Case Summary
On the evening of February 21, 2025 (Beijing time), the Bybit exchange was hit by an APT attack that abused "blind signing" to get past its multi-signature mechanism, resulting in the theft of nearly $1.5 billion in assets from a cold wallet. As of 8 a.m. on the 22nd (Beijing time), the stolen assets were distributed across 51 addresses.
Bit Jungle, a professional blockchain tracing company, reconstructs the full picture of the attack from public data.
Reveal One: Hacker Attack Techniques
1. Hackers gained access to Bybit employee computers through APT attacks
2. Hackers lurked for a long time, observing Bybit's coin transfer process
3. Hackers deployed a malicious Safe contract: 0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516
4. Forged the Safe front-end transaction display so that Bybit's signers were deceived into multi-signing a transaction that replaced the Safe implementation contract with the malicious contract
5. Drained the cold wallet's assets through the malicious contract
Reveal Two: Fund Transfer Settlement and Attacker Profile
As of 8 a.m. on the 22nd (Beijing time), the stolen assets were distributed across 51 addresses (yellow addresses in the figure)
At the same time, according to the latest information, the funds stolen from Bybit have been mixed with outflows from the initial hacker address of the Phemex incident and sent to the same address. That address has been in use since November 2024 and has a history of deposits to multiple exchanges and cross-chain transactions, confirming that the thefts are the work of North Korean hackers.
Reveal Three: Potential Secondary Financial Risks
1. Hacker sell-offs or market panic may trigger a run by users, leaving Bybit facing a surge in withdrawals that strains its liquidity and requires an urgent response to stabilize confidence.
2. ETH is a highly volatile asset whose price is strongly affected by market sentiment, supply and demand, and macroeconomic factors. This theft may cause fluctuations in the ETH price that lead to further losses.
Reveal Four: Preventive Measures
1. Train employees to improve their ability to resist advanced phishing and social engineering, reducing the risk of a compromise that originates inside the organization.
2. Properly isolate networks and devices, with dedicated machines for important tasks or financial matters, separate from regular office or personal computers, to reduce the attack surface.
3. Diversify asset storage across multiple cold wallets, reducing the impact of single-point theft and enhancing overall security.
4. Establish a professional security team and collaborate with Web3 security companies like Bit Jungle to jointly combat hackers.
5. Purchase insurance to mitigate the losses caused by security incidents.
Reveal Five: The Security Mechanism of Safe Wallet Multi-Signature Was Not Breached
Safe (formerly Gnosis Safe) is a widely used multi-signature solution in the industry, and its security relies on multi-party signatures and the immutability of smart contract logic.
This attack shows that the hackers did not break Safe's multi-signature mechanism or exploit a vulnerability in its code; instead, they obtained enough valid owner signatures through phishing.
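Reveal Five frames the failure as blind signing: the signers approved a Safe execTransaction whose real content (a DELEGATECALL that swapped the implementation contract, as described in Reveal One) differed from what the front-end showed them. The control that catches this is an independent decode of the raw calldata on a device separate from the one displaying the front-end. The Python below is an added example written for this page, not Bit Jungle's or the Safe project's code. It decodes execTransaction calldata and flags DELEGATECALL operations and unapproved targets. Assumptions: 0x6a761202 is the standard execTransaction selector (verify it against the Safe ABI before relying on it); the token address is a constructed placeholder; the sample calldata is constructed here, with the malicious contract address taken from Reveal One.

```python
"""Independent pre-signing review of Safe execTransaction calldata.

Added example, not code from Bit Jungle or the Safe project. Decodes the
ABI-encoded execTransaction(...) call an owner is asked to sign and flags
operation == 1 (DELEGATECALL), which runs the target's code against the
Safe's own storage and can therefore overwrite its implementation slot.
Assumed: 0x6a761202 is the standard execTransaction selector.
"""
from dataclasses import dataclass

EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")
CALL, DELEGATECALL = 0, 1
WORD = 32
HEAD_WORDS = 10  # execTransaction has ten static head slots

# Malicious implementation contract named in Reveal One of the write-up.
MALICIOUS_IMPL = "0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516"
# Constructed placeholder for a token the treasury routinely interacts with.
KNOWN_TOKEN = "0x1111111111111111111111111111111111111111"
ZERO_ADDRESS = "0x" + "00" * 20


@dataclass
class SafeTx:
    to: str
    value: int
    data: bytes
    operation: int
    safe_tx_gas: int = 0
    base_gas: int = 0
    gas_price: int = 0
    gas_token: str = ZERO_ADDRESS
    refund_receiver: str = ZERO_ADDRESS
    signatures: bytes = b""


def _uint(word: bytes) -> int:
    return int.from_bytes(word, "big")


def _addr(word: bytes) -> str:
    if any(word[:12]):  # an address occupies the low 20 bytes of the word
        raise ValueError("address word has non-zero high bytes")
    return "0x" + word[12:].hex()


def _word(buf: bytes, index: int) -> bytes:
    chunk = buf[index * WORD:(index + 1) * WORD]
    if len(chunk) != WORD:
        raise ValueError("truncated calldata")
    return chunk


def _dyn_bytes(buf: bytes, offset: int) -> bytes:
    length_word = buf[offset:offset + WORD]
    if len(length_word) != WORD:
        raise ValueError("dynamic offset points past end of calldata")
    length = _uint(length_word)
    payload = buf[offset + WORD:offset + WORD + length]
    if len(payload) != length:
        raise ValueError("dynamic bytes run past end of calldata")
    return payload


def _pad32(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % WORD)


def encode_exec_transaction(tx: SafeTx) -> bytes:
    """Build execTransaction calldata; used here only to construct samples."""
    def uint_word(n): return n.to_bytes(WORD, "big")
    def addr_word(a): return bytes.fromhex(a[2:]).rjust(WORD, b"\x00")
    data_off = HEAD_WORDS * WORD
    data_tail = uint_word(len(tx.data)) + _pad32(tx.data)
    sig_off = data_off + len(data_tail)
    sig_tail = uint_word(len(tx.signatures)) + _pad32(tx.signatures)
    head = (addr_word(tx.to) + uint_word(tx.value) + uint_word(data_off)
            + uint_word(tx.operation) + uint_word(tx.safe_tx_gas)
            + uint_word(tx.base_gas) + uint_word(tx.gas_price)
            + addr_word(tx.gas_token) + addr_word(tx.refund_receiver)
            + uint_word(sig_off))
    return EXEC_TRANSACTION_SELECTOR + head + data_tail + sig_tail


def decode_exec_transaction(calldata: bytes) -> SafeTx:
    """Parse the bytes the wallet is about to sign, independent of any UI."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction call")
    head = calldata[4:]  # ABI offsets are relative to the start of the args
    return SafeTx(
        to=_addr(_word(head, 0)), value=_uint(_word(head, 1)),
        data=_dyn_bytes(head, _uint(_word(head, 2))),
        operation=_uint(_word(head, 3)), safe_tx_gas=_uint(_word(head, 4)),
        base_gas=_uint(_word(head, 5)), gas_price=_uint(_word(head, 6)),
        gas_token=_addr(_word(head, 7)), refund_receiver=_addr(_word(head, 8)),
        signatures=_dyn_bytes(head, _uint(_word(head, 9))),
    )


def review(tx: SafeTx, allowed_targets: set) -> list:
    """Return findings; an empty list means nothing unusual was seen."""
    findings = []
    if tx.operation == DELEGATECALL:
        findings.append("operation=DELEGATECALL: target code runs with the Safe's "
                        "storage and can overwrite the implementation slot; the inner "
                        "selector a front-end displays says nothing about what executes")
    elif tx.operation != CALL:
        findings.append(f"unknown operation {tx.operation}")
    if tx.to.lower() not in {a.lower() for a in allowed_targets}:
        findings.append(f"target {tx.to} is not on the approved target list")
    return findings


def demo() -> tuple:
    """Constructed samples: a routine token call and a delegatecall to MALICIOUS_IMPL."""
    inner = bytes.fromhex("a9059cbb") + b"\x00" * 64  # ERC-20 transfer selector, constructed args
    routine = SafeTx(to=KNOWN_TOKEN, value=0, data=inner, operation=CALL)
    hostile = SafeTx(to=MALICIOUS_IMPL, value=0, data=inner, operation=DELEGATECALL)
    allowed = {KNOWN_TOKEN}
    return (review(decode_exec_transaction(encode_exec_transaction(routine)), allowed),
            review(decode_exec_transaction(encode_exec_transaction(hostile)), allowed))


if __name__ == "__main__":
    ok, bad = demo()
    print("routine transfer:", ok or "no findings")
    print("hostile transaction:", *bad, sep="\n  ")
```

Run the check on the exact bytes the signing device is about to sign, from a machine that is independent of the one rendering the front-end; any non-empty findings list is a reason to stop and verify out of band. The two constructed samples carry identical inner data, which is the point: under DELEGATECALL the inner selector is meaningless, so the check keys on the operation field and the target address rather than on a decoded function name.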
Reveal Six: What Can Bit Jungle Do
1. Establish the facts, reconstruct the hackers' complete intrusion path, and identify hidden security risks.
2. Bit Jungle has already established contacts with more than a dozen major exchanges and organizations, and through the Zhongkui system, can automatically freeze the stolen assets to help users recover losses as soon as possible.
3. Through professional technology and extensive experience, quickly locate the suspects and assist law enforcement agencies in apprehending them.