Author: BitpushNews Mary Liu
While the crypto community was still debating the direction of the bull market, on February 21, a sudden black swan event "struck" the market. The well-established crypto exchange Bybit was hacked, with nearly $1.5 billion in assets stolen, primarily in ETH, amounting to approximately 401,347 coins, valued at about $1.12 billion.
After the news broke, Bitcoin fell sharply, briefly dropping below the $95,000 mark; Ethereum, already weak, plummeted 5% to $2,615, and as of the time of writing, it had rebounded to $2,666.
The Bybit team responded quickly, with CEO Ben Zhou calmly going live to assure users that the platform would never close the withdrawal channel. He stated that even if the funds could not be fully recovered, Bybit had the capability to fully compensate users for their losses.
According to statistics from 10x Research, the $1.46 billion stolen from Bybit is the largest hacking incident in the history of crypto exchanges, with the second-largest crypto theft being the $611 million from Poly Network in 2021. Additionally, on-chain detective ZachXBT has submitted conclusive evidence confirming that the North Korean hacker group Lazarus Group is behind this attack.
The movements of the hacker's address have become a focal point of attention. On-chain data shows that the Bybit hacker address has now become the 14th largest ETH holder globally, holding about 0.42% of the total Ethereum supply, surpassing Fidelity, Vitalik Buterin, and even holding more than twice the amount of the Ethereum Foundation.
Industry Support: Bybit is Definitely Not FTX!
Coinbase executive Conor Grogan took to social media to support Bybit: "After being hacked, withdrawals on Bybit seem to be functioning normally. They have over $20 billion in assets on the platform, and their cold wallet is intact. Given the isolated nature of the signature hack and Bybit's capital strength, I do not expect any contagion."
Grogan also emphasized: "It was clear that FTX had no funds to withdraw just one minute after the run began. I know everyone has PTSD, but Bybit's situation is different from FTX; if it were, I would shout it out loud. They will be fine."
In response to this incident, several industry participants expressed their support for Bybit.
In the early hours of February 22, Beijing time, on-chain data showed that addresses from Binance and Bitget transferred 50,000 ETH to Bybit's cold wallet. Notably, the transfer amount from Bitget accounted for a quarter of its total ETH, drawing attention. According to Conor Grogan, this transaction was directly coordinated by Bybit, bypassing the usual deposit addresses.
Ben Zhou responded, "Thank you to Bitget for extending a helping hand at this moment; we are communicating with Binance and several other partners, and this funding is not related to Binance officially."
Tron founder Justin Sun stated on social media that the Tron network is assisting in tracking the funds. OKX Chief Marketing Officer Haider Rafique also mentioned that the exchange has deployed a security team to support Bybit's investigation.
KuCoin emphasized that crypto "is a shared responsibility" and called for cross-exchange cooperation to combat cybercrime.
Questions Raised About Safe Security
The core of this attack lies in a technique known as "Blind Signing." Blind signing refers to users approving transactions without fully understanding the content of the smart contract, a technique exploited by hackers to bypass security verification.
Bybit CEO Ben Zhou pointed out during the live stream that the attackers used "Musked" technology (which obfuscates or deceives transaction payloads) to forge the multi-signature wallet user interface (UI) provided by Safe, causing signers to authorize malicious transactions unknowingly. Specifically, the attackers displayed the correct address and URL through a forged UI, but the transaction payload had been tampered with, leading signers to inadvertently approve the fund transfer.
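The defensive counterpart to the forged-interface problem described above is to decode the bytes that are about to be signed independently of the interface and compare them with what the interface displayed. The following is an added example, not code from Bybit, Safe, or the article. It uses a plain ERC-20 `transfer` as the constructed case, and all addresses, amounts, and function names are placeholders.

```python
# Added example: independent pre-signing check of payload vs. displayed intent.
TRANSFER = bytes.fromhex("a9059cbb")  # selector of ERC-20 transfer(address,uint256)

def decode_transfer(data: bytes):
    """Strictly decode ERC-20 transfer calldata into (recipient_hex, amount)."""
    if len(data) != 68 or data[:4] != TRANSFER:
        # Anything the checker cannot fully decode is rejected, not waved through.
        raise ValueError("not a plain ERC-20 transfer; refuse to sign blind")
    if any(data[4:16]):
        raise ValueError("non-zero padding in address word")
    return "0x" + data[16:36].hex(), int.from_bytes(data[36:68], "big")

def intent_mismatches(shown: dict, to: str, data: bytes) -> list:
    """List every field where the signed bytes differ from what the UI showed."""
    problems = []
    if to.lower() != shown["contract"].lower():
        problems.append("contract")
    recipient, amount = decode_transfer(data)
    if recipient != shown["recipient"].lower():
        problems.append("recipient")
    if amount != shown["amount"]:
        problems.append("amount")
    return problems

def build_transfer(recipient: str, amount: int) -> bytes:
    """Helper that builds sample calldata for the constructed cases below."""
    return TRANSFER + bytes(12) + bytes.fromhex(recipient[2:]) + amount.to_bytes(32, "big")

# Constructed placeholder values (not real addresses).
TOKEN = "0x" + "aa" * 20
TREASURY = "0x" + "bb" * 20
OTHER = "0x" + "cc" * 20
SHOWN = {"contract": TOKEN, "recipient": TREASURY, "amount": 1000}

HONEST = build_transfer(TREASURY, 1000)   # payload matches the display
TAMPERED = build_transfer(OTHER, 1000)    # same contract shown, different payload

if __name__ == "__main__":
    print(intent_mismatches(SHOWN, TOKEN, HONEST))
    print(intent_mismatches(SHOWN, TOKEN, TAMPERED))
```

The check is only meaningful when it runs on a device separate from the one rendering the interface, which is the point Odysseus makes later in the article.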
Crypto security company Groom Lake further discovered that the Safe multi-signature wallets deployed on Ethereum in 2019 and on Base Layer 2 in 2024 had the same transaction hash, which is mathematically nearly impossible.
An anonymous Groom Lake researcher, Apollo, stated that if the same transaction hash appears on both Ethereum and Base, it indicates that the attackers may have found a way to make a single transaction valid across multiple networks or may have reused crypto wallet signatures or transaction data across different networks.
However, the Safe team denied that this attack was related to a vulnerability in their smart contract, stating that the problematic transaction was a deployment of a singleton contract which did not use EIP-155 (a security measure to prevent cross-chain transaction replay attacks), in order to support cross-chain deployment. EIP-155 was introduced in 2016; by adding a chain ID to the signed transaction, it ensures that transactions signed for Ethereum cannot be valid on other chains like Base. This means that even if the private key is leaked, attackers cannot reuse old signed transactions on different chains. The Safe team stated, "If it were (a smart contract vulnerability), then the target would not be Bybit," noting that Safe protects over $100 billion in digital assets across more than 7 million smart accounts.
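To make the EIP-155 mechanism concrete, the added example below (not code from Safe, Groom Lake, or the article) builds the byte string that is hashed and signed for a legacy transaction, with and without a chain ID, and classifies a signature's `v` value as chain-bound or replayable. The transaction fields are constructed placeholders; chain IDs 1 (Ethereum) and 8453 (Base) are the public values.

```python
# Added example: why a pre-EIP-155 transaction is valid on every chain.

def _to_bytes(n: int) -> bytes:
    """Big-endian integer without leading zeros (RLP encodes 0 as empty)."""
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

def _prefix(length: int, offset: int) -> bytes:
    """RLP length prefix: short form below 56 bytes, long form otherwise."""
    if length < 56:
        return bytes([offset + length])
    n = _to_bytes(length)
    return bytes([offset + 55 + len(n)]) + n

def rlp(item) -> bytes:
    """Minimal RLP encoder for ints, bytes and lists."""
    if isinstance(item, int):
        item = _to_bytes(item)
    if isinstance(item, bytes):
        if len(item) == 1 and item[0] < 0x80:
            return item
        return _prefix(len(item), 0x80) + item
    body = b"".join(rlp(x) for x in item)
    return _prefix(len(body), 0xC0) + body

def signing_payload(tx: dict, chain_id=None) -> bytes:
    """Bytes that are keccak256-hashed and signed for a legacy transaction."""
    fields = [tx["nonce"], tx["gas_price"], tx["gas"], tx["to"], tx["value"], tx["data"]]
    if chain_id is not None:
        fields += [chain_id, 0, 0]  # EIP-155 appends (chain_id, 0, 0)
    return rlp(fields)

def replay_scope(v: int):
    """Return the chain ID a legacy signature is bound to, or None if unbound."""
    if v in (27, 28):
        return None  # pre-EIP-155: the signature verifies on any chain
    if v >= 35:
        return (v - 35) // 2  # EIP-155: v = chain_id * 2 + 35 or 36
    raise ValueError(f"unexpected v value: {v}")

ETHEREUM, BASE = 1, 8453
# Constructed contract-creation transaction (empty 'to'); values are placeholders.
DEPLOY_TX = {"nonce": 0, "gas_price": 100 * 10**9, "gas": 1_000_000,
             "to": b"", "value": 0, "data": bytes.fromhex("6080604052")}

if __name__ == "__main__":
    print(signing_payload(DEPLOY_TX).hex())            # no chain in the signed bytes
    print(signing_payload(DEPLOY_TX, ETHEREUM).hex())  # differs from the Base payload
    print(signing_payload(DEPLOY_TX, BASE).hex())
```

Without a chain ID, the signed bytes contain nothing that distinguishes one network from another, so the same signed transaction, and therefore the same transaction hash, can appear on both Ethereum and Base.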
Are Hardware Wallets Foolproof?
However, Safe's explanation did not completely alleviate industry concerns. Ido Ben Natan, CEO of blockchain security company Blockaid, pointed out that "Blind Signing" technology is rapidly becoming a preferred attack method for advanced threat actors (such as North Korean hackers). This attack is similar to the types used in the Radiant Capital breach in December 2023 and the WazirX incident in March 2024. Natan emphasized that even with the best key management solutions, the signing process still relies on the software interface interacting with dApps, which opens the door to malicious manipulation of the signing process.
Security expert Odysseus noted that if transactions are signed on a laptop or phone connected to the internet, the effectiveness of hardware wallets is significantly reduced. He stated, "These are highly targeted attacks; generally speaking, if the device (computer or phone) is compromised, there is almost nothing that can be done except signing transactions on devices that are offline and uncompromised."
In the midst of bullish sentiment, security issues are often easily overlooked. It is never too late to mend the fold after a sheep is lost; the community hopes to see Bybit effectively resolve this crisis and minimize losses. But this attack serves as a reminder: in the crypto world, security is always the first line of defense. From vulnerabilities in multi-signature wallets to risks in cross-chain transactions, from user education to industry collaboration, every aspect should be re-examined.