Original author: SlowMist Security Team
Background
On the evening of February 21, 2025, Beijing time, according to the on-chain detective ZachXBT, a large-scale capital outflow occurred on the Bybit platform. This incident resulted in the theft of more than 1.46 billion US dollars, becoming the largest cryptocurrency theft in recent years.
On-chain tracking analysis
After the incident, the SlowMist security team immediately issued a security alert and started tracking and analyzing the stolen assets:
According to the analysis of the SlowMist security team, the stolen assets mainly include:
401,347 ETH (worth about $1.068 billion)
8,000 mETH (worth about $26 million)
90,375.5479 stETH (worth about $260 million)
15,000 cmETH (worth approximately $43 million)
We use the on-chain tracking and anti-money laundering tool MistTrack to identify the initial hacker address.
0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2
After analysis, the following information was obtained:
ETH is being dispersed: the initial hacker address has split 400,000 ETH across 40 addresses, 1,000 ETH each, and the transfers are continuing.
Among them, 205 ETH was converted to BTC through Chainflip and transferred to the address:
bc1qlu4a33zjspefa3tnq566xszcr0fvwz05ewhqfq.
cmETH Flows: 15,000 cmETH transferred to:
0x1542368a03ad1f03d96D51B414f4738961Cf4443
It is worth noting that mETH Protocol posted on X that, in response to the Bybit security incident, the team promptly suspended cmETH withdrawals and blocked unauthorized withdrawals. mETH Protocol successfully recovered 15,000 cmETH from the hacker's address.
mETH and stETH transfers: 8,000 mETH and 90,375.5479 stETH were transferred to the following addresses:
0xA4B2Fd68593B6F34E51cB9eDB66E71c1B4Ab449e
Then it was converted to 98,048 ETH through Uniswap and ParaSwap, and then transferred to:
0xdd90071d52f20e85c89802e5dc1ec0a7b6475f92
Address 0xdd9... then dispersed the ETH to 9 addresses, 1,000 ETH each; these funds have not been transferred out yet.
In addition, the address from which the hacker launched the initial attack as introduced in the attack method analysis section is:
0x0fa09C3A328792253f8dee7116848723b72a6d2e
After tracing back, it was found that the initial funds of this address came from Binance.
Current initial hacker address:
0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2
The balance is 1,346 ETH. We will continue to monitor the relevant addresses.
After the incident, SlowMist immediately speculated that the attacker was a North Korean hacker, based on the way the attacker obtained the Safe multi-signature approvals and laundered the funds:
Possible social engineering attack methods:
Using MistTrack analysis, we also found that the hacker address of this incident is associated with the BingX Hacker and Phemex Hacker addresses:
ZachXBT also confirmed that the attack was related to the North Korean hacker group Lazarus Group, which has been conducting transnational cyber attacks and stealing cryptocurrencies as one of its main activities. It is understood that the evidence provided by ZachXBT, including test transactions, associated wallets, forensic charts and time analysis, all show that the attacker used common technical means of the Lazarus Group in multiple operations. At the same time, Arkham stated that all relevant data has been shared with Bybit to help the platform further investigate.
Attack Method Analysis
At 23:44 that night, Bybit CEO Ben Zhou released a statement on X, explaining the technical details of the attack in detail:
Through on-chain signature analysis, we found some traces:
1. The attacker deploys a malicious contract: UTC 2025-02-19 07:15:23, deploys a malicious implementation contract:
0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516
2. Tampering with the Safe contract logic: at UTC 2025-02-21 14:13:35, through a transaction signed by three Owners, the Safe contract was replaced with a malicious version:
0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882
This transaction was sent from the address the hacker used to launch the initial attack:
0x0fa09C3A328792253f8dee7116848723b72a6d2e.
3. Embed malicious logic: Write the malicious logic contract to STORAGE 0 via DELEGATECALL:
0x96221423681A6d52E184D440a8eFCEbB105C7242
4. Calling backdoor functions to transfer funds: the attacker used the sweepETH and sweepERC20 functions in the contract to transfer all 400,000 ETH and stETH (with a total value of approximately US$1.5 billion) from the cold wallet to an unknown address.
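As an added defensive example, not code from SlowMist, Bybit or Safe: a signer-side check that decodes a Safe execTransaction independently of the web front end and flags the DELEGATECALL operation the attacker used to overwrite storage slot 0 (the Safe's implementation pointer). The execTransaction selector 0x6a761202 is Safe's; the allow-list entry and the addresses used in the test are placeholders I constructed.

```python
EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")  # Safe execTransaction(...)
CALL, DELEGATECALL = 0, 1
ZERO_ADDRESS = "0x" + "00" * 20
# Libraries a Safe may legitimately delegatecall into; placeholder address.
ALLOWED_DELEGATECALL_TARGETS = {"0x000000000000000000000000000000000000a11c"}


def _word(blob: bytes, i: int) -> int:
    """Read the i-th 32-byte ABI word of blob as an unsigned integer."""
    return int.from_bytes(blob[i * 32:(i + 1) * 32], "big")


def decode_exec_transaction(calldata: bytes) -> dict:
    """Decode to, value, data and operation from raw execTransaction calldata."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not execTransaction calldata")
    head = calldata[4:]
    data_off = _word(head, 2)  # byte offset of the dynamic `data` argument
    data_len = _word(head, data_off // 32)
    return {
        "to": "0x" + head[12:32].hex(),  # address is the low 20 bytes of word 0
        "value": _word(head, 1),
        "data": head[data_off + 32:data_off + 32 + data_len],
        "operation": _word(head, 3),
    }


def review(calldata: bytes) -> list[str]:
    """Findings a signer should see before approving; empty means nothing flagged."""
    tx = decode_exec_transaction(calldata)
    findings = []
    if tx["operation"] == DELEGATECALL:
        findings.append(f"DELEGATECALL to {tx['to']}: its code runs inside the Safe's own "
                        "storage and can overwrite slot 0 (the singleton/master copy)")
        if tx["to"] not in ALLOWED_DELEGATECALL_TARGETS:
            findings.append("delegatecall target is not an allow-listed library")
    return findings


def encode_exec_transaction(to: str, value: int, data: bytes, operation: int) -> bytes:
    """Minimal ABI encoder for execTransaction (gas fields zero, empty signatures)."""
    w = lambda x: x.to_bytes(32, "big")
    addr = lambda a: bytes(12) + bytes.fromhex(a[2:])
    pad = lambda b: b + bytes(-len(b) % 32)
    data_off = 10 * 32  # ten static head words precede the dynamic tail
    sig_off = data_off + 32 + len(pad(data))
    head = (addr(to) + w(value) + w(data_off) + w(operation) + w(0) + w(0) + w(0)
            + addr(ZERO_ADDRESS) + addr(ZERO_ADDRESS) + w(sig_off))
    return EXEC_TRANSACTION_SELECTOR + head + w(len(data)) + pad(data) + w(0)
```

A hardware wallet that only shows a hash cannot surface these findings, which is why the decode has to happen on a machine the signer trusts, not in the same browser that rendered the request.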
From the perspective of attack methods, the WazirX hacking incident and the Radiant Capital hacking incident are similar to this attack. The targets of these three incidents are all Safe multi-signature wallets. In the WazirX hacking incident, the attacker also deployed a malicious implementation contract in advance, signed transactions through three owners, and wrote the malicious logic contract to STORAGE 0 through DELEGATECALL to replace the Safe contract with the malicious implementation contract.
(https://etherscan.io/tx/0x48164d3adbab78c2cb9876f6e17f88e321097fcd14cadd57556866e4ef3e185d)
Regarding the Radiant Capital hack, according to official disclosures, the attacker used a complex method to make the signature verifier see seemingly legitimate transactions on the front end, which is similar to the information disclosed in Ben Zhou's tweet.
(https://medium.com/@RadiantCapital/radiant-post-mortem-fecd6cd38081)
The permission check methods of the malicious contracts involved in these three incidents are the same, and the owner address is hard-coded in the contract to check the contract caller. The error messages thrown by the permission check in the Bybit hacking incident and the WazirX hacking incident are also similar.
In this incident, the Safe contract itself was fine; the problem was in the non-contract part, where the front end was tampered with and forged to deceive the signers. This is not an isolated case. North Korean hackers attacked several platforms in this way last year, for example: WazirX lost $230M through its Safe multi-signature wallet; Radiant Capital lost $50M through its Safe multi-signature wallet; DMM Bitcoin lost $305M through its Ginco multi-signature wallet. This attack method is mature and needs more attention.
According to the official announcement released by Bybit:
(https://announcements.bybit.com/zh-MY/article/incident-update---eth-cold-wallet-incident-blt292c0454d26e9140)
Combined with Ben Zhou’s tweet:
The following questions arise:
1. Routine ETH transfer
Had the attacker obtained the operational information of Bybit's internal financial team in advance, and did they know the timing of the ETH multi-signature cold wallet transfer?
Was the signer induced, through the Safe system, to sign a malicious transaction on a forged interface? Was Safe's front-end system hacked and taken over?
2. Safe contract UI was tampered with
Did the signer see the correct address and URL on the Safe interface while the transaction data actually signed had been tampered with?
The key question is: who initiated the signature request in the first place? How secure is their device?
With these questions in mind, we look forward to the authorities disclosing more investigation results as soon as possible.
Market Impact
Bybit quickly released an announcement after the incident, promising that all customer assets have a 1:1 reserve and the platform can bear the loss. User withdrawals will not be affected.
At 10:51 on February 22, 2025, Bybit CEO Ben Zhou sent a message saying that deposits and withdrawals are now normal:
Final Thoughts
This theft once again highlights the severe security challenges facing the cryptocurrency industry. With the rapid development of the crypto industry, hacker groups, especially state-level hackers such as the Lazarus Group, are continuously upgrading their attack methods. This incident has sounded the alarm for cryptocurrency exchanges. The platforms need to further strengthen security protection and adopt more advanced defense mechanisms, such as multi-factor authentication, crypto wallet management, asset monitoring and risk assessment, to ensure the safety of user assets. For individual users, it is also crucial to enhance security awareness. It is recommended to give priority to safer storage methods such as hardware wallets to avoid long-term storage of large amounts of funds in exchanges. In this evolving field, only by continuously upgrading the technical defense line can we ensure the security of digital assets and promote the healthy development of the industry.