Analysis of the hacking techniques and questions behind the nearly $1.5 billion stolen from Bybit
Author: Slow Mist Security Team
Background
On the evening of February 21, 2025, Beijing time, a large-scale outflow of funds occurred on the Bybit platform, as revealed by on-chain detective ZachXBT. This incident resulted in over $1.46 billion being stolen, making it the largest cryptocurrency theft in recent years in terms of loss amount.
On-chain Tracking Analysis
After the incident, the Slow Mist Security Team immediately issued a security alert and began tracking and analyzing the stolen assets.
According to the analysis by the Slow Mist Security Team, the stolen assets mainly include:
- 401,347 ETH (worth about $1.068 billion)
- 8,000 mETH (worth about $26 million)
- 90,375.5479 stETH (worth about $260 million)
- 15,000 cmETH (worth about $43 million)
We used the on-chain tracking and anti-money laundering tool MistTrack to analyze the initial hacker address 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2 and obtained the following information:
- ETH was transferred in a dispersed manner: the initial hacker address distributed 400,000 ETH to 40 addresses in increments of 1,000 ETH, and the transfers are ongoing. Among them, 205 ETH was exchanged for BTC through Chainflip and transferred to the address bc1qlu4a33zjspefa3tnq566xszcr0fvwz05ewhqfq.
- cmETH flow: 15,000 cmETH was transferred to the address 0x1542368a03ad1f03d96D51B414f4738961Cf4443. Notably, the mETH Protocol announced on X that, in response to the Bybit security incident, the team promptly suspended cmETH withdrawals, preventing unauthorized withdrawals. The mETH Protocol successfully recovered the 15,000 cmETH from the hacker's address.
- mETH and stETH flow: 8,000 mETH and 90,375.5479 stETH were transferred to the address 0xA4B2Fd68593B6F34E51cB9eDB66E71c1B4Ab449e, then exchanged for 98,048 ETH through Uniswap and ParaSwap and transferred to 0xdd90071d52f20e85c89802e5dc1ec0a7b6475f92. Address 0xdd9 dispersed the ETH into 9 addresses in increments of 1,000 ETH, and no further transfers have been made.
- Additionally, tracing the initial attack address identified in the attack method analysis section, 0x0fa09C3A328792253f8dee7116848723b72a6d2e, revealed that its initial funds came from Binance.
- Currently, the initial hacker address 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2 has a balance of 1,346 ETH, and we will continue to monitor the relevant addresses.
After the incident, Slow Mist quickly speculated that the attacker was a North Korean hacker, based on the method used to obtain the Safe multi-signature and the money laundering techniques, and outlined the possible social engineering attack methods.
Using MistTrack for analysis, we also found that the hacker address from this incident is associated with the BingX Hacker and Phemex Hacker addresses.
ZachXBT also confirmed that this attack is related to the North Korean hacker organization Lazarus Group, which is known for conducting transnational cyberattacks and stealing cryptocurrencies. According to reports, the evidence provided by ZachXBT, including test transactions, associated wallets, forensic charts, and timing analysis, indicates that the attacker used techniques commonly associated with the Lazarus Group across multiple operations. Meanwhile, Arkham stated that all relevant data has been shared with Bybit to assist the platform in further investigations.
Attack Method Analysis
On the night of the incident at 23:44, Bybit CEO Ben Zhou released a statement on X detailing the technical aspects of the attack.
Through on-chain signature analysis, we discovered the following traces:
- Deployed a malicious contract: at UTC 2025-02-19 07:15:23, the attacker deployed a malicious implementation contract, 0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516.
- Tampered with the Safe contract logic: at UTC 2025-02-21 14:13:35, by having three Owners sign a transaction (0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882), the attacker replaced the Safe contract with a malicious version. This revealed the hacker's initial attack address: 0x0fa09C3A328792253f8dee7116848723b72a6d2e.
- Embedded malicious logic: the attacker used DELEGATECALL to write the malicious logic contract, 0x96221423681A6d52E184D440a8eFCEbB105C7242, into STORAGE 0.
- Called backdoor functions to transfer funds: the attacker used the sweepETH and sweepERC20 functions in the contract to transfer all 400,000 ETH and stETH (total value of about $1.5 billion) from the cold wallet to an unknown address.
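As an added example (not code from the SlowMist report or from the Safe project), the check below decodes Safe `execTransaction` calldata in plain Python and surfaces what a tampered front end would hide from signers: an `operation` of 1 (DELEGATECALL), which is how the proxy's storage slot 0 was overwritten in this incident, and a destination outside an approved list. The selector 0x6a761202 is Safe's real `execTransaction` selector; the approved address, the sample calldata and the small encoder used to build the samples are constructed for this demo.

```python
EXEC_TRANSACTION_SELECTOR = "6a761202"  # execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)
CALL, DELEGATECALL = 0, 1  # Safe `operation` values


def _word(buf: bytes, i: int) -> int:
    """Return the i-th 32-byte ABI word of the argument area as an int."""
    return int.from_bytes(buf[32 * i:32 * (i + 1)], "big")


def decode_exec_transaction(calldata_hex: str) -> dict:
    """Decode the execTransaction fields that matter for a signer's review."""
    raw = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if raw[:4].hex() != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not a Safe execTransaction call")
    args = raw[4:]
    data_off = _word(args, 2)                  # word 2 holds the offset of `bytes data`
    data_len = _word(args, data_off // 32)     # length word sits at that offset
    data = args[data_off + 32:data_off + 32 + data_len]
    return {
        "to": "0x" + args[12:32].hex(),        # address is right-aligned in word 0
        "value": _word(args, 1),
        "operation": _word(args, 3),
        "data": data.hex(),
    }


def review_safe_tx(calldata_hex: str, allowed_targets: set) -> list:
    """Return findings a signer should read before signing; an empty list means nothing flagged."""
    tx = decode_exec_transaction(calldata_hex)
    findings = []
    if tx["operation"] == DELEGATECALL:
        findings.append("operation=1 (DELEGATECALL): the target's code runs in the Safe's own "
                        "storage context and can overwrite slot 0, the implementation pointer")
    if tx["to"].lower() not in {a.lower() for a in allowed_targets}:
        findings.append("target " + tx["to"] + " is not on the approved destination list")
    return findings


def encode_exec_transaction(to: str, value: int, data: bytes, operation: int) -> str:
    """Build minimal execTransaction calldata (gas fields zero, no signatures) for the samples."""
    word = lambda n: n.to_bytes(32, "big")
    padded = data.ljust((len(data) + 31) // 32 * 32, b"\0")
    head = (word(int(to, 16)) + word(value) + word(320) + word(operation)
            + word(0) * 5 + word(320 + 32 + len(padded)))  # 10 head words = 320 bytes
    tail = word(len(data)) + padded + word(0)               # data, then empty signatures
    return "0x" + EXEC_TRANSACTION_SELECTOR + (head + tail).hex()


# Constructed samples: a routine CALL to an approved address, and one asking signers for a DELEGATECALL.
APPROVED = {"0x" + "11" * 20}  # placeholder hot-wallet address, not a real one
ROUTINE_TX = encode_exec_transaction("0x" + "11" * 20, 10**18, b"", CALL)
SUSPICIOUS_TX = encode_exec_transaction("0x" + "bd" * 20, 0, bytes.fromhex("deadbeef"), DELEGATECALL)
```

Run on the raw calldata your signing device or a second, independent machine shows, not on what the web UI renders; a mismatch between the two is itself the finding.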
From the perspective of attack methods, the WazirX hack and the Radiant Capital hack share similarities with this attack, as all three incidents targeted Safe multi-signature wallets. In the WazirX hack, the attacker also deployed a malicious implementation contract in advance and had three Owners sign a transaction, using DELEGATECALL to write the malicious logic contract into STORAGE 0 and thereby replace the Safe contract with the malicious implementation contract (see https://etherscan.io/tx/0x48164d3adbab78c2cb9876f6e17f88e321097fcd14cadd57556866e4ef3e185d).
In the case of the Radiant Capital hack, according to official disclosures, the attacker used a complex method that made the signature verifier see seemingly legitimate transactions on the front end, which is similar to the information disclosed in Ben Zhou's tweet (see https://medium.com/@RadiantCapital/radiant-post-mortem-fecd6cd38081).
Moreover, the permission check methods of the malicious contracts involved in these three incidents are the same: they all hard-code the owner address in the contract and check the caller against it. The error messages thrown by the permission checks in the Bybit hack and the WazirX hack are also similar.
In this incident, the Safe contract itself was not the issue; the problem lay in the non-contract part, where the front end was tampered with and forged to achieve a deceptive effect. This is not an isolated case: North Korean hackers used this method last year to attack several platforms, such as WazirX (loss of $230M, Safe multi-signature), Radiant Capital (loss of $50M, Safe multi-signature), and DMM Bitcoin (loss of $305M, Ginco multi-signature). This type of attack method has matured and requires increased attention.
Combining the official announcement released by Bybit (https://announcements.bybit.com/zh-MY/article/incident-update---eth-cold-wallet-incident-blt292c0454d26e9140) with Ben Zhou's tweet, the following questions arise:
- Routine ETH transfer: Did the attacker obtain operational information from Bybit's internal finance team in advance, learning the timing of ETH multi-signature cold wallet transfers? Did they use the Safe system to induce signers to sign malicious transactions on a forged interface? Was the Safe front-end system compromised and taken over?
- Safe contract UI tampering: Did the signers see the correct address and URL on the Safe interface while the actual signed transaction data was tampered with?
The key question is: who initiated the signature request first, and how secure was their device?
With these questions in mind, we look forward to the official team providing more investigation results soon.
Market Impact
Bybit quickly released an announcement after the incident, promising that all customer assets are backed 1:1 and that the platform can bear the loss; user withdrawals are unaffected.
On February 22, 2025, at 10:51, Bybit CEO Ben Zhou tweeted that deposits and withdrawals had returned to normal.
Conclusion
This theft incident once again highlights the severe security challenges facing the cryptocurrency industry. With the rapid development of the crypto sector, hacker organizations, especially state-sponsored hackers like the Lazarus Group, are continuously upgrading their attack methods. This incident serves as a wake-up call for cryptocurrency exchanges, emphasizing the need for platforms to further strengthen security measures and adopt more advanced defense mechanisms, such as multi-factor authentication, encrypted wallet management, asset monitoring, and risk assessment, to ensure the safety of user assets. For individual users, enhancing security awareness is equally crucial, and it is recommended to prioritize safer storage methods like hardware wallets to avoid keeping large amounts of funds on exchanges for extended periods. In this ever-evolving field, only by continuously upgrading technological defenses can we ensure the security of digital assets and promote the healthy development of the industry.