Bybit has returned to a 1:1 backing of client assets and has fully closed the “ether gap” it faced after an unprecedented $1.4 billion hack hit the exchange late Friday.

The exchange has received 446,870 ether (ETH), worth $1.23 billion at current prices, through loans, large deposits, and ether purchases in the past two days, on-chain tracking service Lookonchain said in an X post on Monday.

Address activity suggests more than $400 million were purchased through over-the-counter trading, with another $300 million brought directly from exchanges. Nearly $300 million were sought as loans; the rest are from addresses apparently belonging to crypto funds.

ETH prices rose upto 4% over the weekend amid the apparent buying activity, but are down 2% in the past 24 hours as sentiment isn’t fully lifted.

Meanwhile, Bybit said late Sunday that all deposit and withdrawal activity had “fully recovered to normal levels — with total deposits “slightly exceeding” withdrawals as on Saturday in a sign of market confidence.

Friday’s attack targeted one of Bybit’s offline “cold” wallets, which are typically considered secure due to their lack of internet connectivity, in a heist that allowed $1.4 billion in ETH to be withdrawn.

Hackers gained control by exploiting a sophisticated method involving a manipulated user interface (UI) and URL. This allowed the attackers to alter the smart contract logic, redirecting the funds to an unidentified address. The stolen assets were then split across multiple wallets and swapped on decentralized exchanges.

Blockchain sleuth ZachXBT linked the hack to North Korea’s Lazarus Group, a state-sponsored hacking collective notorious for crypto thefts. Lazarus was behind several high-profile crypto attacks, including the $600 million Ronin Network hack in 2022, and a $230 million drain on Indian exchange WazirX in 2024.

On Friday, cryptocurrency exchange Bybit was allegedly hacked by North Korea’s Lazarus group, which drained nearly $1.4 billion in ether (ETH) from the exchange.

Following the hack, Arthur Hayes, BitMEX co-founder and claiming to be a major ether (ETH) holder, wrote a post on X to Ethereum co-founder Vitalik Buterin on whether he will “advocate to roll back the chain to help @Bybit_Official.” Meanwhile, in an X spaces session, Bybit’s CEO Ben Zhou revealed that his team had also reached out to the Ethereum Foundation to see if it was something the network would consider, noting that such a decision should be based on what the network’s community wants.

Hayes’s post immediately provoked a fierce reaction from the Ethereum community, which was firm in its belief that it wouldn’t happen. Some even questioned whether the BitMEX founder was joking. CoinDesk reached out to Hayes over X to clarify his comments.

Ethereum members, like the core developer teams, are vastly against “rolling back” the network because it would override core elements of decentralization. If Buterin decided on his own that it would happen, then that would be seen as the end of Ethereum’s ethos, which heavily involves various developer teams and other community members when it comes to the health and state of the blockchain.

“Rolling back the chain would give ETH no purpose. What’s the point if you can just change rules,” said user @the_weso in a post on X.

Some outside the Ethereum community pointed to the 2016 DAO hack as an example when $60 million in ETH was stolen. The network went forward with a hard fork, splitting the old network into two, and the new chain continued on as Ethereum.

That hard fork was not a “rollback,” though; it was known as an “irregular state transition.” Ethereum technically can’t “roll back” the network because it relies on an account model, where accounts hold users’ ETH.

At the time of the hack, developers upgraded their nodes to a new client or software. Those who didn’t upgrade their nodes were still on the old chain, which became known as Ethereum Classic.

When the nodes upgraded to the new software, the stolen ETH could move from one Ethereum account address to the next.

“The ‘irregular state change’ that they implemented at the time of the DAO hard fork was this: they airlifted all the ETH in the DAO smart contracts out to a refund contract that would send you 1 ETH for every 100 DAO tokens you sent in,” wrote Laura Shin of Unchained in a post on X.

Read more: Arthur Hayes Floats the Idea of Rolling Back Ethereum Network to Negate $1.4B Bybit Hack, Drawing Community Ire

Major cryptocurrency exchange Bybit has seen total outflows of over $5.5 billion after it suffered a near $1.5 billion hack that saw hackers, believed to be from North Korea’s Lazarus Group, drain its ether cold wallet.

The total assets tracked on wallets associated with the exchange plunged from around $16.9 billion to $11.2 billion at the time of writing, according to data from DeFiLlama. The exchange is now looking to understand exactly what happened.

In an X spaces session, Bybit’s CEO Ben Zhou revealed that shortly after the incident, he called for “all hands on deck” to serve their clients with processing withdrawals and responding to inquiries about what was going on.

During the session, Zhou revealed that the security breach saw the hackers make off with roughly 70% of their clients’ ether, which meant that Bybit needed to quickly secure a loan to be able to process withdrawals. Yet, Zhou found that ether wasn’t the most withdrawn token, with most users instead withdrawing stablecoin from Bybit.

The exchange, Zhou noted, has reserves to cover these withdrawals, but the crisis deepened as, in response to the incident, Safe moved to temporarily shut down its smart wallet functionalities to “ensure absolute confidence in our platform’s security.”

Safe is a decentralized custody protocol providing smart contract wallets for digital asset management. Some exchanges integrated Safe, which allows users to maintain custody of their funds and has multisig functionality to enhance the security of their cold wallets.

While the exchange had reserves to back up users’ withdrawals, $3 billion worth of USDT was in a Safe wallet that had just been shut down as the wallet moved to understand the situation, according to Zhou.

On social media, Safe said that while it had «not found evidence that the official Safe frontend was compromised,» it was temporarily shutting down «certain functionalities» out of caution.

While Zhou and Bybit’s team were figuring out how to securely withdraw their $3 billion, withdrawals were mounting. Within two hours of the security breach, the exchange was facing requests to move over $100,000 off its platform, Zhou revealed.

Responding to the situation, Zhou told his security team to engage Safe to “find a better way to get this money out.” The team ended up developing new software with code “based on Etherscan” to verify the signatures “on a very manual level” to move the stablecoins back to their wallet and cover the withdrawal surge.

The exchange’s team had to remain up all night to be able to fulfill withdrawals, according to Zhou. As the exchange managed to move the $3 billion in stablecoin reserves, it was facing a bank run of “about 50%” of all the funds within the exchange.

Zhou said that since the incident, the exchange has moved a significant amount of funds off of Safe cold wallets and is now determining what system it will use to replace Safe.

Pushing to «Roll Back» Ethereum Was not Off the Table

Since the security breach, Bybit has engaged authorities. During the session, Zhou said that the Singaporean authorities took the issue “very seriously” and that he believes it has already been escalated with Interpol.

Blockchain analysis firms, including Chainalysis, were engaged. Zhou said, “As long as Bybit is there and continues to track [the stolen ether], I hope we can get these funds back.”

Notably, he revealed that pushing to «roll back» the Ethereum blockchain, which was suggested by some industry players on social media, including BitMEX co-founder Arthur Hayes, had been on the table for some time if the community agreed with it.

“I had my team talking to Vitalik and the Ethereum Foundation to see if there’s any recommendations they can offer to help. I do really thank all these guys on Twitter asking if there is a possibility to roll back the chain. I’m not sure what was the response on their side, but anything that would help we would try,” Zhou said.

When asked if «rolling back» the chain is even possible, Zhou responded he doesn’t know. “I’m not sure it’s a one-man decision based on the spirit of blockchain. It should be a work in process to see what the community wants,” he said.

It’s worth noting that a blockchain «rollback» refers to a state change that would allow for the funds to be recovered. While rolling back the Bitcoin blockchain is technically possible, such a state change on Ethereum would be more complex, given its smart contract interactions and state-based architecture.

Nevertheless, any state change would require consensus and likely lead to a contentious hard fork, drawing criticism from the community. This would likely split the Ethereum blockchain into two networks, each with its own supporters.

As for what exactly caused the hack to occur, is still unclear. Per Zhou, Bybit’s laptops have not been compromised. He said the movements of the transaction’s signers have been scrutinized but appear to have been routine.

“We know the cause is definitely around the Safe cold wallet. Whether it’s a problem with our laptops or on Safe’s side, we don’t know.,” Zhou added.