ChainCatcher message, according to a post by the security community Dilation Effect on platform X: "Compared to previous similar incidents, in the Bybit incident, only one signer needed to be compromised to complete the attack, as the attacker used a 'social engineering' technique.Analyzing on-chain transactions reveals that the attacker executed a malicious contract's transfer function through delegatecall. The transfer code modifies the value of slot 0 using the SSTORE instruction, thereby changing the implementation address of Bybit's cold wallet multi-signature contract to the attacker's address. The transfer here is very clever; it only requires dealing with the person/device initiating this multi-signature transaction, and the subsequent reviewers will significantly lower their guard when they see this transfer. Because a normal person seeing a transfer would think it's just a transfer, who would know it's actually changing the contract? The attacker's methods have evolved again."

ChainCatcher message, Slow Fog Yu Xian posted on platform X stating: "Although there is currently no clear evidence, based on the methods used for Safe multi-signature and the current money laundering techniques, it resembles North Korean hackers. North Korean hackers, if I have wronged you, please correct me, and I will apologize..."