Author: Spirit, Golden Finance
Event Overview
On February 21, 2025, cryptocurrency exchange Bybit disclosed that its Ethereum multisig cold wallet had experienced unauthorized activity, resulting in the theft of nearly US$1.5 billion in ETH and stETH. Preliminary analysis indicates a carefully planned operation: the attackers gained control of Bybit's ETH cold wallet by disguising the transaction-signing interface and replacing the wallet's smart contract implementation, then transferred the funds out. After the incident, Bybit quickly issued a statement, launched an investigation, and sought external financial support to handle the wave of user withdrawals. It is the largest single theft in cryptocurrency history and has triggered market volatility and renewed concern about the security of centralized exchanges.
Event timeline (HKT, UTC+8)
The following timeline is compiled from public information and uses Hong Kong time (HKT, UTC+8):
February 19, 2025 15:15 HKT (07:15 UTC): The malicious contract was deployed (contract address: `0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516`). Analysis by the SlowMist team shows that this contract was pre-positioned as part of the attack.
February 21, 2025 22:13 HKT (14:13 UTC): Using three Owner signatures, the attacker executed a transaction (transaction hash: `0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882`) that replaced the Safe implementation contract of Bybit's multisig cold wallet with the malicious contract above. This is considered the critical step of the attack; it paved the way for the subsequent theft of funds.
February 21, 2025 23:30 HKT: Abnormal fund transfers were observed from Bybit's Ethereum cold wallet, and about US$1.5 billion in ETH and stETH was stolen. X (formerly Twitter) user @OrdzWorld was the first to flag the abnormal transfer from Bybit's cold wallet to a warm wallet.
February 21, 2025 23:48 HKT: Bybit CEO Ben Zhou posted on social media acknowledging that an unauthorized transfer had occurred from the ETH cold wallet, initially characterized it as a "masked UI" spoofing attack, and stressed that the other cold wallets were safe and withdrawals were operating normally.
February 21, 2025 23:51 HKT: Bybit's official account @Bybit_Official issued a statement on X confirming that unauthorized activity had been detected in its ETH cold wallet, and stating that the attacker had manipulated the transaction through a sophisticated attack that disguised the signing interface. Bybit announced that an investigation had begun and stressed that user funds were secure.
February 22, 2025 00:11 HKT: Bybit CEO Ben Zhou reiterated that Bybit is solvent and that user assets are backed 1:1.
February 22, 2025 01:00 HKT: The SlowMist team (@SlowMist_Team) disclosed further technical details on X, noting that the malicious contract had been deployed as early as February 19 and that the attacker carried out the theft using the backdoor functions `sweepETH` and `sweepERC20` together with `DELEGATECALL` logic.
February 22, 2025 01:07 HKT: X user @web3golder reported that Bybit was facing a wave of user withdrawals and that some of the stolen assets were already being swapped into ETH on decentralized exchanges (DEXs), heightening market concern.
February 22, 2025 01:24 HKT: BitMart founder Sheldon posted on X that BitMart had frozen the relevant addresses and would assist Bybit in recovering the assets.
February 22, 2025 01:39 HKT: Security firm Beosin's analysis found that the gas fees for the attacker's initial address had been funded from Binance.
February 22, 2025 05:23 HKT: On-chain investigator ZachXBT (@ZachXBT) posted on X that he had submitted an evidence report and had preliminarily attributed the attack to the North Korean hacker group Lazarus Group. Arkham Intelligence reposted the message.
February 22, 2025 07:27 HKT: Bybit's official X account issued a statement saying it had reported the case to the relevant authorities and was working with on-chain analytics providers to identify and isolate the addresses involved and prevent the hackers from selling the ETH.
February 22, 2025 09:09 HKT: On-chain analyst Yu Ember (@EmberCN) observed that Bitget had lent 40,000 ETH to Bybit to relieve withdrawal pressure.
February 22, 2025 09:14 HKT: Bitget CEO Gracy Chen posted a letter of support for Bybit on X, expressing her belief that Bybit's customer funds are safe and that there is no need to panic.
February 22, 2025 09:21 HKT: Web3 audit firm Hacken released an updated proof of reserves, stating that Bybit's reserves still exceed its liabilities and that user funds are fully backed. Bybit CEO Ben Zhou replied that Hacken's audit demonstrated Bybit's ability to cover customer losses.
February 22, 2025 09:28 HKT: KuCoin CEO BC Wong expressed support for Bybit and said KuCoin had helped monitor the flow of funds and freeze suspicious assets.
February 22, 2025 09:30 HKT: Binance founder Changpeng Zhao (CZ) responded on social media that Binance had not lent funds to Bybit and that the transfers in question may have been the personal action of a whale.
February 22, 2025 09:35 HKT: Multisig wallet protocol Safe issued an official statement saying no compromise of its codebase had been found and that it had paused Safe functionality in order to conduct a thorough check.
February 22, 2025 09:38 HKT: On-chain monitoring showed that MEXC's hot wallet had transferred 12,600 stETH to Bybit's cold wallet to provide further liquidity support.
February 22, 2025 09:55 HKT: Bybit CEO Ben Zhou said Bybit was transferring USDT from cold wallets to hot wallets, that this was a planned step, and that it was not another hack.
Support from all parties and liquidity response
Bybit acted quickly after the incident and sought support from multiple parties to deal with a potential liquidity crisis and a crisis of user trust:
Bitget's ETH loan: Bitget urgently lent 40,000 ETH (approximately US$105.9 million) to Bybit, transferred directly to Bybit's cold wallet address, to relieve withdrawal pressure. The loan reflects a spirit of mutual assistance among exchanges.
Bridge loan: Bybit CEO Ben Zhou revealed that Bybit had reached bridge loan agreements with partners covering approximately 80% of the value of the stolen ETH (roughly US$1.12 billion). The specific sources have not been made public but may include Bitget's loan. As a short-term financing tool, the bridge loan is intended to replenish liquidity quickly and spare Bybit from having to buy ETH on the open market immediately, which could cause further market volatility.
KuCoin monitoring and freezing assistance: KuCoin's CEO said the exchange had helped Bybit monitor the flow of the stolen funds and freeze suspicious assets in an effort to reduce losses.
Financial audit and proof of solvency: Hacken, the Web3 audit firm Bybit partners with, issued an updated proof of reserves showing that Bybit's reserves still exceed its liabilities and that user funds are fully backed. Bybit CEO Ben Zhou also said Bybit is solvent and user assets are backed 1:1: even if the losses from the hack cannot be recovered, Bybit can make users whole.
User withdrawal processing: Bybit's CEO said the platform's withdrawal function was operating normally and that 99.994% of withdrawal requests had been completed, while acknowledging that the large volume of requests might cause delays.
Event background and industry trends
Bybit overview: Bybit was founded in 2018 and is headquartered in Singapore. It is a cryptocurrency exchange focused mainly on derivatives trading, with more than 10 million users and considerable influence in the industry.
Cryptocurrency thefts are frequent: In recent years, centralized exchanges have become high-value targets for hackers because of the concentration of funds they hold. Cryptocurrency theft worldwide reached US$2.3 billion in 2024; the amount stolen from Bybit alone exceeds 60% of last year's industry-wide total, underscoring the severity of the security situation. Well-known projects such as Ronin Network have also suffered large-scale thefts, showing that attack techniques keep evolving and centralized platforms face continuous security challenges.
Early warning and long-term planning: Security firms disclosed that the malicious contract was deployed as early as February 19, indicating that the attack was not opportunistic but carefully planned and prepared over time.
Event cause analysis
Technical vulnerabilities and social engineering:
Preliminary analysis suggests the attacker exploited weaknesses in the signing process of Bybit's multisig cold wallet, tricking the Owners into signing a malicious transaction by disguising the transaction interface and replacing the Safe implementation contract.
The attacker may have combined this with social engineering (compare the attack incident of October last year), such as compromising a signer's computer or an intermediate communication link, so that a legitimate transaction request was swapped for a malicious one without raising the signers' suspicion.
The DELEGATECALL instruction was exploited in the malicious contract. Under DELEGATECALL the callee's code runs in the caller's context, so malicious code executed in the context of the multisig wallet could rewrite the wallet's own storage (including the address of its implementation contract), alter its logic, and transfer out the funds.
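The decoding and checks below are an added example for this article, not code from Bybit, Safe or the article's author. They assume the Safe v1.x execTransaction ABI (function selector 0x6a761202) and the Safe proxy layout in which storage slot 0 holds the implementation ("singleton") address; the allowlist address and the sample payload are constructed placeholders, and the only address taken from the article is the malicious contract address. The example shows what an independent check of the raw calldata, rather than of whatever the wallet UI rendered, surfaces for a transaction of this shape: the operation field is DELEGATECALL instead of CALL and the target is not a known library. It does not claim to reproduce the exact calldata Bybit's signers saw.

```python
"""Pre-signing review of a Safe execTransaction() call.

Added example for this article; not Bybit's, Safe's or the article's own
code. Assumes the Safe v1.x execTransaction ABI (selector 0x6a761202) and
that storage slot 0 of a Safe proxy holds the singleton (implementation)
address. Allowlist and sample addresses are constructed placeholders,
except MALICIOUS_IMPL, which is the contract address quoted in the article.
"""

from dataclasses import dataclass

EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")  # execTransaction(...)
ERC20_TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")    # transfer(address,uint256)
OP_CALL, OP_DELEGATECALL = 0, 1

ZERO_ADDRESS = "0x" + "00" * 20
MALICIOUS_IMPL = "0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516"  # from the article


def _word(value: int) -> bytes:
    """One 32-byte big-endian ABI word."""
    return value.to_bytes(32, "big")


def _addr_word(addr: str) -> bytes:
    """An address right-aligned in a 32-byte word."""
    return _word(int(addr, 16))


def _pad(b: bytes) -> bytes:
    """Pad dynamic bytes up to a 32-byte boundary."""
    return b + b"\x00" * (-len(b) % 32)


def encode_exec_transaction(to, value, data, operation, signatures=b"",
                            safe_tx_gas=0, base_gas=0, gas_price=0,
                            gas_token=ZERO_ADDRESS, refund_receiver=ZERO_ADDRESS):
    """ABI-encode execTransaction(); used here only to build sample calldata.
    The head holds ten words; `data` and `signatures` are dynamic, so their
    head words are byte offsets into the tail."""
    data_offset = 10 * 32
    sig_offset = data_offset + 32 + len(_pad(data))
    head = b"".join([
        _addr_word(to), _word(value), _word(data_offset), _word(operation),
        _word(safe_tx_gas), _word(base_gas), _word(gas_price),
        _addr_word(gas_token), _addr_word(refund_receiver), _word(sig_offset),
    ])
    tail = _word(len(data)) + _pad(data) + _word(len(signatures)) + _pad(signatures)
    return EXEC_TRANSACTION_SELECTOR + head + tail


@dataclass
class SafeTx:
    to: str          # lower-case 0x address the Safe will call
    value: int       # wei
    data: bytes      # inner calldata forwarded to `to`
    operation: int   # 0 = CALL, 1 = DELEGATECALL


def decode_exec_transaction(calldata: bytes) -> SafeTx:
    """Decode the fields a signer must check straight from raw calldata,
    without trusting what a wallet UI chose to display."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction() call")
    body = calldata[4:]

    def word(i: int) -> int:
        return int.from_bytes(body[32 * i:32 * (i + 1)], "big")

    to = "0x" + body[12:32].hex()          # low 20 bytes of word 0
    data_offset = word(2)
    data_len = int.from_bytes(body[data_offset:data_offset + 32], "big")
    data = body[data_offset + 32:data_offset + 32 + data_len]
    return SafeTx(to=to, value=word(1), data=data, operation=word(3))


def review_safe_tx(calldata: bytes, delegatecall_allowlist: set) -> list:
    """Return the warnings a signer should see before approving."""
    tx = decode_exec_transaction(calldata)
    allow = {a.lower() for a in delegatecall_allowlist}
    warnings = []
    if tx.operation == OP_DELEGATECALL:
        warnings.append("operation=DELEGATECALL: the target's code runs in the Safe's own "
                        "storage context and can overwrite slot 0 (the implementation address)")
        if tx.to not in allow:
            warnings.append(f"delegatecall target {tx.to} is not an allow-listed library")
        if tx.data[:4] == ERC20_TRANSFER_SELECTOR:
            warnings.append("payload carries the transfer(address,uint256) selector but is "
                            "delegatecalled: a UI may render it as a plain token transfer")
    elif tx.operation != OP_CALL:
        warnings.append(f"unknown operation {tx.operation}")
    return warnings


def singleton_replaced(slot0: bytes, expected_singleton: str) -> bool:
    """After-the-fact check: compare the proxy's storage slot 0 (the 32-byte value
    eth_getStorageAt(proxy, 0) returns) with the singleton the wallet was deployed with."""
    expected = expected_singleton.lower()
    expected = expected[2:] if expected.startswith("0x") else expected
    return slot0[12:].hex() != expected


if __name__ == "__main__":
    # Constructed sample: a delegatecall to the malicious contract whose payload
    # is shaped like an ERC-20 transfer (placeholder recipient 0xaa..aa).
    sample = encode_exec_transaction(
        to=MALICIOUS_IMPL, value=0,
        data=ERC20_TRANSFER_SELECTOR + _addr_word("0x" + "aa" * 20) + _word(0),
        operation=OP_DELEGATECALL)
    for w in review_safe_tx(sample, delegatecall_allowlist={"0x" + "11" * 20}):
        print("WARNING:", w)
```

The design point is that the `operation` word is the only field that distinguishes a harmless library call from code that runs with the Safe's own storage, and it is precisely the field a spoofed interface can hide. A signing policy that rejects any DELEGATECALL whose target is not on a short allowlist (in a typical Safe setup, only Safe's own MultiSend library) would have required a signer to consciously approve the replacement of the implementation. `singleton_replaced` is the corresponding monitoring check: alert the moment a custody wallet's slot 0 no longer matches the singleton it was deployed with.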
The inherent risks of centralized exchanges:
As centralized custodians of users' funds, centralized exchanges inherently carry "single point of failure" risk and are natural targets for hackers. Bybit CEO Ben Zhou publicly acknowledged this inherent vulnerability of CEXs as early as 2020.
External environmental factors:
The overall cryptocurrency market rebounded in February 2025, and the rising ETH price may have strengthened the attackers' motive.
Other crypto platforms (such as ZkLend) have also recently been attacked, suggesting that the industry's overall security environment may be deteriorating.
Impact of the incident
Direct impact on Bybit:
Huge loss of funds: The US$1.5 billion stolen represents a large share (about 75%) of Bybit's ETH deposits and is a direct financial loss for the exchange.
User trust crisis and withdrawal wave: A theft of this scale may trigger a crisis of user confidence in the platform's security, leading to concentrated withdrawals that put enormous pressure on the platform's liquidity.
Short-term ETH price fluctuation: After the incident, the ETH price fell by about 3%, reflecting negative market sentiment.
Reputational damage: Although Bybit responded actively and emphasized its solvency, the incident has inevitably had some negative impact on Bybit's reputation.
Impact on the cryptocurrency industry:
Intensified CEX trust crisis: The Bybit incident further intensifies users' concerns about the security of centralized exchanges and may prompt some users to move funds to decentralized exchanges (DEXs) or choose more secure custody solutions.
Regulatory pressure may increase: Historically, large exchange security incidents have drawn the attention and intervention of regulators. The Bybit incident may prompt regulators in various countries to tighten security-audit and compliance requirements for CEXs.
Driving industry security upgrades: The incident may become a turning point for crypto security, prompting exchanges, security firms and the developer community to jointly pursue a comprehensive upgrade of technical security and governance mechanisms, raising the industry's overall security level.
May trigger discussion of an Ethereum fork: Coinbase director Conor Grogan, industry figure Arthur Hayes and others have publicly discussed whether the incident could trigger an Ethereum fork like the one after The DAO incident. Although calls for a fork are a radical position, they reflect the severity of the incident and the extreme options being contemplated within the industry.
Responses from across the industry
Bybit: Bybit CEO Ben Zhou disclosed details promptly after the incident and communicated with users through social media, livestreams and other channels, emphasizing that the platform is solvent and operating normally, in an effort to regain user trust through transparency and active communication. Bybit's official statement says the case has been reported to the relevant authorities and that Bybit is working with security firms on the investigation and on tracing the funds.
Security and audit firms: Blockchain security companies such as SlowMist and Beosin stepped in quickly, analyzed the technical details of the attack, assisted Bybit in tracing the stolen funds, and issued security warnings to the industry.
Centralized exchange (CEX) peers: Bitget, KuCoin, MEXC and Jucoin publicly expressed support for Bybit and provided financial and technical assistance. BitMart pledged to freeze suspicious addresses, and Binance founder Changpeng Zhao said Binance was willing to help if needed. The collective support of leading exchanges shows a united attitude toward industry security risks.
Community and analysts: The cryptocurrency community and industry analysts generally expressed concern about the incident. Some users commended Bybit's transparent communication, but more voiced broader concern about CEX security. Analysts noted that the incident may prompt CEXs to revisit and improve their multisig mechanisms, smart contract security audits and internal security processes.
Summary
The US$1.5 billion theft suffered by Bybit is the largest single loss in the history of the cryptocurrency industry and once again sounds the alarm about the security risks of centralized exchanges. The attackers carefully planned the operation, combining technical weaknesses and social engineering to break through the exchange's multiple lines of defense, causing huge financial losses and a crisis of trust.
Although Bybit faced a sudden security incident, its rapid response and relatively open and transparent handling have helped ease market anxiety. More encouragingly, the assistance from peers and the active support of security firms demonstrate the crypto community's spirit of solidarity. While the incident is a reminder of the risks in the industry, it also shows the growing maturity and resilience of the crypto sector.
In the future, the cryptocurrency industry may see a comprehensive upgrade of its security practices because of this incident. Centralized exchanges need to keep investing in technical security and raise their level of protection around multisig wallets, smart contracts, internal risk control and related areas. Regulators may also tighten compliance supervision of CEXs to promote healthier and more orderly development of the industry. For users, the incident is another reminder that asset security is the primary consideration when participating in the cryptocurrency market; spreading risk sensibly and choosing more secure custody solutions are becoming increasingly important.
Latest progress (as of February 22, 2025 09:55 HKT)
Bybit has worked with Web3 audit firm Hacken to issue a proof of reserves demonstrating the platform's solvency.
Bybit CEO: USDT will be transferred from cold wallets to hot wallets.
Bybit CEO: bridge loans from partners cover nearly 80% of the stolen ETH.
Bitget has lent Bybit 40,000 ETH, and MEXC's hot wallet has transferred 12,652 stETH to Bybit to relieve liquidity pressure.
KuCoin is assisting Bybit in monitoring fund flows and freezing suspicious assets.
Safe has officially suspended wallet functionality for a comprehensive security check.
Binance founder Changpeng Zhao clarified that Binance has not provided loans to Bybit; the related fund transfers may have been the personal action of a whale.
On-chain investigator ZachXBT has confirmed Lazarus Group as the mastermind of the attack.
The Bybit hacker attempted to unstake cmETH, and the transaction was rejected by the contract.
Bybit's CEO said all withdrawals have been processed and a full incident report will be released.