Author: Slow Mist Security Team
Background
On the evening of February 21, 2025 Beijing time, according to the on-chain detective ZachXBT, a large-scale fund outflow incident occurred on the Bybit platform. This incident resulted in the theft of over $1.46 billion, making it the largest cryptocurrency theft incident in recent years.
On-chain Tracking and Analysis
After the incident, the Slow Mist Security Team immediately issued a security alert and began tracking and analyzing the stolen assets.
According to the Slow Mist Security Team's analysis, the stolen assets mainly include:
· 401,347 ETH (worth about $1.068 billion)
· 8,000 mETH (worth about $26 million)
· 90,375.5479 stETH (worth about $260 million)
· 15,000 cmETH (worth about $43 million)
We used the on-chain tracking and anti-money-laundering tool MistTrack to analyze the initial hacker address
0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2
and obtained the following information:
ETH dispersal: the initial hacker address split 400,000 ETH across 40 addresses in 1,000 ETH increments, and those addresses continued to move the funds onward.
Among them, 205 ETH were swapped to BTC through Chainflip and bridged to the address:
bc1qlu4a33zjspefa3tnq566xszcr0fvwz05ewhqfq
cmETH flow: 15,000 cmETH were transferred to the address:
0x1542368a03ad1f03d96D51B414f4738961Cf4443.
It is worth noting that the mETH Protocol published a post on X stating that, in response to the Bybit security incident, the team promptly suspended cmETH withdrawals, blocking unauthorized withdrawals, and that the mETH Protocol successfully recovered the 15,000 cmETH from the hacker address.
mETH and stETH transfers: 8,000 mETH and 90,375.5479 stETH were transferred to the address:
0xA4B2Fd68593B6F34E51cB9eDB66E71c1B4Ab449e
Then, through Uniswap and ParaSwap, they were exchanged for 98,048 ETH and transferred to:
0xdd90071d52f20e85c89802e5dc1ec0a7b6475f92
Address 0xdd9 then dispersed the ETH in 1,000 ETH increments to 9 addresses, which have not yet moved the funds out.
In addition, by tracing the initial attack address:
0x0fa09C3A328792253f8dee7116848723b72a6d2e
we found that the initial funds of this address came from Binance.
Currently, the initial hacker address:
0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2
has a balance of 1,346 ETH, and we will continue to monitor the related addresses.
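The dispersal pattern described above (one address fanning a large balance out to many previously unused addresses in identical round lots) is exactly what a tracing tool keys on when deciding which addresses to follow next. The script below is an added illustration written for this article, not MistTrack or any SlowMist code. It runs a fan-out heuristic over a constructed list of transfers: the sender names and amounts are placeholders, and the thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    block: int
    sender: str
    recipient: str
    amount_eth: float


def fanout_report(transfers, min_recipients=10, min_uniform_share=0.8):
    """Flag senders that pay many distinct recipients in uniform lots.

    For each sender we record: number of distinct recipients, the most common
    amount (the "lot"), the share of transfers that use that lot, and the share
    of recipients that had never received funds before this batch (fresh).
    """
    inbound_seen = defaultdict(int)      # address -> inbound transfers seen so far
    per_sender = defaultdict(list)       # sender -> [(recipient, amount, fresh)]
    for t in sorted(transfers, key=lambda t: t.block):
        fresh = inbound_seen[t.recipient] == 0
        per_sender[t.sender].append((t.recipient, t.amount_eth, fresh))
        inbound_seen[t.recipient] += 1

    findings = {}
    for sender, outs in per_sender.items():
        recipients = {r for r, _, _ in outs}
        if len(recipients) < min_recipients:
            continue
        amounts = [a for _, a, _ in outs]
        lot = max(set(amounts), key=amounts.count)
        uniform_share = amounts.count(lot) / len(amounts)
        if uniform_share < min_uniform_share:
            continue
        findings[sender] = {
            "recipients": len(recipients),
            "lot_eth": lot,
            "uniform_share": uniform_share,
            "fresh_share": sum(1 for _, _, f in outs if f) / len(outs),
            "total_eth": sum(amounts),
        }
    return findings


def next_hop_watchlist(transfers, findings):
    """Recipients of every flagged sender: the addresses to monitor next."""
    return {t.recipient for t in transfers if t.sender in findings}


# Constructed sample data (placeholders, not real on-chain addresses):
# an exchange hot wallet paying a handful of customers varied amounts, and a
# theft address splitting its balance into 40 identical 1,000 ETH lots.
HOT_WALLET = "0xexchange-hot-wallet"
THEFT_ADDR = "0xtheft-address"
SAMPLE = [Transfer(100, HOT_WALLET, f"0xcustomer{i}", 12.5 + i) for i in range(5)]
SAMPLE += [Transfer(101 + i, THEFT_ADDR, f"0xfan{i:02d}", 1000.0) for i in range(40)]

if __name__ == "__main__":
    report = fanout_report(SAMPLE)
    for sender, info in report.items():
        print(sender, info)
    print("watch next:", sorted(next_hop_watchlist(SAMPLE, report)))
```

In practice the transfer list comes from block explorer or node data for the addresses already under investigation, and the watchlist produced for each flagged sender is fed back in as the next hop, which is how the 40-address and 9-address splits above are followed.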
Shortly after the incident, based on the way the attacker gained control of the Safe multi-signature wallet, the possible social engineering methods involved, and the money-laundering methods used, Slow Mist suspected the attackers to be North Korean hackers.
Using MistTrack for analysis, we also found that the hacker addresses in this incident are associated with the BingX Hacker and Phemex Hacker addresses.
ZachXBT also confirmed that this attack is linked to the North Korean hacker group Lazarus Group, which primarily engages in cross-border network attacks and cryptocurrency theft. The evidence provided by ZachXBT, including test transactions, associated wallets, forensic charts, and timing analysis, shows that the attackers used techniques the Lazarus Group has employed across multiple operations. Meanwhile, Arkham stated that all relevant data has been shared with Bybit to help the platform further investigate.
Attack Method Analysis
On the night of the incident at 23:44, Bybit CEO Ben Zhou posted a statement on X explaining the technical details of this attack.
Through on-chain signature analysis, we found some traces:
1. The attacker deployed a malicious contract: at 2025-02-19 07:15:23 UTC, a malicious implementation contract was deployed at:
0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516
2. Tampered with the Safe contract logic: at 2025-02-21 14:13:35 UTC, using three Owner signatures, the Safe contract's implementation was replaced with the malicious version in transaction:
0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882
This transaction was carried out from the attacker's initial attack address:
0x0fa09C3A328792253f8dee7116848723b72a6d2e.
3. Embedded malicious logic: through DELEGATECALL, the address of the malicious logic contract was written into storage slot 0 of the Safe:
0x96221423681A6d52E184D440a8eFCEbB105C7242
4. Called the backdoor function to transfer funds: The attacker used the sweepETH and sweepERC20 functions in the contract to transfer all 400,000 ETH and stETH (total value of about $1.5 billion) from the cold wallet to unknown addresses.
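The four steps above hinge on one detail: a Safe execTransaction whose operation field is 1 (DELEGATECALL) runs the target's code inside the Safe's own storage, so it can overwrite slot 0, the slot where a Safe proxy keeps its implementation address. A signer who only looks at the destination address and URL on the interface never sees that field. The decoder below is an added example for this article, not code from SlowMist, Bybit or the Safe project. It encodes and decodes Safe's execTransaction calldata by hand (the function signature and selector 0x6a761202 are Safe's real v1.x interface) and reports the checks a signer's independent tooling should perform before a signature is produced. The allowlist and the two sample transactions are constructed placeholders.

```python
from typing import NamedTuple

# Selector of execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)
EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")
OP_CALL, OP_DELEGATECALL = 0, 1


class SafeTx(NamedTuple):
    to: str
    value: int
    data: bytes
    operation: int
    safe_tx_gas: int
    base_gas: int
    gas_price: int
    gas_token: str
    refund_receiver: str
    signatures: bytes


def _uint(n): return n.to_bytes(32, "big")
def _addr(a): return bytes.fromhex(a[2:]).rjust(32, b"\x00")
def _dyn(b): return _uint(len(b)) + b + b"\x00" * ((-len(b)) % 32)   # length word + padded payload


def encode_exec_transaction(tx):
    """Standard ABI encoding: 10 head words, then the two dynamic tails (data, signatures)."""
    head_size = 10 * 32
    data_tail = _dyn(tx.data)
    head = (_addr(tx.to) + _uint(tx.value) + _uint(head_size) + _uint(tx.operation)
            + _uint(tx.safe_tx_gas) + _uint(tx.base_gas) + _uint(tx.gas_price)
            + _addr(tx.gas_token) + _addr(tx.refund_receiver)
            + _uint(head_size + len(data_tail)))
    return EXEC_TRANSACTION_SELECTOR + head + data_tail + _dyn(tx.signatures)


def decode_exec_transaction(calldata):
    """Inverse of the encoder; offsets are relative to the start of the argument block."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction call")
    body = calldata[4:]
    word = lambda i: int.from_bytes(body[32 * i:32 * (i + 1)], "big")
    addr = lambda i: "0x" + body[32 * i + 12:32 * (i + 1)].hex()

    def dyn(off):
        n = int.from_bytes(body[off:off + 32], "big")
        return body[off + 32:off + 32 + n]

    return SafeTx(addr(0), word(1), dyn(word(2)), word(3), word(4), word(5),
                  word(6), addr(7), addr(8), dyn(word(9)))


def review_safe_tx(calldata, allowed_targets):
    """Decode what is really being signed and list the findings a signer must see."""
    tx = decode_exec_transaction(calldata)
    findings = []
    if tx.operation == OP_DELEGATECALL:
        findings.append("operation=1 (DELEGATECALL): target code runs in the Safe's storage "
                        "context and can overwrite slot 0, the implementation pointer")
    if tx.to.lower() not in {a.lower() for a in allowed_targets}:
        findings.append(f"target {tx.to} is not on the allowlist of known recipients")
    if tx.value > 0 and tx.data:
        findings.append("plain ETH transfer carries non-empty calldata")
    return tx, findings


# Constructed placeholders (not the real Bybit or attacker addresses).
ALLOWED_TARGETS = ["0x" + "11" * 20]          # the warm wallet a routine transfer should go to
ZERO = "0x" + "00" * 20
ROUTINE_TX = SafeTx(to=ALLOWED_TARGETS[0], value=30_000 * 10**18, data=b"", operation=OP_CALL,
                    safe_tx_gas=0, base_gas=0, gas_price=0, gas_token=ZERO,
                    refund_receiver=ZERO, signatures=b"\x01" * 65)
SUSPICIOUS_TX = ROUTINE_TX._replace(to="0x" + "ee" * 20, value=0,
                                    data=bytes.fromhex("deadbeef"),   # constructed, arbitrary
                                    operation=OP_DELEGATECALL)

if __name__ == "__main__":
    for label, tx in (("routine", ROUTINE_TX), ("suspicious", SUSPICIOUS_TX)):
        decoded, findings = review_safe_tx(encode_exec_transaction(tx), ALLOWED_TARGETS)
        print(label, "operation =", decoded.operation, "findings =", findings or "none")
```

The point of decoding on a device the attacker does not control (a hardware wallet that shows the full execTransaction fields, or an offline script like this run over the calldata the interface asks you to sign) is that a tampered front-end can change what is displayed but not what is encoded. A complementary monitoring check, not shown here, is to read the Safe's storage slot 0 with eth_getStorageAt after every executed transaction and alert if it no longer matches the expected singleton.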
In terms of attack method, the WazirX and Radiant Capital hacking incidents resemble this attack: the targets of all three were Safe multi-signature wallets. In the WazirX incident, the attacker likewise pre-deployed a malicious implementation contract and, with three Owner signatures, replaced the Safe contract's implementation through DELEGATECALL, writing the malicious logic contract into storage slot 0.
(https://etherscan.io/tx/0x48164d3adbab78c2cb9876f6e17f88e321097fcd14cadd57556866e4ef3e185d)
For the Radiant Capital hacking incident, according to the official disclosure, the attacker used a complex method to make the signature verifier see a seemingly legitimate transaction on the front-end, which is similar to the information disclosed in Ben Zhou's tweet.
(https://medium.com/@RadiantCapital/radiant-post-mortem-fecd6cd38081)
The permission checks in the malicious contracts of all three incidents are the same: owner addresses are hardcoded in the contracts and compared against the caller. The error messages thrown by these permission checks in the Bybit and WazirX incidents are also similar.
In this incident the Safe contract itself was not the problem; the issue lay outside the contract, in a tampered front-end that deceived the signers. This is not an isolated case. North Korean hackers attacked several platforms in this way last year: WazirX lost $230M from a Safe multi-signature wallet, Radiant Capital lost $50M from a Safe multi-signature wallet, and DMM Bitcoin lost $305M from a Ginco multi-signature wallet. This attack method is mature and needs more attention.
Taking the announcement released by Bybit
(https://announcements.bybit.com/zh-MY/article/incident-update---eth-cold-wallet-incident-blt292c0454d26e9140)
together with Ben Zhou's tweet, the following questions arise:
1. Routine ETH transfers
Had the attacker previously obtained operational information about Bybit's internal finance team and learned the timing of ETH multi-signature cold wallet transfers?
Was the signer induced, via the Safe system, to sign a malicious transaction on a forged interface? Was the Safe front-end system breached and taken over?
2. The Safe contract UI was tampered with
The signers saw the correct address and URL on the Safe interface, but had the transaction data they actually signed been tampered with?
The key question is: who initiated the signing request first? How secure is their device?
With these questions in mind, we look forward to the official disclosure of more investigation results.
Market Impact
After the incident, Bybit quickly issued an announcement, promising that all customer assets are backed 1:1, and the platform can bear the loss. Withdrawals are not affected.
On February 22, 2025 at 10:51, Bybit CEO Ben Zhou posted on X that deposits and withdrawals were operating normally.
In Conclusion
This theft incident once again highlights the severe security challenges facing the cryptocurrency industry. As the cryptocurrency industry develops rapidly, hacker organizations, especially state-level hackers like the Lazarus Group, are continuously upgrading their attack methods. This incident sounded the alarm for cryptocurrency exchanges, and platforms need to further strengthen security protection and adopt more advanced defense mechanisms, such as multi-factor authentication, encrypted wallet management, asset monitoring and risk assessment, to ensure the safety of user assets. For individual users, raising security awareness is also crucial. It is recommended to prioritize the use of hardware wallets and other safer storage methods, and avoid keeping large amounts of funds on exchanges for long periods. In this constantly evolving field, only by continuously upgrading the technical defense line can we ensure the security of digital assets and promote the healthy development of the industry.