Author: SlowMist Security Team

Background

On the evening of February 21, 2025 (Beijing time), the on-chain investigator ZachXBT reported a large-scale outflow of funds from the Bybit platform. The incident resulted in the theft of more than US$1.46 billion, making it the largest cryptocurrency theft in recent years.

SlowMist: Analyzing the hacker methods and questions behind the theft of nearly $1.5 billion from Bybit

On-chain tracking analysis

After the incident, the SlowMist security team immediately issued a security alert and started tracking and analyzing the stolen assets:

According to the analysis of the SlowMist security team, the stolen assets mainly include:

  • 401,347 ETH (worth approximately $1.068 billion)
  • 8,000 mETH (worth about $26 million)
  • 90,375.5479 stETH (worth about $260 million)
  • 15,000 cmETH (worth approximately $43 million)

We used the on-chain tracking and anti-money laundering tool MistTrack to analyze the initial hacker address 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2 and obtained the following information:

ETH is being split up and moved: the initial hacker address has dispersed 400,000 ETH to 40 addresses in tranches of 10,000 ETH each, and the transfers are still continuing.

Of these funds, 205 ETH was swapped for BTC through Chainflip and bridged to the address bc1qlu4a33zjspefa3tnq566xszcr0fvwz05ewhqfq.

cmETH flow: 15,000 cmETH was transferred to the address 0x1542368a03ad1f03d96D51B414f4738961Cf4443. Notably, mETH Protocol posted on X that, in response to the Bybit security incident, the team promptly suspended cmETH withdrawals and blocked unauthorized withdrawals; mETH Protocol successfully recovered the 15,000 cmETH from the hacker's address.

mETH and stETH transfers: 8,000 mETH and 90,375.5479 stETH were transferred to the address 0xA4B2Fd68593B6F34E51cB9eDB66E71c1B4Ab449e, converted into 98,048 ETH through Uniswap and ParaSwap, and then moved to 0xdd90071d52f20e85c89802e5dc1ec0a7b6475f92. Address 0xdd9 dispersed the ETH to 9 addresses in tranches of 10,000 ETH each; these funds have not been moved further yet.

In addition, by tracing the address 0x0fa09C3A328792253f8dee7116848723b72a6d2e, from which the attacker launched the initial attack, we found that this address was initially funded from Binance.

The initial hacker address 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2 currently holds a balance of 1,346 ETH. We will continue to monitor the relevant addresses.

Immediately after the incident, SlowMist assessed that the attacker was a North Korean hacker group, based on the way the attacker obtained the Safe multi-signature approvals and on the money-laundering pattern:

Possible social engineering attack methods:

Using MistTrack, we also found that the hacker address in this incident is linked to the BingX Hacker and Phemex Hacker addresses:

ZachXBT also confirmed that the attack is linked to the North Korean Lazarus Group, for which transnational cyberattacks and cryptocurrency theft are among its main activities. The evidence provided by ZachXBT, including test transactions, associated wallets, forensic graphs and timing analysis, indicates that the attacker used the same technical methods the Lazarus Group has employed in multiple operations. Arkham stated that all relevant data has been shared with Bybit to support the platform's further investigation.

Attack Method Analysis

At 23:44 that night, Bybit CEO Ben Zhou released a statement on X explaining the technical details of the attack:

Through on-chain signature analysis, we found some traces:

1. The attacker deployed a malicious contract: at 2025-02-19 07:15:23 UTC, the malicious implementation contract 0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516 was deployed.

2. The Safe contract logic was tampered with: at 2025-02-21 14:13:35 UTC, a transaction signed by three Owners replaced the Safe's implementation with the malicious version: 0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882. From this transaction, the address 0x0fa09C3A328792253f8dee7116848723b72a6d2e, which initiated the attack, was identified.

3. The malicious logic was embedded: via DELEGATECALL, the malicious logic contract address was written into storage slot 0, the slot in which the Safe proxy keeps its implementation address. Contract involved: 0x96221423681A6d52E184D440a8eFCEbB105C7242.

4. Backdoor functions were called to transfer the funds: the attacker used the sweepETH and sweepERC20 functions in the malicious contract to move all 400,000 ETH and the stETH in the cold wallet (worth approximately US$1.5 billion in total) to an unknown address.
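The steps above hinge on one property of the signed transaction that the signers never saw: the Safe executed it with operation = 1 (DELEGATECALL), so the target's code ran inside the Safe's storage context and could rewrite slot 0. As an added example (not SlowMist's, Bybit's or Safe's code), the following Python decodes a Safe execTransaction payload offline, without any wallet UI, and flags the properties a signer should never approve blindly: a DELEGATECALL operation, a target outside an approved list, and unexpected calldata on what was supposed to be a plain ETH transfer. The execTransaction selector 0x6a761202 and the ERC-20 transfer selector 0xa9059cbb are the real values; the warm-wallet address is a constructed placeholder; the "attack-shaped" sample reuses the two contract addresses given in steps 1 and 3 above but is an illustration, not the actual transaction's calldata.

```python
# Added example, not code from the original article: offline "what am I actually signing"
# check for a Safe execTransaction payload. A signer who only trusts the wallet UI misses
# that operation=1 (DELEGATECALL) lets the target's code run inside the Safe and rewrite
# storage slot 0, the slot that holds the singleton (implementation) address.
from dataclasses import dataclass

# Real 4-byte selectors (first four bytes of keccak256 of the canonical signature).
EXEC_TRANSACTION_SELECTOR = "6a761202"  # execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)
ERC20_TRANSFER_SELECTOR = "a9059cbb"    # transfer(address,uint256)
CALL, DELEGATECALL = 0, 1

WARM_WALLET = "0x" + "11" * 20                                       # constructed placeholder
DELEGATECALL_TARGET = "0x96221423681A6d52E184D440a8eFCEbB105C7242"   # contract from step 3 above
MALICIOUS_IMPL = "0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516"        # implementation from step 1 above
ALLOWED_TARGETS = {WARM_WALLET}


@dataclass
class SafeTx:
    to: str          # lowercase 0x-address
    value: int       # wei
    data: bytes      # inner calldata
    operation: int   # 0 = CALL, 1 = DELEGATECALL


def _uint(word: bytes) -> int:
    return int.from_bytes(word, "big")


def _addr(word: bytes) -> str:
    return "0x" + word[12:].hex()          # an address occupies the low 20 bytes of a word


def _pad32(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % 32)


def decode_exec_transaction(calldata: str) -> SafeTx:
    """ABI-decodes the first four execTransaction arguments (the rest are gas/refund fields)."""
    raw = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    if raw[:4].hex() != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not a Safe execTransaction call")
    args = raw[4:]

    def word(i: int) -> bytes:
        return args[32 * i: 32 * (i + 1)]

    data_offset = _uint(word(2))                         # dynamic `bytes` is referenced by offset
    data_len = _uint(args[data_offset: data_offset + 32])
    data = args[data_offset + 32: data_offset + 32 + data_len]
    return SafeTx(to=_addr(word(0)), value=_uint(word(1)), data=data, operation=_uint(word(3)))


def encode_exec_transaction(to: str, value: int, data: bytes, operation: int) -> str:
    """Encoder used only to build the constructed samples below (gas fields zero, no signatures)."""
    uint = lambda n: n.to_bytes(32, "big")
    addr = lambda a: bytes.fromhex(a[2:]).rjust(32, b"\x00")
    zero_addr = addr("0x" + "00" * 20)
    data_offset = 10 * 32                                # the head holds 10 words
    sigs_offset = data_offset + 32 + len(_pad32(data))
    head = (addr(to) + uint(value) + uint(data_offset) + uint(operation)
            + uint(0) + uint(0) + uint(0) + zero_addr + zero_addr + uint(sigs_offset))
    tail = uint(len(data)) + _pad32(data) + uint(0)     # empty signatures blob
    return "0x" + EXEC_TRANSACTION_SELECTOR + (head + tail).hex()


def review(calldata: str, allowed_targets: set, expect_plain_transfer: bool = True) -> list:
    """Findings a signer should read before approving; an empty list means nothing suspicious."""
    tx = decode_exec_transaction(calldata)
    findings = []
    if tx.operation == DELEGATECALL:
        findings.append("CRITICAL: operation=1 (DELEGATECALL): the target's code runs in the Safe's "
                        "storage context and can overwrite slot 0 (the implementation address)")
    if tx.to not in {a.lower() for a in allowed_targets}:
        findings.append(f"WARN: target {tx.to} is not on the approved list")
    if expect_plain_transfer and tx.data:
        findings.append(f"WARN: a plain ETH transfer was expected but the call carries "
                        f"{len(tx.data)} bytes of calldata (selector 0x{tx.data[:4].hex()})")
    return findings


# Constructed samples: the transfer the signers believed they were approving, and a payload
# shaped like the attack (a DELEGATECALL whose inner call looks like an ERC-20 transfer and
# carries the malicious implementation address as its first argument).
BENIGN_CALLDATA = encode_exec_transaction(WARM_WALLET, 10**18, b"", CALL)
_inner = (bytes.fromhex(ERC20_TRANSFER_SELECTOR)
          + bytes.fromhex(MALICIOUS_IMPL[2:]).rjust(32, b"\x00") + (0).to_bytes(32, "big"))
MALICIOUS_CALLDATA = encode_exec_transaction(DELEGATECALL_TARGET, 0, _inner, DELEGATECALL)

if __name__ == "__main__":
    for label, cd in (("benign", BENIGN_CALLDATA), ("attack-shaped", MALICIOUS_CALLDATA)):
        print(label, review(cd, ALLOWED_TARGETS) or ["no findings"])
```

The decoder works from the raw calldata only, so it can be run on an air-gapped machine against the hex a hardware wallet displays. A policy that rejects any execTransaction with operation = 1 unless a separate, explicitly documented approval exists would have surfaced this transaction as anomalous regardless of what the front end showed.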

In terms of attack method, the WazirX and Radiant Capital incidents closely resemble this attack: the targets of all three were Safe multi-signature wallets. In the WazirX incident, the attacker likewise deployed a malicious implementation contract in advance, obtained three owners' signatures on a transaction, and used DELEGATECALL to write the malicious logic contract into storage slot 0, replacing the Safe implementation with the malicious one.

(https://etherscan.io/tx/0x48164d3adbab78c2cb9876f6e17f88e321097fcd14cadd57556866e4ef3e185d)

In the Radiant Capital hack, according to the official disclosure, the attacker used an elaborate method to make signers see seemingly legitimate transactions on the front end, which matches the information disclosed in Ben Zhou's tweet.

(https://medium.com/@RadiantCapital/radiant-post-mortem-fecd6cd38081)

The malicious contracts in all three incidents use the same permission-check method: the owner address is hard-coded in the contract and compared against the caller. The error messages thrown by the permission checks in the Bybit and WazirX incidents are also similar.

In this incident, the Safe contract itself was not at fault; the problem lay outside the contract, where the front end was tampered with and forged to deceive the signers. This is not an isolated case. North Korean hackers attacked several platforms in the same way last year: WazirX lost $230M via a Safe multi-signature wallet, Radiant Capital lost $50M via a Safe multi-signature wallet, and DMM Bitcoin lost $305M via a Ginco multi-signature wallet. This attack method is mature and deserves far more attention.
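Because the contract was sound and only the proxy's implementation pointer was rewritten, the on-chain state itself is a reliable detection source: the Safe proxy keeps its singleton (implementation) address in storage slot 0, so a periodic read of that slot exposes the swap described in step 3 above no matter what any front end shows. As an added example (not SlowMist's or Safe's code), the following Python builds the eth_getStorageAt request for slot 0, decodes the returned word into an address, and compares it with the implementation the operator expects. The node replies are constructed; the expected singleton and proxy addresses are placeholders (an operator would take the real singleton from Safe's published deployment list), and the tampered reply reuses the malicious implementation address reported above.

```python
# Added example, not code from the original article: verify that a Safe proxy's storage
# slot 0 (where the proxy keeps its singleton / implementation address) still points at the
# implementation the operator expects. The JSON-RPC replies below are constructed.
import json

EXPECTED_SINGLETON = "0x" + "aa" * 20   # placeholder: take the real value from Safe's deployment list
PROXY = "0x" + "bb" * 20                # placeholder for the monitored Safe proxy
MALICIOUS_IMPL = "0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516"   # from the analysis above


def storage_request(proxy: str, slot: int = 0, request_id: int = 1) -> str:
    """JSON-RPC eth_getStorageAt request body for the proxy's slot (slot 0 holds the singleton)."""
    return json.dumps({"jsonrpc": "2.0", "id": request_id, "method": "eth_getStorageAt",
                       "params": [proxy, hex(slot), "latest"]})


def address_from_word(word_hex: str) -> str:
    """A 32-byte storage word holding an address is left-padded with 12 zero bytes."""
    raw = bytes.fromhex(word_hex[2:].rjust(64, "0"))
    if raw[:12] != b"\x00" * 12:
        raise ValueError("slot 0 does not hold a bare address")
    return "0x" + raw[12:].hex()


def check_singleton(response_body: str, expected: str = EXPECTED_SINGLETON) -> dict:
    """Parses the eth_getStorageAt reply and compares slot 0 with the expected singleton."""
    current = address_from_word(json.loads(response_body)["result"])
    return {"singleton": current, "ok": current == expected.lower()}


def _constructed_reply(address: str) -> str:
    """Constructed node reply used only for the demo: the address padded into a 32-byte word."""
    return json.dumps({"jsonrpc": "2.0", "id": 1,
                       "result": "0x" + "00" * 12 + address[2:].lower()})


HEALTHY_REPLY = _constructed_reply(EXPECTED_SINGLETON)
TAMPERED_REPLY = _constructed_reply(MALICIOUS_IMPL)

if __name__ == "__main__":
    print(storage_request(PROXY))
    print(check_singleton(HEALTHY_REPLY))    # ok=True
    print(check_singleton(TAMPERED_REPLY))   # ok=False: slot 0 now points at a different contract
```

Run against a live node, the same check per block (or at least per signing session) turns an implementation swap into an alert within seconds, which is the window in which a withdrawal freeze still matters.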

According to the official announcement released by Bybit:

(https://announcements.bybit.com/zh-MY/article/incident-update---eth-cold-wallet-incident-blt292c0454d26e9140)

Combined with Ben Zhou’s tweet:

The following questions arise:

1. Routine ETH transfer

  • Did the attacker obtain operational information about Bybit's internal finance team in advance and know when the ETH multi-signature cold wallet transfer would take place?
  • Were the signers induced, through the Safe system, to sign a malicious transaction on a forged interface? Was Safe's front-end system compromised and taken over?

2. Safe contract UI tampered with

  • Did the signers see the correct address and URL on the Safe interface while the transaction data actually signed had been tampered with?
  • The key question: who initiated the signature request in the first place, and how secure was that person's device?

With these questions in mind, we look forward to the authorities disclosing more investigation results as soon as possible.

Market Impact

Bybit quickly released an announcement after the incident, stating that all customer assets are backed 1:1 by reserves and that the platform can absorb the loss; user withdrawals would not be affected.

At 10:51 on February 22, 2025, Bybit CEO Ben Zhou posted that deposits and withdrawals had returned to normal:

Last words

This theft once again highlights the severe security challenges facing the cryptocurrency industry. With the rapid development of the crypto industry, hacker groups, especially state-level hackers such as the Lazarus Group, are continuously upgrading their attack methods. This incident has sounded the alarm for cryptocurrency exchanges. The platforms need to further strengthen security protection and adopt more advanced defense mechanisms, such as multi-factor authentication, crypto wallet management, asset monitoring and risk assessment, to ensure the safety of user assets. For individual users, it is also crucial to enhance security awareness. It is recommended to give priority to safer storage methods such as hardware wallets to avoid long-term storage of large amounts of funds in exchanges. In this evolving field, only by continuously upgrading the technical defense line can we ensure the security of digital assets and promote the healthy development of the industry.