Background
On the evening of February 21, 2025, Beijing time, according to on-chain detective ZachXBT, a massive outflow of funds occurred on the Bybit platform. This incident resulted in the theft of over $1.46 billion, making it the largest cryptocurrency theft in recent years.
On-Chain Tracking Analysis
Immediately after the incident, the security team issued a security alert and began tracking the stolen assets:
According to the security team's analysis, the stolen assets mainly included:
401,347 ETH (valued at approximately $1.068 billion)
8,000 mETH (valued at approximately $26 million)
90,375.5479 stETH (valued at approximately $260 million)
15,000 cmETH (valued at approximately $43 million)
We used the on-chain tracking and anti-money laundering tool MistTrack to analyze the initial hacker address 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2, obtaining the following information:
ETH dispersal: the initial hacker address dispersed 400,000 ETH in batches of 10,000 ETH to 40 addresses, which continued to move the funds onward.
Among them, 205 ETH was exchanged for BTC through Chainflip and bridged to the address bc1qlu4a33zjspefa3tnq566xszcr0fvwz05ewhqfq.
cmETH flow: 15,000 cmETH was transferred to address 0x1542368a03ad1f03d96D51B414f4738961Cf4443. Notably, the mETH Protocol posted on X stating that in response to the Bybit security incident, the team promptly suspended cmETH withdrawals, preventing unauthorized withdrawals, and successfully recovered 15,000 cmETH from the hacker address.
mETH and stETH transfers: 8,000 mETH and 90,375.5479 stETH were transferred to address 0xA4B2Fd68593B6F34E51cB9eDB66E71c1B4Ab449e, then exchanged for 98,048 ETH through Uniswap and ParaSwap, and then transferred to 0xdd90071d52f20e85c89802e5dc1ec0a7b6475f92, where address 0xdd9 dispersed the ETH in batches of 10,000 ETH to 9 addresses, with no further transfers yet.
Additionally, an analysis of the attack methods revealed that the initial attack address 0x0fa09C3A328792253f8dee7116848723b72a6d2e's initial funds came from Binance.
The initial hacker address 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2 currently has a balance of 1,346 ETH, and we will continue to monitor related addresses.
Immediately after the incident, SlowMist speculated that the attacker was a North Korean hacker, based on the technique used to obtain the Safe multi-signature approvals and on the money laundering methods:
Possible social engineering attack methods used:
Using MistTrack analysis, it was also discovered that this incident's hacker address was associated with the BingX Hacker and Phemex Hacker addresses:
ZachXBT also confirmed that this attack was related to the North Korean hacker organization Lazarus Group, which has been primarily engaged in conducting transnational cyberattacks and stealing cryptocurrencies. According to the evidence provided by ZachXBT, including test transactions, associated wallets, forensic charts, and time analysis, the attacker used techniques commonly employed by the Lazarus Group in multiple operations. Meanwhile, Arkham stated that all related data had been shared with Bybit to help the platform further investigate.
Analysis of Attack Techniques
On the night of the incident at 23:44, Bybit CEO Ben Zhou posted a statement on X, explaining the technical details of the attack:
Through on-chain signature analysis, we found some traces:
1. Deploying a malicious contract: at UTC 2025-02-19 07:15:23, the attacker deployed the malicious implementation contract 0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516.
2. Tampering with the Safe contract logic: at UTC 2025-02-21 14:13:35, with three Owner signatures, the Safe contract's implementation was replaced with a malicious version (transaction 0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882). This transaction led to the identification of the initial attack address 0x0fa09C3A328792253f8dee7116848723b72a6d2e.
3. Embedding malicious logic: through DELEGATECALL, the malicious logic contract 0x96221423681A6d52E184D440a8eFCEbB105C7242 was written into storage slot 0.
4. Calling backdoor functions to transfer funds: The attacker used the contract's sweepETH and sweepERC20 functions to transfer all 400,000 ETH and stETH (total value approximately $1.5 billion) from the cold wallet to an unknown address.
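As an added example (not code from the SlowMist post, from Safe, or from Bybit), the check below decodes a Safe execTransaction call offline and flags the two signals from step 3 that a signer should never accept in a routine transfer: operation 1 (DELEGATECALL) and a target address outside an allowlist. The selector is the real one for Safe's execTransaction; the placeholder treasury address and the sample calldata are constructed, and only the malicious implementation address comes from the post.

```python
# Selector of execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)
EXEC_TX_SELECTOR = bytes.fromhex("6a761202")
CALL, DELEGATECALL = 0, 1

def _word(n: int) -> bytes:
    return n.to_bytes(32, "big")  # one 32-byte big-endian ABI word

def _pad(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % 32)  # right-pad dynamic bytes to a 32-byte boundary

def encode_exec_transaction(to, value, data, operation, signatures) -> bytes:
    """ABI-encode execTransaction; gas fields and refund addresses zeroed (constructed sample)."""
    data_off = 10 * 32  # dynamic tail starts after the 10-word head
    data_enc = _word(len(data)) + _pad(data)
    sig_off = data_off + len(data_enc)
    head = (_word(int(to, 16)) + _word(value) + _word(data_off) + _word(operation)
            + _word(0) * 5 + _word(sig_off))  # safeTxGas, baseGas, gasPrice, gasToken, refundReceiver
    return EXEC_TX_SELECTOR + head + data_enc + _word(len(signatures)) + _pad(signatures)

def decode_exec_transaction(calldata: bytes) -> dict:
    """Parse the fields a signer must verify: to, value, data, operation."""
    if calldata[:4] != EXEC_TX_SELECTOR:
        raise ValueError("not an execTransaction call")
    body = calldata[4:]
    word = lambda i: int.from_bytes(body[32 * i:32 * i + 32], "big")
    data_off = word(2)
    data_len = int.from_bytes(body[data_off:data_off + 32], "big")
    return {"to": "0x" + body[12:32].hex(), "value": word(1), "operation": word(3),
            "data": body[data_off + 32:data_off + 32 + data_len]}

def review_safe_tx(calldata: bytes, trusted_targets: set) -> list:
    """Return findings a signer should stop on; an empty list means none were found."""
    tx = decode_exec_transaction(calldata)
    findings = []
    if tx["operation"] == DELEGATECALL:
        # Delegated code runs with the Safe proxy's own storage, so it can overwrite
        # slot 0 (the implementation address), which is what step 3 above describes.
        findings.append("operation=1 (DELEGATECALL) in what should be a plain transfer")
    if tx["to"] not in {t.lower() for t in trusted_targets}:
        findings.append(f"target {tx['to']} is not on the allowlist")
    return findings

# Constructed samples: a routine ETH transfer, and a DELEGATECALL into the malicious
# implementation contract named in the post (calldata is arbitrary placeholder bytes).
TREASURY = "0x1111111111111111111111111111111111111111"  # placeholder destination
MALICIOUS_IMPL = "0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516"
ROUTINE_TX = encode_exec_transaction(TREASURY, 10**18, b"", CALL, b"")
UPGRADE_TX = encode_exec_transaction(MALICIOUS_IMPL, 0, b"\x01" * 4, DELEGATECALL, b"")
```

The point of running this on a hardware wallet's raw calldata rather than trusting the web UI is that a tampered frontend can only lie about what it displays, not about the bytes that are actually signed.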
From the analysis of the attack techniques, the WazirX hacking incident and the Radiant Capital hacking incident have similarities with this attack, with all three targeting Safe multi-signature wallets. In the WazirX hacking incident, the attacker also deployed a malicious implementation contract in advance and replaced the Safe contract with a malicious implementation contract through DELEGATECALL, using three Owner signatures.
(https://etherscan.io/tx/0x48164d3adbab78c2cb9876f6e17f88e321097fcd14cadd57556866e4ef3e185d)
For the Radiant Capital hacking incident, according to official disclosures, the attacker used a complex method that made the signature validators see seemingly legitimate transactions on the frontend, similar to the information disclosed in Ben Zhou's tweet.
(https://medium.com/@RadiantCapital/radiant-post-mortem-fecd6cd38081)
Moreover, the permission checks in the malicious contracts involved in these three incidents are the same, with hardcoded owner addresses used to check the callers of the contracts. The error messages thrown by the permission checks in the Bybit and WazirX hacking incidents are also similar.
In this incident, the Safe contract itself was not the problem; the issue lay in the non-contract part, where the frontend was tampered with to deceive the signers. This is not an isolated case. North Korean hackers used this method to attack several platforms last year: WazirX lost $230M (Safe multi-signature); Radiant Capital lost $50M (Safe multi-signature); DMM Bitcoin lost $305M (Gonco multi-signature). This attack method is mature and engineered, and requires extra caution.
According to the official announcement by Bybit:
(https://announcements.bybit.com/zh-MY/article/incident-update---eth-cold-wallet-incident-blt292c0454d26e9140)
Combined with Ben Zhou's tweet:
These raise the following questions:
1. Routine ETH transfers
Did the attacker previously obtain operation information from Bybit's internal finance team, knowing the timing of ETH multi-signature cold wallet transfers?
Through the Safe system, did they induce signers to sign malicious transactions on a forged interface? Was the Safe frontend system breached and taken over?
2. Safe contract UI tampering
Did the signers see the correct address and URL on the Safe interface, but the actual signed transaction data was tampered with?
The key question is: who initiated the signature request first? How secure was their device?
With these questions in mind, we look forward to the official disclosure of more investigation results.
Market Impact
Bybit quickly issued an announcement after the incident, promising that all customer assets are backed 1:1, and the platform can bear this loss. User withdrawals are not affected.
On February 22, 2025, at 10:51, Bybit CEO Ben Zhou posted on X stating that deposits and withdrawals are now normal:
In Conclusion
This theft incident once again highlights the severe security challenges facing the cryptocurrency industry. As the crypto industry rapidly develops, hacker organizations, especially state-level hackers like the Lazarus Group, are continuously upgrading their attack methods.
This event has sounded an alarm for cryptocurrency exchanges, which need to further strengthen security defenses, adopt more advanced defense mechanisms, such as multi-factor authentication, encrypted wallet management, asset monitoring, and risk assessment, to ensure the safety of user assets.
For individual users, it is equally crucial to enhance security awareness, with a recommendation to prioritize more secure storage methods like hardware wallets, and avoid storing large amounts of funds on exchanges for extended periods. In this continuously evolving field, only by continuously upgrading technical defenses can we ensure the safety of digital assets and promote the healthy development of the industry.