Bybit Hack: The importance of scalable blockchain analytics and market data

Bybit Hack: The Catalyst for Scaling Crypto Monitoring Operations.

Friday, February 21st, 2025 saw crypto exchange Bybit experience a security breach resulting in the theft of approximately $1.4 billion in Ethereum tokens. Widely touted as the largest heist ever in the crypto and financial industry, the attackers exploited a vulnerability during a routine transfer from Bybit’s cold wallet to a warm wallet, successfully siphoning funds to a range of unknown addresses.

This activity was quickly attributed to North Korea’s Lazarus Group, an OFAC-sanctioned entity known for large-scale cyber crimes in crypto and beyond. But how can you identify the wallets and fund flows involved in a wallet hack? How do you differentiate between valid data points and the noise? This is where traditional blockchain analytics tools can help.

These tools offer a systematic and comprehensive database of illicit actors, and experts using them can often identify the culprit behind a hack, but the process can be cumbersome and time-consuming. This is particularly problematic because the excess of intelligence typically impedes the overall objective: acting fast to find the funds’ destination and working to freeze the flows. This challenge is exacerbated further by:

  • Rigid user interfaces that require proprietary platform knowledge

  • Inefficient workflows that force the navigation of complex graphs of wallets and transactions

  • Commercial models that charge for each additional connection plotted on a graph

Combined, these drawbacks create a meticulous, time-consuming, and costly process that is prone to mistakes and oversights.

To tackle these challenges, we developed an alternative approach to blockchain analytics that eliminates the user interface and gives you direct access to comprehensive on-chain data, effectively “handing over the keys” to the blockchain. This allows you to scale your investigations and monitoring operations, enabling fast fund tracing, custom investigations, and unlimited counterparty identification—capabilities. 

By taking this approach, we unlock a range of benefits when compared to interface-based and pre-parametrized blockchain analytics alternatives. 

Only TRACE what matters to you.

When working with large datasets, targeted filtering is key to finding critical insights, and this is particularly true when it comes to exploring the blockchain. You need to be able to home in on the flows that really matter, based on your specific investigation criteria. For instance, you may want to focus only on transfers and wallets that exceed a specific value, so that the returned data only shows flows exceeding $10,000 or associated wallets with a balance of over $100,000. This helps weed out the $3 transactions that can often clog up an investigation UI.

The table below provides another example of filtering, showing a list of wallets that received funds related to the Bybit hack, sorted by amount in USD. These wallets can be directly or indirectly identified as owned by the Bybit hacker or as used to obscure the trail of the 1.4bn in stolen funds. This helps law enforcement agencies, regulators, and exchanges prioritize which wallets to blacklist and monitor in real-time.

* Only part of the wallets involved in the Bybit hack is shown here, as the full list is too long to display.

As seen in the Bybit hack, the list of prioritized target wallets must be continuously updated in real-time. With a UI-free approach, this ambition is easy to achieve. You can simply generate a blacklist from your criteria, then set a script that updates the list in real-time on the back of your query, allowing you to keep pace with the hacker via a single API call. This critical visibility ensures that when the funds move, you’re not stuck with a static out-of-date list or trying to navigate unnecessary graphs or UI steps to keep up.  

INVESTIGATE IN NATIVE TOKEN UNITS AND IN USD.

Many traditional blockchain analytics tools convert cryptoassets to their USD equivalent when tracing stolen funds. This is problematic because USD values fluctuate significantly, which obscures the true movement of funds and makes it difficult to tally fund flows accurately.

With our Blockchain Monitoring solution, investigators track and reconcile stolen assets in both USD and the original token units, ensuring an accurate tally of where the funds have gone.

As shown below, the 401,347 ETH stolen from Bybit were split into 10,000 ETH batches, whose USD value changes over time. With token-unit data available in addition to USD, users can say directly that 10,000 ETH has been located, not the USD equivalent of 10,000 ETH.
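The filtering and dual-unit tally described in the two sections above can be sketched as follows. This is an added example, not Kaiko's API or code: the in-memory transfer list stands in for query results, and the addresses, prices and the `build_watchlist` name are constructed placeholders.

```python
from decimal import Decimal as D

# Constructed sample data, in chain order: (sender, recipient, ETH amount,
# ETH/USD price at that block). Addresses and prices are placeholders.
TRANSFERS = [
    ("0xSEED", "0xA", D("10000"), D("2700")),
    ("0xSEED", "0xB", D("10000"), D("2650")),
    ("0xSEED", "0xDUST", D("0.001"), D("2650")),  # about $3 of noise
    ("0xA", "0xC", D("6000"), D("2500")),
    ("0xX", "0xY", D("500"), D("2500")),          # unrelated to the seed
    ("0xDUST", "0xZ", D("50"), D("2500")),        # sender was filtered out
    ("0xB", "0xC", D("4000"), D("2400")),
]


def build_watchlist(transfers, seeds, min_usd=D("10000")):
    """Follow funds forward from the seed wallets, one pass in chain order.

    A transfer is followed when its sender is already traced and its USD
    value at transfer time meets min_usd. Returns one row per receiving
    wallet, sorted by USD received, with amounts kept in ETH as well.
    """
    traced = set(seeds)
    rows = {}
    for sender, recipient, eth, price in transfers:
        usd = eth * price
        if sender not in traced or usd < min_usd:
            continue
        traced.add(recipient)
        row = rows.setdefault(
            recipient, {"wallet": recipient, "received_eth": D(0),
                        "received_usd": D(0), "held_eth": D(0)})
        row["received_eth"] += eth
        row["received_usd"] += usd
        row["held_eth"] += eth
        if sender in rows:                 # funds moved on: debit the sender
            rows[sender]["held_eth"] -= eth
    return sorted(rows.values(), key=lambda r: r["received_usd"], reverse=True)


if __name__ == "__main__":
    for r in build_watchlist(TRANSFERS, {"0xSEED"}):
        print(r["wallet"], r["received_eth"], "ETH", r["received_usd"], "USD",
              "still held:", r["held_eth"], "ETH")
```

All three traced wallets received exactly 10,000 ETH, yet their USD totals differ because the price moved between transfers; the `held_eth` column still sums to the 20,000 ETH that left the seed wallet in followed transfers, which is the reconciliation that USD figures alone cannot give.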

UNPARALLELED FLEXIBILITY AND INTEGRATION.

When you work in a proprietary platform, your investigation efficiency is always at risk of compatibility issues. Moving data from one location to another can often create data gaps or formatting errors, adding further complexity to an already complicated process. In addition, many traditional blockchain analytics tools restrict the parameters of what you can export, sometimes limiting you to sharing a single graph, rather than the critical data behind it. 

With a data-first API-led approach you can eliminate these issues. Our Blockchain Monitoring solution gives you the complete autonomy you need to manipulate the raw data without the constraints or limitations of a user interface. You can take all the data from your investigation and put it exactly where you need, when you need it, integrating it seamlessly into your workflows and systems. This helps you enhance your efficiency and monitoring frameworks without overhauling established processes, ultimately enabling you to create robust alerting systems.

CAPTURING ALPHA AHEAD OF MARKET IMPACT.

As is often the case in financial markets, the Bybit hack affected not only Bybit itself but also had significant ripple effects on the broader crypto market. In particular, it triggered a sell-off in ETH markets, as the hack occurred on the Ethereum blockchain. In addition to that overall market effect, our research showed that there was a significant delay between the moment the hack happened on-chain and the market’s response.

As shown above, in the immediate aftermath of the hack, an influencer suggested at around 14:30 that something was awry, which led to a brief flurry of trading activity. However, it wasn’t until the official statement from Bybit’s CEO 90 minutes later that we saw a substantial increase in trading activity and a notable contraction in market depth on Bybit.

This lag in response highlights a critical window of opportunity for crypto market participants across the board. Institutional investors leveraging our Level 1 and Level 2 Data were able to see each and every trade taking place on Bybit, read the warning signs, and quickly move their trading activity elsewhere or simply switch their ETH to safe havens like stablecoins, reducing the risk of price slippage and unfavorably executed trades.

These users were also able to monitor the market depth (Level 2 aggregations) and execute trades under more favorable conditions (deeper markets) before the announcement. After Bybit’s CEO officially disclosed the hack, liquidity dropped to half its previous level, making trading less favorable.

Supporting investigators & market participants with data.

The Bybit hack revealed the need for scalable solutions in fund-tracking investigations and in exchanges’ monitoring of crypto wallet holdings. Exchanges must be able to identify issues in real-time without relying on X influencers for information. Similarly, crypto market participants, such as market makers and traders, need these solutions to stay ahead of the market and remain proactive.

By providing unparalleled access to on-chain data and real-time market insights, we ensure that both investigators and market participants are equipped to navigate the complexities of the cryptocurrency landscape with confidence.

Our flexible API-first blockchain monitoring solution is designed to integrate into your existing workflows and systems seamlessly, providing you with an instant upgrade on your investigation capabilities. This presents a low-risk, high-gain proposition to your organization and unlocks significant opportunities to improve the efficiency, flexibility, and accuracy of your investigations. 

To learn more about how our data-led approach can support your strategy, book a demo with our expert team today.

Solutions enabling teams to scale blockchain and market monitoring operations

  • Level 1 & Level 2 Data

    Since 2014, we have provided comprehensive cryptocurrency market data, offering global insights across spot and derivatives markets. Our Level 1 and 2 data covers trading activity, order books, and liquidity insights for both centralized and decentralized markets.

  • Blockchain Monitoring

    Kaiko Blockchain Monitoring helps prevent financial crime with one solution for screening, monitoring, and surveillance, with configurable alerting and full historical data access. Gain comprehensive monitoring of blockchain transactions and wallets, plus insights into token supply, decentralization metrics, and protocol interactions.
