SlowMist: The hacker methods and questions behind the theft of nearly $1.5 billion from Bybit

On the evening of February 21, 2025 (Beijing time), according to on-chain detective ZachXBT, a large-scale fund outflow occurred on the Bybit platform. Over $1.46 billion was stolen, making this the largest cryptocurrency theft in recent years. After the incident, the SlowMist security team immediately issued a security alert and began tracking and analyzing the stolen assets.

The stolen assets mainly include:

· 401,347 ETH (worth about $1.068 billion)

· 8,000 mETH (worth about $26 million)

· 90,375.5479 stETH (worth about $260 million)

· 15,000 cmETH (worth about $43 million)

Using on-chain tracking and anti-money-laundering tools such as MistTrack, we analyzed the initial hacker address 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2 and found that the ETH was being dispersed: the initial hacker address transferred 400,000 ETH in batches of 10,000 ETH to 40 addresses, and the transfers are still ongoing. 205 ETH were converted to BTC through Chainflip and bridged to the address bc1qlu4a33zjspefa3tnq566xszcr0fvwz05ewhqfq.

The 15,000 cmETH were transferred to the address 0x1542368a03ad1f03d96D51B414f4738961Cf4443. Notably, the mETH Protocol posted on X that, in response to the Bybit security incident, the team promptly suspended cmETH withdrawals, preventing unauthorized withdrawals, and successfully recovered the 15,000 cmETH from the hacker address.

The 8,000 mETH and 90,375.5479 stETH were transferred to the address 0xA4B2Fd68593B6F34E51cB9eDB66E71c1B4Ab449e, converted to 98,048 ETH through Uniswap and ParaSwap, and then transferred to 0xdd90071d52f20e85c89802e5dc1ec0a7b6475f92, which dispersed the ETH in batches of 10,000 ETH to 9 addresses; these funds have not been moved further yet.

In addition, by tracing the initial attack address 0x0fa09C3A328792253f8dee7116848723b72a6d2e, we found that this address was initially funded from Binance.

Currently, the initial hacker address 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2 holds a balance of 1,346 ETH, and we will continue to monitor the relevant addresses.

After the incident, SlowMist immediately speculated, based on the way the attacker obtained control of the Safe multi-signature and on the money-laundering pattern, that the attacker was a North Korean hacker group. The analysis also found that the hacker addresses involved in this incident are associated with the BingX Hacker and Phemex Hacker addresses. ZachXBT also confirmed that this attack is linked to the North Korean hacker organization Lazarus Group, which mainly engages in cross-border network attacks and cryptocurrency theft. Arkham stated that all relevant data has been shared with Bybit to help the platform investigate further.

At 23:44 on the night of the incident, Bybit CEO Ben Zhou published a statement on X explaining the technical details of the attack. Through on-chain signature analysis, we found the following traces:

1. The attacker deployed a malicious contract: at UTC 2025-02-19 07:15:23, the malicious implementation contract 0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516 was deployed.

2. The Safe contract logic was tampered with: at UTC 2025-02-21 14:13:35, using three Owner signatures, the Safe contract was replaced with a malicious version: 0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882. This points to the initial attack address 0x0fa09C3A328792253f8dee7116848723b72a6d2e.

3. Malicious logic was embedded: through DELEGATECALL, the malicious logic contract 0x96221423681A6d52E184D440a8eFCEbB105C7242 was written into STORAGE slot 0.

4. The backdoor functions were called to transfer funds: the attacker used the sweepETH and sweepERC20 functions in the contract to transfer all 400,000 ETH and the stETH (total value of about $1.5 billion) from the cold wallet to unknown addresses.
In terms of attack method, the WazirX and Radiant Capital hacking incidents share characteristics with this attack: the targets of all three incidents were Safe multi-signature wallets. In the WazirX incident, the attacker likewise pre-deployed a malicious implementation contract and, with three Owner signatures, replaced the Safe contract with the malicious contract via DELEGATECALL.

In the Radiant Capital incident, according to the official disclosure, the attacker used a sophisticated method that made the signers see seemingly legitimate transactions on the front-end, which is consistent with the information disclosed in Ben Zhou's tweet.

The permission check in the malicious contracts involved in all three incidents is the same: the owner address is hardcoded in the contract and compared against the caller. The error messages thrown by the permission checks in the Bybit and WazirX incidents are also similar.

In this incident, the Safe contract itself is not at fault; the problem lies outside the contract: the front-end was tampered with and forged to deceive the signers. This is not an isolated case. North Korean hackers attacked several platforms in this way last year: WazirX lost $230M (a Safe multi-signature), Radiant Capital lost $50M (a Safe multi-signature), and DMM Bitcoin lost $305M (a Ginco multi-signature). This attack method has become industrialized and mature, and it deserves more attention.

According to the announcement released by Bybit, combined with Ben Zhou's tweet, the following questions arise:

1. Routine ETH transfer

· Did the attacker obtain the operational information of Bybit's internal finance team in advance and know the timing of the ETH multi-signature cold wallet transfer?

· Did they induce the signers to sign malicious transactions on a forged interface within the Safe system? Was the Safe front-end system breached and taken over?

2. Safe contract UI tampered with

· Did the signers see the correct address and URL on the Safe interface, while the transaction data they actually signed had been tampered with?

· The key question is: who initiated the signing request first? How secure is their device?

With these questions in mind, we look forward to the official release of more investigation results.
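The attack steps above and the questions about what the signers actually approved both come down to one check: reading the raw execTransaction payload instead of trusting what the front-end renders. The following is an added example (not SlowMist's, Bybit's or Safe's own code) that decodes the standard Safe execTransaction calldata and flags an operation of DELEGATECALL or a target outside an allow-list; the selector and ABI layout are those of the Safe contract, while every address and sample payload is a constructed placeholder.

```python
EXEC_TRANSACTION_SELECTOR = "6a761202"   # selector of Safe execTransaction(address,uint256,bytes,uint8,...)
CALL, DELEGATECALL = 0, 1                 # values of the Safe "operation" argument

def _word(value: int) -> str:
    return value.to_bytes(32, "big").hex()

def _dynamic_bytes(data: bytes) -> str:
    padded = data + b"\x00" * (-len(data) % 32)
    return _word(len(data)) + padded.hex()

def encode_exec_transaction(to, value, data, operation, signatures=b""):
    """Build execTransaction calldata the way a Safe front-end hands it to a signer (used here to construct samples)."""
    data_enc = _dynamic_bytes(data)
    head = (_word(int(to, 16)) + _word(value) + _word(320) + _word(operation)
            + _word(0) * 5 + _word(320 + len(data_enc) // 2))   # 10 head words; gas/refund fields zeroed
    return "0x" + EXEC_TRANSACTION_SELECTOR + head + data_enc + _dynamic_bytes(signatures)

def decode_exec_transaction(calldata: str) -> dict:
    """Recover to / value / operation / data from the raw calldata, independent of any UI."""
    raw = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    if raw[:4].hex() != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction call")
    body = raw[4:]
    word = lambda i: body[32 * i:32 * (i + 1)]
    data_off = int.from_bytes(word(2), "big")
    data_len = int.from_bytes(body[data_off:data_off + 32], "big")
    return {"to": "0x" + word(0)[12:].hex(),
            "value": int.from_bytes(word(1), "big"),
            "operation": int.from_bytes(word(3), "big"),
            "data": body[data_off + 32:data_off + 32 + data_len]}

def review_safe_tx(calldata: str, trusted_targets: set) -> list:
    """Findings a signer should see before approving; an empty list means nothing was flagged."""
    tx = decode_exec_transaction(calldata)
    findings = []
    if tx["operation"] == DELEGATECALL:
        findings.append("operation=DELEGATECALL: target code runs inside the Safe "
                        "and can overwrite storage slot 0 (the implementation pointer)")
    if tx["to"].lower() not in {t.lower() for t in trusted_targets}:
        findings.append("target %s is not an allow-listed contract" % tx["to"])
    return findings

# Constructed samples: a routine ERC-20 transfer (CALL) versus a DELEGATECALL into an
# untrusted contract, the shape of the transaction described in the incident.
TOKEN = "0x" + "11" * 20          # placeholder token contract
UNTRUSTED = "0x" + "22" * 20      # placeholder attacker-controlled contract
TRANSFER_DATA = bytes.fromhex("a9059cbb") + b"\x00" * 64   # ERC-20 transfer(address,uint256) selector + zeroed args
ROUTINE_TX = encode_exec_transaction(TOKEN, 0, TRANSFER_DATA, CALL)
SUSPICIOUS_TX = encode_exec_transaction(UNTRUSTED, 0, TRANSFER_DATA, DELEGATECALL)
```

Both samples carry an identical-looking transfer payload; only the operation field and the target separate them, which is exactly what a hardware signer's display or an independent decoder must surface.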

Market Impact

After the incident, Bybit quickly issued an announcement promising that all customer assets are 100% backed and that the platform can absorb this loss; user withdrawals are not affected.

On February 22, 2025 at 10:51, Bybit CEO Ben Zhou tweeted that deposits and withdrawals were operating normally.

In Conclusion

This theft once again highlights the severe security challenges facing the cryptocurrency industry. As the industry grows rapidly, hacker organizations, especially the Lazarus Group, keep upgrading their attack methods. This incident is a wake-up call for cryptocurrency exchanges: platforms need to further strengthen their security protection and adopt more advanced defense mechanisms, such as multi-factor authentication, encrypted wallet management, asset monitoring and risk assessment, to keep user assets safe. For individual users, improving security awareness is equally important: prioritize hardware wallets and other safer storage methods, and avoid keeping large amounts of funds on exchanges for long periods. In this constantly evolving field, only by continuously upgrading the technical line of defense can the security of digital assets be ensured and the healthy development of the industry promoted.
