Case Summary
On the evening of February 21, 2025 (Beijing time), the Bybit exchange was attacked by an APT group that abused "blind signing" to defeat its multi-signature approval process, resulting in the theft of nearly $1.5 billion in assets from a cold wallet. As of 8 a.m. on the 22nd (Beijing time), the stolen assets were distributed across 51 addresses.
As a professional blockchain-tracing company, BitJungle reconstructs the attack below from public data.
Secret 1: Hacker attack methods
1. The attackers gained access to Bybit employees' computers through an APT attack.
2. The attackers remained dormant for a long period, observing Bybit's fund transfer process.
3. The attackers deployed a malicious Safe contract: 0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516
4. Using a forged Safe front-end transaction prompt, they deceived Bybit's signers into approving a multi-signature transaction that replaced the Safe's implementation contract with the malicious contract.
5. The cold wallet's assets were then transferred out through the malicious contract.
Secret 2: Fund transfer and attacker portrait
As of 8:00 a.m. on the 22nd (Beijing time), the stolen assets were distributed across 51 addresses (the yellow addresses in the picture).
At the same time, according to the latest findings, the funds stolen from Bybit and the funds flowing out of the initial hacker address in the Phemex incident have been mixed and transferred to the same address. This address has been in use since November 2024 and has performed multiple exchange and cross-chain transactions, confirming that both exchanges were hacked by North Korean hackers.
Secret 3: Possible secondary financial risks
1. Selling by the hackers, or market panic, may trigger a run on the exchange and leave Bybit facing a surge in withdrawals and pressure on its capital chain, requiring an emergency response to stabilize confidence.
2. ETH is a highly volatile asset whose price is significantly affected by market sentiment, supply and demand, and macroeconomic factors. This theft may cause ETH price fluctuations and lead to greater losses.
Secret 4: Preventive measures
1. Give employees advanced phishing and social-engineering defense training to reduce internal network security risk.
2. Isolate networks and devices: use dedicated machines for dedicated purposes, and separate important or finance-related machines from ordinary office computers to reduce the attack surface.
3. Distribute assets across multiple cold wallets to reduce the impact of a single point of theft and improve overall security.
4. Establish your own professional security team and cooperate with Web3 security companies like BitJungle to fight hackers together.
5. Reduce losses from security incidents by purchasing insurance.
Secret 5: Safe Wallet’s multi-signature security mechanism has not been breached
Safe (formerly Gnosis Safe) is a multi-signature solution widely used in the industry. Its security relies on signatures from multiple parties and on the immutability of its smart contract logic.
This attack shows that the hackers did not break Safe's multi-signature mechanism or exploit a vulnerability in its code; instead, they obtained the required signatures through phishing, by getting the signers to approve a transaction whose real content differed from what the forged front-end displayed.
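The forged-front-end step in Secret 1 and the point made in Secret 5 both come down to signers approving a transaction whose real content they never verified. As an added example (not BitJungle's or Safe's own code), the following Python pre-signing check compares the SafeTx fields a signer can read off a hardware-wallet screen with a transfer ticket obtained out of band, and refuses anything that does not match. The `SafeTx` class, ticket format, allow-list and addresses are assumptions constructed for the example; the Safe `operation` values and the ERC-20 `transfer(address,uint256)` selector are real.

```python
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1          # Safe 'operation' field values
ERC20_TRANSFER = "a9059cbb"        # 4-byte selector of transfer(address,uint256)

@dataclass(frozen=True)
class SafeTx:
    """The SafeTx fields a signer can read off the hardware-wallet screen (hypothetical)."""
    to: str          # target address (hex)
    value: int       # native value in wei
    data: str        # calldata hex ("0x" when empty)
    operation: int   # 0 = CALL, 1 = DELEGATECALL

def decode_erc20_transfer(data: str):
    """Return (recipient, amount) for transfer(address,uint256) calldata, else None."""
    raw = data[2:] if data.startswith("0x") else data
    if len(raw) != 8 + 64 + 64 or raw[:8].lower() != ERC20_TRANSFER:
        return None
    recipient = "0x" + raw[8 + 24:8 + 64]      # address = low 20 bytes of ABI word 1
    return recipient.lower(), int(raw[8 + 64:], 16)

def review_safe_tx(tx: SafeTx, ticket: dict, allowlist: set) -> list:
    """Compare the on-screen SafeTx with a transfer ticket obtained out of band.
    ticket = {"token": ERC-20 address or None for ETH, "recipient": addr, "amount": int}
    Returns blocking findings; an empty list means the tx matches the ticket."""
    findings = []
    # A delegatecall runs the target's code inside the Safe's own storage context and can
    # therefore overwrite the Safe's implementation pointer; a transfer never needs it.
    if tx.operation == DELEGATECALL:
        findings.append("operation is DELEGATECALL; a routine transfer uses CALL")
    if tx.to.lower() not in allowlist:
        findings.append(f"target {tx.to} is not on the signing allow-list")
    if ticket["token"] is None:                # plain ETH transfer
        if tx.data not in ("", "0x"):
            findings.append("ticket is an ETH transfer but calldata is present")
        if tx.to.lower() != ticket["recipient"].lower() or tx.value != ticket["amount"]:
            findings.append("recipient or amount differs from the ticket")
    else:                                      # ERC-20 transfer via the token contract
        if tx.to.lower() != ticket["token"].lower() or tx.value != 0:
            findings.append("token contract or native value differs from the ticket")
        if decode_erc20_transfer(tx.data) != (ticket["recipient"].lower(), ticket["amount"]):
            findings.append("calldata is not transfer(recipient, amount) from the ticket")
    return findings

# Constructed sample data: placeholder addresses, not real ones.
TOKEN, TREASURY, UNKNOWN = ("0x" + h * 20 for h in ("11", "22", "33"))
TICKET = {"token": TOKEN, "recipient": TREASURY, "amount": 10**18}
GOOD = SafeTx(TOKEN, 0, "0x" + ERC20_TRANSFER + TREASURY[2:].zfill(64) + f"{10**18:064x}", CALL)
BAD = SafeTx(UNKNOWN, 0, "0x", DELEGATECALL)   # a delegatecall to a contract nobody approved
```

`review_safe_tx(GOOD, TICKET, {TOKEN})` returns no findings, while `review_safe_tx(BAD, TICKET, {TOKEN})` is blocked on four counts; the signer should only sign when the list is empty.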
Secret 6: What can BitJungle do?
1. Establish the facts, reconstruct the attacker's complete intrusion path, and identify other hidden security risks.
2. BitJungle has established connections with more than a dozen large exchanges and organizations. Through the Zhong Kui system, stolen assets can be frozen automatically to help users recover their losses as quickly as possible.
3. Use professional technology and extensive experience to quickly locate suspects and assist judicial authorities in making arrests.