ByBit
2025-02-22 • Rekt
Rekt describes the Bybit theft as a compromise of the exchange’s Ethereum cold-wallet signing process that drained roughly 401,346 ETH, 90,375 stETH, 15,000 cmETH, and 8,000 mETH. The attackers presented signers with a legitimate-looking Safe interface while the approved transaction upgraded the wallet implementation to attacker-controlled code with a hidden sweepERC20 function. The article cites ZachXBT, SlowMist, PeckShield, and Bybit statements, and says ZachXBT linked the attack to Lazarus Group through Arkham Intel’s bounty process. It also records Bybit’s response that only the ETH cold wallet was affected, user assets remained backed, and withdrawals continued while the exchange sought liquidity support.
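
A signer-side check for the situation described above, as an added example that is not from the Rekt article, Safe, or Bybit: it decodes raw Safe execTransaction calldata independently of any interface and flags a DELEGATECALL, the Safe operation that runs the target's code against the wallet's own storage and can therefore replace its implementation. The allowlist, the helper names, and the sample addresses and inner calldata are constructed assumptions.

```python
# Added example (not from the article): independent pre-signing check of Safe calldata.
EXEC_TRANSACTION = bytes.fromhex("6a761202")  # selector of Safe execTransaction(...)
CALL, DELEGATECALL = 0, 1                     # Safe Enum.Operation values

def decode_exec_transaction(calldata: bytes) -> dict:
    """Decode to, value, operation and the inner selector from raw execTransaction calldata."""
    if calldata[:4] != EXEC_TRANSACTION:
        raise ValueError("not an execTransaction call")
    args = calldata[4:]
    if len(args) < 32 * 10:                   # ten head words in the ABI encoding
        raise ValueError("calldata too short")
    word = lambda i: int.from_bytes(args[32 * i:32 * i + 32], "big")
    offset = word(2)                          # `data` is dynamic: the head holds an offset
    if offset + 32 > len(args):
        raise ValueError("data offset out of range")
    length = int.from_bytes(args[offset:offset + 32], "big")
    inner = args[offset + 32:offset + 32 + length]
    if len(inner) != length:
        raise ValueError("inner data truncated")
    return {"to": "0x" + args[12:32].hex(), "value": word(1),
            "operation": word(3), "selector": inner[:4].hex()}

def review(calldata: bytes, delegate_allowlist: set) -> list:
    """Return reasons to refuse signing; an empty list means no finding."""
    tx = decode_exec_transaction(calldata)
    findings = []
    if tx["operation"] not in (CALL, DELEGATECALL):
        findings.append("unknown operation value")
    elif tx["operation"] == DELEGATECALL and tx["to"] not in delegate_allowlist:
        findings.append("DELEGATECALL to non-allowlisted target " + tx["to"])
    return findings

def build_sample(to_hex: str, operation: int, inner: bytes) -> bytes:
    """Constructed test input: ABI-encode an execTransaction call with zeroed gas fields."""
    pad = lambda b: b.rjust(32, b"\x00")
    u = lambda n: n.to_bytes(32, "big")
    tail_data = u(len(inner)) + inner.ljust(-(-len(inner) // 32) * 32, b"\x00")
    head = [pad(bytes.fromhex(to_hex)), u(0), u(320), u(operation), u(0), u(0), u(0),
            u(0), u(0), u(320 + len(tail_data))]
    return EXEC_TRANSACTION + b"".join(head) + tail_data + u(0)  # empty signatures

# Constructed addresses and inner calldata, not values from the incident.
TOKEN = "11" * 20
UNKNOWN = "22" * 20
INNER = bytes.fromhex("a9059cbb") + bytes(64)   # looks like transfer(address,uint256)
```

The inner selector alone reads as an ordinary token transfer in both samples; only the decoded operation field and target distinguish the call that should be refused.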