The Largest CEX Hack in History: How Liquid Staking Tokens Became Prime Targets

The crypto industry has witnessed its biggest hack ever. ByBit, the second-largest centralized exchange (CEX) by trading volume, has been struck by a security exploit resulting in the loss of $1.5 billion worth of ETH. This hack, attributed to North Korea's Lazarus Group, surpasses all previous records—140% larger than the infamous $625 million Ronin Bridge exploit.

As the dust settles, we explore what went wrong, why it matters, and how the crypto world can recover.

What Exactly Happened?

In a statement, Zhou, a representative from ByBit, said:

"This hacker took control of a specific ETH cold wallet we signed and transferred all ETH in the wallet to an unidentified address. All other cold wallets remain secure."

ByBit insists it remains solvent and can cover the loss. But how did the attack occur?

The Attack Breakdown:

1?? Malware in ByBit's Approval Machines:

• A malware infection could have altered transaction details during the approval process, deceiving the approvers.

2?? Compromised Safe{Wallet} Infrastructure:

• The hacker potentially manipulated Safe{Wallet}’s web UI, gaining full control over the wallet’s funds.

?? The Escape Route: ETH to BTC via Chainflip

The stolen ETH is reportedly being converted to BTC using Chainflip, a method linked to previous high-profile crypto heists.

Staked ETH & Liquid Staking Tokens (LSTs): What’s the Deal?

Staked ETH represents ETH locked to secure the Ethereum network, generating staking rewards that offset token inflation. Liquid staking tokens (LSTs) like mETH and stETH that were stolen, are tokenized representation of staked ETH but offer liquidity. Benefits include:

• Tradability: Easier to trade compared to locked staked ETH.
• Accessibility: Earn staking rewards without running validator nodes.

Why Do CEXs Offer Liquid Staking?

Centralized Exchanges (CEXs) like ByBit provide these tokens to:

• Offer staking services without technical hurdles.
• Simplify trading of staked assets.

CEX vs. DEX: Control, Security, and the Bigger Picture

When trading crypto, you typically choose between:

Centralized Exchanges (CEXs):

• Managed by a central authority.
• Use order books like traditional stock exchanges.
• Key Risk: You don’t control private keys—the platform does.

Decentralized Exchanges (DEXs):

• Operate on autonomous smart contracts.
• Use Automated Market Makers (AMMs) instead of order books.
• Key Advantage: Users retain control of private keys, minimizing centralized risks.

The major difference is that CEX is a custodian solution, meaning CEX is a custodian of your crypto. In contrast, at DEX, you can only swap your tokens; you must have your own wallet to manage any transactions.

Lessons from the ByBit Hack

This breach serves as a cautionary tale for the entire crypto industry. Key lessons include:

1?? Control Matters:

• Users should be aware that CEXs hold the keys, making funds vulnerable.

2?? Centralization Risks:

• Single points of failure become attractive targets for sophisticated threat actors.

3?? Stronger Security Protocols:

• Adoption of multi-signature wallets, real-time monitoring, and robust transaction verification is critical.

Conclusion

The ByBit hack is a harsh reminder of the risks inherent in centralized systems and the growing sophistication of threat actors like the Lazarus Group. The crypto industry must now reflect and respond. Strengthening approval mechanisms, enhancing infrastructure integrity, and embracing decentralization could provide the resilience required for future growth.

Will 2025 set new records for crypto security incidents? Time will tell. But one thing is clear: The industry must evolve—or risk repeating history.

Thanks for reading From PhD Research in DeFi! This post is public so feel free to share it.