On February 21, 2025, the cryptocurrency exchange Bybit experienced a large-scale security vulnerability incident, resulting in the theft of approximately $1.5 billion in assets from its Ethereum cold wallet. This event is considered the largest single theft in the history of cryptocurrency, surpassing the previous records of Poly Network (2021, $611 million) and Ronin Network (2022, $620 million), and has had a shocking impact on the industry.
This article aims to introduce the hacking incident and its money laundering methods, while warning that in the coming months, a large-scale freezing wave will soon target the OTC community and Crypto payment companies.
The Theft Process
According to the description of Bybit Ben Zhou and the preliminary investigation of Bitrace, the theft process is as follows:
Attack Preparation: The hackers deployed a malicious smart contract (address: 0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516) at least three days before the incident (i.e., on February 19), laying the groundwork for the subsequent attack.
Invasion of the Multi-Signature System: Bybit's Ethereum cold wallet uses a multi-signature mechanism, usually requiring multiple authorized parties to sign transactions. The hackers invaded the computers managing the multi-signature wallet through unknown means, possibly through a disguised interface or malware.
Fake Transactions: On February 21, Bybit planned to transfer ETH from the cold wallet to the hot wallet to meet daily trading needs. The hackers disguised the transaction interface as a normal operation, inducing the signers to confirm what appeared to be a legitimate transaction. However, the signature actually executed an instruction to change the logic of the cold wallet smart contract.
Fund Transfer: After the instruction took effect, the hackers quickly took control of the cold wallet and transferred the approximately $1.5 billion worth of ETH and ETH staking certificates to an unknown address (initial tracking address: 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2). Subsequently, the funds were dispersed to multiple wallets and the money laundering process began.
Money Laundering Methods
The money laundering process can be divided into two stages:
The first stage is the early fund splitting phase, where the attackers quickly exchanged the ETH staking certificate tokens for ETH tokens, rather than the more freezable stablecoins, and then strictly split and transferred the ETH to lower-level addresses, preparing for the money laundering.
It was during this stage that the attackers' attempt to exchange 15,000 mETH for ETH was thwarted, allowing the industry to recover a portion of the loss.
The second stage is the money laundering work. The attackers will transfer the obtained ETH through centralized or decentralized industry infrastructure, including Chainflip, THORChain, Uniswap, and eXch. Some protocols are used for fund conversion, while others are used for cross-chain fund transfers.
To date, a large amount of the stolen funds have been converted to BTC, Doge, SOL, and other layer1 tokens, and even issued memecoins or transferred to exchange addresses to confuse the funds.
Bitrace is monitoring and tracking the addresses related to the stolen funds, and this threat information will be synchronized in BitracePro and Detrust to prevent users from accidentally receiving the stolen funds.
Prior Offense Analysis
Analysis of the 0x457 address in the fund chain reveals that it is related to the BingX exchange theft incident in October 2024 and the Phemex exchange theft incident in January 2025, indicating that the mastermind behind these three attack events is the same entity.
Combining their highly industrialized money laundering methods and attack techniques, some blockchain security practitioners attribute this incident to the notorious hacker organization Lazarus, which has launched multiple cyber-attacks on Crypto industry institutions or infrastructure and illegally seized billions of dollars worth of cryptocurrencies in the past few years.
Freezing Crisis
In the course of its investigation over the past few years, Bitrace has found that in addition to using the industry's permissionless infrastructure for money laundering, this organization also extensively uses centralized platforms for dumping, directly leading to the risk control of a large number of exchange user accounts who have intentionally or unintentionally received the stolen funds, and the business addresses of OTC merchants and payment institutions being frozen by USDT.
In 2024, the Japanese cryptocurrency exchange DMM was attacked by Lazarus, with Bitcoin worth $600 million illegally transferred. The attackers bridged the funds to the Southeast Asian cryptocurrency payment institution HuionePay, causing the latter's hot wallet address to be frozen by USDT, with over $29 million locked and unable to be transferred.
In 2023, Poloniex was attacked, with the suspected Lazarus group illegally transferring over $100 million in funds. Some of the funds were laundered through OTC trading, leading to the freezing of a large number of OTC merchants' business addresses or the risk control of exchange accounts used to store business funds, greatly impacting their business activities.
Conclusion
The frequent hacking incidents have already caused huge losses to our industry, and the subsequent money laundering activities have also polluted more personal and institutional addresses. For these innocent victims and potential victims, it is more important to pay attention to these threat funds in their business activities to prevent themselves from being affected.
