Nearly 1.5 billion USD stolen from Bybit, the largest theft in human history: how did North Korean hackers do it?

Wu Says Blockchain
2025-02-22 09:59:28
The security management of large funds must use institutional-grade custody solutions.

Editor | Wu Says Blockchain

On the evening of February 21, Beijing time, on-chain detective ZachXBT first disclosed that over $1.46 billion in suspicious funds had flowed out of Bybit, with mETH and stETH currently being exchanged for ETH on DEXs. It can be confirmed that this has become the largest theft incident in cryptocurrency history (by the amount at the time).

Coinbase executive Conor Grogan stated that North Korea's hack on Bybit is the largest hacking theft ever (surpassing the Iraq Central Bank theft, valued at about $1 billion), with an amount approximately 10 times that of the 2016 DAO hack (but the percentage of supply is much higher). It is expected that there will be calls for an Ethereum fork.

Arkham tweeted that on-chain analyst ZachXBT provided conclusive evidence that the $1.5 billion hack of Bybit was carried out by the North Korean-backed hacker group Lazarus Group. His submission included detailed analyses of test transactions, associated wallets, forensic charts, and time analysis. Relevant information has been shared with Bybit to assist in their investigation.

Bybit CEO Ben Zhou tweeted that about an hour ago, Bybit's ETH multi-signature cold wallet had just transferred to our hot wallet. It appears that this transaction was forged, and all signers saw a forged UI that displayed the correct address, with the URL coming from SAFE. However, the signature information was meant to change the smart contract logic of our ETH cold wallet. This allowed the hacker to control our signed specific ETH cold wallet and transfer all ETH from the cold wallet to this unrecognized address. Rest assured, all other cold wallets are secure. All withdrawals are normal. I will keep you updated on further developments, and if any team can help us track the stolen funds, we would be grateful. Bybit's hot wallet, warm wallet, and all other cold wallets are fine. The only cold wallet that was hacked is the ETH cold wallet. All withdrawals are normal.

Bybit's official Twitter stated that Bybit detected unauthorized activity involving one of our ETH cold wallets. At the time of the incident, our ETH multi-signature cold wallet was executing a transfer to our hot wallet. Unfortunately, this transaction was manipulated through a complex attack that obscured the signing interface, displaying the correct address while altering the underlying smart contract logic. As a result, the attacker was able to control the affected ETH cold wallet and transfer its assets to an unrecognized address. Our security team is actively investigating this incident in collaboration with leading blockchain forensic experts and partners. Any team with expertise in blockchain analysis and fund recovery that can assist in tracking these assets is welcome to collaborate with us. We want to assure our users and partners that all other Bybit cold wallets are completely secure. All customer funds are safe, and our operations continue as usual without interruption. Transparency and security remain our top priorities, and we will provide updates as soon as possible.

Bybit stated that all other Bybit cold wallets are secure, and customer funds are unaffected and remain safe. We understand that the current situation has led to a surge in withdrawal requests. While such a high volume may cause delays, all withdrawals are being processed normally. Bybit has sufficient assets to cover the losses, with asset management exceeding $20 billion, and will use bridge loans if necessary to ensure the availability of user funds.

Coinbase executive Conor Grogan tweeted that Binance and Bitget just deposited over 50,000 ETH directly into Bybit's cold wallet, with Bitget's deposit particularly notable, accounting for a quarter of all ETH at the exchange. Since the deposit address was skipped, these funds were evidently coordinated by Bybit itself. Bybit CEO Ben Zhou expressed gratitude to Bitget for extending a helping hand at this moment, stating that Binance and several other partners are in communication, and this funding has nothing to do with Binance officially.

Bitget CEO Gracy stated that Bybit is a respected competitor and partner. Although the loss is significant, it is merely their annual profit. I believe customer funds are 100% safe, and there is no need for panic or bank runs. Additionally, Gracy mentioned that the funds lent to Bybit are Bitget's own assets, not user assets.

The SlowMist team published additional details, stating that the attacker deployed a malicious implementation contract, and then the attacker replaced the Safe implementation contract with the malicious contract by having three owners sign the transaction, utilizing the backdoor functions in the malicious contract to sweep ETH and sweep ERC20, emptying the hot wallet funds.

Dilation Effect analysis pointed out that, unlike previous similar incidents, the Bybit incident only required taking down one signer to complete the attack, as the attacker used a "social engineering" technique. Analyzing on-chain transactions reveals that the attacker executed a malicious contract's transfer function via delegatecall, where the transfer code used the SSTORE instruction to modify the value of slot 0, thereby changing the implementation address of the Bybit cold wallet multi-signature contract to the attacker's address. It only required dealing with the person/device initiating this multi-signature transaction, and the subsequent reviewers would significantly lower their guard when seeing this transfer. Because a normal person would think a transfer is just a transfer, who would know it was actually changing the contract?
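The mechanism Dilation Effect describes turns on one EVM rule: code reached through a delegatecall runs against the caller's storage, not its own, so a function presented as a "transfer" can overwrite the proxy's slot 0. The toy model below, an added example that is not code from the page or from any analyst it quotes, makes that difference concrete; all addresses in it are constructed placeholders, and the `Contract`/`execute` helpers stand in for EVM accounts and the call opcodes.

```python
"""Toy model of EVM call vs. delegatecall storage context.

Added example: not code from the page or from any analyst it quotes. Under a
delegatecall the callee's code runs against the CALLER's storage, so an SSTORE
to slot 0 inside code that was presented as a "transfer" overwrites the proxy's
implementation pointer. All addresses below are constructed placeholders."""

IMPL_SLOT = 0                       # Safe proxies keep the singleton (implementation) address in slot 0
CALL, DELEGATECALL = 0, 1           # Safe `operation` values for execTransaction

LEGIT_IMPL = "0x" + "11" * 20       # placeholder: genuine Safe singleton
ATTACKER_IMPL = "0x" + "ee" * 20    # placeholder: attacker-controlled implementation


class Contract:
    """Minimal stand-in for an EVM account: an address, a storage map and runnable code."""

    def __init__(self, address, code=None):
        self.address = address
        self.storage = {}           # slot -> value
        self.code = code            # callable(storage) standing in for bytecode


def execute(operation, caller, callee):
    """Run callee.code with the storage the EVM would bind for the given operation."""
    if operation == CALL:
        # operation 0: callee's code touches the callee's own storage only
        callee.code(callee.storage)
    elif operation == DELEGATECALL:
        # operation 1: callee's code touches the CALLER's storage (msg.sender/value are kept too)
        callee.code(caller.storage)
    else:
        raise ValueError(f"unknown operation {operation}")


def trojan_transfer(storage):
    """Code that was labelled 'transfer' but is a single SSTORE to slot 0."""
    storage[IMPL_SLOT] = ATTACKER_IMPL


def implementation_after(operation):
    """Return the proxy's implementation address after executing the trojan with `operation`."""
    proxy = Contract("0x" + "aa" * 20)          # the multisig proxy (placeholder address)
    proxy.storage[IMPL_SLOT] = LEGIT_IMPL
    trojan = Contract("0x" + "bb" * 20, code=trojan_transfer)
    execute(operation, proxy, trojan)
    return proxy.storage[IMPL_SLOT]


if __name__ == "__main__":
    print("after CALL:        ", implementation_after(CALL))          # unchanged
    print("after DELEGATECALL:", implementation_after(DELEGATECALL))  # now the attacker's address
```

The same "transfer" code is harmless under operation 0 and replaces the implementation under operation 1, which is why the `operation` field of a Safe transaction deserves as much scrutiny as the recipient address the UI shows.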

Chainlink data shows that after the disclosure of the Bybit security incident, USDe briefly plummeted to $0.965 before rebounding to $0.99. Bybit integrated USDe as collateral to trade perpetual contracts for all assets in the exchange's UTA. ethena_labs stated that they are monitoring the current situation at Bybit and will continue to track developments. All spot assets backing USDe are held in off-exchange custody solutions, including with Bybit through Copper Clearloop. Currently, no spot assets are held on any exchange. The total unrealized PNL related to hedged positions with Bybit is less than $30 million, below half of the reserve fund. USDe currently remains over-collateralized, and updates will be provided based on the latest information.

Binance co-founder CZ responded that this is not an easy situation to handle and may suggest pausing all withdrawals as a standard safety precaution, offering any assistance if needed. He Yi expressed willingness to help.

The Safe security team responded that they are working closely with Bybit to conduct a continuous investigation. No evidence has yet been found that the official Safe front end has been compromised, but out of caution, certain functions of the Safe Wallet have been temporarily suspended. SlowMist's Yu Xian stated that, similar to the previous Radiant Capital case, it may also have been a theft by North Korean hackers. Radiant Capital stated that an attack worth $50 million it encountered in October was related to North Korean hacker organizations, involving complex identity spoofing and multi-layer phishing attacks. The attackers impersonated former contractors to obtain sensitive credentials through social engineering, thereby invading the protocol system to carry out the attack.

Security analysts believe this is similar to WazirX and Radiant, where the signer's computer or intermediary interface was hacked. Possible reasons for this hack include: hackers implanting malware in the signer's computer/browser, replacing the transaction with a malicious transaction, and then sending it to the hardware wallet. This malware could sit in any part of the stack (e.g., malicious extensions, wallet communication…): the signing interface was compromised, displaying one transaction but sending another to the wallet. The final result is that the signer saw an innocent transaction in the signing interface, but in reality a malicious transaction was sent to their wallet. We cannot determine anything until a complete post-mortem is released.

OneKey stated that the hacker likely confirmed that the computers of Bybit's three multi-signers had been compromised, meeting the conditions for an attack, and were waiting for them to operate. Next, when the multi-signature staff executed signature operations such as daily transfers, the hacker replaced the signature content. The staff looked at the webpage thinking it was a normal transaction like a transfer—little did they know it had been changed to a transaction to "upgrade the Safe contract to replace it with the previously deployed malicious contract." Thus, the tragedy occurred. The backdoor malicious contract allowed the hacker to easily extract all funds.
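The accounts from SlowMist, Dilation Effect, the unnamed analysts and OneKey above all describe the same failure: signers approved what the web UI showed rather than the transaction fields the hardware wallet actually signed. The check below is an added example, not code from Bybit, Safe, OneKey or any other party quoted here; it applies a policy to the fields of a Safe `execTransaction` (to, value, data, operation) on a machine separate from the signing UI. The allowlist, value limit, selector table and both sample transactions are constructed for the illustration.

```python
"""Pre-signing policy check for a Safe multisig transaction.

Added example, not code from Bybit, Safe, OneKey or any other party the page
quotes. Field names follow the Safe `execTransaction` parameters; the policy,
the selector table and the sample transactions are constructed. Meant to run
on an independent device against the fields the hardware wallet will sign."""
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1   # Safe `operation` values

# keccak256("transfer(address,uint256)")[:4]; the only selector this toy table knows.
KNOWN_SELECTORS = {bytes.fromhex("a9059cbb"): "ERC20 transfer(address,uint256)"}


@dataclass(frozen=True)
class SafeTx:
    to: str
    value: int          # wei
    data: bytes
    operation: int


@dataclass(frozen=True)
class Policy:
    allowed_recipients: frozenset    # lowercase hex addresses
    max_value_wei: int
    allow_delegatecall: bool = False


def check_safe_tx(tx: SafeTx, policy: Policy) -> list:
    """Return a list of findings; an empty list means the transaction matches policy."""
    findings = []
    if tx.operation == DELEGATECALL and not policy.allow_delegatecall:
        findings.append("operation=1 (delegatecall): callee code runs in the Safe's own storage "
                        "and can rewrite slot 0, the implementation address")
    elif tx.operation not in (CALL, DELEGATECALL):
        findings.append(f"unknown operation {tx.operation}")
    if tx.to.lower() not in policy.allowed_recipients:
        findings.append(f"recipient {tx.to} is not on the allowlist")
    if tx.value > policy.max_value_wei:
        findings.append(f"value {tx.value} wei exceeds the limit of {policy.max_value_wei} wei")
    if tx.data:
        selector = tx.data[:4]
        if selector not in KNOWN_SELECTORS:
            findings.append(f"calldata selector 0x{selector.hex()} is not a recognised function")
        if tx.value > 0:
            findings.append("ETH value combined with calldata: a plain ETH transfer carries no data")
    return findings


# Constructed sample data: a routine cold-to-hot transfer and a spoofed upgrade-shaped transaction.
HOT_WALLET = "0x" + "22" * 20                                   # placeholder hot-wallet address
POLICY = Policy(allowed_recipients=frozenset({HOT_WALLET}), max_value_wei=10_000 * 10**18)

BENIGN = SafeTx(to=HOT_WALLET, value=5 * 10**18, data=b"", operation=CALL)
SPOOFED = SafeTx(to="0x" + "bb" * 20,                          # placeholder unknown contract
                 value=0,
                 data=bytes.fromhex("deadbeef") + bytes(32),    # constructed, unrecognised selector
                 operation=DELEGATECALL)


if __name__ == "__main__":
    for label, tx in (("benign", BENIGN), ("spoofed", SPOOFED)):
        result = check_safe_tx(tx, POLICY)
        print(f"{label}: {'OK' if not result else 'REJECT'}")
        for finding in result:
            print("  -", finding)
```

The point of running this outside the browser is that a compromised web UI can render any address it likes; the policy has to be evaluated on the payload the wallet receives, and a routine transfer should never carry `operation=1`, calldata, or an unlisted recipient.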

Bybit stated that they will not immediately purchase ETH but will rely on partners to provide bridge loans. They will ensure that all users can withdraw, but due to traffic being 100 times the usual, it will take some time to process, and some risk confirmations will be needed for large withdrawals.

Dilation Effect pointed out that ordinary hardware wallets combined with the Safe multi-signature mechanism can no longer meet the security management needs of large funds. If an attacker has enough patience to deal with multiple signers, then the entire operation process has no other measures to further ensure security. The security management of large funds must use institutional-grade custody solutions.

According to DeFiLlama data, including the funds that were hacked, Bybit's total outflow in the last 24 hours was $2.399 billion. Currently, the platform's on-chain verifiable assets exceed $14 billion, with Bitcoin and USDT accounting for nearly 70%. Bybit announced that it has reported the case to the relevant authorities and will provide updates after obtaining more information. In addition, cooperation with on-chain analysis providers has helped identify and separate relevant addresses, aiming to reduce the ability of malicious actors to dispose of ETH through legitimate markets.

This incident may spark discussions about an Ethereum fork. Conor Grogan stated that although he believes the calls for a fork are too radical, he expects there will be a real debate on the issue. Arthur Hayes stated that as a large holder of Ethereum, he believes Ethereum has not been a "currency" since the hard fork after the 2016 DAO hack. He stated that if the community decides to roll back again, he would support this decision, as the community had already voted against immutability in 2016; why not do it again?
