Last Updated: February 22, 2025

Bybit ETH Hack

Bybit was hacked for $1.46 billion in Ethereum and staking derivatives, allegedly by the Lazarus Group. The attack involved a phishing-style manipulation of a routine multisig cold wallet transaction rather than a flaw in the Ethereum network itself. While some stolen funds were swapped into Bitcoin and Tether froze 181K USDT, the market impact on ETH was minimal given the asset’s large trading volume.

How was Bybit Hacked?

Yesterday, $1.46 billion was stolen from the Bybit exchange in a hack allegedly coordinated by the North Korean Lazarus Group. Note that the security of the Ethereum blockchain itself was not compromised – the “hack” is closer to a phishing attack, which requires convincing the victim to voluntarily give up their password (or in this case their private key signature), than to a hack in the usual sense. The attackers compromised a cold wallet, stealing Ether and Ether staking derivative tokens:

  • 401,346.7688 ETH 
  • 90,375.5479 stETH
  • 8,000 mETH
  • 15,000 cmETH

According to Bybit, the hack occurred when one of its ETH multisig cold wallets (a wallet that requires multiple signatures) executed a routine transfer to a warm wallet. During that transfer, the hackers manipulated the transaction using a “masked UI”: essentially a fake transaction interface that displayed the correct address while, behind the scenes, the destination address had been altered. This in turn meant the transaction was signed, allowing the hackers to gain control of the ETH in the cold wallet and reroute the funds to their own wallet address.
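The defensive counterpart to a masked UI is to derive the recipient from the bytes that will actually be signed and compare it with what the interface displayed. The following is an added example, not code from Bybit or from any wallet vendor; it goes slightly beyond the ETH case in the text by also decoding ERC-20 `transfer` calls, since the staking derivatives listed above are tokens. All addresses are constructed placeholders and the function names are hypothetical.

```python
# Added example: decide from the raw payload, never from what the UI displays.
ERC20_TRANSFER = "a9059cbb"        # selector of transfer(address,uint256)

# Constructed placeholder addresses (assumptions, not real wallets).
WARM_WALLET = "0x" + "11" * 20
OTHER_ADDR = "0x" + "99" * 20
TOKEN = "0x" + "22" * 20           # stands in for a staking-derivative token
ALLOWED_RECIPIENTS = {WARM_WALLET}
KNOWN_TOKENS = {TOKEN}


def erc20_transfer_data(recipient, amount):
    """Build transfer(address,uint256) call data for the sample inputs."""
    return "0x" + ERC20_TRANSFER + recipient[2:].rjust(64, "0") + format(amount, "064x")


def effective_recipient(tx):
    """Return (recipient, amount) that the raw transaction really pays."""
    to = tx["to"].lower()
    data = tx.get("data", "0x").lower()
    data = data[2:] if data.startswith("0x") else data
    if not data:                                    # plain ETH transfer
        return to, int(tx.get("value", 0))
    if data[:8] == ERC20_TRANSFER and len(data) == 8 + 128:
        if to not in KNOWN_TOKENS or int(tx.get("value", 0)) != 0:
            raise ValueError("token call to unknown contract or with ETH attached")
        if data[8:32] != "0" * 24:                  # address must be left-padded
            raise ValueError("malformed address argument")
        return "0x" + data[32:72], int(data[72:136], 16)
    raise ValueError("unrecognised call data")      # anything else: do not sign


def safe_to_sign(tx, displayed_recipient):
    """True only if the payload pays the allow-listed address the UI showed."""
    try:
        recipient, _ = effective_recipient(tx)
    except ValueError:
        return False
    return recipient == displayed_recipient.lower() and recipient in ALLOWED_RECIPIENTS


# Constructed payloads: the UI shows WARM_WALLET in every case.
HONEST_ETH = {"to": WARM_WALLET, "value": 10**18, "data": "0x"}
ALTERED_ETH = {"to": OTHER_ADDR, "value": 10**18, "data": "0x"}
HONEST_TOKEN = {"to": TOKEN, "value": 0, "data": erc20_transfer_data(WARM_WALLET, 8000)}
ALTERED_TOKEN = {"to": TOKEN, "value": 0, "data": erc20_transfer_data(OTHER_ADDR, 8000)}
OPAQUE_CALL = {"to": WARM_WALLET, "value": 0, "data": "0xdeadbeef"}
```

The check only has value when it runs on a device and code path independent of the interface that built the transaction.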

401,346.7688 ETH was transferred by the hackers from a wallet labelled on Etherscan as ‘Bybit: Cold Wallet 1’ to another address, labelled ‘Bybit Exploiter 1’, via 41 different transactions. That wallet appears to have been the hackers’ main wallet before they began redistributing the ETH in 10k increments across various different wallets (hereafter labelled ‘Bybit Exploiter X’).

Part of that redistribution included a 1 ETH transfer to the wallet address labelled ‘Bybit Exploiter 2’, as well as a significant proportion of stETH, an ETH staking derivative token.

After swapping the staking derivatives for native ETH tokens on a DEX, that wallet then redistributed approximately 98,000 ETH in separate transactions to ‘Bybit Exploiter 5’. 

Bybit Exploiter 5 then went on to make a number of its own transfers in 10,000 ETH increments. In total, it appears that there were at least 50 different wallets involved in the redistribution of the stolen funds, with many of those addresses not having made any outgoing transfers as of yet.
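The tracing described above can be reproduced over any transfer export. The following added example (not the authors' tooling) follows funds downstream from a seed wallet, lists wallets that have received funds but not yet moved them, and flags wallets splitting funds into fixed 10,000 ETH chunks. The transfer list is constructed and simplified, labels stand in for addresses, and the function names are hypothetical.

```python
from collections import defaultdict, deque

# Constructed sample data: (sender, receiver, ETH amount). Not real transactions.
TRANSFERS = [
    ("cold_wallet_1", "exploiter_1", 401346),
    ("exploiter_1", "exploiter_2", 1),
    ("exploiter_1", "wallet_a", 10000),
    ("exploiter_1", "wallet_b", 10000),
    ("exploiter_2", "exploiter_5", 98000),
    ("exploiter_5", "wallet_c", 10000),
    ("exploiter_5", "wallet_d", 10000),
    ("wallet_a", "dex_router", 10000),
    ("unrelated_user", "dex_router", 3),
]
SERVICES = frozenset({"dex_router"})  # shared contracts: record, but do not trace through


def trace(seed, transfers, stop_at=SERVICES):
    """Breadth-first walk of every address reachable downstream of seed."""
    outgoing = defaultdict(list)
    for src, dst, _ in transfers:
        outgoing[src].append(dst)
    seen, queue = {seed}, deque([seed])
    while queue:
        node = queue.popleft()
        if node in stop_at:          # a DEX mixes everyone's funds; stop here
            continue
        for dst in outgoing[node]:
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def dormant(cluster, transfers, stop_at=SERVICES):
    """Traced wallets that have made no outgoing transfer yet."""
    senders = {src for src, _, _ in transfers}
    return sorted(a for a in cluster if a not in senders and a not in stop_at)


def chunk_splitters(cluster, transfers, chunk=10000, min_count=2):
    """Traced wallets that sent at least min_count transfers of exactly chunk ETH."""
    counts = defaultdict(int)
    for src, _, amount in transfers:
        if src in cluster and amount == chunk:
            counts[src] += 1
    return sorted(a for a, n in counts.items() if n >= min_count)


CLUSTER = trace("exploiter_1", TRANSFERS)
```

Dormant wallets are the ones worth placing on a watch list, since any later outgoing transfer from them extends the trace.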

What has the hacker done with the stolen funds? Will they be blacklisted?

According to Arkham Intelligence, around $253M worth of stETH has been sold or swapped into ETH so far. These swaps appear to have been routed through DEX aggregators such as ParaSwap, which used DEXs such as Uniswap to make the swaps.

It is already proving to be more difficult for the hackers to convert the illicit ETH into stablecoins. Paolo Ardoino, CEO of Tether, stated earlier today that 181K USDT connected to the Bybit hack has been frozen – the smart contract that governs the transactions of USDT on the Ethereum network will not allow transfers of those marked USDT tokens. Another option which (according to Ben Zhou, Bybit CEO) the hackers have already utilised is converting the ETH into BTC via bridges such as Chainflip – which enables swaps between Bitcoin, Solana, Ethereum and other tokens. This is something that we have observed in different iterations in previous cryptocurrency hacks; most notably during the FTX hack in November 2022. Then, ETH was converted into renBTC, though the hackers were unable to convert all the Ethereum through this method. 

How will this impact the market? Is there sell-pressure on ETH from the hacker?

In the last 24 hours, spot trading volume on ETH across all exchanges has been upwards of $30B – even if the hackers were able to sell all their stolen holdings at once, that sell pressure would only be marginal compared to the volume of Ethereum transactions. This means there is less of a direct price impact from the hack itself.

However, ETH fell from $2.8K down to $2.6K (an 8% move down) on the news yesterday. Since then, it has quickly pared back its losses and is now almost back to where it fell from (currently trading at $2740). This suggests part of the move down was more closely related to second-order effects on price, which have been further amplified by a general decline in crypto sentiment that has not been exclusive to Ethereum – from the large decline in $TRUMP and $MELANIA, tokens released by those close to the President, to the Argentinian $LIBRA token collapse, and now a major exchange hack. Combining this with the relative underperformance of ETH so far in this bull cycle, it is these second-order effects which appear to have impacted price more than the direct implications of the hack itself.

The stolen ETH, if successfully blacklisted in its entirety and therefore rendered unspendable in the same way that the ETH stolen in the FTX hack remains to this day, may instead act to remove that $1.5B of ETH (and its staking derivatives) from the supply. How complete will that blacklist end up being?
