Bybit · Field note

The Bybit Hack Freeze: How Tether, Circle and ChangeNOW Locked $85M in 48 Hours


On 21 February 2025, Bybit lost 401,346 ETH — roughly $1.4 billion at the time — to what investigators later attributed to the Lazarus Group, in what stands as the largest single theft in crypto history. What happened in the following 48 hours is, in its own way, more instructive than the theft itself. Tether froze 181,000 USDT connected to the stolen funds within 24 hours. ChangeNOW froze 34 ETH. FixedFloat froze 120,000 USDC and USDT combined. Bitget, Coinex, Avalanche and THORChain all took some form of freezing or blocking action across the same window. By the 48-hour mark, the combined total frozen across all participating platforms reached approximately $85 million.

Set against a $1.4 billion theft, $85 million is a small fraction — roughly six per cent. If you followed the Bybit story and came away wondering why the number everyone celebrated as a coordinated industry response amounted to so little of the total, you are asking the right question. The freeze mechanism that worked in those 48 hours is real, and worth understanding properly, but it is also worth understanding exactly what it can and cannot do.

What “freeze” actually means during a live incident

A freeze in this context is a discrete technical action: the issuer of a token — Tether for USDT, Circle for USDC — adds a specific wallet address to a blacklist maintained at the smart contract level. Once blacklisted, that address can no longer send or receive the token in question. The funds do not move anywhere; they remain visible on the blockchain, sitting in the flagged wallet, permanently immobilised unless the issuer later reverses the block.

This only works for stablecoins with a centralised issuer capable of enforcing a blacklist. Native ETH, Bitcoin, and most other non-stablecoin assets have no such mechanism — there is no central party who can freeze a Bitcoin wallet the way Tether can freeze a USDT address. This is precisely why the Bybit incident, which began with stolen ETH, saw comparatively limited freezing activity relative to the total sum: the moment stolen ETH was converted into a stablecoin along its laundering path, it became freezable; before that conversion, or once converted into a different non-stablecoin asset, it was effectively untouchable by this mechanism.

The narrow window in which freezing actually happens

Nearly all effective freezing in the Bybit case happened within a five-to-seven hour window immediately following the theft, before the stolen assets had been laundered through enough intermediary wallets, mixers, and cross-chain bridges to obscure the trail. mETH Protocol’s response illustrates both sides of this timing problem well: an eight-hour delay in its own reaction still allowed it to recover $43 million in cmETH, showing that meaningful sums remain freezable even somewhat later than the ideal window, but also showing how much time had already been lost by that point relative to platforms that reacted within the first hour or two.

Circle’s handling of its own exposure drew direct public criticism. On-chain investigator ZachXBT flagged delays in Circle’s freezing of 115,000 USDC connected to the Bybit theft, arguing that faster action was both possible and reasonable given the public, real-time nature of the tracing effort already under way across the crypto community. Whether or not that criticism was entirely fair to Circle’s internal compliance process, it captures the core dynamic: every hour that passes after a major theft, the laundering trail branches further, and the sum realistically recoverable through freezing shrinks accordingly.

  • Stablecoin issuers (Tether, Circle) can freeze specific addresses at the contract level
  • Exchanges and bridges (ChangeNOW, FixedFloat, Bitget, and others) can freeze or block transactions passing through their own systems
  • Native assets without a centralised issuer — Bitcoin, ETH itself before conversion — cannot be frozen by any single party
  • The effective window for meaningful freezing action is measured in hours, not days
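The blacklist mechanism and the shrinking window described above can be replayed as a small model. This is an added example, not code from the original page and not any issuer's contract: the addresses, amounts and hours are constructed, and funds that reach the hypothetical "bridge" address are assumed to be beyond the issuer's reach.

```python
from dataclasses import dataclass, field


@dataclass
class IssuedToken:
    """Toy issuer-controlled ledger with a contract-level blacklist."""
    balances: dict = field(default_factory=dict)
    blacklist: set = field(default_factory=set)

    def freeze(self, addr):
        self.blacklist.add(addr)

    def transfer(self, src, dst, amount):
        # Modelled as the text describes: a blacklisted address
        # can neither send nor receive the token.
        if src in self.blacklist or dst in self.blacklist:
            return False
        if self.balances.get(src, 0) < amount:
            return False
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        return True


# Constructed timeline: (hours after theft, from, to, amount).
TIMELINE = [
    (1, "thief", "hop1", 100_000),
    (3, "hop1", "hop2", 60_000),
    (6, "hop2", "bridge", 60_000),   # leaves the issuer's reach
    (9, "hop1", "bridge", 40_000),
]
FLAGGED = ("thief", "hop1", "hop2")  # addresses investigators have traced


def frozen_if_flagged_at(hour):
    """Replay TIMELINE, blacklisting FLAGGED at `hour`; return the sum left immobilised."""
    token = IssuedToken(balances={"thief": 100_000})
    applied = False
    for t, src, dst, amount in TIMELINE:
        if not applied and t >= hour:
            for addr in FLAGGED:
                token.freeze(addr)
            applied = True
        token.transfer(src, dst, amount)  # silently fails once frozen
    if not applied:
        for addr in FLAGGED:
            token.freeze(addr)
    # Frozen balances never move: they stay visible at the flagged addresses.
    return sum(token.balances.get(a, 0) for a in token.blacklist)
```

In this constructed timeline a freeze at hour 4 still holds the full 100,000, a freeze at hour 7 holds 40,000, and a freeze at hour 10 holds nothing.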

Freezing is preservation, not recovery

The single most important distinction the Bybit case illustrates is that a freeze does not return stolen funds to their rightful owner. It stops a specific sum at a specific address from moving further. What happens to that frozen balance afterwards — whether it is eventually returned to Bybit, held indefinitely pending a legal process, or remains in limbo — is an entirely separate question, typically requiring a court order, a law-enforcement judgment, or a negotiated settlement between the parties involved.

Of the $1.4 billion stolen from Bybit, only around $85 million was ultimately frozen. The remainder was laundered through a combination of mixing services, cross-chain bridges, and decentralised exchanges that either had no freezing capability or were not monitoring the situation quickly enough to act within the effective window. This is the sobering arithmetic behind every high-profile freeze headline: the freeze number reported in the days after an incident is almost always a small fraction of the total loss, and the gap between the two numbers represents funds that have, for practical purposes, disappeared into the broader laundering infrastructure that the crypto ecosystem has not yet found a reliable way to counter.

The coordination itself is also worth understanding, because it did not happen automatically. Tether, ChangeNOW, FixedFloat, Bitget, Coinex and the others did not share a single alert system that triggered freezes in unison. Each acted on information gathered and circulated by on-chain investigators, Bybit’s own security team, and public reporting, then made an independent decision to freeze whatever fell within its own reach. This decentralised, ad hoc response pattern is typical of how the industry handles major thefts: effective when it works, but dependent on each platform separately noticing the right address in time, rather than any formal reporting structure guaranteeing a response.

That gap matters for anyone assessing exposure after a smaller, less publicised theft. Bybit’s case attracted unusual attention precisely because of its size, which is part of why $85 million was frozen at all. A theft affecting an individual or smaller business, without the same public profile, is far less likely to prompt the same volume of voluntary action from issuers, even where the technical capability is identical. The mechanism exists regardless of scale, but willingness to act often correlates with how loudly, and how credibly, a request is made.

Where UsdtFreeze fits

Individuals and businesses affected by a theft or hack rarely have the resources, relationships, or technical tracing capability that a large exchange like Bybit can mobilise in the first critical hours. We work with victims to identify where stolen funds have actually gone, which issuers or platforms still hold freezable exposure, and how to engage the right authority quickly enough to matter. We coordinate with partner counsel across 15+ jurisdictions, since a laundering trail rarely stays within one country’s legal reach for long.

We ask for an NDA before details, given the sensitivity of ongoing theft investigations. Where a middleman platform or bridge sits between the theft and the current holder of the funds, tracing becomes twice as difficult, which is precisely why we keep a jurisdictional pool of counsel ready to engage the right issuer or authority the moment a lead surfaces, rather than starting that search from scratch. Our Standard engagement is $20,000 in ETH, with a $10,000 refund if the case is unsuccessful, and VIP hourly rates apply for cases requiring urgent, round-the-clock coordination across multiple jurisdictions at once — the kind of pace a Bybit-scale incident actually demands. UsdtFreeze is not a law firm. We are the middleman who moves quickly on the tracing and the outreach so that a freezable window is not lost to administrative delay. If you have been affected by a theft and are racing against the same clock Bybit faced, get in touch, email [email protected], or message @unfreezeusdt.

FAQ

Why could Tether freeze USDT but nobody could freeze the stolen ETH?
Tether, as the issuer of USDT, controls a blacklist function built into the token’s smart contract. ETH has no equivalent central issuer, so no single party has the technical ability to block a specific ETH wallet from transacting.

How quickly does a freeze request need to happen after a theft?
Based on the Bybit case, the effective window is roughly five to seven hours before laundering activity significantly reduces the freezable share of stolen funds. Action taken within the first one to two hours captures meaningfully more than action taken toward the end of that window.

Does a freeze mean the victim gets their money back?
Not automatically. A freeze only stops the funds from moving further. Returning frozen funds to the rightful owner typically requires a separate legal process — a court order, law-enforcement action, or negotiated settlement with the parties holding or controlling the frozen balance.
