Editor | Wu Blockchain
On the evening of February 21st Beijing time, on-chain detective ZachXBT first revealed that more than $1.46 billion in suspicious funds had flowed out of Bybit, with mETH and stETH currently being exchanged for ETH on DEXes. It can be confirmed that this has become the largest hacking incident in the history of cryptocurrency (calculated by the amount at the time).
Coinbase executive Conor Grogan stated that the hacking attack on Bybit by North Korea is the largest hacker theft case in history (surpassing the Iraqi Central Bank theft of about $1 billion) and is about 10 times the size of the 2016 DAO hacker attack (but with a much higher percentage of the supply). It is expected that there will be some calls for an Ethereum fork. (The amount here is calculated based on the value at the time of the theft)
Arkham tweeted that on-chain analyst ZachXBT provided conclusive evidence that the $1.5 billion Bybit hack was carried out by the North Korea-backed hacker group Lazarus Group. His submission includes detailed analysis of test transactions, associated wallets, forensic charts, and timeline analysis. The relevant information has been shared with Bybit to assist in their investigation.
Bybit CEO BEN tweeted that about 1 hour ago, Bybit's ETH multi-signature cold wallet just transferred to our hot wallet. It seems this transaction was forged, with all signers seeing a forged UI showing the correct address, with the URL coming from SAFE. However, the signing information was to change the smart contract logic of our ETH cold wallet. This resulted in the hackers controlling the specific ETH cold wallet we signed, and transferring all the ETH in the cold wallet to an unidentified address. Rest assured, all other cold wallets are safe. All withdrawals are normal. I will keep you updated on further developments, and if any team can help us track down the stolen funds, we would be grateful.
Bybit's official Twitter stated that Bybit detected unauthorized activity involving one of our ETH cold wallets. At the time of the incident, our ETH multi-signature cold wallet executed a transfer to our hot wallet. Unfortunately, this transaction was manipulated through a sophisticated attack that concealed the signing interface, displayed the correct address, while changing the underlying smart contract logic. As a result, the attackers were able to control the affected ETH cold wallet and transfer its assets to an unidentified address. Our security team is actively investigating this incident together with leading blockchain forensics experts and partners. Any team with expertise in blockchain analysis and asset recovery who can assist in tracking these assets is welcome to collaborate with us. We want to assure our users and partners that all other Bybit cold wallets are completely secure. All customer funds are safe, and our operations are continuing uninterrupted. Transparency and security remain our top priorities, and we will provide updates as soon as possible.
Bybit stated that all other Bybit cold wallets are secure, and customer funds are unaffected and remain safe. We understand the current situation is causing a surge in withdrawal requests. While the high volume may result in delays, all withdrawals are being processed normally. Bybit has sufficient assets to cover the loss, with an asset management size exceeding $20 billion, and will use bridge loans if necessary to ensure the availability of user funds.
Coinbase executive Conor Grogan tweeted that Binance and Bitget have just directly deposited over 50,000 ETH into Bybit's cold wallets, with Bitget's deposit particularly notable, accounting for a quarter of that exchange's total ETH. These funds were clearly coordinated by Bybit itself, bypassing deposit addresses. Bybit CEO Ben Zhou stated: "Thank you to Bitget for stepping up at this moment, we are in communication with Binance and a few other partners, and this has nothing to do with the official Binance."
Bitget CEO Gracy stated that Bybit is a respectable competitor and partner, and while the loss is significant, it is just their annual profit. Gracy believes customer funds are 100% safe and there is no need to panic or run. Gracy also said the loan to Bybit is Bitget's own assets, not user assets.
The Slowmist team provided additional details, stating that the attacker deployed a malicious implementation contract, and then the attacker replaced Safe's implementation contract with the malicious contract through three-owner signatures, using the backdoor functions "sweepETH" and "sweepERC20" in the malicious contract to empty the hot wallet funds.
Dilation Effect analysis pointed out that compared to previous similar incidents, the Bybit incident only required compromising one signer to complete the attack, as the attacker used a "social engineering" trick. By analyzing the on-chain transactions, it can be seen that the attacker executed the transfer function of a malicious contract through delegatecall, with the transfer code modifying the value of slot 0 using the SSTORE instruction, thereby changing the implementation address of Bybit's multi-signature contract to the attacker's address. Only the person/device initiating the multi-signature transaction needed to be compromised, as the subsequent reviewers would be much less vigilant when seeing the "transfer" operation, not realizing it was actually changing the contract.
Chainlink data shows that after the Bybit security incident was disclosed, USDe briefly crashed to $0.965 before rebounding to $0.99. Bybit has integrated USDe as collateral for trading perpetual contracts on its UTA. ethena_labs posted that they are monitoring the current situation at Bybit and will continue to track the developments. All spot assets supporting USDe are held in off-exchange custodial solutions, including the partnership with Bybit through Copper Clearloop. Currently, no spot assets are held on any exchanges. The total unrealized PNL related to Bybit hedging positions is less than $30 million, less than half of the reserve fund. USDe remains over-collateralized and will provide updates based on the latest information.
Binance co-founder CZ responded that this is not an easy situation to handle, and may suggest suspending all withdrawals as a standard security precaution, and will provide any assistance if needed. He Yi expressed willingness to provide assistance.
The Safe security team responded that they are closely collaborating with Bybit in the ongoing investigation. No evidence of an official Safe frontend breach has been found so far, but out of caution, Safe Wallet has temporarily suspended certain functionalities. Slowmist Cosine stated that similar to the previous Radiant Capital case, it may also be a theft by North Korean hackers. Radiant Capital stated that their $50 million attack incident in October was related to the North Korean hacker group, involving complex identity forgery and multi-layered phishing attacks. The attackers impersonated former contractors and used social engineering tactics to obtain sensitive credentials, then infiltrated the protocol system to carry out the attack.
Security analysts believe that this is similar to the WazirX and Radiant cases, where the signer's computer or intermediate interface was hacked. The possible reasons for this hacker attack are: Hackers planted a virus on the signer's computer/browser, replacing the transaction with a malicious one, then sending it to the hardware wallet. This virus could be at any layer of the stack (e.g., malicious extension, wallet communication...) - the security interface was hacked, it displayed a transaction, but sent another transaction to the wallet. The end result is that the signer sees an innocent transaction on the security interface, but the malicious transaction is sent to their wallet. Until the full post-mortem analysis is available, we cannot confirm the details.
OneKey stated that the hackers have most likely confirmed that Bybit's three multi-sig computers have been compromised, and are waiting for them to perform daily signing operations. When the multi-sig personnel execute a signing operation, the hackers replace the signing content. The personnel see what appears to be a normal transaction on the web page - unaware that it has been changed to a "replace the safe contract with the previously deployed malicious contract" transaction. The tragedy then unfolds. The malicious contract with a backdoor was easily drained of all funds by the hackers.
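The two analyses above describe one mechanism: the signer's interface shows an ordinary transfer, while the payload actually signed is a delegatecall into an attacker-deployed contract whose code rewrites storage slot 0 of the Safe proxy, i.e. the implementation address. The check below is an added example written for this article; it is not code from Bybit, Safe, Slowmist, Dilation Effect or OneKey. It models the fields a Safe UI proposes (`to`, `value`, `data`, `operation`) and applies a treasury policy on an independent machine before any signer approves: reject `DELEGATECALL` outright, accept only plain ETH transfers or ERC-20 `transfer(address,uint256)` calls to allowlisted addresses, and re-check that slot 0 still holds the expected singleton afterwards. The `SafeTx`/`Policy` types, all addresses and amounts are constructed for the demo; the only real constant is the standard ERC-20 `transfer` selector.

```python
# Added example (not Bybit's, Safe's or any analyst's code): an offline policy check
# on the transaction a Safe UI proposes, run before a signer approves it on a
# hardware wallet. Every address and amount below is constructed for the demo.
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1                 # values of the Safe "operation" field
ERC20_TRANSFER_SELECTOR = "a9059cbb"      # keccak256("transfer(address,uint256)")[:4]


@dataclass(frozen=True)
class SafeTx:
    to: str          # target contract or recipient
    value: int       # wei attached to the call
    data: str        # "0x"-prefixed calldata ("0x" for a plain ETH transfer)
    operation: int   # 0 = CALL, 1 = DELEGATECALL


@dataclass(frozen=True)
class Policy:
    allowed_recipients: frozenset   # lower-case addresses the Safe may pay out to
    allowed_tokens: frozenset       # lower-case ERC-20 contracts the Safe may call
    max_value_wei: int
    max_token_amount: int


def _strip0x(h: str) -> str:
    return h[2:] if h.startswith("0x") else h


def decode_erc20_transfer(data: str):
    """Return (recipient, amount) if calldata is exactly transfer(address,uint256), else None."""
    h = _strip0x(data).lower()
    if len(h) != 8 + 64 + 64 or h[:8] != ERC20_TRANSFER_SELECTOR:
        return None
    addr_word, amount_word = h[8:72], h[72:136]
    if addr_word[:24] != "0" * 24:        # an address is right-aligned in its 32-byte word
        return None
    return "0x" + addr_word[24:], int(amount_word, 16)


def check_safe_tx(tx: SafeTx, policy: Policy) -> list:
    """Return human-readable findings; an empty list means the request passes policy."""
    findings = []
    # With DELEGATECALL the target's code runs in the proxy's own storage context, so an
    # SSTORE to slot 0 replaces the implementation address. A treasury wallet never needs it.
    if tx.operation == DELEGATECALL:
        findings.append("operation=DELEGATECALL: target code would run with the Safe's "
                        "storage and could overwrite slot 0 (implementation address)")
    elif tx.operation != CALL:
        findings.append(f"unknown operation {tx.operation}")

    to = tx.to.lower()
    if _strip0x(tx.data) == "":                       # plain ETH transfer
        if to not in policy.allowed_recipients:
            findings.append(f"ETH transfer to non-allowlisted address {tx.to}")
        if tx.value > policy.max_value_wei:
            findings.append(f"value {tx.value} wei exceeds limit {policy.max_value_wei}")
        return findings

    if tx.value != 0:
        findings.append("ETH value attached to a contract call")
    decoded = decode_erc20_transfer(tx.data)
    if decoded is None:
        findings.append("calldata is not a plain ERC-20 transfer(address,uint256)")
        return findings
    recipient, amount = decoded
    if to not in policy.allowed_tokens:
        findings.append(f"transfer() called on non-allowlisted contract {tx.to}")
    if recipient.lower() not in policy.allowed_recipients:
        findings.append(f"token recipient {recipient} is not allowlisted")
    if amount > policy.max_token_amount:
        findings.append(f"token amount {amount} exceeds limit {policy.max_token_amount}")
    return findings


def implementation_from_slot0(word: str) -> str:
    """Address held in the proxy's slot 0 (its singleton), as returned by eth_getStorageAt."""
    h = _strip0x(word).lower().rjust(64, "0")
    return "0x" + h[-40:]


# --- constructed demo data ---------------------------------------------------
HOT_WALLET = "0x" + "11" * 20
TOKEN = "0x" + "22" * 20
MALICIOUS_CONTRACT = "0x" + "bad" + "0" * 34 + "bad"
EXPECTED_SINGLETON = "0x" + "33" * 20

POLICY = Policy(frozenset({HOT_WALLET}), frozenset({TOKEN}), 10**21, 10**24)
TRANSFER_DATA = ("0x" + ERC20_TRANSFER_SELECTOR
                 + HOT_WALLET[2:].rjust(64, "0") + format(10**18, "064x"))

BENIGN_TX = SafeTx(to=TOKEN, value=0, data=TRANSFER_DATA, operation=CALL)
# Same innocent-looking "transfer" calldata, but delegatecall into an unknown contract.
SUSPECT_TX = SafeTx(to=MALICIOUS_CONTRACT, value=0, data=TRANSFER_DATA, operation=DELEGATECALL)

if __name__ == "__main__":
    for name, tx in (("benign", BENIGN_TX), ("suspect", SUSPECT_TX)):
        print(name, check_safe_tx(tx, POLICY) or "OK")
    # Post-execution invariant: slot 0 of the proxy still points at the expected singleton.
    slot0 = "0x" + EXPECTED_SINGLETON[2:].rjust(64, "0")   # constructed eth_getStorageAt reply
    print("implementation unchanged:", implementation_from_slot0(slot0) == EXPECTED_SINGLETON)
```

The point of the design is that the check runs on a machine the proposing signer does not control and works from the raw fields, not from whatever the browser renders: a compromised UI can lie about what it displays, but it cannot make a delegatecall look like a CALL in the bytes that reach the policy checker. The slot 0 comparison is the complementary post-condition for monitoring: if the singleton address read back after any Safe transaction differs from the expected one, the wallet's logic has been replaced regardless of how the transaction was labelled.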
Bybit stated that it will not immediately purchase ETH, but will rely on its partners to provide bridge loans. This will ensure that all users can withdraw, but due to the traffic being 100 times the normal amount, it will take some time to process, and some risk verification will be required for large withdrawals.
Dilation Effect pointed out that the combination of a regular hardware wallet and the Safe multi-signature mechanism can no longer meet the security management needs of large funds. If the attacker has enough patience to deal with multiple signatories, the operational process has no further measures to ensure security. Large fund security management must use an institutional-level custodian solution.
According to DeFiLlama data, including the funds stolen by hackers, Bybit's total outflow in the past 24 hours was $2.399 billion. Currently, the platform's on-chain verifiable assets exceed $14 billion, of which Bitcoin and USDT account for nearly 70%. Bybit announced that it has reported the case to the relevant authorities and will provide updates when more information is available. In addition, cooperation with on-chain analysis providers has helped identify and separate the relevant addresses, with the aim of reducing the ability of malicious actors to dispose of ETH through legitimate markets.
This incident may trigger discussions about an Ethereum fork. Conor Grogan said that although he believes the calls for a fork are too radical, he expects a real debate on this issue. Arthur Hayes, as a large Ethereum holder, believes that Ethereum is no longer a "currency" after the DAO hack hard fork in 2016. He said that if the community decides to roll back again, he will support this decision, because in 2016 the community had already voted against immutability, so why not do it again?