen money: the first step is to convert all ERC 20 (including liquidity derivative tokens such as stETH) into ETH; the second step is to convert ETH into BTC; the third step is to gradually convert BTC into legal currency through Asian exchanges. The whole process may last for many years.
Conclusion: Ethereum will not roll back, Bybit still needs time to recover
Previously, Coinbase director Conor Grogan said that the Bybit hacker has become the 14th largest ETH holder in the world because he holds nearly 500,000 ETH, accounting for 0.42% of the total supply of Ethereum, which exceeds the Ethereum holdings of Fidelity and Vitalik, and is more than twice the ETH holdings of the Ethereum Foundation; despite this, Vitalik and other Ethereum Foundations have not yet made a statement on the matter. Previously, Arthur Hayes and DWF Labs partner Andrei Grachev had expressed curiosity about this.
But things are different now. Ethereum can no longer go back to the moment of The DAO hard fork, and rollback is impossible. After all, in just three days, the number of transactions in the Ethereum ecosystem reached hundreds of millions. What is left for Bybit is the need to fill the funds in a short period of time and recover the stolen funds, as well as good operations for a longer period of time, in order to repair the gap in user trust and funds.
The future is still bright. Although the process will be painful, it is the only way to grow.
