Author: BitpushNews Mary Liu

While the crypto community was still hotly debating the direction of the bull market, a sudden black swan event struck the market on February 21. The long-established crypto exchange Bybit was hacked and nearly $1.5 billion in assets was stolen, mainly ETH: about 401,347 ETH, worth about $1.12 billion.

Nearly $1.5 billion stolen from Bybit, are North Korean hackers putting the brakes on the bull market?

After the news came out, Bitcoin dropped sharply, falling below the $95,000 mark at one point; Ethereum, which was already weak, plummeted 5% in the short term to $2,615 and had rebounded to $2,666 as of press time.

The Bybit team responded quickly, and CEO Ben Zhou remained calm and started a live broadcast to promise users that the platform would never close the withdrawal channel. He said that even if the funds could not be fully recovered, Bybit would be able to compensate users for their losses in full.

According to 10x Research statistics, the $1.46 billion stolen from the Bybit exchange is the largest hack in the history of crypto exchanges; the second-largest crypto theft was the $611 million taken from Poly Network in 2021. In addition, on-chain detective ZachXBT has submitted conclusive evidence confirming that the North Korean hacker group Lazarus Group is behind the attack.

The movement of the hacker address has become the focus of attention. On-chain data shows that the Bybit hacker address has now become the 14th largest ETH holder in the world, holding about 0.42% of the total supply of Ethereum, more than twice the holdings of Fidelity, Vitalik Buterin, and even the Ethereum Foundation.

Industry support: Bybit is definitely not FTX!

Coinbase executive Conor Grogan posted on social media to support Bybit: "After Bybit was hacked, withdrawals seemed to be normal. They have more than $20 billion in assets on the platform, and their cold wallets are intact. Given the isolated nature of the signature hack and Bybit's capital strength, I don't expect contagion."

Grogan also emphasized: “FTX was clear one minute after the run that they had no funds to withdraw. I know everyone has PTSD, but Bybit’s situation is different from FTX. If it was, I would shout it out. They will be fine.”

In response to this incident, many industry participants expressed their support for Bybit.

In the early morning of February 22, Beijing time, on-chain data showed that addresses from Binance and Bitget transferred 50,000 ETH to Bybit's cold wallet. Among them, Bitget's transfer volume accounted for a quarter of its total ETH, which attracted attention. According to Conor Grogan, this transaction was directly coordinated by Bybit, skipping the commonly used deposit address.

Ben Zhou responded by saying: “Thank you Bitget for extending a helping hand at this moment. We are communicating with Binance and several other partners. This fund has nothing to do with Binance.”

Tron founder Justin Sun said on social media that the Tron network is assisting in tracing the funds. OKX Chief Marketing Officer Haider Rafique also said that the exchange has deployed a security team to support Bybit's investigation.

KuCoin stressed that crypto “is a shared responsibility” and called for cross-exchange collaboration to combat cybercrime.

Safe's security raises questions

The attack centers on a technique called blind signing, in which users approve transactions without fully understanding the contents of a smart contract. The hackers exploited this to bypass security verification.

Bybit CEO Ben Zhou pointed out in a live broadcast that the attacker forged the multi-signature wallet user interface (UI) provided by Safe through the "Musked" technology (i.e., confusing or deceiving the transaction payload), causing the signers to unknowingly authorize malicious transactions. Specifically, the forged UI displayed the correct address and URL, but the transaction payload had in fact been tampered with, so the signers inadvertently approved the fund transfer.

Cryptocurrency security firm Groom Lake further discovered that the Safe multi-signature wallet deployed on Ethereum in 2019 and on Base Layer 2 in 2024 had the same transaction hashes, which is mathematically almost impossible.

Anonymous Groom Lake researcher Apollo said that if the same transaction hash appears on Ethereum and Base, it means that the attacker may have found a way to make a single transaction valid on multiple networks, or may have reused encrypted wallet signatures or transaction data between networks.

However, the Safe team denied that the attack was related to a vulnerability in its smart contracts. It said the transaction in question was the one that deployed a singleton contract, and that it did not use EIP-155 (a security measure to prevent cross-chain transaction replay attacks) in order to support cross-chain deployment. Introduced in 2016, EIP-155 adds the chain ID to signed transactions, ensuring that a transaction signed for Ethereum cannot be valid on other chains such as Base. This means that even if the private key is leaked, the attacker cannot reuse old signed transactions on different chains. The Safe team said: "If it is (a smart contract vulnerability), the target will not be Bybit." Note: Safe protects more than $100 billion in digital assets in more than 7 million smart accounts.

Hardware wallets are not omnipotent?

However, Safe's explanation did not completely dispel the industry's doubts. Ido Ben Natan, CEO of blockchain security company Blockaid, pointed out that the "blind signature" technology is rapidly becoming a favorite form of attack for advanced threat actors such as North Korean hackers. This attack is the same type of attack used in the Radiant Capital intrusion in December 2023 and the WazirX incident in March 2024. Natan emphasized that even with the best key management solutions, the signing process still relies on the software interface that interacts with the dApp, which opens the door to malicious manipulation of the signing process.

Security expert Odysseus pointed out that if the transaction is signed on a laptop or mobile phone connected to the Internet, the role of hardware wallets will be greatly reduced. He said: "These are highly targeted attacks. Generally speaking, if the device (computer or mobile phone) is hacked, there is little you can do except sign the transaction on a device that is not connected to the Internet and has not been hacked."

In the bull market, security issues are often easily overlooked. It is never too late to mend the fence after the sheep have been lost. The community hopes that Bybit can properly resolve this crisis and minimize the losses. But this attack once again reminds us that in the crypto world, security is always the first line of defense. From the vulnerability of multi-signature wallets to the risks of cross-chain transactions, from user education to industry collaboration, every link should be re-examined.