Original | Odaily Planet Daily (@OdailyChina)
Author | Wenser (@wenser2010)
Last weekend's theft of more than $1.5 billion from Bybit, comprising over 500,000 ETH and related assets, was almost another "FTX moment" for the crypto industry.
Fortunately, thanks to Bybit's prompt and effective post-incident handling, support from across the crypto industry, and strong backing from security teams, this "largest theft case in history" has largely been brought under control. The Lazarus Group hackers' subsequent movement of funds, Bybit's further handling, and the recovery of the stolen funds nevertheless remain a concern for the industry; after all, ETH at this scale has a significant impact on market sentiment.
In this article, Odaily Planet Daily reviews the latest developments of the incident for readers' reference.
For the background, please refer to "Bull Market Black Swan: Bybit Stolen Over $1.5 Billion in Assets, 514,000 ETH Dumped on the Market?".
Key Data on the Bybit Theft: Over $1.5 Billion in Losses, Hackers Have Sold 57,000 ETH Worth $142 Million
The market currently disagrees somewhat on the exact amount stolen from Bybit, partly because the stolen assets include both native ETH and derivative assets whose prices fluctuate. According to Bybit's first public announcement, the loss exceeds $1.5 billion.
Bybit's Loss: Total Value Exceeds $1.5 Billion, Including Over 510,000 ETH and Derivative Assets
Earlier, The Wall Street Journal cited the security firm CertiK's view that the Bybit theft is the largest single theft in crypto history, with the stolen assets valued at over $1.4 billion.
According to the monitoring and statistics of the security firm Beosin Trace, a total of 514,723 ETH and derivative assets were stolen, including:
401,347 ETH, worth $1.12 billion;
90,376 stETH, worth $253.16 million;
15,000 cmETH, worth $44.13 million;
8,000 mETH, worth $23 million.
Furthermore, according to the hacking incident panel on the DefiLlama website, the more than $1.4 billion in assets stolen from Bybit is the largest security incident in cryptocurrency history, accounting for about 14% of the total amount stolen across all security incidents to date. The panel data shows that the total amount stolen in cryptocurrency history exceeds $10.62 billion, of which DeFi-related thefts account for $6.31 billion and thefts from bridge projects account for $2.87 billion.
DefiLlama Panel
Latest Progress: Hackers Have Sold 57,000 ETH, Remaining Assets Still Worth $1.26 Billion
According to monitoring by on-chain analyst Ember, the Bybit hackers have now sold 50,700 ETH ($142 million) and converted it into DAI and other on-chain assets (such as BTC).
They still hold 448,600 ETH ($1.26 billion).
Additionally, the mETH Protocol team has confirmed that it promptly handled and recovered 15,000 cmETH (worth $43 million).
Hackers' Money Laundering Channels: Mixers, Cross-Chain Bridges, and Even Meme Coins
Notably, since the Bybit theft, the Lazarus Group's methods of laundering the stolen funds have become more diverse. In addition to its earlier practice of converting ETH into BTC and other assets through mixers such as Chainflip, THORChain, LiFi, DLN and eXch, and through cross-chain bridges, the hackers have also chosen to use Meme coin issuance as a money laundering channel.
According to on-chain data, the Bybit attackers transferred SOL tokens to an address and then launched a Meme coin, which currently has a market cap of about $2.2 million and a trading volume of about $26 million. Its liquidity is low, and the community is reminded to be cautious about interacting with it.
Additionally, according to ZachXBT's disclosure, the attacker received $1.08 million from the Bybit hack through the address "0x363908...d7d1" and then transferred the USDC across chains to Solana. The address "EFmgz8...dq2P" then transferred all the USDC on Solana to two addresses on the BSC chain. The two BSC addresses distributed the USDC to more than 30 addresses through programmatic operations and finally consolidated it into the address "0x0be9...5a3", where the money launderer exchanged the acquired SOL for meme coins.
Bybit's Response: Raised 254,800 ETH, Issued 10% Hacker Bounty Program
Bybit's further handling after the incident is also noteworthy and can be divided into the following three aspects:
ETH Reserves: 446,870 ETH Raised, Worth $12.3 Billion
Bybit or its affiliated addresses (0x2E4...b77) have purchased a total of 157,600 ETH (worth $441 million) through three brokers, Galaxy Digital, FalconX, and Wintermute, and transferred them to Bybit over the past 2 days.
According to monitoring by Spot On Chain, Bybit raised 254,830 ETH ($693 million) within 48 hours after the hacker attack, including:
132,178 ETH ($367 million), likely obtained through OTC trades with Galaxy Digital, FalconX and Wintermute;
122,652 ETH ($326 million), borrowed from trading platforms/institutions such as Bitget, MEXC, Binance and DWF Labs (or possibly personal borrowing by some whales).
According to monitoring by LookonChain, since the attack, Bybit has cumulatively obtained 446,870 ETH, worth about $12.3 billion, through loans, whale deposits, and purchases.
The latest news is that Bybit CEO Ben Zhou posted that "Bybit has fully filled the ETH gap, and the new audit POR (proof of reserve) report will be released soon."
Cumulative Raise of Over 440,000 ETH, Worth $12.26 Billion
Fund Freezing and Recovery: $42.89 Million Frozen Within 24 Hours
Around 11 pm on February 23, Bybit announced that, through coordinated efforts, $42.89 million in stolen funds had been successfully frozen within one day.
The assisting institutions and specific amounts are:
Tether - blacklisted relevant addresses and froze 182,000 USDT;
THORChain - blacklisted and marked relevant addresses;
ChangeNOW - froze 34 ETH;
FixedFloat - froze $120,000 in USDC and USDT;
Avax - froze 0.38755 BTC;
CoinEx - blacklisted related addresses and provided key assistance;
Bitget - blacklisted related addresses and froze 84 USDT;
Circle - assisted in connecting and providing key clues.
Bounty Program: Provide a 10% reward for recovered funds, with a total value exceeding $140 million
On February 22, the day after the theft incident occurred, Bybit officially announced that "as part of the investigation and recovery efforts, Bybit promises to put up 10% of the recovered funds as a reward for the ethical network and cybersecurity experts who actively help recover the stolen cryptocurrencies."
Bybit subsequently confirmed the bounty officially and, at the same time, updated its blacklist API for hacker wallet addresses. According to reports, the API will help projects and security experts track and recover the stolen funds more efficiently in urgent situations. The list of suspicious addresses was compiled by industry white-hat hackers and investigators within three days of the attack, and Bybit has so far received thousands of leads from industry peers. Bybit will pay a 10% bounty to contributors who successfully intercept and recover the funds.
In addition, Bybit is developing the HackBounty platform, which will be announced at an appropriate time. The platform aims to empower the entire industry to jointly track the hackers' movements and to encourage all security experts to stay up to date on the latest developments of this innovative plan. Bybit will also continue to update the blacklist to help partners intercept illegal fund flows.
All of the above progress is inseparable from the Bybit team, and especially from the close communication and cooperation between co-founder and CEO Ben Zhou and the outside world, including his public appeals for help. This is also why the industry did not see a new round of market plunges after more than $1.5 billion was stolen from Bybit.
Possible Aftermath: Some are pessimistic, some are optimistic, and some believe it will be a protracted battle
Since the Bybit theft, market views on the outlook for the cryptocurrency industry, and especially on the subsequent trend of ETH, have diverged. Representative views are as follows:
Optimistic View: Zhu Su believes ETH will hit a new all-time high
Previously, Zhu Su wrote that a large number of traders opened short positions due to the panic over the theft of ETH assets on Bybit, and now ETH finally has a narrative (i.e. short-covering) to hit a new all-time high.
Pessimistic View: Santiment believes the market has become a startled bird
Santiment previously wrote that due to the impact of the Bybit hacker attack in the crypto field, coupled with worrying news about LIBRA and other contributing factors this week, the crowd has shown extreme fear as Bitcoin plummeted. According to the sentiment score, the negative sentiment in the crypto community is the same as before the price rebound on February 17 and 18. While nothing is certain, and a major exchange hack may have a lasting impact on crowd perception, remember that the market almost always moves in the opposite direction of retail traders' expectations.
The short-term lowest point of BTC price is $91,500
Protracted Battle: Lazarus Group's money laundering process may last for years
As the hacker organization behind the Bybit theft, the Lazarus Group has long attracted close attention. Chainalysis previously released a report on how the group "disposes" of stolen funds. Generally, the Lazarus Group takes three steps: the first is to convert all ERC-20 tokens (including stETH and other liquidity derivative tokens) into ETH; the second is to convert the ETH into BTC; the third is to gradually cash out the BTC into fiat currency through Asian exchanges. The entire process may take years.
Conclusion: Ethereum will not roll back, and Bybit needs time to recover
Previously, Coinbase executive Conor Grogan stated that the Bybit hacker has become the 14th largest ETH holder in the world by holding nearly 500,000 ETH, accounting for 0.42% of the total Ethereum supply, exceeding the ETH holdings of Fidelity and Vitalik, and more than twice the ETH holdings of the Ethereum Foundation. Nevertheless, the Ethereum Foundation, including Vitalik, has not yet commented on this matter, although Arthur Hayes and Andrei Grachev, a partner at DWF Labs, have expressed curiosity about it.
But times have changed. Ethereum can no longer return to the days of The DAO hard fork: a rollback is no longer possible, because the transaction volume and scale of the Ethereum ecosystem have reached hundreds of millions in just three days. What remains for Bybit is to fill the funding gap and recover the stolen funds in the short term, and to restore user trust and close the funding gap through sound operations over the longer term.
The future is still bright, and although the process may be painful, it is a necessary path for growth.