The Bybit Hack: When 1.5B in ETH Became a Human-Centric Liquidity Crisis
Hook
The first signal hit my Telegram at 3:17 AM Mexico City time. A wallet labeled “Bybit Cold” was bleeding ETH like a papercut that became a severed artery. 401,347 ETH—roughly $1.5 billion at current prices—drained in under 30 minutes. Hackers don’t hack, they listen. They listened to the silence of a safe multisig execution, then they moved. By the time I had my third cup of coffee, the entire DeFi ecosystem was in a state of shock not because of the dollar amount, but because of the liquidity footprint this left on every Curve pool, every Lending market, every LP that touched ETH. This wasn't just a hack. It was a stress test on the human layer of Ethereum's liquidity backbone.
Context
Bybit isn’t just another exchange—it’s the second largest derivatives platform by volume, processing over $36 billion daily. Its cold wallet, a multisig setup managed by a trusted third-party custody provider, was supposed to be the gold standard for security. The exploit chain: a compromised UI in the Safe (formerly Gnosis Safe) interface allowed the attacker to sign a malicious transaction disguised as a routine funds transfer. No code exploit, no smart contract bug—just a social engineering hit on the human end of the transaction signing process. This is the same vector that hit Radiant and Curve last year, but scaled to exchange-level balance sheets.
The immediate aftermath: Bybit paused withdrawals, which triggered a wave of FUD across CEXs. The price of ETH dropped 8% in 40 minutes. But the real story wasn't the spot price—it was the cascade of liquidations on protocols like Aave, Compound, and Morpho that relied on Bybit’s liquidity provisioning. Over $320 million in ETH-based loans were at risk of being called if the price continued its slide. The market made a quick recovery after Binance and other exchanges stepped in to provide liquidity backstops, but the scar tissue remains.
Core
Let me lay out the numbers that matter, not the ones that make headlines. The hack drained 401,347 ETH. But Bybit’s total assets under management (AUM) were around $20 billion. So the loss was ~7.5% of their book. Manageable, yes. But here’s the kicker: Bybit’s liquidity reserves were heavily concentrated in ETH—over 40% of their reserves. This means the hack didn't just remove ETH from their balance sheet; it removed their highest-liquidity buffer. In a crisis, that buffer is what prevents a bank run. And a bank run is what almost happened.
Let’s talk about the leveraged positions. Bybit runs a massive leveraged trading operation—up to 100x on some pairs. Their risk engine had to unwind millions in liquidated positions as the price dropped. The data shows that within the first hour, over 18,000 traders on Bybit were liquidated, with total liquidations topping $480 million. That’s the human cost—retail traders who woke up to zero-balance accounts because a hacker moved faster than a multisig signer.
But the technical story gets weirder. The attacker didn't just hold the ETH—they started depositing it into Tornado Cash and then into new addresses. But here’s the part that caught my attention: they also used the stolen ETH to mint $14 million in sUSDe on the Bybit platform itself. That’s right—they used the exchange’s own liquidity to create a yield-bearing position. It’s like a bank robber taking your cash and buying a CD in the same bank. This tells me the attacker had a sophisticated on-chain strategy, not just a dump-and-run approach.
Contrarian
Everyone is blaming the Safe UI, the custody provider, the exchange’s security protocols. And sure, there’s blame to go around. But here’s the contrarian angle nobody’s talking about: the hack itself is a validation of the thesis that centralized custody is the bottleneck to DeFi security. Bybit used a multisig—a system designed to distribute trust. But a single compromised UI broke the chain. The real vulnerability wasn’t the code, it was the human process of “trusting the interface.”
What if we looked at this as the ultimate argument for on-chain settlement? If Bybit had settled their derivative trades fully on-chain using a DA layer with minimal trust assumptions, the attacker would have had to exploit the rollup itself, not a UI. But the DA layer is overhyped—99% of rollups don’t generate enough data to need dedicated DA. Yet here we are, watching a $1.5B hack that was entirely avoidable if the exchange had used an on-chain order book with decentralized custody.
And then there’s the human angle we in crypto hate to admit: the retail users who lost everything are the same ones who laughed at “bank runs.” They trusted Bybit because it was “the done thing.” The merge wasn’t about staking—it was about trust. And trust is a mechanical process that failed at the human layer. The real blind spot isn’t the hack but the normalization of risk in centralized exchange liquidity.
Takeaway
Watch for the regulatory response—not from the US or the EU, but from Singapore and Hong Kong, where Bybit is headquartered. They’ll demand proof-of-reserves that include real-time on-chain attestations. And watch the liquidity providers on Curve—the recovery was fast, but the next time, it might not be. The question I keep coming back to: if a $1.5B theft can be executed with a fake UI transaction, what happens when the UI is a fake version of your wallet app?
Block time: zero. Panic: one hundred. But the real clock is ticking on centralized custody’s expiration date.