Analysis of the Hacking Techniques and Questions Behind the Nearly 1.5 Billion Dollars Stolen from Bybit

11 hours ago

Hacker organizations, especially state-level hackers like the Lazarus Group, are continuously upgrading their attack methods.

Author: Slow Mist Security Team

Background

On the evening of February 21, 2025, Beijing time, on-chain detective ZachXBT revealed that a large-scale outflow of funds occurred on the Bybit platform. This incident resulted in over $1.46 billion being stolen, making it the largest cryptocurrency theft in recent years.

On-chain Tracking Analysis

After the incident, the Slow Mist Security Team immediately issued a security alert and began tracking and analyzing the stolen assets:

According to the analysis by the Slow Mist Security Team, the stolen assets mainly include:

· 401,347 ETH (worth approximately $1.068 billion)
· 8,000 mETH (worth approximately $26 million)
· 90,375.5479 stETH (worth approximately $260 million)
· 15,000 cmETH (worth approximately $43 million)

We used the on-chain tracking and anti-money laundering tool MistTrack to analyze the initial hacker address 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2, obtaining the following information:

ETH was dispersed: the initial hacker address split 400,000 ETH across 40 addresses in increments of 1,000 ETH, and transfers are continuing.

Among them, 205 ETH was exchanged for BTC via Chainflip and transferred to address bc1qlu4a33zjspefa3tnq566xszcr0fvwz05ewhqfq.

cmETH Flow: 15,000 cmETH was transferred to address 0x1542368a03ad1f03d96D51B414f4738961Cf4443. Notably, the mETH Protocol announced on X that in response to the Bybit security incident, the team promptly suspended cmETH withdrawals, preventing unauthorized withdrawal actions, and successfully recovered 15,000 cmETH from the hacker address.

mETH and stETH Transfer: 8,000 mETH and 90,375.5479 stETH were transferred to address 0xA4B2Fd68593B6F34E51cB9eDB66E71c1B4Ab449e, exchanged for 98,048 ETH through Uniswap and ParaSwap, and then transferred to 0xdd90071d52f20e85c89802e5dc1ec0a7b6475f92. Address 0xdd9 dispersed the ETH into 9 addresses in increments of 1,000 ETH; those addresses have not moved the funds further yet.

Additionally, tracing the initial attack address 0x0fa09C3A328792253f8dee7116848723b72a6d2e revealed that the initial funds came from Binance.

Currently, the initial hacker address 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2 has a balance of 1,346 ETH, and we will continue to monitor the related addresses.
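The dispersal pattern described above (one source splitting a large balance into equal 1,000 ETH chunks sent to many fresh addresses within a short time) is something an on-chain monitoring pipeline can flag automatically. The following is an added example written for this article; it is not MistTrack code, and the transfer records it runs on are constructed placeholders rather than on-chain data. The address format, the field names and the thresholds are assumptions chosen for the illustration.

```python
"""Fan-out (dispersal) detection over a stream of ETH transfer records."""
from collections import defaultdict


def detect_fan_out(transfers, min_outputs=10, window_seconds=3600):
    """Flag sources that send at least min_outputs equal-sized transfers to
    previously unseen addresses within window_seconds.

    transfers: iterable of {"from", "to", "amount_eth", "timestamp"} records.
    Returns {source_address: {"outputs", "chunk_eth", "total_eth"}}.
    """
    ordered = sorted(transfers, key=lambda t: t["timestamp"])
    seen = set()                  # every address observed so far in the stream
    outputs = defaultdict(list)   # source -> [(timestamp, amount, recipient_was_fresh)]
    for t in ordered:
        outputs[t["from"]].append((t["timestamp"], t["amount_eth"], t["to"] not in seen))
        seen.update((t["from"], t["to"]))

    alerts = {}
    for src, outs in outputs.items():
        # Slide a time window over this source's outgoing transfers.
        for i in range(len(outs)):
            window = [o for o in outs[i:] if o[0] - outs[i][0] <= window_seconds]
            if len(window) < min_outputs:
                continue
            same_chunk = len({o[1] for o in window}) == 1
            all_fresh = all(o[2] for o in window)
            if same_chunk and all_fresh:
                alerts[src] = {"outputs": len(window), "chunk_eth": window[0][1],
                               "total_eth": sum(o[1] for o in window)}
                break
    return alerts


def _addr(tag: str, i: int) -> str:
    """Constructed placeholder address (not a real on-chain address)."""
    return "0x" + (tag * 40)[:36] + f"{i:04x}"


DISPERSING_SOURCE = _addr("d", 0)   # constructed: the address doing the fan-out
EXCHANGE_HOT = _addr("e", 0)        # constructed: a legitimate exchange hot wallet


def build_sample_transfers():
    """Constructed sample: exchange payouts (benign) plus one dispersal pattern."""
    transfers = []
    # 15 customers deposit 2 ETH each, then later receive 1,000 ETH payouts.
    # The payout recipients were seen earlier, so this is not flagged as fan-out.
    for i in range(1, 16):
        customer = _addr("c", i)
        transfers.append({"from": customer, "to": EXCHANGE_HOT,
                          "amount_eth": 2.0, "timestamp": 100 + i})
        transfers.append({"from": EXCHANGE_HOT, "to": customer,
                          "amount_eth": 1000.0, "timestamp": 5000 + 30 * i})
    # One source splits 40,000 ETH into 40 x 1,000 ETH, one per minute, to fresh addresses.
    for i in range(1, 41):
        transfers.append({"from": DISPERSING_SOURCE, "to": _addr("f", i),
                          "amount_eth": 1000.0, "timestamp": 9000 + 60 * i})
    return transfers


if __name__ == "__main__":
    for src, summary in detect_fan_out(build_sample_transfers()).items():
        print(f"fan-out from {src}: {summary}")
```

The "fresh recipient" condition is what separates the laundering pattern from an exchange paying out round amounts to known customers; in production the `seen` set would be seeded from historical data rather than from the same stream.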

After the incident, Slow Mist speculated that the attacker was a North Korean hacker, based on the method used to obtain the Safe multi-signature approvals and on the money-laundering techniques:

Possible social engineering attack methods:

Using MistTrack analysis, it was also found that the hacker address related to this incident is associated with the BingX Hacker and Phemex Hacker addresses:

ZachXBT also confirmed that this attack is related to the North Korean hacker organization Lazarus Group, which has been primarily engaged in conducting transnational cyberattacks and stealing cryptocurrencies. It is understood that the evidence provided by ZachXBT, including test transactions, associated wallets, forensic charts, and time analysis, all indicate that the attacker used techniques commonly associated with the Lazarus Group in multiple operations. Meanwhile, Arkham stated that all relevant data has been shared with Bybit to assist the platform in further investigations.

Attack Method Analysis

On the night of the incident at 23:44, Bybit CEO Ben Zhou released a statement on X, detailing the technical aspects of the attack:

Through on-chain signature analysis, we discovered some traces:

  1. The attacker deployed a malicious contract. At 2025-02-19 07:15:23 UTC, a malicious implementation contract was deployed at:

0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516

  2. Tampered with the Safe contract logic. At 2025-02-21 14:13:35 UTC, using three Owner signatures, the Safe contract was replaced with the malicious version in transaction:

0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882

The transaction originated from the hacker's initial attack address:

0x0fa09C3A328792253f8dee7116848723b72a6d2e

  3. Embedded the malicious logic. DELEGATECALL was used to write the malicious logic contract into STORAGE 0:

0x96221423681A6d52E184D440a8eFCEbB105C7242

  4. Called backdoor functions to transfer funds. The attacker used the sweepETH and sweepERC20 functions in the contract to transfer all 400,000 ETH and the stETH (total value approximately $1.5 billion) from the cold wallet to an unknown address.
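The steps above hinge on one fact about Safe wallets: a Safe is a proxy whose storage slot 0 points at the implementation, and a DELEGATECALL transaction runs the target's code with the Safe's own storage, so it can overwrite that pointer. A signer who only trusts what a (possibly tampered) front end displays cannot see this; a signer who decodes the raw `execTransaction` calldata on an independent device can. The following is an added example written for this article, not SlowMist's, Bybit's or Safe's code. It decodes `execTransaction` calldata and applies a signer-side policy (no DELEGATECALL, destination allowlist, ERC-20 transfer only to known token contracts) and checks a proxy's slot 0 against the expected singleton. The function selectors are the public Safe and ERC-20 ones; the two sample transactions are constructed, the "treasury" address is a placeholder, and the transfer-shaped payload in the tampered sample is an assumed illustration of the shape described in the list above, not recovered calldata.

```python
"""Independent review of a Safe execTransaction before signing (added example)."""

# Public 4-byte selectors.
EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")  # execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)
ERC20_TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")    # transfer(address,uint256)
OP_CALL, OP_DELEGATECALL = 0, 1
ZERO_ADDRESS = "0x" + "00" * 20


def _word(value: int) -> bytes:
    """One 32-byte big-endian ABI word."""
    return value.to_bytes(32, "big")


def _pad(blob: bytes) -> bytes:
    """Right-pad dynamic bytes to a 32-byte boundary."""
    return blob + b"\x00" * (-len(blob) % 32)


def encode_exec_transaction(to, value, data, operation, signatures=b"",
                            gas_token=ZERO_ADDRESS, refund_receiver=ZERO_ADDRESS):
    """Build execTransaction calldata (safeTxGas, baseGas and gasPrice fixed at 0)."""
    data_offset = 10 * 32                                # ten head words
    sigs_offset = data_offset + 32 + len(_pad(data))     # after data's length word and body
    head = b"".join([
        _word(int(to, 16)), _word(value), _word(data_offset), _word(operation),
        _word(0), _word(0), _word(0),
        _word(int(gas_token, 16)), _word(int(refund_receiver, 16)), _word(sigs_offset),
    ])
    tail = _word(len(data)) + _pad(data) + _word(len(signatures)) + _pad(signatures)
    return EXEC_TRANSACTION_SELECTOR + head + tail


def decode_exec_transaction(calldata: bytes) -> dict:
    """Decode execTransaction calldata into its fields; raises on a different selector."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not a Safe execTransaction call")
    body = calldata[4:]

    def word(i):
        return int.from_bytes(body[i * 32:(i + 1) * 32], "big")

    def addr(i):  # an address is the low 20 bytes of its word
        return "0x" + body[i * 32 + 12:(i + 1) * 32].hex()

    def dyn(offset):  # dynamic bytes: length word followed by the payload
        length = int.from_bytes(body[offset:offset + 32], "big")
        return body[offset + 32:offset + 32 + length]

    return {"to": addr(0), "value": word(1), "data": dyn(word(2)), "operation": word(3),
            "safeTxGas": word(4), "baseGas": word(5), "gasPrice": word(6),
            "gasToken": addr(7), "refundReceiver": addr(8), "signatures": dyn(word(9))}


def review_before_signing(calldata: bytes, allowed_targets) -> list:
    """Return policy findings for a proposed Safe transaction (empty list = clean)."""
    tx = decode_exec_transaction(calldata)
    allow = {a.lower() for a in allowed_targets}
    findings = []
    if tx["operation"] == OP_DELEGATECALL:
        findings.append("operation=1 (DELEGATECALL): target code runs with the Safe's own "
                        "storage and can rewrite slot 0, the implementation pointer")
    if tx["to"].lower() not in allow:
        findings.append(f"destination {tx['to']} is not on the allowlist")
    if tx["data"][:4] == ERC20_TRANSFER_SELECTOR and tx["to"].lower() not in allow:
        findings.append("transfer(address,uint256)-shaped payload sent to an unknown contract")
    return findings


def check_implementation_slot(slot0_hex: str, expected_singleton: str) -> bool:
    """Compare a Safe proxy's storage slot 0 (e.g. an eth_getStorageAt result) with the expected singleton."""
    return int(slot0_hex, 16) == int(expected_singleton, 16)


# Constructed samples. The two hacker-side addresses are the ones named in the write-up;
# the treasury address is a placeholder.
TREASURY_HOT_WALLET = "0x" + "11" * 20
MALICIOUS_LOGIC = "0x96221423681A6d52E184D440a8eFCEbB105C7242"
MALICIOUS_IMPL = "0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516"

ROUTINE_TRANSFER = encode_exec_transaction(
    to=TREASURY_HOT_WALLET, value=1_000 * 10**18, data=b"", operation=OP_CALL)

# Assumed shape of a tampered request: a transfer-looking payload, but DELEGATECALLed into an unknown contract.
TAMPERED_TRANSFER = encode_exec_transaction(
    to=MALICIOUS_LOGIC, value=0, operation=OP_DELEGATECALL,
    data=ERC20_TRANSFER_SELECTOR + _word(int(TREASURY_HOT_WALLET, 16)) + _word(int(MALICIOUS_IMPL, 16)))

if __name__ == "__main__":
    for name, calldata in (("routine", ROUTINE_TRANSFER), ("tampered", TAMPERED_TRANSFER)):
        print(name, review_before_signing(calldata, [TREASURY_HOT_WALLET]) or ["clean"])
```

The decode step is deliberately self-contained so it can run on an offline machine: the signer pastes the hex calldata shown by the hardware wallet, and the review output is compared with what the web interface claims the transaction does. The slot-0 check is the after-the-fact counterpart, run periodically against every Safe the organisation controls.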

From the perspective of attack methods, the WazirX hack incident and the Radiant Capital hack incident share similarities with this attack; all three incidents targeted Safe multi-signature wallets. In the WazirX hack incident, the attacker also pre-deployed a malicious implementation contract and replaced the Safe contract with a malicious implementation contract through three Owner signatures, using DELEGATECALL to write the malicious logic contract into STORAGE 0.

(https://etherscan.io/tx/0x48164d3adbab78c2cb9876f6e17f88e321097fcd14cadd57556866e4ef3e185d)

Regarding the Radiant Capital hack incident, according to official disclosures, the attacker utilized a complex method that made the signature validators see seemingly legitimate transactions on the front end, which is similar to the information disclosed in Ben Zhou's tweet.

(https://medium.com/@RadiantCapital/radiant-post-mortem-fecd6cd38081)

Moreover, the permission checks in the malicious contracts from all three incidents are the same: each hard-codes the owner address in the contract and compares it against the caller. The error messages thrown by the permission checks in the Bybit and WazirX incidents are also similar.

In this incident, the Safe contract itself was not the issue; the problem lay outside the contract, where the front end was tampered with and forged to deceive the signers. This is not an isolated case. North Korean hackers attacked several platforms last year using this method, for example: WazirX, with a loss of $230M, targeting a Safe multi-signature wallet; Radiant Capital, with a loss of $50M, targeting a Safe multi-signature wallet; DMM Bitcoin, with a loss of $305M, targeting a Gonco multi-signature wallet. This attack method has been engineered to maturity and deserves heightened attention.

According to the official announcement from Bybit:

(https://announcements.bybit.com/zh-MY/article/incident-update---eth-cold-wallet-incident-blt292c0454d26e9140)

Combined with Ben Zhou's tweet:

This raises the following questions:

  1. Routine ETH Transfer

Did the attacker possibly obtain operational information from Bybit's internal finance team in advance, mastering the timing of ETH multi-signature cold wallet transfers?

Did they induce signers to sign malicious transactions on a forged interface through the Safe system? Was the front-end system of Safe compromised and taken over?

  2. Safe Contract UI Tampering

Did the signers see the correct address and URL on the Safe interface, while the transaction data actually signed had been tampered with?

The key question is: who initiated the signature request first? How secure was their device?

With these questions in mind, we look forward to the official disclosure of more investigation results soon.

Market Impact

Bybit quickly released an announcement after the incident, promising that all customer assets are backed 1:1, and the platform can bear the loss from this incident. User withdrawals are not affected.

On February 22, 2025, at 10:51, Bybit CEO Ben Zhou tweeted that deposits and withdrawals are now normal:

Final Thoughts

This theft incident once again highlights the severe security challenges faced by the cryptocurrency industry. With the rapid development of the crypto industry, hacker organizations, especially state-level hackers like the Lazarus Group, are continuously upgrading their attack methods. This incident serves as a wake-up call for cryptocurrency exchanges, emphasizing the need for platforms to further strengthen security measures and adopt more advanced defense mechanisms, such as multi-factor authentication, encrypted wallet management, asset monitoring, and risk assessment, to ensure the safety of user assets. For individual users, enhancing security awareness is equally crucial; it is recommended to prioritize safer storage methods like hardware wallets and avoid keeping large amounts of funds on exchanges for extended periods. In this ever-evolving field, only by continuously upgrading the technological defenses can we ensure the security of digital assets and promote the healthy development of the industry.

Disclaimer: This article represents only the personal views of the author and not the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between a user and the author is unrelated to this platform. If any article or image published on this page infringes your rights, please send proof of the rights and of your identity to support@aicoin.com, and the platform's staff will review it.
