
Understanding the laundering timeline of Bybit's stolen ETH


Reprinted from jinse

03/04/2025

Author: Yohan Yun, Aaron Wood; Translated by: Deng Tong, Golden Finance

The $1.4 billion hacking attack against Bybit is not only the largest attack in cryptocurrency history, but also a major test of the industry's crisis management capabilities, highlighting the industry's maturity since the FTX crash.

On February 21, North Korea's Lazarus Group stole $1.4 billion worth of Ether and related tokens, an incident that initially shook the entire cryptocurrency world but quickly calmed as the industry united to help Bybit manage the consequences.

Here is how the attack unfolded, how Bybit responded, and where the stolen funds went.


February 21: Bybit is hacked

The Bybit hack was first spotted by on-chain investigator ZachXBT, who alerted the platform and urged exchanges to blacklist addresses related to the hack.

Shortly thereafter, Bybit co-founder and CEO Ben Zhou confirmed the breach and began providing updates about the intrusion.

A post-mortem analysis from Chainalysis initially stated that Lazarus had carried out a phishing attack to gain access to exchange funds, but the analysis was later updated to reflect reports that the hackers had compromised Safe developers' computers rather than Bybit's own systems.

The attacker managed to "reroute" about 401,000 ETH, worth $1.14 billion at the time of the attack, and moved it through a network of intermediary wallets.


The hackers used a complex network of wallets, exchanges and cross-chain transfers to hide the funds. Source: Chainalysis

February 21: Bybit's other wallets stay safe, Ethena remains solvent

The exchange promptly assured users that its remaining wallets were secure. A few minutes after confirming the breach, the exchange announced that "all other Bybit cold wallets are still completely secure. All customer funds are secure and our operations are going on as usual without any disruption."

Hours after the hack, customer withdrawals remained open. Zhou said in a Q&A session that the exchange had by then approved and processed 70% of withdrawal requests.

Decentralized finance platform Ethena told users that its yield-bearing stablecoin USDe remained solvent after the hack. The platform reportedly had $30 million in derivatives exposure on Bybit but was able to cover any losses from its reserve fund.

February 22: The cryptocurrency industry lends Bybit a helping hand, hackers are blacklisted

Many cryptocurrency exchanges reached out to help Bybit. Bitget CEO Gracy Chen announced that her exchange had lent Bybit about 40,000 ETH (about $95 million at the time).

Crypto.com CEO Kris Marszalek said he would direct the company's security team to help.

Other exchanges and institutions began freezing funds linked to the hack. Tether CEO Paolo Ardoino posted on X that the company had frozen 181,000 USDt connected to the hack. Mudit Gupta, chief information security officer at Polygon, said the Mantle team had recovered about $43 million from the hackers.

Zhou posted a thank-you letter on X, naming several well-known crypto companies that had helped Bybit, including Bitget, Galaxy Digital, TON Foundation and Tether.


Bybit also announced a bounty program paying up to 10% of any funds recovered, for a total of up to $140 million.

February 22: Withdrawal run, Lazarus transfers funds

After the incident, user withdrawals caused the exchange's total assets to fall by more than $5.3 billion.

Despite the run, the exchange kept withdrawals open, albeit with delays, and Hacken, Bybit's independent proof-of-reserves auditor, confirmed that reserves still exceeded liabilities.

Meanwhile, on-chain tracing showed that Lazarus was continuing to split the funds across intermediary wallets, further obscuring their movement.

For example, blockchain analytics firm Lookonchain said Lazarus had transferred 10,000 ETH, worth nearly $30 million, to a wallet labeled "Bybit Exploiter 54" to begin laundering.

Blockchain security firm Elliptic wrote that the funds would likely be sent to a coin mixer, a service that hides the link between blockchain transactions, although "this can be challenging due to the huge number of stolen assets."

February 23: eXch, Bybit continues to recover funds, and the blacklist keeps growing

Blockchain analysts ZachXBT and Nick Bax both claimed that the hackers were laundering funds through eXch, a cryptocurrency exchange that does not perform know-your-customer (KYC) checks. ZachXBT claimed eXch laundered $35 million and then accidentally sent 34 ETH to another exchange's hot wallet.


eXch denied laundering money for North Korea, but admitted to handling "a small portion of the funds from the ByBit hack."

eXch said the funds “finally entered our address 0xf1da173228fcf015f43f3ea15abbb51f0d8f1123, an isolated case and the only part of our exchange processing from which we will charge fees for the public interest”.

To help identify wallets involved in the incident, Bybit released a blacklisted-wallet application programming interface (API). The exchange said the tool would help white hat hackers take part in the bounty program.

Bybit also managed to restore its Ether reserves to nearly half their pre-hack level, mainly through spot purchases in over-the-counter trades after the incident, supplemented by Ether loaned from other exchanges.

February 24: Lazarus appears on DEX, Bybit fills the ETH gap

Blockchain investigators continued to monitor the flow of Lazarus-linked funds. Arkham Intelligence observed hacker-related addresses on a decentralized exchange (DEX) attempting to swap the stolen cryptocurrency for Dai.

A wallet that had received some of the stolen ETH from Bybit was reportedly interacting with Sky Protocol, Uniswap and OKX DEX. According to trading platform LMK, the hackers successfully swapped at least $3.64 million.

Unlike other stablecoins such as USDT and USDC, Dai cannot be frozen.

Zhou announced that Bybit had "fully filled the ETH gap", meaning it had replaced the $1.4 billion lost in the hack. His statement was followed by a third-party proof-of-reserves report.


Bybit restored its Ether reserves to pre-hack levels. Source: Darkfost

February 25: The battle against Lazarus

Bybit launched a dedicated website to track its recovery efforts, which Zhou promoted while calling on the cryptocurrency community to unite against the Lazarus Group. The site distinguishes between those who have helped and those who have allegedly refused to cooperate.


Almost $95 million of funds were reportedly transferred to eXch. Source: LazarusBounty

The report highlights the individuals and entities that helped freeze stolen funds and awards them a 10% bounty, split equally between the whistleblower and the entity that froze the funds.

The report also noted that eXch was the only platform to refuse to help, stating that it had ignored 1,061 reports.

February 26: FBI confirms Lazarus attribution, Safe compromise reports

The FBI confirmed the widely reported suspicion that North Korean hackers had carried out the Bybit attack, naming the group TraderTraitor, better known in cybersecurity circles as the Lazarus Group.

In a public service announcement, the FBI urged the private sector, including node operators, exchanges and bridges, to block transactions from addresses associated with Lazarus.


The FBI identified 51 suspicious blockchain addresses linked to the hackers, while cybersecurity firm Elliptic identified more than 11,000 intermediary addresses.
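The FBI's call to block transactions from flagged addresses and Elliptic's count of intermediary wallets rest on the same mechanic: propagating taint from a few seed addresses through subsequent transfers. The following is an added example, not from the article or any firm named in it, of that screening logic over a constructed transfer graph; every address and amount is a placeholder.

```python
from collections import deque

def fake_addr(tag):
    """Constructed placeholder: pad a short tag to a 40-hex-char address (not a real wallet)."""
    return "0x" + tag.lower().rjust(40, "0")

# Constructed seed: one address an investigator has already attributed to the theft.
SEED_ADDRESSES = {fake_addr("a1")}

# Constructed transfers (sender, receiver, ETH) showing the split-and-recombine
# pattern through intermediary wallets described in the article.
TRANSFERS = [
    (fake_addr("a1"), fake_addr("b2"), 10_000.0),
    (fake_addr("a1"), fake_addr("b3"), 10_000.0),
    (fake_addr("b2"), fake_addr("c4"), 5_000.0),
    (fake_addr("b3"), fake_addr("c4"), 5_000.0),
    (fake_addr("c4"), fake_addr("d5"), 9_999.0),
    (fake_addr("e6"), fake_addr("f7"), 1.0),  # unrelated traffic, must stay clear
]

def normalize(addr):
    """Lower-case the hex so a mixed-case address cannot slip past a blacklist lookup."""
    a = addr.strip().lower()
    if not (a.startswith("0x") and len(a) == 42
            and all(c in "0123456789abcdef" for c in a[2:])):
        raise ValueError(f"not an Ethereum address: {addr!r}")
    return a

def propagate_taint(seeds, transfers, max_hops=3):
    """Breadth-first walk downstream from the seeds; returns {address: hops from seed}."""
    out_edges = {}
    for src, dst, _amount in transfers:
        out_edges.setdefault(normalize(src), set()).add(normalize(dst))
    tainted = {normalize(s): 0 for s in seeds}
    queue = deque(tainted)
    while queue:
        cur = queue.popleft()
        if tainted[cur] >= max_hops:
            continue  # stop expanding past the configured depth
        for nxt in out_edges.get(cur, ()):
            if nxt not in tainted:
                tainted[nxt] = tainted[cur] + 1
                queue.append(nxt)
    return tainted

def screen_deposit(sender, tainted):
    """Deposit-pipeline decision: block direct seeds, hold intermediaries for review."""
    hops = tainted.get(normalize(sender))
    if hops is None:
        return "clear"
    return "block" if hops == 0 else f"hold-for-review (hop {hops})"
```

The hop depth is the operational knob: too shallow misses recombined funds like `c4` and `d5` above, too deep starts flagging exchange hot wallets that merely received a tainted deposit.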

Meanwhile, post-incident investigations found that the breach stemmed from stolen SafeWallet credentials rather than from Bybit's infrastructure, as had previously been reported.

February 27: THORChain trading volume explodes

Security firm TRM Labs called the speed of the Bybit hackers' laundering "particularly worrying": as of February 26, the hackers had reportedly moved more than $400 million through intermediary wallets, cryptocurrency exchanges, cross-chain bridges and DEXs. TRM also noted that most of the stolen proceeds were being exchanged for Bitcoin, a strategy usually associated with Lazarus, and that most of the converted Bitcoin had not yet been moved from where it was first received.

Meanwhile, Arkham Intelligence found that Lazarus had moved at least $240 million in ETH through the troubled cross-chain protocol THORChain to swap it for Bitcoin. THORChain's total swap volume surged past $1 billion in 48 hours.

THORChain developer "Pluto" announced they would immediately leave the project after a vote to block transactions linked to the North Korean hackers was overturned. Meanwhile, Lookonchain reported that the hackers had laundered 54% of the stolen funds.

What does the Bybit hack mean for crypto?

Bybit may have fully recovered its lost reserves, but the incident has raised bigger questions about the blockchain industry and how it deals with hacks.

Ethereum developer Tim Beiko quickly dismissed a call to roll back the Ethereum network to make Bybit whole. He said the hack was fundamentally different from previous incidents, adding that "the interconnected nature of Ethereum and the settlement of off-chain economic transactions on-chain are making this problem tricky today."

The aftermath of the Bybit breach suggests that the Lazarus Group has become more efficient at moving blockchain-based funds. Investigators at TRM Labs suspect this could indicate an improvement in North Korea's crypto infrastructure or an increased ability of underground financial networks to absorb illicit funds.

As the value locked on blockchain platforms continues to grow, so does the sophistication of attacks. The industry remains a prime target for North Korean state hackers, who reportedly use the proceeds to fund their weapons programs.
