Author | Wu Talks about Blockchain
On the evening of February 21 (Beijing time), on-chain investigator ZachXBT was the first to disclose that he had observed more than $1.46 billion in suspicious outflows from Bybit, and that the mETH and stETH involved were being swapped for ETH on DEXs. Measured by value at the time of the theft, this is the largest theft in the history of cryptocurrency.
Coinbase director Conor Grogan said that the North Korean hack of Bybit was the largest hack ever (larger than the theft from the Central Bank of Iraq, worth about $1 billion) and that the amount was about 10 times that of the 2016 DAO hack (although as a percentage of supply the DAO hack was much larger). He expects some calls for an Ethereum fork. (Amounts here are calculated at the value at the time of the theft.)
Arkham tweeted that on-chain analyst ZachXBT had provided conclusive evidence that Bybit's $1.5 billion hack was carried out by the North Korean-backed Lazarus Group. His submission included a detailed analysis of test transactions, associated wallets, forensic charts, and timing analysis. The information has been shared with Bybit to assist its investigation.
Bybit CEO Ben Zhou tweeted that about an hour earlier, the Bybit ETH multi-signature cold wallet had made a transfer to the hot wallet. The transaction appears to have been forged: all signers saw a forged UI that showed the correct address, and the URL was Safe's. The signed message, however, changed the smart contract logic of the ETH cold wallet. This let the hacker take control of that specific ETH cold wallet and transfer all of its ETH to an unidentified address. He asked users to rest assured that all other cold wallets are safe and all withdrawals are normal, said he would keep reporting progress, and thanked in advance any team that can help track the stolen funds. Bybit hot wallets, warm wallets, and all other cold wallets are fine; the only wallet hacked was the ETH cold wallet.
Bybit's official Twitter account said that Bybit had detected unauthorized activity involving one of its ETH cold wallets. At the time of the incident, the ETH multi-signature cold wallet executed a transfer to the hot wallet. The transaction was manipulated through a sophisticated attack that masked the signing interface, displayed the correct address, and changed the underlying smart contract logic. As a result, the attacker was able to take control of the affected ETH cold wallet and transfer its assets to an unidentified address. Bybit's security team is investigating with leading blockchain forensics experts and partners, and any team with expertise in blockchain analysis and fund recovery that can assist in tracing the assets is welcome to work with them. Bybit assured users and partners that all other Bybit cold wallets are completely safe, all customer funds are safe, and operations are proceeding as usual without interruption. Transparency and security remain its top priorities and it will provide updates as soon as possible.
Bybit said that all other cold wallets are safe and customer funds are unaffected. It understands that the situation has caused a surge in withdrawal requests; while the high volume may cause delays, all withdrawals are being processed normally. Bybit has sufficient assets to cover the loss, with more than $20 billion in assets under management, and will use bridge loans if necessary to ensure user funds remain available.
Coinbase director Conor Grogan tweeted that Binance and Bitget had just deposited more than 50,000 ETH directly into Bybit's cold wallet; Bitget's deposit was particularly notable, amounting to a quarter of all the ETH on that exchange. Because the funds bypassed the normal deposit address and went straight to the cold wallet, the transfers were apparently coordinated by Bybit itself. Bybit CEO Ben Zhou said: thank you to Bitget for reaching out at this moment; we are in communication with Binance and several other partners, and these funds are not from Binance officially.
Bitget CEO Gracy Chen said that Bybit is a respectable competitor and partner. Although the loss this time is huge, it amounts only to Bybit's annual profit. She believes customer funds are 100% safe and there is no need to panic or run. Gracy added that what was lent to Bybit was Bitget's own assets, not users' assets.
The SlowMist team published a post adding some details. The attacker deployed a malicious implementation contract. The attacker then had three owners sign a transaction that replaced the Safe implementation contract with the malicious contract, and used the backdoor functions sweepETH and sweepERC20 in the malicious contract to drain the hot wallet funds.
Dilation Effect's analysis points out that, compared with earlier incidents of this kind, only one signer needed to be compromised to complete the Bybit attack, because the attacker used a "social engineering" technique. On-chain transaction analysis shows that the attacker executed a malicious contract's transfer function through delegatecall. The transfer code uses the SSTORE instruction to modify the value of slot 0, thereby changing the implementation address of Bybit's cold wallet multi-signature contract to the attacker's address. It is only necessary to compromise the person or device that initiates the multi-signature transaction; the subsequent approvers are far less vigilant when they see a "transfer". An ordinary person assumes a transfer is just a transfer; who would guess that it is actually changing the contract?
Chainlink data shows that after the Bybit incident was disclosed, USDe briefly fell to $0.965 before recovering to $0.99. Bybit has integrated USDe as a collateral asset for trading perpetual contracts on all assets in the exchange's UTA. Ethena Labs posted that it is aware of what is happening at Bybit and will continue to monitor developments. All spot assets backing USDe are held in off-exchange custody solutions, including the arrangement with Bybit through Copper ClearLoop; currently no spot assets are held on any exchange. The total unrealized PnL associated with Bybit hedging positions is less than $30 million, less than half of the reserve fund. USDe remains over-collateralized, and Ethena will provide updates as new information comes in.
Binance co-founder CZ responded that this is not an easy situation to handle, that it might be advisable to suspend all withdrawals as a standard safety precaution, and that Binance would provide any assistance needed. Binance co-founder He Yi also expressed willingness to help.
Safe's security team responded that it is working closely with Bybit on an ongoing investigation. No evidence has been found that the official Safe front-end was hacked, but out of caution Safe Wallet has temporarily suspended certain functions. SlowMist's Yu Xian said that, as in the earlier Radiant Capital case, the funds may have been stolen by North Korean hackers. Radiant Capital had said that the $50 million attack it suffered in October was linked to a North Korean hacker group and involved sophisticated identity forgery and multi-stage phishing: the attacker posed as a former contractor and obtained sensitive credentials through social engineering in order to break into the protocol's systems and carry out the attack.
Security analysts believe that the incident resembles WazirX and Radiant, where a signer's computer or an intermediate interface was compromised. Two explanations are possible. First, the hacker planted malware on a signer's computer or browser that replaced the transaction with a malicious one before it was sent to the hardware wallet; this malware could sit anywhere in the stack (a malicious extension, the wallet communication layer, and so on). Second, the signing interface itself was compromised: it displayed one transaction but sent another to the wallet. In either case the signer saw an innocent transaction in the interface while a malicious transaction was sent to their wallet. Nothing can be said for certain until the full post-mortem is published.
OneKey said that the hackers had probably already confirmed that Bybit's three multi-signature computers were compromised and were waiting for the staff to act. When the multi-signature staff then performed a routine signing operation such as a daily transfer, the hackers replaced the content being signed. The staff looked at the web page and thought it was a normal transaction such as a transfer, not knowing that it had been swapped for a transaction that upgraded the Safe contract to the previously deployed malicious contract. That is how the tragedy happened: the hacker then simply withdrew the funds through the backdoored malicious contract.
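Taking the SlowMist, Dilation Effect and OneKey descriptions above together, here is an added example (not code from the original article, nor from Bybit, Safe or any of the teams quoted) of the check a signer can run offline against the raw `execTransaction` calldata before approving it. It ABI-decodes the call with the standard library only and flags `operation == 1` (delegatecall), a target that is not on an allow-list, and inner data carrying the ERC-20 `transfer(address,uint256)` selector. It builds two constructed samples: the plain ETH-to-hot-wallet transfer the signers thought they were approving, and a call with the shape described above. The two 4-byte selectors are the real ones for Safe's `execTransaction` and ERC-20 `transfer`; the addresses, amounts and the `ALLOWED_TARGETS` set are assumptions made up for the example.

```python
"""Offline pre-signing review of a Safe execTransaction call (added example).

Not code from Bybit, Safe, SlowMist, Dilation Effect or OneKey. It ABI-decodes
the calldata a signer is asked to approve and flags the shape described above:
operation == 1 (delegatecall) into a non-allow-listed contract whose inner data
carries the ERC-20 transfer(address,uint256) selector. Sample addresses and
amounts are constructed, not the incident's.
"""

# First 4 bytes of keccak256 of the canonical signature.
EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")  # execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)
ERC20_TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")    # transfer(address,uint256)
OP_CALL, OP_DELEGATECALL = 0, 1  # Safe `operation`: CALL vs run `to`'s code in the Safe's storage

FINDINGS = {
    "UNKNOWN_TARGET": "`to` is not an allow-listed destination",
    "DELEGATECALL": "operation=1: target code runs with the Safe's storage, so an SSTORE "
                    "to slot 0 replaces the proxy's singleton (implementation) address",
    "TRANSFER_VIA_DELEGATECALL": "inner data has the transfer(address,uint256) selector but "
                                 "runs as delegatecall; a UI shows a token transfer, the real "
                                 "effect is whatever the target's transfer() does",
}

def _pad32(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % 32)

def _addr_word(addr: str) -> bytes:
    return bytes.fromhex(addr[2:]).rjust(32, b"\x00")

def _uint(word: bytes) -> int:
    return int.from_bytes(word, "big")

def encode_transfer(to: str, amount: int) -> bytes:
    """ERC-20 transfer(address,uint256) calldata (sample builder)."""
    return ERC20_TRANSFER_SELECTOR + _addr_word(to) + amount.to_bytes(32, "big")

def encode_exec_transaction(to: str, value: int, data: bytes, operation: int,
                            signatures: bytes = b"") -> bytes:
    """ABI-encode Safe.execTransaction, gas/refund fields zeroed (sample builder)."""
    zero = bytes(32)
    data_off = 10 * 32                    # dynamic tail starts after the 10 head words
    sig_off = data_off + 32 + len(_pad32(data))
    head = b"".join([
        _addr_word(to), value.to_bytes(32, "big"),      # to, value (wei)
        data_off.to_bytes(32, "big"),                   # offset of `data`
        operation.to_bytes(32, "big"),                  # operation
        zero, zero, zero, zero, zero,                   # safeTxGas, baseGas, gasPrice, gasToken, refundReceiver
        sig_off.to_bytes(32, "big"),                    # offset of `signatures`
    ])
    tail = (len(data).to_bytes(32, "big") + _pad32(data)
            + len(signatures).to_bytes(32, "big") + _pad32(signatures))
    return EXEC_TRANSACTION_SELECTOR + head + tail

def decode_exec_transaction(calldata: bytes) -> dict:
    """Extract the fields a signer must verify before approving."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction call")
    args = calldata[4:]
    word = lambda i: args[32 * i:32 * (i + 1)]
    data_off = _uint(word(2))
    data_len = _uint(args[data_off:data_off + 32])
    return {"to": "0x" + word(0)[12:].hex(), "value": _uint(word(1)),
            "operation": _uint(word(3)),
            "data": args[data_off + 32:data_off + 32 + data_len]}

def review_exec_transaction(calldata: bytes, allowed_targets: set) -> list:
    """Return finding codes in a fixed order; an empty list means nothing suspicious."""
    tx = decode_exec_transaction(calldata)
    findings = []
    if tx["to"].lower() not in {a.lower() for a in allowed_targets}:
        findings.append("UNKNOWN_TARGET")
    if tx["operation"] == OP_DELEGATECALL:
        findings.append("DELEGATECALL")
        if tx["data"][:4] == ERC20_TRANSFER_SELECTOR:
            findings.append("TRANSFER_VIA_DELEGATECALL")
    return findings

# Constructed addresses for the samples (not the incident's addresses).
HOT_WALLET, ATTACKER_CONTRACT, NEW_SINGLETON = ("0x" + h * 20 for h in ("11", "22", "33"))
ALLOWED_TARGETS = {HOT_WALLET}

def sample_benign() -> bytes:
    """What the signers believed they approved: plain ETH to the hot wallet."""
    return encode_exec_transaction(HOT_WALLET, 10 * 10**18, b"", OP_CALL)

def sample_malicious() -> bytes:
    """Attack shape: delegatecall into the attacker's contract with inner data
    transfer(newSingleton, 0); that contract's transfer() writes slot 0."""
    return encode_exec_transaction(ATTACKER_CONTRACT, 0,
                                   encode_transfer(NEW_SINGLETON, 0), OP_DELEGATECALL)

if __name__ == "__main__":
    for name, tx in (("benign", sample_benign()), ("malicious", sample_malicious())):
        codes = review_exec_transaction(tx, ALLOWED_TARGETS)
        print(f"{name}: {codes or 'clean'}")
        for code in codes:
            print("  -", FINDINGS[code])
```

The check treats every delegatecall as a hard stop because, as Dilation Effect notes, whatever code runs there shares the Safe's storage and can overwrite slot 0 (the proxy's implementation pointer); a Safe that legitimately uses a delegatecall library such as a batching contract would add that library's address to the allow-list and still require a second person to confirm the operation type. The check only helps if the calldata comes from a source independent of the web page that may have been tampered with, for example the bytes the hardware wallet actually received, decoded on a separate machine, and the signer compares `to`, `operation` and the inner selector with what the UI claimed.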
Bybit said that it will not buy ETH immediately but will rely on partners for bridge loans. It will ensure that all users can withdraw, but since withdrawal traffic is 100 times the usual level, processing will take some time, and large withdrawals will require additional risk confirmation.
Dilation Effect points out that ordinary hardware wallets combined with the Safe multi-signature mechanism can no longer meet the security management needs of large funds. If the attacker has enough patience to compromise multiple signers, that setup has no further measure to secure the overall operational process. Security management of large funds must use institutional-grade custody solutions.
According to DeFiLlama data, Bybit's total outflows in the past 24 hours, including the hacked funds, were US$2.399 billion. The platform currently has more than US$14 billion in verifiable on-chain assets, of which Bitcoin and USDT account for nearly 70%. Bybit announced that it has reported the case to the relevant authorities and will provide updates as more information becomes available. In addition, cooperation with on-chain analytics providers has helped identify and flag the related addresses, with the aim of limiting the attacker's ability to dispose of the ETH through legitimate markets.
This incident may trigger discussion of an Ethereum fork. Conor Grogan said that although he considers calls for a fork too radical, he expects a real debate on the issue. Arthur Hayes said that, as an investor holding a large amount of Ethereum, he believes Ethereum has not been "money" since the hard fork that followed the 2016 DAO hack. He said that if the community decides to roll back again he will support the decision: the community voted against immutability in 2016, so why not do it again?