Bybit $1.5 Billion Hack: How KYT Analytics Can Help Recover Stolen Funds


All You Need to Know About Bybit’s Hacking Incident

On February 21, 2025, Bybit, one of the world’s largest cryptocurrency exchanges, suffered a significant security breach during a cold-to-warm wallet transfer. The attack exploited a vulnerability in custody operations, allowing hackers to drain 401,000 ETH (valued at approximately $1.5 billion).

This theft triggered a 4% dip in Ethereum’s price, followed by a surge in withdrawal requests as Bybit users feared for their funds’ safety. The breach also raised concerns about custody security, compliance effectiveness, and transaction monitoring in the crypto space.

Global Efforts to Track and Recover the Stolen Funds

As the hack unfolded, authorities, blockchain forensic firms, and security teams mobilized to trace and recover the stolen assets. Using advanced on-chain analytics and wallet clustering, investigators began mapping how the stolen ETH was being laundered.

Blockchain forensic techniques quickly flagged suspicious wallet movements, revealing that the hackers were attempting to obfuscate transactions through multiple chains and mixing services. At this stage, Know Your Transaction (KYT) solutions became a vital tool in tracking the flow of stolen funds in real time.


Who Was Behind the Attack?

Blockchain forensic analysts and intelligence agencies quickly linked the hack to the North Korean cybercrime group, Lazarus Group. Known for their sophisticated cyberattacks on financial institutions and crypto platforms, Lazarus has been responsible for multiple high-profile crypto heists, including the Ronin Bridge and Harmony Horizon Bridge attacks.

Key Indicators Pointing to Lazarus Group:
✓ Use of Chain Hopping & Mixers: The stolen ETH was swiftly routed through Tornado Cash and other coin-mixing services to obscure its origins.
✓ Ties to Previously Compromised Wallets: Some wallet addresses linked to this attack had previous activity tied to state-sponsored hacking campaigns.
✓ North Korean Crypto Laundering Tactics: Funds were partially funneled through decentralized exchanges (DEXs) and over-the-counter (OTC) traders, aligning with Lazarus’s known laundering techniques.

While authorities, blockchain forensic firms, and security teams traced the stolen assets, KYT (Know Your Transaction) solutions and mETH Protocol’s security mechanisms played a vital role in tracking and partially reclaiming the hacked funds.

In the wake of the attack, the wider community helped recover $43 million: mETH Protocol, a liquid staking and restaking solution, identified and froze portions of the stolen ETH that had been moved into its ecosystem.
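The tracing and screening described above (forward taint tracing from the attacker's wallet, flagging hops into mixers or previously seen wallets, and measuring what a cooperating protocol could freeze on arrival) can be sketched as a small KYT-style screener. This is an added example, not code from the original article or from any KYT vendor; the addresses, watchlists and transfers are constructed placeholders.

```python
from collections import defaultdict, deque

# Constructed sample data with placeholder addresses, not real on-chain data:
# (tx_id, from_addr, to_addr, amount_eth), in confirmation order.
TRANSFERS = [
    ("tx1", "victim_cold_wallet", "attacker_1", 1000.0),
    ("tx2", "attacker_1", "attacker_2", 600.0),
    ("tx3", "attacker_1", "mixer_pool", 400.0),        # deposit into a mixing service
    ("tx4", "attacker_2", "dex_router", 300.0),        # swap via a DEX (chain hopping)
    ("tx5", "attacker_2", "staking_protocol", 300.0),  # lands with a cooperating protocol
    ("tx6", "unrelated_a", "unrelated_b", 50.0),       # legitimate, never touches the theft
]
MIXERS = {"mixer_pool"}                  # assumed mixer watchlist
PRIOR_INCIDENT_WALLETS = {"attacker_2"}  # assumed wallets seen in earlier campaigns

def trace_taint(transfers, origin):
    """Breadth-first walk forward from the theft address -> {address: hops from origin}."""
    outgoing = defaultdict(list)
    for _, src, dst, _ in transfers:
        outgoing[src].append(dst)
    hops, queue = {origin: 0}, deque([origin])
    while queue:
        addr = queue.popleft()
        for dst in outgoing[addr]:
            if dst not in hops:          # first time we reach dst = shortest hop count
                hops[dst] = hops[addr] + 1
                queue.append(dst)
    return hops

def screen_transfers(transfers, origin, mixers, prior_wallets):
    """KYT-style screening: every transfer sent from a tainted address becomes an alert."""
    hops = trace_taint(transfers, origin)
    alerts = []
    for tx_id, src, dst, amount in transfers:
        if src not in hops:
            continue                     # not funded by the stolen ETH
        flags = [f"tainted_hop_{hops[src] + 1}"]
        if dst in mixers:
            flags.append("mixer_deposit")
        if src in prior_wallets or dst in prior_wallets:
            flags.append("prior_incident_wallet")
        alerts.append({"tx": tx_id, "to": dst, "amount": amount, "flags": flags})
    return alerts

def tainted_inflow(transfers, origin):
    """ETH each address received directly from a tainted sender: freezable on arrival."""
    inflow, hops = defaultdict(float), trace_taint(transfers, origin)
    for _, src, dst, amount in transfers:
        if src in hops:
            inflow[dst] += amount
    return dict(inflow)
```

Real deployments replace the in-memory list with indexed chain data and curated watchlists, but the alert logic (hop distance plus watchlist hits) is the same shape.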

But how was Bybit able to recover funds?
