Major cryptocurrency exchange Bybit has seen total outflows of over $5.5 billion after it suffered a near $1.5 billion hack that saw hackers, believed to be from North Korea’s Lazarus Group, drain its ether cold wallet.

The total assets tracked on wallets associated with the exchange plunged from around $16.9 billion to $11.2 billion at the time of writing, according to data from DeFiLlama. The exchange is now looking to understand exactly what happened.

In an X spaces session, Bybit’s CEO Ben Zhou revealed that shortly after the incident, he called for “all hands on deck” to serve their clients with processing withdrawals and responding to inquiries about what was going on.

During the session, Zhou revealed that the security breach saw the hackers make off with roughly 70% of their clients’ ether, which meant that Bybit needed to quickly secure a loan to be able to process withdrawals. Yet, Zhou found that ether wasn’t the most withdrawn token, with most users instead withdrawing stablecoin from Bybit.

The exchange, Zhou noted, has reserves to cover these withdrawals, but the crisis deepened as, in response to the incident, Safe moved to temporarily shut down its smart wallet functionalities to “ensure absolute confidence in our platform’s security.”

Safe is a decentralized custody protocol providing smart contract wallets for digital asset management. Some exchanges integrated Safe, which allows users to maintain custody of their funds and has multisig functionality to enhance the security of their cold wallets.

While the exchange had reserves to back up users’ withdrawals, $3 billion worth of USDT was in a Safe wallet that had just been shut down as the wallet moved to understand the situation, according to Zhou.

On social media, Safe said that while it had «not found evidence that the official Safe frontend was compromised,» it was temporarily shutting down «certain functionalities» out of caution.

While Zhou and Bybit’s team were figuring out how to securely withdraw their $3 billion, withdrawals were mounting. Within two hours of the security breach, the exchange was facing requests to move over $100,000 off its platform, Zhou revealed.

Responding to the situation, Zhou told his security team to engage Safe to “find a better way to get this money out.” The team ended up developing new software with code “based on Etherscan” to verify the signatures “on a very manual level” to move the stablecoins back to their wallet and cover the withdrawal surge.

The exchange’s team had to remain up all night to be able to fulfill withdrawals, according to Zhou. As the exchange managed to move the $3 billion in stablecoin reserves, it was facing a bank run of “about 50%” of all the funds within the exchange.

Zhou said that since the incident, the exchange has moved a significant amount of funds off of Safe cold wallets and is now determining what system it will use to replace Safe.

Pushing to «Roll Back» Ethereum Was not Off the Table

Since the security breach, Bybit has engaged authorities. During the session, Zhou said that the Singaporean authorities took the issue “very seriously” and that he believes it has already been escalated with Interpol.

Blockchain analysis firms, including Chainalysis, were engaged. Zhou said, “As long as Bybit is there and continues to track [the stolen ether], I hope we can get these funds back.”

Notably, he revealed that pushing to «roll back» the Ethereum blockchain, which was suggested by some industry players on social media, including BitMEX co-founder Arthur Hayes, had been on the table for some time if the community agreed with it.

“I had my team talking to Vitalik and the Ethereum Foundation to see if there’s any recommendations they can offer to help. I do really thank all these guys on Twitter asking if there is a possibility to roll back the chain. I’m not sure what was the response on their side, but anything that would help we would try,” Zhou said.

When asked if «rolling back» the chain is even possible, Zhou responded he doesn’t know. “I’m not sure it’s a one-man decision based on the spirit of blockchain. It should be a work in process to see what the community wants,” he said.

It’s worth noting that a blockchain «rollback» refers to a state change that would allow for the funds to be recovered. While rolling back the Bitcoin blockchain is technically possible, such a state change on Ethereum would be more complex, given its smart contract interactions and state-based architecture.

Nevertheless, any state change would require consensus and likely lead to a contentious hard fork, drawing criticism from the community. This would likely split the Ethereum blockchain into two networks, each with its own supporters.

As for what exactly caused the hack to occur, is still unclear. Per Zhou, Bybit’s laptops have not been compromised. He said the movements of the transaction’s signers have been scrutinized but appear to have been routine.

“We know the cause is definitely around the Safe cold wallet. Whether it’s a problem with our laptops or on Safe’s side, we don’t know.,” Zhou added.

A vast majority of Latin American cryptocurrency users—95%—plan to expand their holdings in 2025, according to a Binance Research survey of more than 10,000 investors in Argentina, Brazil, Colombia, and Mexico.

The findings show that 40.1% of respondents are expecting to buy more crypto within the next three months, 15.3% are looking to do so in the next six months, and 39.7% within 12 months. Only 4.9% have no plans to keep on investing this year.

Latin America led the world in crypto adoption in 2024, growing by 116%, according to research from payments firm Triple-A quoted in the report. The region now has 55 million cryptocurrency users, making up nearly 10% of total cryptocurrency users.

This rapid expansion has been fueled by rising asset prices, regulatory advancements, and new financial products like spot bitcoin exchange-traded funds (ETFs). Brazil has just last week become the first country to approve a spot XRP ETF.

Market performance has also bolstered investor confidence. «Latin America is a rapidly expanding region for the crypto sector, and the results of this research reinforce what we have observed in our operations,” Binance’s regional VP for Latin America, Guilherme Nazar, said.

Binance’s research shows that half of those inquired already use cryptocurrencies for over a year, with most entering the space expecting significant returns and searching for financial freedom.

Portfolio diversification, privacy, and protecting their money were also quoted as motives to invest in the space.
Read more: How a $115M Crypto Fund With Big Ambitions Plans to Invest In Latin America

The price of the world’s second-largest cryptocurrency, ether (ETH), has risen by more than 2.3% in the last 24 hours, while the broader CoinDesk 20 Index has risen by just 0.76% during the same period. Bitcoin is down around 0.3%.

The rise comes amid reports that Bybit, the cryptocurrency exchange that was hacked for $1.5 billion worth of ether and staked ether by North Korean hacking group Lazarus, has moved 100 million USDT into new addresses and moved half of that into addresses to purchase 36,900 ETH over-the-counter.

The funds, worth around $101 million, were then moved to addresses tagged as belonging to the cryptocurrency exchange, crypto journalist Colin Wu reported, citing, Arkham Intelligence data.

Bybit’s CEO Ben Zhou reportedly said in an “ask me anything” session that the company’s assets are “far greater than $1.5 billion,” adding that “there is a cold wallet in safe with nearly 3 billion US dollars in USDT,” according to the same source.

Bybit’s hacker is now holdings an estimated 489,000 ETH valued at approximately $1.34 billion, around 0.4% of ether’s total supply, which makes it the 14th-largest holder of the cryptocurrency.

The addresses associated with the hacker are now closely monitored in the space and are blacklisted by major cryptocurrency exchanges.

“The stolen funds have already been marked, making it extremely difficult for the hacker to use them. Any attempt to transfer these funds to a major exchange would result in an immediate block,” StealthEX CEO Maria Carola told CoinDesk.

Since the hacker may not be able to use the funds in any way, some analysts are suggesting that the 0.4% of the ETH supply it holds is “essentially gone.”