Black Swan Arrives: Detailed Tracking of the Nearly $1.5 Billion ETH Theft from Bybit

This article is machine translated

Author: Spirit

Event Overview

On February 21, 2025, the cryptocurrency exchange Bybit disclosed that its Ethereum multi-signature cold wallet had seen unauthorized activity, resulting in the theft of nearly $1.5 billion worth of ETH and stETH. Preliminary analysis pointed to a meticulously planned attack: the signing interface shown to the wallet's owners was spoofed so that they approved a transaction that replaced the wallet's Safe implementation contract with attacker-controlled code, after which the attackers drained the wallet. Bybit quickly issued a statement, launched an investigation, and sought external liquidity to absorb the surge in user withdrawals. This is the largest single theft in the history of cryptocurrency, and it triggered market turmoil and heightened concern about the security of centralized exchanges.

Timeline of Events (HKT, UTC+8)

The following timeline is based on public information, with Hong Kong time (HKT, UTC+8) as the reference:

February 19, 2025, 15:15 HKT (UTC 07:15): The malicious implementation contract was deployed (contract address: `0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516`). According to the SlowMist team's analysis, this deployment was the preparatory step for the attack, two days before the theft.

February 21, 2025, 14:13 UTC (22:13 HKT): A transaction carrying three valid owner signatures was executed (transaction hash: `0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882`), replacing the Safe implementation contract behind Bybit's multi-signature cold wallet with the malicious contract above. This is considered the critical step of the attack: once the implementation pointer was overwritten, every call to the wallet was routed to attacker code, paving the way for the theft that followed.

Around February 21, 2025, 23:30 HKT: Abnormal outflows from Bybit's Ethereum cold wallet were noticed publicly, with approximately $1.5 billion worth of ETH and stETH stolen. X (formerly Twitter) user @OrdzWorld was the first to flag the unusual transfers from Bybit's cold wallet to what appeared to be a hot wallet.

February 21, 2025, 23:48 HKT: Bybit CEO Ben Zhou posted on social media, acknowledging the unauthorized ETH cold wallet transfer incident and initially identifying it as a "UI masking deception attack", while emphasizing that other cold wallets were secure and withdrawals were operating normally.

February 21, 2025, 23:51 HKT: Bybit's official account @Bybit_Official posted an official statement on the X platform, confirming the detection of unauthorized activity in the ETH multi-signature cold wallet and stating that the attackers had manipulated the transactions through a complex attack involving a spoofed signing interface.

February 22, 2025, 00:11 HKT: Bybit CEO Ben Zhou posted again, emphasizing that Bybit has the ability to compensate users and that user assets are 1:1 guaranteed.

February 22, 2025, 01:00 HKT: The SlowMist team @SlowMist_Team disclosed more technical details on X: the malicious contract had been deployed as early as February 19; the implementation swap was carried out through `DELEGATECALL` logic, which let attacker code write to the wallet's own storage; and the attackers then drained funds through the backdoor functions `sweepETH` and `sweepERC20` in the malicious implementation.

February 22, 2025, 01:07 HKT: X user @web3golder reported that Bybit was facing a user withdrawal surge, and some of the stolen assets had been converted to ETH on a decentralized exchange (DEX), exacerbating market concerns.

February 22, 2025, 01:24 HKT: BitMart founder Sheldon posted on the X platform, stating that BitMart had frozen the relevant addresses and would assist Bybit in recovering the assets.

February 22, 2025, 01:39 HKT: The security team Beosin analyzed that the initial attack address's gas fee funds came from the Binance exchange.

February 22, 2025, 05:23 HKT: On-chain investigator ZachXBT (@ZachXBT) posted an evidence report on X preliminarily attributing the attack to the North Korean hacker group Lazarus Group. Arkham Intelligence amplified the finding.

February 22, 2025, 07:27 HKT: Bybit's official X platform post stated that they had filed a report with the relevant authorities and were cooperating with on-chain analysis providers to identify and isolate the addresses involved, in order to prevent the hackers from selling the stolen ETH.

February 22, 2025, 09:09 HKT: On-chain data analyst Yu Jing (@EmberCN) monitored that Bitget had lent 40,000 ETH (approximately $105.9 million) to Bybit to alleviate the withdrawal pressure.

February 22, 2025, 09:14 HKT: Bitget CEO Gracy Chen posted on the X platform in support of Bybit, stating that she believes Bybit's customer funds are safe and there is no need for panic.

February 22, 2025, 09:21 HKT: Web3 audit firm Hacken released an updated proof of reserves, stating that Bybit's reserves still exceed its liabilities, and user funds are fully backed. Bybit CEO Ben Zhou responded that Hacken's audit proves Bybit has the ability to compensate user losses.

February 22, 2025, 09:28 HKT: KuCoin CEO BC Wong expressed support for Bybit and stated that KuCoin had assisted in monitoring the flow of funds and freezing suspicious assets.

February 22, 2025, 09:30 HKT: Binance founder CZ responded on social media, stating that Binance had not yet lent funds to Bybit, and the related fund transfers were likely the personal actions of a whale.

February 22, 2025, 09:35 HKT: The multi-signature wallet protocol Safe issued a statement saying it had found no vulnerability in its codebase and had temporarily paused certain Safe{Wallet} functionality pending a thorough investigation.

February 22, 2025, 09:38 HKT: On-chain monitoring showed that MEXC's hot wallet transferred 12,600 stETH to Bybit's cold wallet, further providing liquidity support.

February 22, 2025, 09:55 HKT: Bybit CEO Ben Zhou stated that Bybit was transferring 2.95 billion USDT from the cold wallet to the hot wallet, which was a planned strategic move and not another hacking incident.

Support and Liquidity Response from Various Parties

After the incident, Bybit quickly took action to seek support from multiple parties to address the potential liquidity crisis and user trust crisis:

  • Bitget's ETH loan: Bitget urgently lent 40,000 ETH (approximately $105.9 million) to Bybit, directly transferring it to Bybit's cold wallet address to alleviate user withdrawal pressure. This loan demonstrates the spirit of mutual assistance among industry exchanges.

  • Bridge Loan: Bybit CEO Ben Zhou revealed that the company had secured bridge loans from partners covering approximately 80% of the stolen ETH value (on the order of $1.2 billion at the time). The specific sources of the loans have not been disclosed, but they may include Bitget's loan. The bridge loans serve as short-term financing to replenish liquidity quickly and spare Bybit from buying a large amount of ETH on the open market, which could further disrupt prices.

  • KuCoin's Assistance in Monitoring and Freezing: The KuCoin CEO stated that they had assisted Bybit in monitoring the flow of the stolen funds and freezing suspicious assets, in an attempt to minimize the losses.

  • Financial Audit and Solvency Proof: Bybit's partner, the Web3 audit firm Hacken, released an updated proof of reserves, showing that Bybit's reserves still exceed its liabilities, and user funds are fully backed. Bybit CEO Ben Zhou also stated that Bybit has the ability to compensate user losses, even if the stolen assets cannot be fully recovered.

User Withdrawal Processing: The Bybit CEO stated that the platform's withdrawal function is operating normally, and emphasized that 99.994% of withdrawal requests have been completed, but acknowledged that processing a large number of withdrawal requests may result in delays.

Background and Implications for the Industry

Overview of Bybit Exchange: Bybit was founded in 2018, was originally based in Singapore and is now headquartered in Dubai, and is a cryptocurrency exchange primarily focused on derivatives trading. It has well over 10 million users and is a significant player in the industry.

Frequent Cryptocurrency Theft Incidents: In recent years, centralized exchanges have become high-value targets because they concentrate so much capital. Roughly $2.3 billion of cryptocurrency was stolen worldwide in 2024, so the Bybit incident alone exceeds 60% of last year's industry-wide losses, highlighting the severity of the security situation. Well-known projects such as Ronin Network have previously suffered large-scale thefts, showing that attack techniques keep evolving and that centralized platforms face ongoing security challenges.

Early warning and long-term planning: The security firm SlowMist disclosed that the malicious contract was deployed as early as February 19, indicating that this attack was not a spur-of-the-moment action but the result of careful planning and preparation over an extended period.

Cause Analysis

Technical vulnerabilities and social engineering attacks:

Preliminary analysis shows that the attackers exploited a weakness in the signing flow of Bybit's multi-signature cold wallet rather than in the Safe contracts themselves: a spoofed signing interface presented the owners with an ordinary-looking transaction while the payload they actually signed replaced the wallet's Safe implementation contract.

The attackers may have combined this with social engineering tactics (the article refers to an attack incident in October of the previous year), such as compromising a signer's computer or the communication path between the signer and the wallet front end, substituting a malicious transaction request for the legitimate one, and lowering the signers' vigilance.

The `DELEGATECALL` instruction was the technical lever. A delegatecall executes the callee's code in the caller's storage and balance context, so a delegatecall issued by the Safe proxy to a contract that writes storage slot 0 overwrites the proxy's implementation pointer. From that point on, every call to the wallet runs the attacker's code, including the backdoor functions used to transfer the funds out.
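As an added example (not Bybit's, Safe's or SlowMist's code), the following Python script performs the check a cold-wallet signer could run on the raw `execTransaction` calldata before approving it: it ABI-decodes the payload the Safe contract will actually execute and flags the pattern described above, namely operation = 1 (`DELEGATECALL`), a target that is not on the signer's allowlist, and calldata that carries an ERC-20 `transfer()` selector yet is delegatecalled. The `execTransaction` and `transfer` selectors are the real ones; every address except the malicious implementation address quoted in the timeline is a constructed placeholder, and the allowlist and the attack-shaped sample payload are assumptions made for illustration.

```python
"""Signer-side pre-flight check for a Safe execTransaction payload.

Added example, not Bybit's, Safe's or SlowMist's code.  It ABI-decodes the
calldata a multisig owner is asked to approve and flags operation == 1
(DELEGATECALL), which runs the target's code inside the Safe proxy's own
storage context, where slot 0 holds the implementation address.
"""
from dataclasses import dataclass

# Real 4-byte selectors for these signatures.
EXEC_TRANSACTION = bytes.fromhex("6a761202")  # execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)
ERC20_TRANSFER = bytes.fromhex("a9059cbb")    # transfer(address,uint256)
OP_CALL, OP_DELEGATECALL = 0, 1


@dataclass
class SafeTx:
    to: str
    value: int
    data: bytes
    operation: int
    safe_tx_gas: int = 0
    base_gas: int = 0
    gas_price: int = 0
    gas_token: str = "0x" + "00" * 20
    refund_receiver: str = "0x" + "00" * 20
    signatures: bytes = b""


def _u256(x: int) -> bytes:
    return x.to_bytes(32, "big")


def _addr_word(addr: str) -> bytes:
    return bytes(12) + bytes.fromhex(addr[2:])


def _dyn_bytes(b: bytes) -> bytes:  # length word + payload padded to 32 bytes
    return _u256(len(b)) + b + bytes((-len(b)) % 32)


def encode_exec_transaction(tx: SafeTx) -> bytes:
    """ABI-encode execTransaction(...) the way a wallet front end would."""
    data_off = 10 * 32                      # ten head words; two of them are offsets
    sig_off = data_off + len(_dyn_bytes(tx.data))
    head = (_addr_word(tx.to) + _u256(tx.value) + _u256(data_off) + _u256(tx.operation)
            + _u256(tx.safe_tx_gas) + _u256(tx.base_gas) + _u256(tx.gas_price)
            + _addr_word(tx.gas_token) + _addr_word(tx.refund_receiver) + _u256(sig_off))
    return EXEC_TRANSACTION + head + _dyn_bytes(tx.data) + _dyn_bytes(tx.signatures)


def decode_exec_transaction(calldata: bytes) -> SafeTx:
    """Inverse of the encoder: what the Safe contract will actually execute."""
    if calldata[:4] != EXEC_TRANSACTION:
        raise ValueError(f"not execTransaction, selector {calldata[:4].hex()}")
    args = calldata[4:]
    word = lambda i: args[32 * i: 32 * (i + 1)]
    uint = lambda i: int.from_bytes(word(i), "big")
    addr = lambda i: "0x" + word(i)[12:].hex()

    def dyn(offset: int) -> bytes:
        length = int.from_bytes(args[offset:offset + 32], "big")
        return args[offset + 32: offset + 32 + length]

    return SafeTx(to=addr(0), value=uint(1), data=dyn(uint(2)), operation=uint(3),
                  safe_tx_gas=uint(4), base_gas=uint(5), gas_price=uint(6),
                  gas_token=addr(7), refund_receiver=addr(8), signatures=dyn(uint(9)))


def policy_findings(tx: SafeTx, allowed_targets: set[str]) -> list[str]:
    """Rules a cold-wallet signer should apply before touching the hardware key."""
    findings = []
    if tx.operation == OP_DELEGATECALL:
        findings.append("operation=1 (DELEGATECALL): target code runs with the Safe's own "
                        "storage, so it can rewrite slot 0 (the implementation address)")
    if tx.to.lower() not in {a.lower() for a in allowed_targets}:
        findings.append(f"target {tx.to} is not on the signer allowlist")
    if tx.data[:4] == ERC20_TRANSFER and tx.operation == OP_DELEGATECALL:
        findings.append("calldata has an ERC-20 transfer() selector but is delegatecalled: "
                        "a masked UI would render this as an ordinary token send")
    return findings


# Constructed sample inputs: placeholder addresses, not the real attack calldata.
HOT_WALLET = "0x" + "22" * 20        # constructed: exchange hot wallet
STETH_TOKEN = "0x" + "33" * 20       # constructed: ERC-20 token contract
MALICIOUS_TARGET = "0x" + "11" * 20  # constructed: contract whose transfer() writes slot 0
MALICIOUS_IMPL = "0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516"  # address from the timeline, used only as data
SIGNER_ALLOWLIST = {HOT_WALLET, STETH_TOKEN}  # assumed allowlist


def transfer_calldata(recipient: str, amount: int) -> bytes:
    return ERC20_TRANSFER + _addr_word(recipient) + _u256(amount)


# What the signer believed they were approving: a plain CALL to the token contract.
benign = SafeTx(to=STETH_TOKEN, value=0, data=transfer_calldata(HOT_WALLET, 10**18), operation=OP_CALL)
# Attack shape described in this article: a transfer()-looking payload, but DELEGATECALLed
# into an unlisted contract, whose code then overwrites the proxy's slot 0.
masked = SafeTx(to=MALICIOUS_TARGET, value=0, data=transfer_calldata(MALICIOUS_IMPL, 0), operation=OP_DELEGATECALL)


def check(calldata: bytes) -> list[str]:
    return policy_findings(decode_exec_transaction(calldata), SIGNER_ALLOWLIST)


if __name__ == "__main__":
    for name, tx in (("benign", benign), ("masked", masked)):
        print(name, check(encode_exec_transaction(tx)) or ["ok"])
```

The decoder reads what the contract will execute rather than what the front end renders, so a compromised web UI cannot hide the operation field from this check. In practice the same rule belongs on the hardware wallet display (show `operation` and `to`, not just a token amount) or in a Safe transaction guard that rejects operation = 1 outright for a treasury wallet.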

Inherent risks of centralized exchanges:

As the custodian of user funds, centralized exchanges naturally have the risk of "single point of failure" and are easy targets for hacker attacks. Bybit CEO Ben Zhou had publicly acknowledged this inherent vulnerability of CEXs as early as 2020.

External environmental factors:

The overall recovery of the cryptocurrency market in February 2025 and the rise in ETH prices may have stimulated the hackers' theft motives.

Recent attacks on other crypto platforms (such as zkLend) also suggest that the overall security environment in the industry may be deteriorating.

Impact of the Incident

Direct impact on Bybit:

Huge financial loss: $1.5 billion in assets were stolen, accounting for a large proportion (about 75%) of Bybit's ETH deposits, causing direct economic losses to the exchange.

User trust crisis and withdrawal surge: The large-scale theft incident may have triggered a crisis of user trust in Bybit's platform security, leading to a concentrated withdrawal of funds, putting tremendous pressure on the platform's liquidity.

Short-term fluctuation in ETH price: After the incident, the ETH price experienced a short-term decline of about 3%, reflecting the market's negative sentiment towards the event.

Reputational damage: Although Bybit has actively responded and emphasized its solvency, this incident has undoubtedly caused some negative impact on Bybit's reputation.

Impact on the cryptocurrency industry:

Exacerbating the CEX trust crisis: The Bybit incident further exacerbates users' concerns about the security of centralized exchanges, which may prompt some users to transfer their funds to decentralized exchanges (DEXs) or choose safer asset custody solutions.

Increased regulatory pressure: Historically, large-scale exchange security incidents have often attracted the attention and intervention of regulatory authorities. The Bybit incident may prompt regulators in various countries to strengthen security audits and compliance requirements for CEXs.

Driving industry-wide security upgrades: This incident may become a turning point in the field of crypto security, prompting exchanges, security agencies, and the developer community to jointly drive a comprehensive upgrade of technical security and governance mechanisms, improving the overall security level of the industry.

Potential discussion on Ethereum forking: Coinbase executive Conor Grogan and industry figure Arthur Hayes publicly raised the possibility that this incident could trigger a debate over rolling back Ethereum, as happened after the DAO hack. Such calls are widely regarded as radical, but they reflect the severity of the incident and the industry's willingness to contemplate extreme measures.

Reactions from Industry Participants

Bybit official: After the incident, Bybit CEO Ben Zhou quickly made the details of the event public and communicated with users through social media, live streams, etc., emphasizing the platform's solvency and normal operations, in an attempt to regain user trust through transparency and active communication. Bybit's official statement said the company has reported the incident to the relevant authorities and is cooperating with security agencies to investigate and track the stolen funds.

Audit and security agencies: Blockchain security companies such as SlowMist and Beosin intervened quickly after the incident, analyzing the technical details of the attack, assisting Bybit in tracking the stolen funds, and issuing security warnings to the industry.

Centralized exchange (CEX) peers: Exchanges such as Bitget, KuCoin, MEXC, and Jucoin have publicly expressed support for Bybit and provided financial and technical assistance. BitMart has promised to freeze suspicious addresses, and Binance founder CZ has also stated that Binance is willing to provide assistance if needed. The collective support and mutual assistance from leading exchanges in the industry demonstrate their stance in addressing industry security risks.

Community and analysts: The cryptocurrency community and industry analysts have broadly expressed concern about this incident. Some users praised Bybit's transparent communication, but more voiced general worries about the security of CEXs. Analysts pointed out that the incident may prompt CEXs to re-examine and improve their multi-signature procedures, smart contract security audits, and internal security processes.

Summary

The $1.5 billion theft at the Bybit exchange is the largest single loss of funds in the history of the cryptocurrency industry, and it once again sounds the alarm on the security risks of centralized exchanges. A carefully planned attack that combined a technical lever (replacing the wallet's implementation via DELEGATECALL) with social engineering of the signing process breached the exchange's layered defenses, causing massive economic losses and a crisis of trust.

Although Bybit has encountered a sudden security incident, its rapid response and relatively open and transparent handling have effectively alleviated market anxiety. More encouragingly, the assistance from peers and the active support of security agencies have fully demonstrated the spirit of solidarity and mutual assistance in the cryptocurrency community. This incident not only reminds us of the risks in the industry, but also shows us the growing maturity and resilience of the crypto sector.

In the future, the cryptocurrency industry may face a comprehensive upgrade in the security field due to this incident. Centralized exchanges need to continuously strengthen their investment in technical security, and improve the security protection of multi-signature wallets, smart contracts, internal risk control, and other aspects. Regulatory authorities may also further strengthen compliance oversight of CEXs, promoting a healthier and more orderly development of the industry. For users, this incident once again reminds them that asset security is always the primary consideration for participating in the cryptocurrency market, and it is becoming increasingly important to reasonably diversify risks and choose safer asset custody solutions.

Latest Updates (as of February 22, 2025, 09:55 HKT)

Bybit has collaborated with Web3 audit firm Hacken to release a proof of reserves, demonstrating the platform's solvency.

Exchanges like Bitget and MEXC continue to provide ETH and stETH loans to Bybit to alleviate liquidity pressure.

KuCoin has assisted Bybit in monitoring fund flows and freezing suspicious assets.

Safe has temporarily paused certain Safe{Wallet} functionality for a comprehensive security review.

Binance founder CZ has clarified that Binance has not provided any loans to Bybit, and the related fund transfers may be the personal actions of a whale.

On-chain sleuth ZachXBT has confirmed that the Lazarus Group is the planner of this attack incident.

The Bybit hacker's attempt to unstake cmETH was rejected by the contract.

Bybit's CEO stated that all withdrawals have been processed and a full incident report will be released.
