Bybit: Hacker Tactics and Questions Behind the Nearly $1.5 Billion Heist
Original Article Title: "The Hacker Technique and Questions Behind the Nearly $1.5 Billion Bybit Hack"
Original Source: SlowMist Technology
Background
On the evening of February 21, 2025, Beijing time, according to on-chain detective ZachXBT, a large-scale fund outflow occurred on the Bybit platform. This event resulted in over $14.6 billion being stolen, making it the largest cryptocurrency theft in terms of amount lost in recent years.
On-Chain Tracking Analysis
Following the event, the SlowMist security team immediately issued a security alert and conducted tracking analysis on the stolen assets:
According to the SlowMist security team's analysis, the stolen assets mainly include:
· 401,347 ETH (valued at approximately $10.68 billion)
· 8,000 mETH (valued at approximately $26 million)
· 90,375.5479 stETH (valued at approximately $260 million)
· 15,000 cmETH (valued at approximately $43 million)
Using on-chain tracking and anti-money laundering tool MistTrack, we analyzed the initial hacker address 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2 and obtained the following information:
The ETH was dispersed in transfers, with the initial hacker address dispersing 400,000 ETH in increments of 10,000 ETH to 40 addresses and continuing to transfer.
Among them, 205 ETH was swapped to BTC via Chainflip and cross-chain transferred to the address bc1qlu4a33zjspefa3tnq566xszcr0fvwz05ewhqfq.
cmETH Destination: 15,000 cmETH was transferred to the address 0x1542368a03ad1f03d96D51B414f4738961Cf4443. It is worth noting that mETH Protocol posted on X, stating that in response to the Bybit security incident, the team promptly suspended cmETH withdrawals, preventing unauthorized withdrawal actions. mETH Protocol successfully reclaimed 15,000 cmETH from the hacker address.
mETH and stETH Transfer: 8,000 mETH and 90,375.5479 stETH were transferred to address 0xA4B2Fd68593B6F34E51cB9eDB66E71c1B4Ab449e. Subsequently, they were exchanged for 98,048 ETH via Uniswap and ParaSwap and then transferred to 0xdd90071d52f20e85c89802e5dc1ec0a7b6475f92. Address 0xdd9 then dispersed the ETH to 9 addresses in 10,000 ETH increments and has not yet made further transfers.
Additionally, tracing back to the address 0x0fa09C3A328792253f8dee7116848723b72a6d2e, which initiated the hack according to the attack methodology analysis section, it was found that the initial funds of that address originated from Binance.
Currently, the initial hacker address 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2 holds a balance of 1,346 ETH. We will continue to monitor the relevant addresses.
Following the event, SlowMist promptly speculated on the attacker being associated with a North Korean hacker group by analyzing the attacker's acquisition of the Safe multisig and money laundering techniques.
Possible social engineering attack methods that may have been utilized:
Through MistTrack analysis, it was also discovered that the hacker address in this event is linked to the BingX Hacker and Phemex Hacker addresses.
ZachXBT has also confirmed the connection between this attack and the Lazarus Group, a North Korean hacker organization known for conducting international network attacks and cryptocurrency theft. According to ZachXBT's evidence, including test transactions, linked wallets, forensic charts, and time analysis, all demonstrate that the attacker employed common Lazarus Group techniques in multiple operations. Additionally, Arkham stated that all related data has been shared with Bybit to assist the platform in further investigation.
Attack Method Analysis
On the night of the incident at 23:44, Bybit CEO Ben Zhou posted a statement on X, explaining in detail the technical details of the attack:
Through on-chain signature analysis, we discovered some traces:
1. Attacker Deploys Malicious Contract: UTC 2025-02-19 07:15:23, deploys a malicious implementation contract 0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516.
2. Tampering with Safe Contract Logic: UTC 2025-02-21 14:13:35, through transactions signed by three Owners, replaces the Safe contract with a malicious version: 0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882. This reveals the address 0x0fa09C3A328792253f8dee7116848723b72a6d2e that initiated the initial attack.
3. Embedding Malicious Logic: Uses DELEGATECALL to write the malicious logic contract to STORAGE 0: 0x96221423681A6d52E184D440a8eFCEbB105C7242.
4. Calling Backdoor Function to Move Funds: The attacker uses the sweepETH and sweepERC20 functions in the contract to transfer all 400,000 ETH and stETH from the cold wallet to an unknown address (total value of approximately $1.5 billion).
From the attack methods, the WazirX hack and the Radiant Capital hack share similarities with this attack, as all three targeted Safe multisig wallets. In the WazirX hack, the attacker similarly deployed a malicious implementation contract in advance, replaced the Safe contract with a malicious implementation contract through transactions signed by three Owners, and used DELEGATECALL to write the malicious logic contract to STORAGE 0 to replace the Safe contract with the malicious implementation contract.
(https://etherscan.io/tx/0x48164d3adbab78c2cb9876f6e17f88e321097fcd14cadd57556866e4ef3e185d)
Regarding the Radiant Capital hack incident, according to official disclosure, the attacker utilized a sophisticated method that caused the signature validator to see a seemingly legitimate transaction on the frontend, similar to the information disclosed in Ben Zhou's tweet.
(https://medium.com/@RadiantCapital/radiant-post-mortem-fecd6cd38081)
Furthermore, the permission check method used by the malicious contracts involved in these three incidents was the same, where the owner's address was hardcoded in the contract to check the caller's permissions. The error messages thrown by the permission checks in the Bybit and WazirX hack incidents were also similar.
In this incident, the Safe contract was not the issue; the issue lay in the non-contract part where the frontend was tampered with to achieve a deceptive effect. This is not an isolated case. Last year, North Korean hackers used this method to attack several platforms, such as: WazirX losing $230M involving Safe multisig; Radiant Capital losing $50M involving Safe multisig; DMM Bitcoin losing $305M involving Gonco multisig. This attack method is highly engineered and requires extra caution.
According to the official announcement from Bybit:
(https://announcements.bybit.com/zh-MY/article/incident-update---eth-cold-wallet-incident-blt292c0454d26e9140)
Combined with Ben Zhou's tweet:
The following questions arise:
1. Routine ETH Transfer
· Did the attacker possibly obtain advance information from Bybit's internal finance team, knowing the timing of the ETH multi-signature cold wallet transfer?
· Did they induce signers through the Safe system to sign a malicious transaction on a forged interface? Was the Safe frontend system hacked and compromised?
2. Safe Contract UI Tampering
· Did signers see the correct address and URL on the Safe interface, but the actual signed transaction data was tampered with?
· The key question is: Who initiated the signature request first? How secure was their device?
With these questions in mind, we look forward to the official disclosure of further investigation results.
Market Impact
After the incident, Bybit promptly released a statement, ensuring that all customer assets are fully reserved and the platform can absorb this loss. User withdrawals are unaffected.
At 10:51 on February 22, 2025, Bybit CEO Ben Zhou announced that deposits and withdrawals are now back to normal:
Final Thoughts
This theft incident once again highlights the significant security challenges facing the cryptocurrency industry. With the rapid growth of the crypto industry, hacker groups, especially nation-state hackers like the Lazarus Group, are continuously upgrading their attack methods. This event serves as a wake-up call for cryptocurrency exchanges, urging them to further strengthen their security measures through advanced defense mechanisms such as multi-factor authentication, encrypted wallet management, asset monitoring, and risk assessment to safeguard user assets. For individual users, raising security awareness is equally crucial, and it is recommended to prioritize more secure storage methods like hardware wallets to avoid keeping large amounts of funds on exchanges for an extended period. In this evolving field, only by continuously enhancing technological defenses can we ensure the security of digital assets and promote the industry's healthy development.
You may also like
OpenAI Reveals It Has Confidentially Submitted an S-1 to the SEC, Keeping the Door Open for a Future IPO
On June 9, according to an OpenAI announcement, the company recently confidentially submitted a draft S-1 registration statement to the U.S. Securities and Exchange Commission (SEC), beginning the preliminary compliance process for a potential initial public offering. OpenAI said it chose to disclose this proactively because it expected the news might leak; however, the company has not yet set a specific listing timeline, and related arrangements may still take some time.
Latest research from 13 top universities including Cornell University: The current state, challenges, and misconceptions of the fusion of Crypto and AI
Deconstructing Anthropic: The Best AI Company, Possibly Also a Type of Organizational Invention
Apollo and Blackstone Reportedly Back $35 Billion Anthropic Chip Financing as Deal Details Remain Unclear
On June 9, according to currently available news alerts, Apollo and Blackstone Group participated in a $35 billion financing for an Anthropic “chip project.” Based on the original wording of the report, the funding has already been raised, but public information remains limited. The financing structure, use of proceeds, project entity, and whether Apollo and Blackstone participated through equity, debt, or project financing have not yet been disclosed.
Humanity Protocol Security Incident Escalates: More Than $31 Million Stolen From Related Addresses as Attacker Continues Selling H for ETH
On June 9, according to monitoring by Onchain Lens, more than $31 million has been stolen from addresses linked to Humanity Protocol, and the attack is still ongoing, with the hacker continuously swapping H tokens for ETH. Project founder Terence Kwok later confirmed the security incident on X, saying the issue involved a private key leak.
Bloomberg: As Bitcoin Weakens, Stablecoins and RWA Continue to Drive Expansion in Crypto Businesses
In June, Bloomberg reported that despite Bitcoin falling below $60,000 last week, wiping out about $235 billion in market value within seven days, and dropping close to 50% from last year’s peak, some core businesses in the crypto industry are still expanding, mainly in stablecoins, real-world asset tokenization (RWA), payments, and infrastructure. The report also noted that overall altcoin activity has contracted significantly: altcoin market capitalization has fallen from a peak of about $431 billion in November 2021 to around $170 billion, and among the tens of millions of tokens issued in recent years, fewer than 1,700 still maintain meaningful trading activity.
Galaxy Deep Research Report: How Hyperliquid's HIP-4 Upgrade Changes the Landscape of Prediction Markets?
Binance Research: RWA Market Expected to Expand Nearly 6x from Early 2025, with Public Equities and Onchain Payments Heating Up Together
In June, Binance Research said in its monthly market report that the real-world asset (RWA) market is expected to grow by about 589% from the beginning of 2025. Bond- and money market fund-related RWA expanded by about $6.5 billion, up 83% year over year, while publicly traded equity RWAs grew by about 422%. The report also noted that monthly crypto debit card transaction volume exceeded $747 million in May, up 48.6% year to date.
Japan to Assess a Framework for Yen Stablecoins and Crypto ETFs as Asia’s Compliant Payments Narrative Heats Up
Recently, according to the original report, Japan is considering the launch of yen stablecoins and cryptocurrency ETFs. Public information remains limited at this stage, and there is still no complete policy text, regulatory draft, or clear implementation timeline, so this is better characterized as a “policy discussion” rather than formal implementation. The original wording also noted that advancing stablecoin regulation in Asia is driving XRP usage and supporting growth in the XRPL ecosystem. However, based on currently available public information, there is not enough evidence to directly establish a clear causal relationship between this round of discussion in Japan and XRP or XRPL.
ZachXBT: Humanity private key leak and abnormal surge in H token should be viewed separately
On June 9, according to related disclosures, on-chain investigator ZachXBT posted an update on Humanity’s roughly $31 million security incident, saying that after further analyzing fund flows, he currently tends to believe the project team was not involved in an “inside job” or a self-staged attack. According to him, the official explanation about the private key leak was broadly accurate, but before the token unlock, the price of H had been artificially pushed higher, and the hacker later took advantage of that market environment; therefore, the private key leak and the earlier abnormal price pumping should be regarded as two separate and independent events. This reframing has shifted the market’s understanding of the nature of the incident. Earlier discussion around Humanity had focused on whether the team directly participated in the attack or used the security incident to cover up internal operations. ZachXBT’s latest remarks shift the focus from “whether it was self-theft” to “whether there were pre-unlock market structure issues.” He also questioned whether the team may have.
Morning Report | OpenAI has submitted an S-1 registration statement draft to the U.S. SEC; Morpho completes $175 million financing
Morning Report | BitMine increased its holdings by 126,971 ETH last week; trader Eugene announced his exit from the crypto market
Wang Chuan: How can one not feel anxious after the neighbor Old Wang made thirty times profit by investing in storage stocks? (Seven) - A quarter-century cycle
Cryptocurrency CEXs are flocking to sell US stocks, and traditional brokerages are facing an "uninvited guest."
$75 billion in foreign capital has fled, and South Korean retail investors have absorbed it all using leverage
Japan’s Three Megabanks Plan Joint Stablecoin Issuance in Fiscal 2026
MUFG, SMBC, and Mizuho reportedly plan to jointly issue fiat-pegged stablecoins in fiscal 2026, signaling Japan’s growing push into bank-led digital payment infrastructure.
Humanity Discloses H Token Dual-Chain Attack Details, With Losses on Ethereum and BSC Exceeding $36 Million
Humanity said the H token attack across Ethereum and BSC caused more than $36 million in losses after leaked ProxyAdmin keys enabled malicious contract upgrades and token minting.
White House Discusses CLARITY Act With Law Enforcement Ahead of Senate Vote
The White House discussed the CLARITY Act with law enforcement ahead of a Senate vote, focusing on illicit finance risks and developer protections.
OpenAI Reveals It Has Confidentially Submitted an S-1 to the SEC, Keeping the Door Open for a Future IPO
On June 9, according to an OpenAI announcement, the company recently confidentially submitted a draft S-1 registration statement to the U.S. Securities and Exchange Commission (SEC), beginning the preliminary compliance process for a potential initial public offering. OpenAI said it chose to disclose this proactively because it expected the news might leak; however, the company has not yet set a specific listing timeline, and related arrangements may still take some time.
Latest research from 13 top universities including Cornell University: The current state, challenges, and misconceptions of the fusion of Crypto and AI
Deconstructing Anthropic: The Best AI Company, Possibly Also a Type of Organizational Invention
Apollo and Blackstone Reportedly Back $35 Billion Anthropic Chip Financing as Deal Details Remain Unclear
On June 9, according to currently available news alerts, Apollo and Blackstone Group participated in a $35 billion financing for an Anthropic “chip project.” Based on the original wording of the report, the funding has already been raised, but public information remains limited. The financing structure, use of proceeds, project entity, and whether Apollo and Blackstone participated through equity, debt, or project financing have not yet been disclosed.
Humanity Protocol Security Incident Escalates: More Than $31 Million Stolen From Related Addresses as Attacker Continues Selling H for ETH
On June 9, according to monitoring by Onchain Lens, more than $31 million has been stolen from addresses linked to Humanity Protocol, and the attack is still ongoing, with the hacker continuously swapping H tokens for ETH. Project founder Terence Kwok later confirmed the security incident on X, saying the issue involved a private key leak.
Bloomberg: As Bitcoin Weakens, Stablecoins and RWA Continue to Drive Expansion in Crypto Businesses
In June, Bloomberg reported that despite Bitcoin falling below $60,000 last week, wiping out about $235 billion in market value within seven days, and dropping close to 50% from last year’s peak, some core businesses in the crypto industry are still expanding, mainly in stablecoins, real-world asset tokenization (RWA), payments, and infrastructure. The report also noted that overall altcoin activity has contracted significantly: altcoin market capitalization has fallen from a peak of about $431 billion in November 2021 to around $170 billion, and among the tens of millions of tokens issued in recent years, fewer than 1,700 still maintain meaningful trading activity.
