On February 21, 2025, the cryptocurrency exchange Bybit suffered a large-scale security breach in which approximately $1.5 billion in assets was stolen from its Ethereum cold wallet. It is considered the largest single theft in the history of cryptocurrency, surpassing previous records such as Poly Network (2021, $611 million) and Ronin Network (2022, $620 million), and it sent shockwaves through the industry.
This article introduces the incident and the methods used to launder the proceeds, and warns that over the coming months a large-scale wave of freezes will hit OTC desks and crypto payment companies that come into contact with the funds.
Theft
According to Bybit CEO Ben Zhou's account and Bitrace's preliminary investigation, the theft unfolded as follows:
Attack preparation: The attacker deployed a malicious smart contract (address: 0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516) at least two days before the incident (on February 19), laying the groundwork for the subsequent attack.
Intrusion into the multi-signature system: Bybit's Ethereum cold wallet is a multi-signature wallet, which requires approval from several authorized signers before a transaction executes. The attacker compromised the systems used to manage the multi-signature wallet by means not yet established, possibly a tampered signing interface or malware.
Disguised transaction: On February 21, Bybit planned a routine transfer of ETH from the cold wallet to a hot wallet to cover daily withdrawals. The attacker seized this opportunity: the signing interface was tampered with to display a normal transfer, inducing the signers to approve what looked like a legitimate transaction. What they actually signed, however, was an instruction that changed the logic of the cold wallet's smart contract.
Fund transfer: Once the signed transaction executed, the attacker gained control of the cold wallet and moved ETH and staked-ETH tokens (such as mETH) worth roughly $1.5 billion at the time to an unknown address (initial tracking address: 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2). The funds were then dispersed across many wallets and laundering began.
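The lesson of the "disguised transaction" step is that a signer must verify the raw payload rather than the interface rendering it. The script below is an added example (not Bybit's, Safe's or Bitrace's code) of that pre-signing check. It assumes the cold wallet is a Safe-style multisig whose execTransaction(...) carries an `operation` field (0 = CALL, 1 = DELEGATECALL); the article only says "multi-signature", so that is my assumption. The hot-wallet address and the tampered calldata are constructed for the demo; the attacker contract address is the one quoted above.

```python
"""Pre-signing review of a Safe-style multisig transaction (added example).

Decodes execTransaction calldata from the raw bytes and refuses anything that
is not the plain ETH transfer the signer was told they were approving.
"""
from dataclasses import dataclass

# keccak256("execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)")[:4]
EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")
CALL, DELEGATECALL = 0, 1
ZERO_ADDRESS = "0x" + "00" * 20

ATTACKER_CONTRACT = "0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516"  # from the article
HOT_WALLET = "0x1111111111111111111111111111111111111111"         # constructed placeholder


@dataclass
class SafeTx:
    to: str
    value: int
    data: bytes
    operation: int
    safe_tx_gas: int = 0
    base_gas: int = 0
    gas_price: int = 0
    gas_token: str = ZERO_ADDRESS
    refund_receiver: str = ZERO_ADDRESS
    signatures: bytes = b""


# Minimal ABI helpers, only what execTransaction needs.
def _enc_uint(n: int) -> bytes:
    return n.to_bytes(32, "big")

def _enc_addr(a: str) -> bytes:
    return bytes(12) + bytes.fromhex(a[2:])

def _enc_bytes(b: bytes) -> bytes:
    return _enc_uint(len(b)) + b + bytes((32 - len(b) % 32) % 32)

def _uint(w: bytes) -> int:
    return int.from_bytes(w, "big")

def _addr(w: bytes) -> str:
    return "0x" + w[12:].hex()

def _bytes_at(buf: bytes, off: int) -> bytes:
    n = _uint(buf[off:off + 32])
    return buf[off + 32:off + 32 + n]


def encode_exec_transaction(tx: SafeTx) -> bytes:
    """ABI-encode execTransaction: 10 head words, then the two dynamic tails."""
    data_off = 32 * 10
    sig_off = data_off + len(_enc_bytes(tx.data))
    head = (_enc_addr(tx.to) + _enc_uint(tx.value) + _enc_uint(data_off)
            + _enc_uint(tx.operation) + _enc_uint(tx.safe_tx_gas)
            + _enc_uint(tx.base_gas) + _enc_uint(tx.gas_price)
            + _enc_addr(tx.gas_token) + _enc_addr(tx.refund_receiver)
            + _enc_uint(sig_off))
    return EXEC_TRANSACTION_SELECTOR + head + _enc_bytes(tx.data) + _enc_bytes(tx.signatures)


def decode_exec_transaction(calldata: bytes) -> SafeTx:
    """Decode what the signer is actually being asked to authorise, from the bytes."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction call")
    a = calldata[4:]
    w = lambda i: a[32 * i:32 * (i + 1)]
    return SafeTx(
        to=_addr(w(0)), value=_uint(w(1)), data=_bytes_at(a, _uint(w(2))),
        operation=_uint(w(3)), safe_tx_gas=_uint(w(4)), base_gas=_uint(w(5)),
        gas_price=_uint(w(6)), gas_token=_addr(w(7)), refund_receiver=_addr(w(8)),
        signatures=_bytes_at(a, _uint(w(9))),
    )


def review_eth_transfer(calldata: bytes, expected_to: str, expected_value: int) -> list[str]:
    """Reasons a signer must refuse, given that the intent is a plain ETH transfer."""
    tx = decode_exec_transaction(calldata)
    findings = []
    if tx.operation != CALL:
        findings.append("operation is DELEGATECALL: the target's code would run inside the "
                        "Safe's own storage and can rewrite the proxy's implementation slot")
    if tx.to.lower() != expected_to.lower():
        findings.append(f"destination {tx.to} is not the expected hot wallet")
    if tx.data:
        findings.append(f"calldata is {len(tx.data)} bytes; a plain ETH transfer carries none")
    if tx.value != expected_value:
        findings.append(f"value {tx.value} wei does not match the approved amount")
    return findings


# What the interface claimed: move 1,000 ETH from the cold wallet to the hot wallet.
INTENDED = SafeTx(to=HOT_WALLET, value=1_000 * 10**18, data=b"", operation=CALL)

# Constructed tampered payload: a delegatecall into the attacker's contract whose
# calldata looks like an ERC-20 transfer(address,uint256) (selector 0xa9059cbb).
TAMPERED = SafeTx(to=ATTACKER_CONTRACT, value=0, operation=DELEGATECALL,
                  data=bytes.fromhex("a9059cbb") + _enc_addr(ATTACKER_CONTRACT) + _enc_uint(0))

if __name__ == "__main__":
    for label, tx in (("intended", INTENDED), ("tampered", TAMPERED)):
        problems = review_eth_transfer(encode_exec_transaction(tx), HOT_WALLET, INTENDED.value)
        print(label, "->", "SIGN" if not problems else "REFUSE")
        for p in problems:
            print("   -", p)
```

The point of the check is its input: the calldata must come from the hardware wallet's own display or the raw transaction bytes, never from the web interface that has just been shown to be untrustworthy. A DELEGATECALL, a non-empty data field or an unfamiliar destination on what was supposed to be a simple ETH transfer is each sufficient reason to stop and re-verify out of band before any signer approves.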
Money laundering techniques
The laundering can be roughly divided into two stages.
The first stage is splitting. The attacker quickly swaps the staked-ETH tokens for plain ETH rather than for stablecoins, whose issuers can freeze them, then splits the ETH into uniform amounts and sends it to a layer of subordinate addresses in preparation for laundering.
It was at this stage that the attacker's attempt to swap 15,000 mETH into ETH was blocked, allowing the industry to recover that portion of the loss.
The second stage is laundering proper. The attacker moves the ETH through centralized and decentralized industry infrastructure, including Chainflip, Thorchain, Uniswap and eXch; some protocols are used to swap assets, others to move funds across chains.
So far a large share of the stolen funds has been converted into layer-1 assets such as BTC, DOGE and SOL; the attacker has even issued memecoins and moved funds into exchange deposit addresses to obscure the trail.
Bitrace is monitoring and tracking the addresses linked to the stolen funds. This threat intelligence is pushed simultaneously to BitracePro and Detrust so that users can avoid inadvertently receiving the stolen funds.
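What "avoid inadvertently receiving the stolen funds" means in practice is a screening step before a counterparty's deposit lands in a business wallet. The script below is an added example, not Bitrace's tooling. It implements proportional ("haircut") taint propagation over a constructed ledger: when an address holding a mix of clean and tainted funds sends a transfer, the same fraction of that transfer is treated as tainted, and each address also records how many hops it sits from the theft. The seed is the initial tracking address quoted above; every other address, balance and transfer is constructed for the demo.

```python
"""Taint propagation and deposit screening over a constructed ledger (added example)."""
from collections import defaultdict
from dataclasses import dataclass
import math

SEED = "0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2".lower()  # from the article
COLD = "0xc01d" + "0" * 36        # constructed stand-in for the drained cold wallet
SPLIT_A = "0x5a" + "1" * 38       # constructed first-hop splitting address
OTC = "0x07c" + "2" * 37          # constructed OTC merchant business address
CUSTOMER = "0xc05" + "3" * 37     # constructed OTC customer
CLEAN_USER = "0xc1ea" + "4" * 36  # constructed unrelated user
EXCHANGE = "0xe8" + "5" * 38      # constructed exchange deposit address


@dataclass(frozen=True)
class Transfer:
    block: int
    src: str
    dst: str
    amount: int  # whole ETH, for readability (constructed)


# Opening balances of clean funds (constructed).
INITIAL_BALANCES = {COLD: 400_000, OTC: 900, CLEAN_USER: 20}

# Constructed ledger, not real transactions.
LEDGER = [
    Transfer(100, COLD, SEED, 400_000),    # the theft: everything landing on the seed is dirty
    Transfer(101, SEED, SPLIT_A, 10_000),  # first-stage splitting
    Transfer(102, SPLIT_A, OTC, 100),      # dump onto an OTC merchant
    Transfer(103, OTC, CUSTOMER, 50),      # merchant pays a customer out of mixed funds
    Transfer(104, CLEAN_USER, EXCHANGE, 20),
]


@dataclass
class TaintState:
    balance: dict   # address -> current balance
    tainted: dict   # address -> tainted portion of that balance
    hops: dict      # address -> fewest transfers from a seed (seeds are 0)


def propagate(ledger, seeds, initial_balances):
    """Replay transfers in block order, carrying taint forward proportionally."""
    balance = defaultdict(int, initial_balances)
    tainted = defaultdict(int)
    hops = {s: 0 for s in seeds}
    for t in sorted(ledger, key=lambda t: t.block):
        if balance[t.src] < t.amount:
            raise ValueError(f"{t.src} overspends at block {t.block}")
        if t.dst in seeds:
            dirty = t.amount  # any inflow to a seed is counted as fully dirty
        else:
            dirty = t.amount * tainted[t.src] // balance[t.src] if balance[t.src] else 0
            if dirty:
                hops[t.dst] = min(hops.get(t.dst, math.inf), hops[t.src] + 1)
        balance[t.src] -= t.amount
        tainted[t.src] -= min(dirty, tainted[t.src])  # a seed's source may hold no taint
        balance[t.dst] += t.amount
        tainted[t.dst] += dirty
    return TaintState(balance, tainted, hops)


def exposure(state, addr):
    """(tainted fraction of current balance, hop distance or None if never tainted)."""
    bal = state.balance.get(addr, 0)
    frac = state.tainted.get(addr, 0) / bal if bal else 0.0
    return frac, state.hops.get(addr)


def screen_deposit(state, counterparty, block_fraction=0.5, block_hops=1):
    """Verdict for accepting funds from `counterparty` into a business wallet."""
    frac, hops = exposure(state, counterparty)
    if hops is not None and (hops <= block_hops or frac >= block_fraction):
        return "block"
    if frac > 0:
        return "review"
    return "clear"


if __name__ == "__main__":
    state = propagate(LEDGER, {SEED}, INITIAL_BALANCES)
    for name, addr in (("SPLIT_A", SPLIT_A), ("OTC", OTC),
                       ("CUSTOMER", CUSTOMER), ("CLEAN_USER", CLEAN_USER)):
        frac, hops = exposure(state, addr)
        print(f"{name:10s} taint={frac:.0%} hops={hops} -> {screen_deposit(state, addr)}")
```

The thresholds are deliberately simple: anything one hop from the theft, or whose holdings are mostly tainted, is blocked outright; any measurable exposure goes to manual review. Real screening would also pull in the intelligence feeds the article mentions and weigh exchange or OTC addresses differently, but the mechanism that decides "this deposit carries stolen funds" is the propagation shown here, and it is what lets a merchant refuse a deposit before it becomes a frozen business address.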
Criminal Record Analysis
Analysis of the address 0x457 in the chain of funds shows that it was also linked to the theft from the BingX exchange in October 2024 and the theft from the Phemex exchange in January 2025, indicating that the same entity was behind all three attacks.
Given the highly industrialized laundering techniques and the attack method, several blockchain security practitioners have attributed the incident to the notorious Lazarus Group, which has launched multiple cyber attacks on institutions and infrastructure in the crypto industry over the past few years and has illegally seized billions of dollars' worth of cryptocurrency.
Freezing Crisis
In its investigations over the past few years, Bitrace has found that, besides laundering through unlicensed industry infrastructure, the group also dumps funds through centralized platforms. This has directly led to large numbers of exchange accounts that knowingly or unknowingly received stolen funds being placed under risk control, and to the business addresses of OTC merchants and payment institutions being frozen by Tether.
In 2024 the Japanese cryptocurrency exchange DMM Bitcoin was attacked by Lazarus and Bitcoin worth about $305 million was illegally transferred. The attacker moved part of the funds to HuionePay, a cryptocurrency payment institution in Southeast Asia, whose hot wallet address was then frozen by Tether, locking more than $29 million in USDT.
In 2023 Poloniex was attacked by the suspected Lazarus Group and funds worth more than $100 million were illegally transferred. Part of the funds was laundered through over-the-counter trades, which led to a large number of OTC business addresses being frozen and to exchange accounts used to hold business funds being placed under risk control, with a major impact on those businesses.
Summary
Frequent hacks have caused huge losses to the industry, and the laundering that follows contaminates ever more personal and institutional addresses. Innocent parties and potential victims should pay close attention to these tainted funds in their business dealings, screening counterparties and incoming deposits so that they are not caught up in the resulting freezes.