Source: Bitrace

On February 21, 2025, the cryptocurrency exchange Bybit suffered a large-scale security vulnerability incident, resulting in the theft of approximately $1.5 billion in assets from its Ethereum cold wallet. This incident is considered the largest single theft in the history of cryptocurrency, surpassing the previous records of Poly Network (2021, $611 million) and Ronin Network (2022, $620 million), and has had a shocking impact on the industry.

This article aims to introduce the hacking incident and its fund laundering methods, while warning of a large-scale freezing wave targeting the OTC community and Crypto payment companies in the coming months.

Theft Process

According to the description of Bybit Ben Zhou and the preliminary investigation of Bitrace, the theft process is as follows:

Attack Preparation: The hackers deployed a malicious smart contract (address: 0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516) at least three days before the incident (i.e., on February 19), laying the groundwork for the subsequent attack.

Invasion of the Multi-Signature System: Bybit's Ethereum cold wallet uses a multi-signature mechanism, which usually requires multiple authorized parties to sign transactions. The hackers invaded the computers managing the multi-signature wallet through unknown means, possibly through a disguised interface or malware.

Fake Transactions: On February 21, Bybit planned to transfer ETH from the cold wallet to the hot wallet to meet daily trading needs. The hackers disguised the transaction interface as a normal operation, inducing the signers to confirm what appeared to be a legitimate transaction. However, the signature was actually executing an instruction to change the logic of the cold wallet smart contract.

Fund Transfer: After the instruction took effect, the hackers quickly took control of the cold wallet and transferred the approximately $1.5 billion worth of ETH and ETH staking certificates to an unknown address (initial tracking address: 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2). Subsequently, the funds were dispersed to multiple wallets and the money laundering process began.

Money Laundering Methods

The money laundering can be roughly divided into two stages:

The first stage is the early fund splitting phase, where the attackers quickly exchanged the ETH staking certificate tokens for ETH tokens, rather than the more freezable stablecoins, and then strictly split and transferred the ETH to lower-level addresses, preparing for the laundering.

It was during this stage that the attackers' attempt to exchange 15,000 mETH for ETH was thwarted, allowing the industry to recover a portion of the loss.

The second stage is the fund laundering work. The attackers will transfer the obtained ETH through centralized or decentralized industry infrastructure, including Chainflip, THORChain, Uniswap, eXch, etc. Some protocols are used for fund exchange, while others are used for cross-chain fund transfer.

So far, a large amount of the stolen funds have been exchanged for layer1 tokens such as BTC, Doge, SOL, and even memecoins or transferred to exchange addresses to confuse the funds.

Bitrace is monitoring and tracking the addresses related to the stolen funds, and this threat information will be synchronized in BitracePro and Detrust to prevent users from accidentally receiving the stolen funds.

Previous Offense Analysis

Analysis of the 0x457 address in the fund chain reveals that it is related to the BingX exchange theft incident in October 2024 and the Phemex exchange theft incident in January 2025, indicating that the mastermind behind these three attack incidents is the same entity.

Combining its highly industrialized fund laundering methods and attack techniques, some blockchain security practitioners attribute this incident to the notorious hacker organization Lazarus, which has launched multiple cyber attacks on Crypto industry institutions or infrastructure over the past few years, illegally seizing billions of dollars worth of cryptocurrencies.

Freezing Crisis

In the course of its investigation over the past few years, Bitrace has found that in addition to using unauthorized industry infrastructure for fund laundering, this organization also uses centralized platforms for large-scale dumping, directly leading to the risk control of the accounts of many exchange users who have intentionally or unintentionally received the stolen funds, and the business addresses of OTC merchants and payment institutions being frozen by USDT.

In 2024, the Japanese cryptocurrency exchange DMM was attacked by Lazarus, with over $600 million worth of Bitcoin illegally transferred. The attackers bridged the funds to the Southeast Asian cryptocurrency payment institution HuionePay, causing the latter's hot wallet address to be frozen by USDT, with over $29 million locked and unable to be transferred.

In 2023, Poloniex was attacked, with the attackers suspected to be the Lazarus group, and over $100 million in funds illegally transferred. Some of the funds were laundered through OTC trading, leading to the freezing of the business addresses of many OTC merchants or the risk control of the exchange accounts used to store business funds, greatly impacting their business activities.

Conclusion

The frequent hacking incidents have already caused huge losses to our industry, and the subsequent fund laundering activities have also polluted more personal and institutional addresses, which for these innocent victims and potential victims, should pay more attention to these threat funds in their business activities to prevent themselves from being affected.

This also rings the alarm for us, it's time to pay attention to Crypto anti-money laundering awareness and KYT programs.