Original | Odaily Planet Daily ( @OdailyChina )
Author: Wenser ( @wenser 2010 )
At 11:20 pm on February 21, Beijing time, ZachXBT posted a message saying: We have detected suspicious fund outflows from Bybit, with a scale of up to $1.46 billion. According to Beosin Trace monitoring, a total of 514,723 ETH and derivatives were stolen from Bybit. Subsequently, Bybit co-founder Ben Zhou posted a message confirming that funds had been stolen from Bybit's official cold wallet and that the incident was being handled.
Odaily Planet Daily will briefly follow up on this matter in this article for readers’ reference.
The funds involved are mainly ETH, totaling $1.46 billion
At 11:20, after ZachXBT issued a warning message, Odaily Planet Daily followed up immediately after a brief verification.
What was confirmed at the time was that the hacker-related address was 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2; after stealing the funds, the hacker quickly swapped mETH and stETH for ETH on a DEX.
[Figure: the hacker swapping assets immediately]
While outside observers were still speculating whether such a large outflow was a reorganization of Bybit's official wallets or served some other purpose, ZachXBT quickly gave a new hint: "My sources confirm it's a security incident."
In addition, ZachXBT reminded relevant personnel at major exchanges, service providers and others: “It is recommended to blacklist the following EVM addresses:
0x47666fab8bd0ac7003bce3f5c3585383f09486e2;
0xa4b2fd68593b6f34e51cb9edb66e71c1b4ab449e;
0x36ed3c0213565530c35115d93a80f9c04d94e4cb;
0x1542368a03ad1f03d96D51B414f4738961Cf4443;
0xdD90071D52F20e85c89802e5Dc1eC0A7B6475f92.”
This move is intended to cut off the CEX channels used by hackers to launder funds as soon as possible and prevent further loss of Bybit’s stolen funds.
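The screening this request implies, as an added example that is not from the article, ZachXBT or Beosin: deposits are checked not only against the listed addresses but also against addresses that received funds from them, since the stolen ETH was quickly spread across dozens of fresh addresses. The hop addresses, transfers and deposits are constructed; `max_hops` and `stop_at` are assumed policy parameters.

```python
import re
from collections import deque

ADDR_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

def normalize(addr: str) -> str:
    """Lowercase an EVM address so checksum-case and lowercase forms compare equal."""
    addr = addr.strip()
    if not ADDR_RE.match(addr):
        raise ValueError(f"not an EVM address: {addr!r}")
    return addr.lower()

def taint_map(seeds, transfers, max_hops=3, stop_at=()):
    """Breadth-first walk from the seeds over (sender, receiver, eth) transfers.
    Returns {address: hops_from_seed}. Addresses in stop_at (shared services such
    as DEX routers) are marked but not expanded, so their other users stay clean."""
    stop = {normalize(a) for a in stop_at}
    out_edges = {}
    for sender, receiver, _eth in transfers:
        out_edges.setdefault(normalize(sender), set()).add(normalize(receiver))
    hops = {normalize(s): 0 for s in seeds}
    queue = deque(hops)
    while queue:
        cur = queue.popleft()
        if hops[cur] >= max_hops or cur in stop:
            continue
        for nxt in out_edges.get(cur, ()):
            if nxt not in hops:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    return hops

def screen_deposits(deposits, hops):
    """Return (sender, eth, hops) for every deposit whose sender is tainted."""
    return [(normalize(s), eth, hops[normalize(s)])
            for s, eth in deposits if normalize(s) in hops]

# Seeds: two of the five addresses listed above (the list mixes lowercase and checksum case).
SEEDS = ["0x47666fab8bd0ac7003bce3f5c3585383f09486e2",
         "0x1542368a03ad1f03d96D51B414f4738961Cf4443"]
# Constructed sample data: hop, router and depositor addresses are made up.
HOP_A, HOP_B, ROUTER, USER = ("0x" + c * 40 for c in "abcd")
TRANSFERS = [("0x" + SEEDS[0][2:].upper(), HOP_A, 10_000),
             (HOP_A, HOP_B, 10_000), (SEEDS[1], ROUTER, 500), (ROUTER, USER, 1)]
DEPOSITS = [(HOP_B, 10_000), (USER, 1), ("0x" + "e" * 40, 3)]

if __name__ == "__main__":
    print(screen_deposits(DEPOSITS, taint_map(SEEDS, TRANSFERS, stop_at=[ROUTER])))
```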
According to Beosin Trace monitoring statistics, the stolen assets include:
401,347 ETH, worth $1.12 billion;
90,376 stETH, valued at $253.16 million;
15,000 cmETH, worth $44.13 million;
8,000 mETH, worth $23 million.
At present, the funds have been split into batches of 10,000 ETH and deposited in more than 40 Ethereum addresses. All hacker addresses have been added to the Beosin KYT tag library, and Beosin KYT will issue alerts for all fund transfers involving them. The Beosin security team's analysis is that the attack method is similar to the one used against WazirX: in both cases the front-end UI was spoofed so that the multi-signature wallet's signers signed malicious content, which tampered with the wallet's logic implementation contract and allowed the funds in the multi-signature wallet to be transferred out.
Bybit official response: Multi-signature wallet transactions were attacked and tampered with, other cold wallet assets are safe, and exchange withdrawals are normal
Bybit co-founder Ben Zhou said on X platform: Bybit ETH multi-signature cold wallet made a transfer to Bybit hot wallet about an hour ago. This particular transaction may have been tampered with, and all multi-signature wallet signatories saw the tampered UI interface showing the correct transfer address, and the website link came from @safe. However, the signature information was to change the smart contract logic of our ETH cold wallet. This caused the hacker to control our multi-signature specific ETH cold wallet and transfer all ETH in the cold wallet to an unknown address. Please rest assured that Bybit's other cold wallets are safe, and all withdrawals within CEX are operating normally.
In addition, Ben Zhou also immediately sent a message for help to the outside world: We will keep you updated on the latest developments of the incident. If any team can help us track the stolen funds, we will be grateful.
On-chain fund movement: Hackers are dumping ETH quickly, and have transferred 10,000 ETH to 39 addresses
At 11:35, Arkham detected that the $1.4 billion of ETH and stETH that flowed out of Bybit had been transferred to a new address for sale. By then, the hacker had sold $200 million worth of stETH. The on-chain tracking address is https://intel.arkm.com/explorer/address/0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2 .
At exactly midnight, ZachXBT once again updated the latest on-chain fund movements, among which 10,000 ETH were transferred to 39 addresses by the hacker. In addition, the hacker also transferred 10,000 ETH to another 9 addresses.
At 12:18, according to Arkham monitoring statistics, ETH worth about US$100 million (about 400,000 pieces) had been transferred from the hacker's original address to a new wallet.
[Figure: on-chain fund movement]
As of the time of writing, the hacker's original address only had $3.669 million in assets left, of which ETH holdings dropped sharply to 1,346.
[Figure: on-chain information]
According to a post by Yu Xian, the founder of the security company SlowMist, a small-scale investigation of the Safe multi-signature method and the money laundering methods used so far raises the initial suspicion that this incident may have been carried out by North Korean hackers. Specific information still needs further tracking.
Subsequently, SlowMist released the details of the Bybit attacker’s operation:
A malicious implementation contract was deployed at 2025-02-19 7:15:23 UTC: https://etherscan.io/address/0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516
At 2025-02-21 14:13:35 UTC, the attacker used the three owners to sign a transaction that replaced the implementation contract of the Safe with the malicious contract: https://etherscan.io/tx/0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882
The attacker then used the backdoor functions “sweepETH” and “sweepERC20” in the malicious contract to steal the funds in the hot wallet.
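An added example, not from the article, SlowMist or Safe: one independent check a signer could run on the EIP-712 SafeTx message their wallet is asked to sign, so that the web UI is not the only source of truth about what is being approved. Field names follow Safe's SafeTx struct, including the `operation` field (0 = call, 1 = delegatecall) that the article does not mention; the addresses, amount, calldata and the `intent` dictionary are constructed for illustration.

```python
# Safe's Enum.Operation values.
CALL, DELEGATECALL = 0, 1

def review_safe_tx(message, intent, delegatecall_allowlist=()):
    """Compare the SafeTx fields of a signing request with the transfer the
    signer believes they are approving. Returns a list of findings; an empty
    list means the payload matches the stated intent."""
    findings = []
    to = message["to"].lower()
    data = message.get("data", "0x").lower()
    op = int(message["operation"])
    allowed = {a.lower() for a in delegatecall_allowlist}
    if op == DELEGATECALL and to not in allowed:
        # A delegatecall runs the target's code against the wallet's own storage,
        # which is where a proxy wallet keeps its implementation pointer.
        findings.append("delegatecall to a contract that is not allowlisted")
    elif op not in (CALL, DELEGATECALL):
        findings.append(f"unknown operation value {op}")
    if to != intent["to"].lower():
        findings.append(f"payload target {to} is not the intended recipient")
    if int(message["value"]) != intent["value_wei"]:
        findings.append("payload value differs from the intended amount")
    if intent.get("plain_transfer", True) and data not in ("0x", ""):
        findings.append(f"plain ETH transfer expected, calldata present (selector {data[:10]})")
    return findings

# Constructed sample data: addresses, amount and calldata are made up.
HOT_WALLET, UNKNOWN = "0x" + "11" * 20, "0x" + "22" * 20
INTENT = {"to": HOT_WALLET, "value_wei": 100 * 10**18, "plain_transfer": True}
# What the signers believe they approve versus a payload that differs from it.
AS_DISPLAYED = {"to": HOT_WALLET, "value": str(100 * 10**18), "data": "0x", "operation": 0}
AS_SIGNED = {"to": UNKNOWN, "value": "0", "data": "0xdeadbeef" + "00" * 32, "operation": 1}

if __name__ == "__main__":
    for name, msg in (("as displayed", AS_DISPLAYED), ("as signed", AS_SIGNED)):
        print(name, review_safe_tx(msg, INTENT) or "OK")
```

The check only helps if the message is taken from the signing device or an independent tool rather than from the same web page that renders the transaction.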
The aftermath of the Bybit theft: Currently under control
As much as $1.46 billion of ETH-related assets were stolen, the largest amount of money stolen in a security incident since 2025 or even 2023, which further exacerbated the market's concerns about the performance of ETH prices and the security of Bybit assets. As for the former, there are indeed certain risks in the short term.
But in the medium and long term, market concerns should be resolved. Some people believe that this is because ETH is the most decentralized asset besides BTC, and hackers are likely to hold most of the ETH rather than directly dumping it at a low price.
Regarding the latter, Bybit officials also responded immediately. At 00:07 on the 22nd, Bybit co-founder Ben Zhou responded in a post: Even if the losses caused by this hacker attack cannot be recovered, Bybit's assets are still guaranteed at a 1:1 ratio, and we can bear the losses. This fully demonstrates the confidence of the veteran exchange.
In addition to the Merkle tree proof of reserves commonly seen in exchanges, the information previously mentioned by Bybit co-founder and CEO Ben Zhou in an interview can also serve as evidence. He mentioned that about 80% of Bybit's assets are stablecoins, and the rest are in the form of fiat currency. The core goal of this configuration is to ensure the financial stability of the exchange, rather than pursuing asset appreciation.
Multiple assistance and statements
After the incident, CZ responded to Ben Zhou’s tweet and said: “This is not an easy situation to handle. It is recommended to temporarily stop all withdrawals as a standard safety precaution. Any help will be provided if needed.” Binance Co-founder He Yi responded to Bybit CEO Ben Zhou, saying, “Support will be provided if necessary.”
TRON founder Justin Sun said in a post that he is “closely following the Bybit security incident and will do his best to assist partners in tracking the relevant funds and provide all possible support.”
In addition, on-chain analyst @ai_9684 xtpa analyzed that: Ethena has 21% of USDe in Bybit to implement a Delta neutral hedging strategy, of which the ETH portion is worth $227 million. It is uncertain whether it will be affected. After Bybit confirmed the theft, ENA has fallen 11.5% and recovered today's gains.
Ethena Labs later issued a statement saying that it has noticed the Bybit incident. All spot assets supporting USDe are held through over-the-counter custody solutions, and no spot value reserve funds are stored in any exchange (including Bybit). At present, the total unrealized gains and losses of Bybit's hedging positions are less than 30 million US dollars, less than half of the reserve fund. USDe has sufficient collateral balance, and Ethena Labs will provide more information in a timely manner after receiving updates.
The latest news is that Bybit CEO Ben Zhou posted on the X platform that he will soon conduct a live broadcast to answer all questions.
Odaily Planet Daily will continue to track the latest news on the Bybit asset theft incident and look forward to a satisfactory outcome to this matter.