A complete analysis of the $1.44 billion theft on Bybit


Beosin has previously published a complete on-chain analysis of the Bybit incident. The hacker is now laundering ("washing") the stolen funds, while Bybit has obtained about 446,869 ETH (worth about $1.23 billion) through loans, large account deposits and ETH purchases, and is now close to closing the funding gap the incident caused. The Beosin team is also sharing its analysis progress with the Bybit team.

Overview of the Bybit Hacker Attack Incident

Bybit is a leading global cryptocurrency derivatives trading platform. Founded in 2018 and headquartered in Singapore, with an operations center in Dubai, UAE, it also holds VASP licenses in countries including Cyprus, Kazakhstan and Georgia. The exchange focuses on cryptocurrency perpetual contracts, options contracts and spot trading, and aims to provide users with a safe, efficient and transparent digital asset trading platform.

At 22:56 on February 21, Beijing time, the cryptocurrency trading platform Bybit was hacked. In an attack of enormous scale, over 400,000 ETH and stETH worth about $1.44 billion (about RMB 10.4 billion) were transferred to unknown addresses.

According to the analysis of the Beosin security team, the stolen assets mainly include:

401,347 ETH (worth about $1.12 billion)

8,000 mETH (worth about $23 million)

90,375.5479 stETH (worth about $250 million)

15,000 cmETH (worth about $44 million)

Complete Replay of the Incident

According to the information released by Bybit, the hacker first compromised the computers of Bybit's internal employees by some means. By tampering with the content displayed in the UI frontend, the hacker led the signers to believe they were confirming a legitimate transaction at the correct Safe URL, while in fact they signed a malicious transaction the hacker had carefully constructed. This transaction replaced the wallet contract's logic implementation, giving the hacker complete control of the wallet. Because the hacker controlled the employees' computers and could obtain the final transaction signatures, they were able to submit the transaction to the chain themselves. Once the transaction was packaged and broadcast, the hacker had full control of the wallet and transferred out all of its assets.

Technical Details and Timeline of the Attack Process

1. Reconstructing the Attack Timeline

Before February 21, 2025:

The hacker organization Lazarus Group may have already infiltrated the devices of Bybit team members through Trojans and other means, preparing for the subsequent attack.

February 21, 2025:

The hacker tampered with the frontend interface of Bybit's Safe multi-signature wallet, inducing the signers to sign a malicious transaction that pointed the ETH cold wallet smart contract's logic at a hacker-controlled malicious contract, thereby taking complete control of the wallet.

At 2025-02-21 14:16:11 UTC, assets worth over $1.46 billion in ETH and stETH flowed from Bybit's hot wallet to the hacker's address 0x47666fab8bd0ac7003bce3f5c3585383f09486e2, making this the largest theft in cryptocurrency history.

At 2025-02-21 14:44:00 UTC, Bybit co-founder Ben Zhou promptly confirmed the incident, stating that an official Bybit cold wallet had been hacked, and began handling the related security issues.

We have conducted in-depth tracking and analysis of the funds stolen in the Bybit exchange hack. One of the addresses into which the stolen funds were deposited is 0x36ed3c0213565530c35115d93a80f9c04d94e4cb.

At 06:28:23 UTC on February 22, 2025, this address transferred 5,000 ETH to the split address 0x4571bd67d14280e40bf3910bd39fbf60834f900a. The funds were then split, every few minutes, into amounts ranging from tens to hundreds of ETH and forwarded to multiple addresses. Notably, after several hops some of the funds were moved cross-chain toward the BTC address bc1qlu4a33zjspefa3tnq566xszcr0fvwz05ewhqfq, showing the hacker's attempt to further obscure the flow of funds through cross-chain operations.
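The splitting pattern described above (one deposit address feeding a split address, which peels the balance off into chunks of tens to hundreds of ETH every few minutes) is the kind of behaviour an analyst wants to detect automatically when mapping a fund flow. The following is an added example, not Beosin's tooling or any code from the original article: it taints every address reachable from a seed address, flags tainted addresses that fan out to many destinations inside a short window, and lists the tainted addresses that have not moved funds on yet. All addresses and transfers are constructed placeholders, not the incident's real data.

```python
"""Follow funds from a seed address through a transfer graph and flag rapid splitting (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ts: int          # unix timestamp (seconds)
    src: str
    dst: str
    amount_eth: float


# Constructed sample: the deposit address forwards 5,000 ETH to a split address, which peels it off
# in chunks of a few hundred ETH every few minutes; one chunk then moves on to a bridge deposit.
# Addresses are placeholders, not the incident's real addresses.
SEED = "0xseed"
SAMPLE_TRANSFERS = [
    Transfer(1_740_000_000, "0xseed", "0xsplit", 5000.0),
    Transfer(1_740_000_180, "0xsplit", "0xa1", 200.0),
    Transfer(1_740_000_360, "0xsplit", "0xa2", 150.0),
    Transfer(1_740_000_540, "0xsplit", "0xa3", 320.0),
    Transfer(1_740_000_720, "0xsplit", "0xa4", 80.0),
    Transfer(1_740_000_900, "0xsplit", "0xa5", 410.0),
    Transfer(1_740_001_080, "0xsplit", "0xa6", 240.0),
    Transfer(1_740_002_000, "0xa1", "0xbridge", 200.0),
    Transfer(1_740_500_000, "0xunrelated", "0xother", 1.0),   # noise that must not be tainted
]


def trace(transfers, seed, max_hops=10):
    """Breadth-first taint: map every address reachable from `seed` to its hop distance."""
    outgoing = defaultdict(list)
    for t in transfers:
        outgoing[t.src].append(t)
    hops = {seed: 0}
    queue = deque([seed])
    while queue:
        addr = queue.popleft()
        if hops[addr] >= max_hops:
            continue
        for t in sorted(outgoing[addr], key=lambda x: x.ts):
            if t.dst not in hops:
                hops[t.dst] = hops[addr] + 1
                queue.append(t.dst)
    return hops


def find_split_addresses(transfers, tainted, window_s=3600, min_outputs=5, max_chunk_eth=500.0):
    """Flag tainted addresses that fan out to >= min_outputs distinct destinations within window_s,
    in chunks of at most max_chunk_eth. Returns {address: distinct destinations in the densest window}."""
    by_src = defaultdict(list)
    for t in transfers:
        if t.src in tainted and t.amount_eth <= max_chunk_eth:
            by_src[t.src].append(t)
    flagged = {}
    for src, outs in by_src.items():
        outs.sort(key=lambda x: x.ts)
        best, i = 0, 0
        for j in range(len(outs)):
            while outs[j].ts - outs[i].ts > window_s:   # slide the window start forward
                i += 1
            best = max(best, len({t.dst for t in outs[i:j + 1]}))
        if best >= min_outputs:
            flagged[src] = best
    return flagged


def terminal_addresses(transfers, tainted):
    """Tainted addresses with no outgoing transfer yet: the ones to watch or to ask a service to freeze."""
    sources = {t.src for t in transfers}
    return sorted(a for a in tainted if a not in sources)


def analyse(transfers=SAMPLE_TRANSFERS, seed=SEED):
    tainted = trace(transfers, seed)
    return {
        "tainted": tainted,
        "split_addresses": find_split_addresses(transfers, tainted),
        "terminals": terminal_addresses(transfers, tainted),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

On the sample data the split address is flagged with six distinct destinations inside one hour, the bridge deposit sits three hops from the seed, and the unrelated transfer is never tainted. The thresholds (window, minimum outputs, maximum chunk size) are tuning knobs; in practice they are set from the case at hand rather than fixed.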

In addition, the Bybit laundering path shares addresses with the laundering paths of the BingX and Phemex hacks, suggesting that these attacks were carried out by the same group or used the same laundering channels. The overlapping addresses are:

0x33d057af74779925c4b2e720a820387cb89f8f65

0xd555789b146256253cd4540da28dcff6e44f6e50

This key finding further corroborates our earlier inference, based on the similarity of the attack pattern to the WazirX incident, that the Bybit exchange hack is highly likely to be linked to the Lazarus Group.

February 23, 2025:

The Bybit hacker's money laundering pattern has stabilised: assets are mainly moved to the BTC chain through THORChain, and the OKX DEX is used to swap funds into DAI before moving them on.

2. Analysis of Attack Technical Means

a. Vulnerability Exploitation Approach (phishing and social engineering, frontend UI tampering, and malicious contract deployment)

Phishing Attacks and Social Engineering

The attacker infiltrated the computers of Bybit's internal employees through phishing attacks (such as forged emails or malicious links) and obtained operational permissions. Using social engineering tactics, the attacker may have impersonated internal personnel or partners to induce employees to click on malicious links or download malware, thereby planting backdoors.

Frontend UI Tampering

The attacker tampered with the frontend interface of the Safe multi-signature wallet, forging a seemingly normal transaction prompt page to induce the signers to sign the malicious transaction. Although the signers confirmed that the "Safe" URL was correct, they actually signed tampered transaction content, which resulted in the malicious contract logic being planted.

Malicious Contract Deployment

The attacker deployed a malicious contract (address: 0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516) before the attack, and used DELEGATECALL to write the malicious logic into STORAGE[0x0] of the Safe contract. The malicious contract contains backdoor functions (such as sweepETH and sweepERC20) to transfer the assets in the cold wallet.

b. How the attacker bypassed the risk control system (forging IPs or pages, simulating normal user signing behavior, etc.)

Forging Pages and Transaction Prompts

The attacker tampered with the frontend interface of the Safe multi-signature wallet, forging a seemingly legitimate transaction prompt page, causing the signing personnel to mistakenly believe that the transaction content was normal. The signing personnel saw a different transaction content on the hardware wallet than the actual executed transaction, leading to "blind signing".

Simulating Normal User Behavior

After infiltrating the employee's device, the attacker simulated normal user operation behavior (such as login, signing, etc.), avoiding triggering the abnormal behavior detection of the risk control system. By forging IP addresses or using proxy servers, the attacker hid the real source, further avoiding the IP blacklist detection of the risk control system.

Exploiting the Limitations of Hardware Wallets

Hardware wallets have limited parsing capability for complex transactions and cannot fully display the detailed transaction data of a Safe multi-signature transaction, so the signers were unable to verify the authenticity of the transaction content. The attacker exploited this limitation, forging the transaction content and inducing the signers to "blind sign".

Exploiting a Trust Weakness in the Multi-Signature Mechanism

Although Bybit adopted a multi-signature mechanism, the multiple signatories relied on the same underlying infrastructure and verification process. Once one link was breached, the entire security system was compromised. The attacker only needed to attack one signer's device to forge transactions and obtain sufficient signing authority.

Money Laundering Paths of the Stolen Funds and Key Node Breakthroughs

1. Money Laundering Means Decomposition

a. Cross-Chain Bridge Conversion: Transfer assets through Chainflip, ChangeNow, THORChain, LiFi, DLN, etc.

The Lazarus Group is adept at using various cross-chain bridges to avoid on-chain tracing. In addition to Chainflip, the organization has widely used Avalanche Bridge, BitTorrent Bridge, THORChain, Threshold, and Swft in previous attack incidents to transfer funds.

b. Use of Mixing Platforms: eXch mixing exchange

The Lazarus Group has used platforms such as Tornado Cash, Sinbad, and Railgun to obfuscate and launder funds.

Tornado Cash was sanctioned by the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) in 2022 for being used to assist the Lazarus Group in money laundering, and the organization subsequently stopped using the mixer. However, since March 2024, the Lazarus Group has again used Tornado Cash for large-scale money laundering. It is worth mentioning that in response to the Bybit incident, we are fully prepared. Once the relevant funds enter the Tornado.cash mixer, Beosin will immediately initiate a fund tracing analysis. The special task force has been equipped with the latest version of the Tornado Cash tracing algorithm and has recruited professional analysts who have successfully completed fund tracing in similar cases, ensuring efficient tracking of fund flows to provide strong support for subsequent actions.

Sinbad was designated by OFAC as a primary money laundering tool of the Lazarus Group; in particular, in the CoinEx theft the group transferred much of the stolen assets to Sinbad for mixing.

Railgun is also an important channel for the Lazarus Group's money laundering. In early 2023, the FBI reported that the Lazarus Group had laundered over $60 million in illicit funds through Railgun.

c. Over-the-counter (OTC) money laundering

After stealing cryptocurrency assets, the Lazarus Group typically follows a chain-like money laundering process of cross-chain transfers, mixer usage to obscure the source of funds, and then OTC conversion to fiat currency. Statistics show that exchanges such as Paxful, Noones, MEXC, KuCoin, ChangeNOW, FixedFloat, and LetsExchange have all received funds associated with the Lazarus Group. In addition to on-chain money laundering, the organization also frequently uses OTC trading to evade regulation. Previous reports have shown that since 2022, OTC trader Yicong Wang has provided long-term money laundering services for the Lazarus Group, helping the organization convert stolen cryptocurrency assets worth millions of dollars into cash through bank transfers. The Lazarus Group has exhibited a highly systematized operational model in the money laundering process, making this multi-layered, decentralized money laundering approach even more difficult to trace.

How can cryptocurrency platforms conduct pre-emptive defense, real-time response, and post-incident tracking?

1. Pre-emptive defense

a. Strengthen the security of the internal multi-signature process: use dedicated networks and devices for signature review and operations, so that a device controlled by hackers cannot become an entry point into the internal network;

b. When reviewing the signature content, signers should carefully compare the content shown in the signing workflow with the content displayed in the wallet; if any anomaly is found, the signing process should be stopped immediately and an emergency response initiated;

c. The risk control system can also be used to monitor the fund dynamics of cold and hot wallets in real-time and issue alerts for abnormal behavior;

d. For submitting multi-signature wallet signature data to the chain, restrict submission to a fixed set of addresses, so that both transaction submission and signing authority remain within the company.

2. Real-time emergency response

a. Threat intelligence sharing: Rapid early warning through the Beosin security intelligence network.

b. Emergency response mechanism: Upon discovery of abnormal transactions, quickly initiate an emergency response, assess whether to temporarily suspend customer wallet deposits and withdrawals, synchronize the situation with the community, and utilize the power of the entire security community to impede the flow of stolen funds.

c. Attack tracing and analysis: Track the source of the attack and the destination of the funds using on-chain data and off-chain logs.

d. Assistance in fund freezing: Collaborate with financial and law enforcement agencies to freeze the stolen funds.

3. Post-incident tracking and review

a. Fund flow mapping: Use the Beosin Trace tool to visualize the money laundering path.

b. Anti-money laundering (AML) labeling: Beosin will quickly mark all hacker-related wallet addresses as hackers and issue alerts for all fund transfer activities, blocking the hackers' money laundering attempts through Beosin's client platforms.

c. Judicial forensic support: Provide on-chain evidence that meets legal standards.

Warnings and industry improvement directions from this incident:

The Bybit incident has exposed vulnerabilities in the cryptocurrency industry's fund security management and sounded an alarm for the entire industry. The following are some important insights from this incident:

Enhance the security of the multi-signature process

Multi-signature management of funds is a common practice in the industry, but its security still needs to be strengthened. In this incident, hackers infiltrated the internal Safe signature system workflow and implemented signature deception and signature data tampering. Therefore, the security of the signature system is of paramount importance and must be protected through technical upgrades and strict permission management to prevent similar attacks.

Strengthen the review and monitoring of the signature process

During the signing process, the operator needs to carefully review the signing content, for example by comparing the content displayed on the cold wallet with the front-end display during cold wallet signing, to detect potential anomalies. Additionally, it is recommended to simulate execution of the signed data and confirm that the result matches expectations before broadcasting the transaction. Although in this incident the hackers obtained the signed content directly and broadcast the transaction themselves, this step can still effectively prevent other types of attacks.
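The attack analysis above notes that the malicious transaction used DELEGATECALL to overwrite STORAGE[0x0] of the Safe contract; in the Safe proxy that slot holds the singleton (implementation) address, which is why a delegatecall to an untrusted contract equals a wallet takeover. A signer-side review step that decodes the raw execTransaction calldata, rather than trusting what the frontend renders, makes this visible. The following is an added example, not Beosin's or Safe's code: it ABI-decodes execTransaction calldata by hand (no web3 library needed), then applies a simple policy: no DELEGATECALL, recipient on an allowlist, value under a limit. The selector 0x6a761202 is Safe's real execTransaction selector; the recipient addresses, allowlist and limit are constructed sample values, and the encoder exists only to build that sample calldata.

```python
"""Signer-side policy check on Safe execTransaction calldata (added example, not Beosin's or Safe's code)."""
from dataclasses import dataclass

# Known 4-byte selector of Safe's
# execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)
EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")
OP_CALL, OP_DELEGATECALL = 0, 1
WORD = 32
ZERO_ADDRESS = "0x" + "00" * 20


@dataclass
class SafeTx:
    to: str
    value: int
    data: bytes
    operation: int


def _uint(n: int) -> bytes:
    return n.to_bytes(WORD, "big")


def _addr(a: str) -> bytes:
    return int(a, 16).to_bytes(WORD, "big")


def encode_exec_transaction(to: str, value: int, data: bytes, operation: int, signatures: bytes = b"") -> bytes:
    """ABI-encode an execTransaction call; used here only to construct sample calldata."""
    tail = b""

    def dyn(b: bytes) -> bytes:
        nonlocal tail
        offset = 10 * WORD + len(tail)          # the head is 10 static words; dynamic data follows it
        tail += _uint(len(b)) + b + b"\x00" * (-len(b) % WORD)
        return _uint(offset)

    head = [_addr(to), _uint(value), dyn(data), _uint(operation),
            _uint(0), _uint(0), _uint(0),                      # safeTxGas, baseGas, gasPrice
            _addr(ZERO_ADDRESS), _addr(ZERO_ADDRESS),          # gasToken, refundReceiver
            dyn(signatures)]
    return EXEC_TRANSACTION_SELECTOR + b"".join(head) + tail


def _word(buf: bytes, idx: int) -> int:
    chunk = buf[idx * WORD:(idx + 1) * WORD]
    if len(chunk) != WORD:
        raise ValueError("calldata truncated")
    return int.from_bytes(chunk, "big")


def _dyn_bytes(buf: bytes, offset: int) -> bytes:
    length = int.from_bytes(buf[offset:offset + WORD], "big")
    out = buf[offset + WORD:offset + WORD + length]
    if len(out) != length:
        raise ValueError("dynamic bytes truncated")
    return out


def decode_exec_transaction(calldata: bytes) -> SafeTx:
    """Decode the fields a signer must actually check: to, value, data and operation."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction call")
    args = calldata[4:]
    return SafeTx(
        to="0x" + _word(args, 0).to_bytes(WORD, "big")[12:].hex(),   # address is the low 20 bytes
        value=_word(args, 1),
        data=_dyn_bytes(args, _word(args, 2)),
        operation=_word(args, 3),
    )


def check_policy(tx: SafeTx, allowed_recipients: set, max_value_wei: int) -> list:
    """Return human-readable findings; an empty list means the transaction passes the policy."""
    allowed = {a.lower() for a in allowed_recipients}
    findings = []
    if tx.operation == OP_DELEGATECALL:
        # A delegatecall runs the target's code in the Safe's own storage context, so it can
        # overwrite slot 0 (the proxy's singleton address) and hand the wallet to the target.
        findings.append("operation is DELEGATECALL: target code would run in the Safe's storage context")
    if tx.to.lower() not in allowed:
        findings.append(f"recipient {tx.to} is not on the allowlist")
    if tx.value > max_value_wei:
        findings.append(f"value {tx.value} wei exceeds the per-transaction limit")
    return findings


# Constructed sample values (hypothetical, not from the incident)
TREASURY = "0x" + "11" * 20
UNKNOWN_CONTRACT = "0x" + "22" * 20
ALLOWLIST = {TREASURY}
LIMIT_WEI = 1_000 * 10**18


def demo():
    benign = encode_exec_transaction(TREASURY, 10 * 10**18, b"", OP_CALL)
    hostile = encode_exec_transaction(UNKNOWN_CONTRACT, 0, b"\x12\x34\x56", OP_DELEGATECALL)
    return (check_policy(decode_exec_transaction(benign), ALLOWLIST, LIMIT_WEI),
            check_policy(decode_exec_transaction(hostile), ALLOWLIST, LIMIT_WEI))


if __name__ == "__main__":
    ok, bad = demo()
    print("benign transfer:", ok or "passes policy")
    print("delegatecall to unknown contract:", bad)
```

The point of decoding from raw calldata is that it is the same bytes the hardware wallet will hash and sign, so a check run on an independent, dedicated device cannot be fooled by a tampered browser frontend. The policy here is deliberately minimal; a real deployment would also decode the inner `data` against the expected token or contract ABI and compare the result with the signer's written intent.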

Establish an industry alliance to jointly address security threats

Establish a VASP (Virtual Asset Service Provider) industry alliance, where member organizations can share the latest major incident information and security threat intelligence, pooling industry resources to jointly address hacker attacks and money laundering activities. This collaborative mechanism can enhance the overall defense capabilities of the industry.

Strengthen compliance to mitigate money laundering risks

Decentralized protocols and VASP platforms need to further strengthen compliance, preventing them from being exploited by hackers for money laundering activities. If a platform is labeled as a high-risk entity by the compliance department, it will seriously impact the normal deposit and withdrawal operations of legitimate users. Therefore, exchanges and decentralized platforms should improve their anti-money laundering (AML) and know-your-customer (KYC) mechanisms to ensure compliant operations.

Continuously optimize security and compliance mechanisms

Security and compliance are dynamic processes that need to be continuously optimized based on the latest threats and technological developments. Industry participants should remain vigilant, regularly review and upgrade security measures, and actively participate in the formulation and improvement of industry standards.

The Bybit incident is not only an exposure of security vulnerabilities, but also a test of the entire industry's security and compliance system. Only through technology upgrades, process optimization, industry collaboration, and compliance building can we effectively address the increasingly complex cybersecurity threats, safeguard user asset security, and promote the healthy development of the industry.
