Nearly 1.5 billion US dollars was stolen from Bybit, the largest theft in human history. How did North Korean hackers do it?


Editor | Wu Blockchain

On the evening of February 21st, Beijing time, on-chain detective ZachXBT first revealed that over $1.46 billion in suspicious funds had been detected flowing out of Bybit, with mETH and stETH currently being exchanged for ETH on DEXes. It can be confirmed that this has become the largest hacking incident in the history of cryptocurrency (calculated by the amount at the time).

Coinbase executive Conor Grogan stated that the North Korean hack on Bybit is the largest hacking theft case in history (surpassing the Iraqi Central Bank theft of around $1 billion), about 10 times the size of the 2016 DAO hack (but with a much higher percentage of the supply). It is expected that there will be some calls for an Ethereum fork.

Arkham tweeted that on-chain analyst ZachXBT provided conclusive evidence that the $1.5 billion Bybit hack was carried out by the North Korea-backed hacker group Lazarus Group. His submission includes detailed analysis of test transactions, associated wallets, forensic charts, and timeline analysis. The relevant information has been shared with Bybit to assist in their investigation.

Bybit CEO Ben Zhou tweeted that about an hour earlier, Bybit's ETH multi-sig cold wallet had made a transfer to its hot wallet. It appears this transaction was forged: all signers saw a forged UI showing the correct address, with the URL coming from Safe, but the signed message actually changed the logic of the ETH cold wallet's smart contract. This allowed the hackers to take control of the specific ETH cold wallet that was signed for and transfer all of its ETH to an unidentified address. He added that all other cold wallets are safe and all withdrawals are normal, that he would keep users updated on further developments, and that Bybit would be grateful to any team that can help track down the stolen funds. Bybit's hot wallet, warm wallet, and all other cold wallets are fine; the only compromised cold wallet is the ETH cold wallet, and all withdrawals are normal.


Bybit's official Twitter account stated that Bybit had detected unauthorized activity involving one of its ETH cold wallets. At the time of the incident, the ETH multi-sig cold wallet executed a transfer to the hot wallet. Unfortunately, this transaction was manipulated through a sophisticated attack that masked the signing interface, displaying the correct address while changing the underlying smart contract logic. As a result, the attackers were able to take control of the affected ETH cold wallet and transfer its assets to an unidentified address. Bybit's security team is actively investigating the incident in collaboration with leading blockchain forensics experts and partners, and any team with expertise in blockchain analysis and asset recovery that can assist in tracking the assets is welcome to work with them. Bybit assured users and partners that all other Bybit cold wallets are completely secure, all customer funds are safe, and operations are continuing uninterrupted; transparency and security remain its top priorities, and it will provide updates as soon as possible.


Bybit stated that all other Bybit cold wallets are secure, and customer funds are unaffected and remain safe. We understand the current situation is causing a surge in withdrawal requests. While the high volume may result in delays, all withdrawals are being processed normally. Bybit has sufficient assets to cover the loss, with over $20 billion in assets under management, and will utilize bridging loans if necessary to ensure the availability of user funds.


Coinbase executive Conor Grogan tweeted that Binance and Bitget have just deposited over 50,000 ETH directly into Bybit's cold wallets, with Bitget's deposit particularly notable, accounting for a quarter of the exchange's total ETH. These funds were clearly coordinated by Bybit itself, bypassing deposit addresses. Bybit CEO Ben Zhou stated: "Thank you to Bitget for stepping up at this moment, we are in communication with Binance and a few other partners, and this has nothing to do with the official Binance."


Bitget CEO Gracy stated that Bybit is a respectable competitor and partner, and that while the loss is significant, it amounts to only about one year of Bybit's profit. She believes customer funds are 100% safe and that there is no need for panic or a bank run. Gracy also stated that the loan to Bybit comes from Bitget's own assets, not user assets.


The Slowmist team provided additional details, stating that the attacker deployed a malicious implementation contract, and then the attacker replaced the Safe's implementation contract with the malicious contract through a transaction signed by the three owners, utilizing the backdoor functions "sweepETH" and "sweepERC20" in the malicious contract to empty the hot wallet funds.

Dilation Effect's analysis points out that, compared with previous similar incidents, the Bybit incident required compromising only one signer to complete the attack, because the attacker used a "social engineering" trick. Analysis of the on-chain transactions shows that the attacker executed a malicious contract's "transfer" function via delegatecall; the "transfer" code used the SSTORE instruction to modify storage slot 0, effectively changing the implementation address of Bybit's multi-sig contract to the attacker's address. Once the person or device initiating the multi-sig transaction was compromised, the subsequent reviewers would be far less alert, since they would see a normal-looking "transfer" and not realize it was changing the contract.
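The mechanism the Slowmist and Dilation Effect analyses describe, as an added example that is not from the article, from Safe, or from any of the parties quoted: a Python decoder for Safe's execTransaction calldata and an independent policy check, run on the raw bytes rather than on what a web page renders, that flags a delegatecall to a non-allow-listed target carrying a payload shaped like an ordinary token transfer. The execTransaction selector, argument layout and operation codes are Safe's own; the addresses and the payload are constructed placeholders.

```python
# Added example, not code from the article, Safe, or Bybit. The selector,
# argument order and operation codes are those of Safe's execTransaction;
# the addresses and payload below are constructed placeholders.
SELECTOR = bytes.fromhex("6a761202")        # execTransaction(...) selector
DELEGATECALL = 1                            # Safe Enum.Operation: 0 = Call, 1 = DelegateCall
ERC20_TRANSFER = bytes.fromhex("a9059cbb")  # transfer(address,uint256) selector
HOT_WALLET = "0x" + "11" * 20               # constructed: the expected destination
MALICIOUS_IMPL = "0x" + "bb" * 20           # constructed: attacker-deployed contract

def _word(buf: bytes, i: int) -> int:
    """Return the i-th 32-byte ABI word of buf as an int."""
    return int.from_bytes(buf[32 * i:32 * i + 32], "big")

def _pad32(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % 32)

def encode_exec_transaction(to, value, data, operation):
    """Minimal ABI encoder for execTransaction: gas/refund fields zero, signatures empty."""
    data_tail = len(data).to_bytes(32, "big") + _pad32(data)
    head = [int(to, 16), value, 320, operation, 0, 0, 0, 0, 0, 320 + len(data_tail)]
    return SELECTOR + b"".join(h.to_bytes(32, "big") for h in head) + data_tail + bytes(32)

def decode_exec_transaction(calldata: bytes) -> dict:
    """Pull out the fields a signer must verify: to, value, operation, data."""
    if calldata[:4] != SELECTOR:
        raise ValueError("not a Safe execTransaction call")
    args = calldata[4:]
    off = _word(args, 2)                      # offset of the dynamic `data` field
    data = args[off + 32: off + 32 + _word(args[off:], 0)]
    return {"to": "0x" + args[12:32].hex(), "value": _word(args, 1),
            "operation": _word(args, 3), "data": data}

def review(tx: dict, allowed_targets: set) -> list:
    """Policy check on the raw calldata, independent of whatever a web UI renders."""
    findings = []
    if tx["operation"] == DELEGATECALL:
        findings.append("delegatecall: callee code runs in the Safe's storage and can overwrite slot 0 (singleton)")
    if tx["to"].lower() not in {a.lower() for a in allowed_targets}:
        findings.append("target is not an allow-listed destination")
    if tx["operation"] == DELEGATECALL and tx["data"][:4] == ERC20_TRANSFER:
        findings.append("payload looks like an ERC20 transfer but would execute as delegatecall")
    return findings

# Constructed payloads: a benign ETH transfer to the hot wallet, and the shape described
# above, a "transfer" to the attacker contract executed with operation = DelegateCall.
BENIGN_CALLDATA = encode_exec_transaction(HOT_WALLET, 10**18, b"", 0)
ATTACK_CALLDATA = encode_exec_transaction(MALICIOUS_IMPL, 0,
    ERC20_TRANSFER + bytes(12) + bytes.fromhex("bb" * 20) + (0).to_bytes(32, "big"), DELEGATECALL)
```

Running `review(decode_exec_transaction(ATTACK_CALLDATA), {HOT_WALLET})` returns three findings, while the benign transfer returns none; a signer who verifies the decoded `operation` and `to` fields on an independent device is not relying on the page that rendered the transaction.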

Chainlink data shows that after the Bybit security incident was disclosed, USDe briefly flash-crashed to $0.965 before rebounding to $0.99. Bybit has integrated USDe as collateral for perpetual contracts on its UTA. Ethena Labs stated that it is monitoring the situation with Bybit and will continue to track developments. All spot assets backing USDe are held in off-exchange custodial solutions, including for Bybit through Copper ClearLoop; currently, no spot assets are held on any exchange. The total unrealized PnL related to the Bybit hedging positions is less than $30 million, less than half of the reserve fund. USDe remains over-collateralized, and Ethena will provide updates based on the latest information.

Binance co-founder CZ responded that this is not an easy situation to handle, that he might suggest pausing all withdrawals as a standard security precaution, and that he would provide any assistance needed. He Yi stated that she is willing to provide assistance.

The Safe security team responded that they are closely collaborating with Bybit in the ongoing investigation. No evidence of an official Safe frontend breach has been found yet, but as a precaution, some Safe Wallet functions have been temporarily suspended. Slowmist Cosine stated that similar to the previous Radiant Capital case, this may also be a theft by North Korean hackers. Radiant Capital stated that their $50 million attack in October was related to the North Korean hacker group, involving complex identity impersonation and multi-layered phishing attacks, where the attackers posed as former contractors to obtain sensitive credentials and infiltrate the protocol system.

Security analysts believe this is similar to the WazirX and Radiant cases, where the signer's computer or an intermediary interface was compromised. The likely cause of this hack is that the hackers planted malware on a signer's computer or browser, which replaced the transaction with a malicious one before sending it to the hardware wallet. This malware could sit at any layer of the stack (a malicious extension, the wallet communication layer, and so on): the signing interface was compromised so that it displayed one transaction but sent another to the wallet, leaving the signer seeing an innocent transaction on the interface while the malicious transaction went to their device. Until the full post-mortem analysis is available, the details cannot be confirmed.

OneKey stated that the hackers had most likely already confirmed that Bybit's three multi-sig computers were compromised and were waiting for the signers to perform their normal signing operations. When the multi-sig personnel executed a routine transfer-type signing operation, the hackers replaced the signing content. On the web page the personnel saw what appeared to be a normal transaction, unaware that it had been changed into a "replace the Safe contract with the previously deployed malicious contract" transaction. And so the tragedy unfolded: the backdoored malicious contract let the hackers withdraw all the funds with ease.


Bybit stated that it will not immediately purchase ETH, but will rely on its partners to provide bridging loans. It will ensure that all users can withdraw, but due to traffic being 100 times the normal amount, it will take some time to process, and it will need to perform some risk verification for large withdrawals.

Dilation Effect pointed out that the combination of an ordinary hardware wallet and a Safe multi-signature mechanism can no longer meet the security management needs of large funds. If the attacker is patient enough to deal with multiple signers one by one, nothing else in the operating process provides a further guarantee of security. The security management of large funds must use an institutional-grade custody solution.

According to DeFiLlama data, including the funds stolen by hackers, Bybit's total outflow in the past 24 hours was $2.399 billion. Currently, the platform's on-chain verifiable assets exceed $14 billion, of which Bitcoin and USDT account for nearly 70%. Bybit announced that it has reported the incident to the relevant authorities and will provide updates after obtaining more information. In addition, cooperation with on-chain analysis providers has helped identify and separate the relevant addresses, aiming to reduce the ability of malicious actors to dispose of ETH through legitimate markets.

This incident may trigger discussions about an Ethereum fork. Conor Grogan said that although he believes the calls for a fork are too radical, he expects a real debate on the issue. Arthur Hayes, as a large holder of Ethereum, believes that Ethereum ceased to be "money" after the hard fork that followed the 2016 DAO hack. He said that if the community decides to roll back again, he will support that decision, because the community had already voted against immutability in 2016, so why not do it again?

Disclaimer: The content above is only the author's opinion which does not represent any position of Followin, and is not intended as, and shall not be understood or construed as, investment advice from Followin.