8,000 mETH (worth about $26 million)
90,375.5479 stETH (worth about $260 million)
15,000 cmETH (worth about $43 million)

We used the on-chain tracking and anti-money-laundering tool MistTrack to identify the initial hacker address, 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2, and analyzed it with the following results:

ETH dispersal: the initial hacker address dispersed 400,000 ETH to 40 addresses, 10,000 ETH each, and the transfers are continuing. Of this, 205 ETH was swapped for BTC through Chainflip and bridged to the address bc1qlu4a33zjspefa3tnq566xszcr0fvwz05ewhqfq.

cmETH flow: 15,000 cmETH was transferred to the address 0x1542368a03ad1f03d96D51B414f4738961Cf4443. It is worth noting that mETH Protocol posted on X that in response to the Bybit security incident, the team promptly suspended cmETH withdrawals and prevented unauthorized withdrawals. mETH Protocol successfully recovered 15,000 cmETH from the hacker's address.

mETH and stETH transfers: 8,000 mETH and 90,375.5479 stETH were transferred to the address 0xA4B2Fd68593B6F34E51cB9eDB66E71c1B4Ab449e, converted to 98,048 ETH through Uniswap and ParaSwap, and then transferred to 0xdd90071d52f20e85c89802e5dc1ec0a7b6475f92, which in turn dispersed the ETH to 9 addresses, 10,000 ETH each. In addition, the address 0x0fa09C3A328792253f8dee7116848723b72a6d2e, from which the hacker launched the initial attack, was traced back to its source: the initial funds of this address came from Binance.

The current initial hacker address 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2 has a balance of 1,346 ETH. We will continue to monitor the relevant addresses.
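As an added illustration (not part of the SlowMist analysis and not MistTrack's code), the following Python walks a constructed transfer ledger the way an analyst traces the flows above: a breadth-first hop search from the seed address, then a check for the "N addresses x one fixed amount" dispersal pattern. All addresses and amounts in the sample ledger are invented.

```python
from collections import defaultdict, deque
from typing import Dict, List, Set, Tuple

Transfer = Tuple[str, str, float]  # (sender, receiver, amount in ETH)

# Constructed ledger (invented addresses and amounts, not the incident's real transactions):
# the seed splits 60,000 ETH into six 10,000 ETH outputs, one hop then splits again,
# and a small 205 ETH leg goes to an exchange-like address.
SEED = "0xseed"
SAMPLE_LEDGER: List[Transfer] = (
    [(SEED, f"0xhop1_{i:02d}", 10_000.0) for i in range(6)]
    + [("0xhop1_03", f"0xhop2_{i:02d}", 2_000.0) for i in range(5)]
    + [(SEED, "0xexchange", 205.0), ("0xunrelated", "0xshop", 1.5)]
)

def downstream(ledger: List[Transfer], seed: str, max_hops: int = 3) -> Dict[str, int]:
    """Breadth-first search over outgoing transfers; returns address -> hop distance."""
    outgoing: Dict[str, List[str]] = defaultdict(list)
    for sender, receiver, _ in ledger:
        outgoing[sender].append(receiver)
    dist = {seed: 0}
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        if dist[cur] >= max_hops:
            continue
        for nxt in outgoing[cur]:
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return dist

def equal_split_fanouts(ledger: List[Transfer], watched: Set[str],
                        min_outputs: int = 4) -> Dict[Tuple[str, float], int]:
    """Flag watched senders that sent one identical amount to min_outputs or more
    distinct receivers, i.e. the 'N addresses x fixed size' dispersal pattern."""
    receivers: Dict[Tuple[str, float], Set[str]] = defaultdict(set)
    for sender, receiver, amount in ledger:
        if sender in watched:
            receivers[(sender, amount)].add(receiver)
    return {key: len(rs) for key, rs in receivers.items() if len(rs) >= min_outputs}
```

Feeding `downstream` with the addresses it reaches into `equal_split_fanouts` reports each hop that is splitting funds into equal parts, which is the pattern worth putting on a monitoring list.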

After the incident, SlowMist immediately speculated that the attacker was a North Korean hacker, based on how the attacker obtained the Safe multi-signatures and laundered the funds:

Possible social engineering attack methods:

Using MistTrack analysis, it was also found that the hacker address of this incident was associated with the BingX Hacker and Phemex Hacker addresses:

Analysis of the attack method
At 23:44 on the night of the incident, Bybit CEO Ben Zhou posted a statement on X explaining the technical details of the attack:

Through on-chain signature analysis, we found the following traces:

1. Deploying a malicious contract: at 2025-02-19 07:15:23 UTC, the attacker deployed a malicious implementation contract, 0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516.
2. Tampering with the Safe contract logic: at 2025-02-21 14:13:35 UTC, a transaction signed by three Owners replaced the Safe contract with a malicious version: 0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882. This transaction traces back to the hacker's initial attack address, 0x0fa09C3A328792253f8dee7116848723b72a6d2e.
3. Embedding the malicious logic: the malicious logic contract 0x96221423681A6d52E184D440a8eFCEbB105C7242 was written into STORAGE 0 (the slot that holds the Safe proxy's implementation address) through DELEGATECALL.
4. Calling backdoor functions to transfer funds: the attacker used the sweepETH and sweepERC20 functions in the contract to move all 400,000 ETH and stETH (total value approximately $1.5 billion) from the cold wallet to an unknown address.
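The pattern in steps 2 and 3 is visible in the raw Safe calldata before anyone signs: a DELEGATECALL (operation = 1) runs the target's code inside the Safe's own storage, so the target can rewrite slot 0. As an added example (not code from the SlowMist post or from Safe), the Python below decodes a Safe `execTransaction` call and flags exactly that; the function selector 0x6a761202 and the argument order are Safe's real ABI, while the addresses, calldata and allowlist are constructed for the example.

```python
from typing import Dict, List

SELECTOR = bytes.fromhex("6a761202")  # real Safe execTransaction selector
CALL, DELEGATECALL = 0, 1
ZERO_ADDRESS = "0x" + "00" * 20
HEAD_BYTES = 10 * 32  # execTransaction has 10 parameters: ABI head is 10 words

def _u256(x) -> bytes:
    """Encode an int or 0x-hex address as a 32-byte big-endian word."""
    return (int(x, 16) if isinstance(x, str) else x).to_bytes(32, "big")

def encode_exec_transaction(to: str, value: int, data: bytes, operation: int,
                            signatures: bytes = b"") -> bytes:
    """Minimal ABI encoder (gas params zeroed) to build sample calldata for the check."""
    fields = [to, value, data, operation, 0, 0, 0, ZERO_ADDRESS, ZERO_ADDRESS, signatures]
    head = tail = b""
    for f in fields:
        if isinstance(f, bytes):  # dynamic field: head word is the offset into the body
            head += _u256(HEAD_BYTES + len(tail))
            tail += _u256(len(f)) + f + b"\0" * (-len(f) % 32)
        else:
            head += _u256(f)
    return SELECTOR + head + tail

def decode_exec_transaction(calldata: bytes) -> Dict[str, object]:
    """Decode the fields a signer should verify independently of the web UI."""
    if calldata[:4] != SELECTOR:
        raise ValueError("not an execTransaction call")
    body = calldata[4:]
    word = lambda i: body[32 * i:32 * (i + 1)]
    def dynamic(i: int) -> bytes:
        off = int.from_bytes(word(i), "big")
        length = int.from_bytes(body[off:off + 32], "big")
        return body[off + 32:off + 32 + length]
    return {"to": "0x" + word(0)[12:].hex(), "value": int.from_bytes(word(1), "big"),
            "data": dynamic(2), "operation": int.from_bytes(word(3), "big"),
            "signatures": dynamic(9)}

def review(calldata: bytes, delegatecall_allowlist: List[str]) -> List[str]:
    """Findings for a pending Safe tx; empty means a plain CALL with no delegatecall."""
    tx = decode_exec_transaction(calldata)
    findings: List[str] = []
    if tx["operation"] == DELEGATECALL:
        findings.append(f"DELEGATECALL to {tx['to']}: target code runs in the Safe's own "
                        "storage and can overwrite slot 0 (the implementation address)")
        if tx["to"] not in {a.lower() for a in delegatecall_allowlist}:
            findings.append("delegatecall target is not an allowlisted Safe library")
    return findings
```

Running `review` on the calldata taken from the hardware wallet or RPC request, rather than trusting what the web page renders, is the independent check the questions later in this article point to.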
From the perspective of attack methods, the WazirX hack and the Radiant Capital hack are similar to this attack. The targets of all three incidents were Safe multi-signature wallets. In the WazirX hack, the attacker likewise deployed a malicious implementation contract in advance, obtained a transaction signed by three Owners, and wrote the malicious logic contract into STORAGE 0 through DELEGATECALL, replacing the Safe contract with the malicious implementation.


(https://etherscan.io/tx/0x48164d3adbab78c2cb9876f6e17f88e321097fcd14cadd57556866e4ef3e185d)
For the Radiant Capital incident, according to the official disclosure, the attacker used a sophisticated method that let the signature verifiers see seemingly legitimate transactions on the front end, which matches the information disclosed in Ben Zhou's tweet.

(https://medium.com/@RadiantCapital/radiant-post-mortem-fecd6cd38081)
The permission checks in the malicious contracts from all three incidents are the same: the owner address is hard-coded in the contract and compared against the contract caller. The error messages thrown by the permission checks in the Bybit and WazirX incidents are also similar.

In this incident, there is no problem with the Safe contract itself; the problem lies outside the contract, where the front end was tampered with and forged to deceive the signers. This is not an isolated case. Last year, North Korean hackers attacked several platforms in this way: WazirX lost $230M via its Safe multi-signature wallet; Radiant Capital lost $50M via its Safe multi-signature wallet; DMM Bitcoin lost $305M via its Ginco multi-signature wallet. This attack method is mature and requires more attention.
According to the official announcement released by Bybit:

(https://announcements.bybit.com/zh-MY/article/incident-update---eth-cold-wallet-incident-blt292c0454d26e9140)
Combined with Ben Zhou’s tweet:

The following questions arise:
1. Routine ETH transfer
Did the attacker obtain the operational information of Bybit's internal finance team in advance and know when the ETH multi-signature cold wallet transfer would take place?
Were the signers induced, through the Safe system, to sign a malicious transaction on a forged interface? Was Safe's front-end system compromised and taken over?
2. Tampered Safe contract UI
Did the signer see the correct address and URL on the Safe interface while the actual signed transaction data had been tampered with?
The key question is: who initiated the signature request first, and how secure was that device?
With these questions in mind, we look forward to the official disclosure of further investigation results as soon as possible.
Market Impact
Bybit quickly issued an announcement after the incident, stating that all customer assets are backed 1:1 by reserves and that the platform can absorb the loss; user withdrawals are not affected.
At 10:51 on February 22, 2025, Bybit CEO Ben Zhou posted that deposits and withdrawals were back to normal:

Closing Remarks
This theft once again highlights the severe security challenges facing the cryptocurrency industry. As the crypto industry develops rapidly, hacker organizations, especially state-sponsored groups such as Lazarus Group, are continuously upgrading their attack methods. This incident is a wake-up call for cryptocurrency exchanges: platforms need to further strengthen their security protections and adopt more advanced defense mechanisms, such as multi-factor authentication, encrypted wallet management, asset monitoring and risk assessment, to keep user assets safe. For individual users, raising security awareness is equally crucial. We recommend prioritizing safer storage methods such as hardware wallets and avoiding long-term storage of large amounts of funds on exchanges. In this evolving field, only by continuously upgrading the technical line of defense can we secure digital assets and promote the healthy development of the industry.