News
On Friday, cryptocurrency exchange Bybit was allegedly hacked by North Korea’s Lazarus group, which drained nearly $1.4 billion in ether (ETH) from the exchange.
Following the hack, Arthur Hayes, BitMEX co-founder and self-described major ether (ETH) holder, asked Ethereum co-founder Vitalik Buterin in a post on X whether he will “advocate to roll back the chain to help @Bybit_Official.” Meanwhile, in an X spaces session, Bybit’s CEO Ben Zhou revealed that his team had also reached out to the Ethereum Foundation to see if it was something the network would consider, noting that such a decision should be based on what the network's community wants.
Hayes's post immediately provoked a fierce reaction from the Ethereum community, which was firm in its belief that it wouldn't happen. Some even questioned whether the BitMEX founder was joking. CoinDesk reached out to Hayes over X to clarify his comments.
Ethereum members, like the core developer teams, are overwhelmingly against “rolling back” the network because it would override core elements of decentralization. If Buterin decided on his own that it would happen, then that would be seen as the end of Ethereum’s ethos, which heavily involves various developer teams and other community members when it comes to the health and state of the blockchain.
“Rolling back the chain would give ETH no purpose. What's the point if you can just change rules,” said user @the_weso in a post on X.
Some outside the Ethereum community pointed to the 2016 DAO hack as an example when $60 million in ETH was stolen. The network went forward with a hard fork, splitting the old network into two, and the new chain continued on as Ethereum.
That hard fork was not a “rollback,” though; it was known as an “irregular state transition.” Ethereum technically can’t “roll back” the network because it relies on an account model, where accounts hold users' ETH.
At the time of the hack, developers upgraded their nodes to a new client or software. Those who didn’t upgrade their nodes were still on the old chain, which became known as Ethereum Classic.
When the nodes upgraded to the new software, the stolen ETH could move from one Ethereum account address to the next.
“The 'irregular state change' that they implemented at the time of the DAO hard fork was this: they airlifted all the ETH in the DAO smart contracts out to a refund contract that would send you 1 ETH for every 100 DAO tokens you sent in,” wrote Laura Shin of Unchained in a post on X.
Major cryptocurrency exchange Bybit has seen total outflows of over $5.5 billion after it suffered a near $1.5 billion hack that saw hackers, believed to be from North Korea’s Lazarus Group, drain its ether cold wallet.
The total assets tracked on wallets associated with the exchange plunged from around $16.9 billion to $11.2 billion at the time of writing, according to data from DeFiLlama. The exchange is now looking to understand exactly what happened.
In an X spaces session, Bybit’s CEO Ben Zhou revealed that shortly after the incident, he called for “all hands on deck” to serve their clients with processing withdrawals and responding to inquiries about what was going on.
During the session, Zhou revealed that the security breach saw the hackers make off with roughly 70% of their clients’ ether, which meant that Bybit needed to quickly secure a loan to be able to process withdrawals. Yet, Zhou found that ether wasn’t the most withdrawn token, with most users instead withdrawing stablecoin from Bybit.
The exchange, Zhou noted, has reserves to cover these withdrawals, but the crisis deepened as, in response to the incident, Safe moved to temporarily shut down its smart wallet functionalities to “ensure absolute confidence in our platform’s security.”
Safe is a decentralized custody protocol providing smart contract wallets for digital asset management. Some exchanges integrated Safe, which allows users to maintain custody of their funds and has multisig functionality to enhance the security of their cold wallets.

While the exchange had reserves to back up users’ withdrawals, $3 billion worth of USDT was in a Safe wallet that had just been shut down as the wallet moved to understand the situation, according to Zhou.
On social media, Safe said that while it had "not found evidence that the official Safe frontend was compromised," it was temporarily shutting down "certain functionalities" out of caution.
While Zhou and Bybit’s team were figuring out how to securely withdraw their $3 billion, withdrawals were mounting. Within two hours of the security breach, the exchange was facing requests to move over $100,000 off its platform, Zhou revealed.
Responding to the situation, Zhou told his security team to engage Safe to “find a better way to get this money out.” The team ended up developing new software with code “based on Etherscan” to verify the signatures “on a very manual level” to move the stablecoins back to their wallet and cover the withdrawal surge.
The exchange’s team had to remain up all night to be able to fulfill withdrawals, according to Zhou. As the exchange managed to move the $3 billion in stablecoin reserves, it was facing a bank run of “about 50%” of all the funds within the exchange.
Zhou said that since the incident, the exchange has moved a significant amount of funds off of Safe cold wallets and is now determining what system it will use to replace Safe.
Pushing to "Roll Back" Ethereum Was Not Off the Table
Since the security breach, Bybit has engaged authorities. During the session, Zhou said that the Singaporean authorities took the issue “very seriously” and that he believes it has already been escalated with Interpol.
Blockchain analysis firms, including Chainalysis, were engaged. Zhou said, “As long as Bybit is there and continues to track [the stolen ether], I hope we can get these funds back.”
Notably, he revealed that pushing to "roll back" the Ethereum blockchain, which was suggested by some industry players on social media, including BitMEX co-founder Arthur Hayes, had been on the table for some time if the community agreed with it.
“I had my team talking to Vitalik and the Ethereum Foundation to see if there’s any recommendations they can offer to help. I do really thank all these guys on Twitter asking if there is a possibility to roll back the chain. I’m not sure what was the response on their side, but anything that would help we would try,” Zhou said.
When asked if "rolling back" the chain is even possible, Zhou responded he doesn’t know. “I’m not sure it’s a one-man decision based on the spirit of blockchain. It should be a work in process to see what the community wants,” he said.
It's worth noting that a blockchain "rollback" refers to a state change that would allow for the funds to be recovered. While rolling back the Bitcoin blockchain is technically possible, such a state change on Ethereum would be more complex, given its smart contract interactions and state-based architecture.
Nevertheless, any state change would require consensus and likely lead to a contentious hard fork, drawing criticism from the community. This would likely split the Ethereum blockchain into two networks, each with its own supporters.
What exactly caused the hack is still unclear. Per Zhou, Bybit’s laptops have not been compromised. He said the movements of the transaction’s signers have been scrutinized but appear to have been routine.
“We know the cause is definitely around the Safe cold wallet. Whether it’s a problem with our laptops or on Safe’s side, we don’t know,” Zhou added.
A vast majority of Latin American cryptocurrency users—95%—plan to expand their holdings in 2025, according to a Binance Research survey of more than 10,000 investors in Argentina, Brazil, Colombia, and Mexico.
The findings show that 40.1% of respondents are expecting to buy more crypto within the next three months, 15.3% are looking to do so in the next six months, and 39.7% within 12 months. Only 4.9% have no plans to keep on investing this year.
Latin America led the world in crypto adoption in 2024, growing by 116%, according to research from payments firm Triple-A quoted in the report. The region now has 55 million cryptocurrency users, making up nearly 10% of total cryptocurrency users.
This rapid expansion has been fueled by rising asset prices, regulatory advancements, and new financial products like spot bitcoin exchange-traded funds (ETFs). Brazil has just last week become the first country to approve a spot XRP ETF.
Market performance has also bolstered investor confidence. "Latin America is a rapidly expanding region for the crypto sector, and the results of this research reinforce what we have observed in our operations,” Binance’s regional VP for Latin America, Guilherme Nazar, said.
Binance’s research shows that half of those surveyed have already used cryptocurrencies for over a year, with most entering the space expecting significant returns and searching for financial freedom.
Portfolio diversification, privacy, and protecting their money were also quoted as motives to invest in the space.
The price of the world’s second-largest cryptocurrency, ether (ETH), has risen by more than 2.3% in the last 24 hours, while the broader CoinDesk 20 Index has risen by just 0.76% during the same period. Bitcoin is down around 0.3%.
The rise comes amid reports that Bybit, the cryptocurrency exchange that was hacked for $1.5 billion worth of ether and staked ether by North Korean hacking group Lazarus, has moved 100 million USDT into new addresses and moved half of that into addresses to purchase 36,900 ETH over-the-counter.
The funds, worth around $101 million, were then moved to addresses tagged as belonging to the cryptocurrency exchange, crypto journalist Colin Wu reported, citing Arkham Intelligence data. Bybit’s CEO Ben Zhou reportedly said in an “ask me anything” session that the company’s assets are “far greater than $1.5 billion,” adding that “there is a cold wallet in safe with nearly 3 billion US dollars in USDT,” according to the same source.
Bybit’s hacker now holds an estimated 489,000 ETH valued at approximately $1.34 billion, around 0.4% of ether’s total supply, which makes it the 14th-largest holder of the cryptocurrency.
The addresses associated with the hacker are now closely monitored in the space and are blacklisted by major cryptocurrency exchanges.
“The stolen funds have already been marked, making it extremely difficult for the hacker to use them. Any attempt to transfer these funds to a major exchange would result in an immediate block,” StealthEX CEO Maria Carola told CoinDesk.
Since the hacker may not be able to use the funds in any way, some analysts are suggesting that the 0.4% of the ETH supply it holds is “essentially gone.”
The U.S. Securities and Exchange Commission (SEC) is closing its investigation into major non-fungible token marketplace OpenSea, the platform’s founder and CEO Devin Finzer said on social media.
The regulator issued a Wells notice against OpenSea in August 2024, indicating it was planning on pursuing an enforcement action against it. The regulator alleged the platform may have been operating as an unregistered securities marketplace.
The SEC’s move comes as the regulator is slated to vote on a deal negotiated with Coinbase to drop its lawsuit against the exchange, which is seen as a boon for the cryptocurrency industry and NFT creators.
“This is a win for everyone who is creating and building in our space. Trying to classify NFTs as securities would have been a step backward—one that misinterprets the law and slows innovation,” Finzer posted.
Reacting to Finzer’s post, Chris Akhavan, chief business officer of NFT marketplace Magic Eden, suggested it was a victory for the wider cryptocurrency space. “While we are competitors in the trenches, we share a deep belief in NFTs and what they will enable,” Akhavan wrote.
The announcement led to an uptick in activity for the native token of NFT marketplace LooksRare. The token, LOOKS, saw a surge in active addresses shortly after the announcement that represents an “approximately fivefold increase compared to the usual figures,” according to data from TheTie.
The Bybit hacker, supposedly a North Korean entity, is now one of the world's largest ether holders, which may have bullish implications for the cryptocurrency's spot price.
According to data from Arkham Intelligence and Coinbase executive Connor Grogan, this malicious actor holds 489,000 ETH, valued at approximately $1.34 billion, constituting about 0.4% of ether's total supply, making it the 14th-largest Ether holder globally. That puts the hacker ahead of the Ethereum Foundation, Ethereum's CEO Vitalik Buterin and Fidelity.
It's important to note that the addresses linked to this entity are being closely monitored and blacklisted by exchanges, which means the hacker will likely struggle to offload these coins in the market.
In simpler terms, the hacked ether supply is likely lost permanently. Furthermore, Bybit, which has reportedly secured a bridge loan from unnamed partners to cover nearly 80% of the ether lost in the Friday hack, will likely need to purchase coins in the market.
"As far as this supply is concerned, it's essentially gone. No OTC desk or exchange will facilitate the movement of such a large amount. Meanwhile, Bybit is short 402k ETH. The bridge loan may cover immediate needs, but purchasing will still be necessary," Vance Spencer, co-founder of the crypto VC firm Framework Ventures, said on X.
That probably explains why ether has bounced 2.6% to $2,730 from the overnight low of around $2,614. Funding rates in perpetual futures tied to ether remain positive, implying a bias for long positions, according to data source Coingecko.
Crypto exchange Bitget has transferred 40,000 ether (ETH), worth $105 million, to Bybit, offering crucial support to its industry counterpart in the wake of the over billion-dollar hack suffered by the exchange.
The funds transferred are from Bitget's own reserves, not user deposits, which remain securely stored on the platform and can be cross checked through the proof of reserves, the exchange's CEO, Gracy Chen, said in a note shared with CoinDesk, while assuring more support if needed.
"At Bitget we strongly believe in supporting the community and everyone contributing towards the growth of crypto," Chen said.
A suspected North Korean entity drained approximately $1.4 billion in ether from Bybit on Friday. The hack prompted an unprecedented wave of withdrawal requests from users, with the exchange successfully processing 99% of them, effectively facing a significant market stress test.
Part of the stolen funds started to move during Asian afternoon hours on Saturday, with over 5,000 ETH moved through eXch mixer - a service that masks wallet addresses - before being sent to bridge protocol ChainFlip, where the stash was converted to bitcoin (BTC).
In an X post, ChainFlip said it couldn't block fund movements as it was a fully decentralized application that relies on automated smart contracts, but that it had "turned off some frontend services to stop the flow."
On the other hand, Bitget has blacklisted wallets tied to the hacker that drained ether worth millions from Bybit on Friday.
"We will block any transactions flowing in from illicit addresses to the exchange once it has been monitored. Our team of security, and researchers, are currently tracking these activities," Chen said.
Despite the hack, Bybit had managed to process over 350,000 withdrawal requests and has since restored normal withdrawal operations, per an X post.
CORRECTION (Feb. 22, 19:16 UTC): Reworks the story throughout to clarify and include more context of the so-called "rollback" and the criticism around it. Also removed the percentage of ETH held by hackers in 2016.
Arthur Hayes, co-founder of BitMEX and major ether (ETH) holder, asked Ethereum co-founder Vitalik Buterin if he would be willing to entertain the idea of rolling back the network to assist hacked exchange Bybit, which lost nearly $1.4 billion in ether (ETH) on Friday.
"@VitalikButerin will you advocate to roll back the chain to help @Bybit_Official," Hayes said in the social media post.
"My own view as a mega $ETH bag holder is $ETH stopped being money in 2016 after the DAO hack hardfork. If the community wanted to do it again, I would support it because we already voted no on immutability in 2016 [wh]y not do it again?" he added
Buterin was yet to reply as of time of publication.
While some, including Unchained's Laura Shin, wondered if Hayes's post was a joke, it did raise a serious question about whether rolling back is even feasible. CoinDesk reached out to Hayes about the post and hasn't received a comment at the time of writing.
"I wish we could roll back for the Bybit hack, I'm not against the idea. But the DAO hack was 15% of ETH with a clean recovery path. Today, a rollback would break bridges, stablecoins, L2s, RWAs and so much more. ETH ecosystem is just too interconnected now for a clean solution like 2016," said Gautham Santhosh, co-founder of Polynomial.fi.
The problem with "rollback"
Hayes' suggestion of rolling back the blockchain as a potential way to address the hack involves reverting the blockchain to a state before a specific event, in this case, the hack. That way, malicious transactions resulting from the hack can be erased, effectively restoring lost or stolen funds. Implementing a rollback requires consensus from the network participants.
For instance, in 2016, the Ethereum network saw a controversial revision of the network using a hard fork to reverse a theft of $60 million in ether from The DAO (the percentage the hackers took control of is still up for debate). The hard fork split the chain into two – Ethereum and Ethereum Classic.
However, the term "rollback" was never used during that revision; it was referred to as an “irregular state transition.” The move still triggered huge and important debates over so-called “immutability” in blockchains.
Immutability is a security feature that prevents data from being changed after it's added to the blockchain, making it trustworthy and tamper-proof.
A similar controversy played out in the Bitcoin community in 2019 when Binance's CEO Changpeng Zhao and his team considered pushing for a "rollback" approach on the Bitcoin network following a $40 million hack (CZ later rephrased the term as "re-org" and decided not to pursue the approach). However, the Bitcoin mining community criticized the idea as going against the principle of decentralization and immutability.
Similarly, the Ethereum community criticized the idea of "rollback" in this case, noting that the idea wouldn't even have been considered by the community.
Theoretically, an actual "rollback" won't be possible on Ethereum, as the network uses something called "accounts" to store the ether, which are analogous to bank accounts. When the 2016 hack occurred, the nodes upgraded to new software, and the ETH held was moved to new addresses.
However, the idea of reversing a transaction in light of a hack isn't a new one; at least one smaller blockchain network, Vericoin, actually executed such a procedure previously.
The Bybit hack came to light on Friday when on-chain sleuth ZachXBT noted suspicious outflows of over $1.4 billion from the exchange, with the attacker quickly swapping mETH and stETH for ether through a decentralized exchange.
The hackers were later identified by ZachXBT as the North Korean Lazarus Group.
The attacker then split 10,000 ETH to 39 different addresses and another 10,000 ETH to nine addresses, Polynomial.fi's Santhosh said on X.
Bybit CEO Ben Zhou said that the hacker "took control of the specific ETH cold wallet and transferred all the ETH in the cold wallet to this unidentified address." Zhou confirmed that the exchange "is solvent even if this hack loss is not recovered."
Margaux Nijkerk contributed to the revised story.
Bybit CEO Ben Zhou said Thursday that his exchange will not list the Pi Network's PI token, which was controversially released on Thursday, citing a Chinese police warning from 2023 that alleged the project was a scam targeting elderly people, leaking their personal information and leading to the loss of their pensions.
"There are multiple other reports out there questioning the project legitimacy," Zhou posted on X. "Yes, I still think you are a scam, and no, Bybit will not list scam."
The Pi Network didn't respond to CoinDesk's request for comments.
The token went live alongside the project's mainnet release on Thursday. Users who "mined" tokens by clicking their smartphone screens once a day were finally able to transfer and sell tokens.
Zhou, however, found himself in the middle of a separate issue on Friday, when his exchange, Bybit, was hacked by North Korea's Lazarus Group for $1.5 billion.
The PI token debuted on OKX at $0.67, rose as high as $2 and then slumped 65% and is currently around $0.69.
One issue that raised concerns was a marketing tactic that rewarded users who recruited other users. Each time a user persuaded someone else to sign up using their code, the first person's "mining" rewards were increased. The idea had some drawing comparisons to the 2017 Ponzi scheme, Bitconnect.
"Pi Network is the biggest ponzi [scheme]," X user CryptoBeast alleged, posting to their 656K followers.
The project also offers users the option of locking their tokens for as long as three years. In return, they are promised increased rewards. The same technique was at the heart of the Hex project, whose founder, Richard Schueler, known online as Richard Heart, is a fugitive sought by the U.S. Securities and Exchange Commission (SEC) for, among other things, defrauding his investors.
The token has a market cap of $4.18 billion based on a circulating supply of $6.33 billion. However, its inflationary nature means the maximum supply is 100 billion, giving a fully diluted value (FDV) at a staggering $67 billion, assuming it holds the current price. At launch, FDV rose as high as $200 billion, almost double that of Solana.
Some exchanges have been undeterred by the concerns raised. OKX, Bitget and Gate have racked up a total of $620 million in trading volume for PI trading pairs between them, according to CoinMarketCap.
Blockchain analytics firm Arkham Intelligence said North Korea's Lazarus Group was behind Bybit's $1.46 billion hack.
In an earlier post on social media platform X, Arkham offered a bounty of 50,000 ARKM tokens for anyone who could identify the attackers for Friday's hack. Later, the platform said onchain sleuth ZachXBT submitted "definitive proof" that the attackers were the North Korean hacker group.
"His submission included a detailed analysis of test transactions and connected wallets used ahead of the exploit, as well as multiple forensics graphs and timing analyses," the post said.
The hack that rocked the crypto market and saw most prices tumbling was called the "largest crypto theft of all time, by some margin," by Elliptic's Tom Robinson, co-founder and chief scientist. "The next largest crypto theft would be the $611 million stolen from Poly Network in 2021. In fact it may even be the largest single theft of all time."
Blockchain data provider Nansen told CoinDesk that the attackers first withdrew nearly $1.5 billion worth of funds from the exchange into a main wallet and then spread the funds across several others.
"Initially, the stolen funds were transferred to a primary wallet, which then distributed them across more than 40 wallets," Nansen said. "The attackers converted all stETH, cmETH, and mETH to ETH before systematically transferring ETH in $27 million increments to over 10 additional wallets," Nansen said.
The attack appeared to have been caused by something called "Blind Signing," where a smart contract transaction is approved without the comprehensive knowledge of its contents.
"This attack vector is quickly becoming the favorite form of cyber attack used by advanced threat actors, including North Korea," said blockchain security firm Blockaid's CEO Ido Ben Natan. "It’s the same type of attack that was used in the Radiant Capital breach and the WazirX incident."
"The problem is that even with the best key management solutions, today most of the signing process is delegated to software interfaces that interact with dApps. This creates a critical vulnerability — it opens the door for malicious manipulation of the signing process, which is exactly what happened in this attack," he said.
Bybit CEO Ben Zhou wrote earlier on X that a hacker "took control of the specific ETH cold wallet and transferred all the ETH in the cold wallet to this unidentified address." He also confirmed that the exchange "is solvent even if this hack loss is not recovered."
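The "blind signing" risk described above comes down to a signer approving bytes they have not decoded. As an added illustration (not code from the article, Bybit, Safe or Blockaid), the Python below decodes standard ERC-20 calldata independently of the signing interface and reports any difference from what that interface displayed. The `Displayed` record, the `review` function and all addresses and calldata are constructed for this example, and it covers only the three standard ERC-20 calls shown.

```python
from dataclasses import dataclass

# Well-known 4-byte selectors of the standard ERC-20 functions.
SELECTORS = {
    "a9059cbb": ("transfer", ("address", "uint256")),
    "095ea7b3": ("approve", ("address", "uint256")),
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),
}

@dataclass
class Displayed:
    """What the signing interface claims the transaction does (hypothetical)."""
    function: str
    recipient: str
    amount: int

def decode_calldata(data_hex):
    """Decode calldata without trusting the interface; raise if it is opaque."""
    raw = bytes.fromhex(data_hex.removeprefix("0x"))
    selector = raw[:4].hex()
    if len(raw) < 4 or selector not in SELECTORS:
        raise ValueError(f"unknown selector {selector!r}, contents not reviewable")
    name, types = SELECTORS[selector]
    body = raw[4:]
    if len(body) != 32 * len(types):
        raise ValueError("argument data has unexpected length")
    args = []
    for i, kind in enumerate(types):
        chunk = body[32 * i:32 * (i + 1)]
        if kind == "address":
            if any(chunk[:12]):  # upper 12 bytes of an address word must be zero
                raise ValueError("non-zero padding in address argument")
            args.append("0x" + chunk[12:].hex())
        else:
            args.append(int.from_bytes(chunk, "big"))
    return name, args

def review(displayed, data_hex):
    """Return a list of findings; an empty list means display and bytes agree."""
    try:
        name, args = decode_calldata(data_hex)
    except ValueError as exc:
        return [f"cannot decode: {exc}"]
    findings = []
    if name != displayed.function:
        findings.append(f"function mismatch: shown {displayed.function}, bytes say {name}")
    # In all three calls the last two arguments are (recipient or spender, amount).
    recipient, amount = args[-2], args[-1]
    if recipient.lower() != displayed.recipient.lower():
        findings.append(f"recipient mismatch: shown {displayed.recipient}, bytes say {recipient}")
    if amount != displayed.amount:
        findings.append(f"amount mismatch: shown {displayed.amount}, bytes say {amount}")
    return findings

def word(hex_value):
    """Left-pad a hex string to one 32-byte ABI word."""
    return hex_value.rjust(64, "0")

# Constructed sample data: placeholder addresses, not real wallets.
ADDR_SHOWN = "0x" + "11" * 20
ADDR_OTHER = "0x" + "22" * 20
SAMPLE_MATCHING = "0xa9059cbb" + word("11" * 20) + word(format(1000, "x"))
SAMPLE_SWAPPED = "0xa9059cbb" + word("22" * 20) + word(format(1000, "x"))
SAMPLE_OPAQUE = "0xdeadbeef" + word("11" * 20)

if __name__ == "__main__":
    shown = Displayed("transfer", ADDR_SHOWN, 1000)
    for label, data in [("matching", SAMPLE_MATCHING),
                        ("swapped", SAMPLE_SWAPPED),
                        ("opaque", SAMPLE_OPAQUE)]:
        print(label, review(shown, data) or "display matches bytes")
```
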
Oliver Knight contributed to the reporting of this story.