Author: Slow Fog Technology

On the evening of February 21, 2025, Beijing time, according to the link detective ZachXBT, a large-scale capital outflow occurred on the Bybit platform The situation. The incident led to theft of more than $1.46 billion, becoming the largest cryptocurrency theft in recent years.

After the incident, the Slow Fog Security Team immediately issued a security reminder. And track and analyze the stolen assets:

According to the analysis of the Slow Fog Security Team, The stolen assets mainly include:

401,347 ETH (valued at approximately US$1.068 billion)

8,000 mETH (valued approximately 2,600 10,000 US dollars)

90,375.5479 stETH (valued at approximately US$260 million)

15,000 cmETH (valued at approximately US$43 million)

We use on-chain tracking and anti-money laundering tool MistTrack to the initial hacker address 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2 was analyzed and the following information was obtained:

ETH is diverted and transferred. The initial hacker address disperses 400,000 ETH to 40 addresses in the format of 10,000 ETH, and is continuing. Transfer.

In which, 205 ETH is replaced by Chainflip to BTC and cross-chain to address bc1qlu4a33zjspefa3tnq566xszcr0fvwz05ewhqfq.

cmETH flow direction: 15,000 cmETH is transferred to address 0x1542368a03ad1f03d96D51B414f4738961Cf4443. It is worth noting that mETH Protocol posted on X that in response to the Bybit security incident, the team suspended cmETH withdrawals in time, preventing unauthorized withdrawals. mETH Protocol successfully recycled 15,000 cmETH from the hacker address.

mETH and stETH transfers: 8,000 mETH and 90,375.5479 stETH are transferred to address 0xA4B2Fd68593B6F34E51cB9eDB66E71c1B4Ab449e, then After redeeming to 98,048 ETH through Uniswap and ParaSwap, it is transferred to 0xdd90071d52f20e85c89802e5dc1ec0a7b6475f92, address 0xdd9 at every 10,000 ETH The format of the ETH spreads to 9 addresses and has not been transferred out yet.

In addition, the address of the initial attack by the hacker launched in the attack method analysis section 0x0fa09C3A328792253f8dee7116848723b72a6d2e Tracing the source, it was found that the initial fund for the address came from Binance.

The current initial hacking address is 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2 Balance 1,346 ETH, we will continue to monitor the relevant addresses.

After the event, Slow Fog immediately obtains Safe multi-signature through the attacker Techniques and coin washing techniques speculate that the attacker is North KoreaHacker:

Possible social engineering attack methods:

Using MistTrack analysis, we also found that the hacker address of this event was associated with the BingX Hacker and Phemex Hacker addresses:

ZachXBT It also confirms that the attack is related to the North Korean hacker group Lazarus Group, which has been one of its main activities to carry out transnational cyber attacks and theft of cryptocurrencies. It is understood that the evidence provided by ZachXBT, including test transactions, associated wallets, evidence forensic charts and time analysis, shows that the attacker used common technical means of Lazarus Group in multiple operations. At the same time, Arkham said that all relevant data has been shared with Bybit to help the platform conduct further investigations.

At 23:44 that night after the incident, Bybit CEO Ben Zhou was X issued a statement explaining the technical details of the attack in detail:

By the chain Signature analysis, we found some traces:

1. The attacker deploys a malicious contract :UTC 2025-02-19 07:15:23, deploy malicious implementation contract 0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516.

2. Tamper with the logic of Safe contract: UTC 2025-02-21 14:13:35, sign the transaction through three Owners, and replace the Safe contract with a malicious version: 0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882. This introduces the address 0x0fa09C3A328792253f8dee7116848723b72a6d2e, which initiates the initial attack on the hacker.

3. Embed malicious logic: Write malicious logic contracts to STORAGE 0 via DELEGATECALL Storage: 0x96221423681A6d52E184D440a8eFCEbB105C7242.

4 . Calling the backdoor function to transfer funds: The attacker uses the sweepETH and sweepERC20 functions in the contract to transfer all 400,000 ETH and stETH in the cold wallet (total value of approximately US$1.5 billion) to an unknown address.

From the attack method, the hacked incident of WazirX and the hacked incident of Radiant Capital are similar to this attack. The targets of these three incidents All Safe signs more wallets. For the hacked incident of WazirX, the attacker also deployed a malicious implementation contract in advance, signed the transaction through three Owners, and wrote the malicious logical contract to STORAGE 0 storage through DELEGATECALL to replace the Safe contract as a malicious implementation contract.

( https://etherscan.io/tx/0x48164d3adbab78c2cb9876f6e17f88e321097fcd14cadd57556866e4ef3e185d)

For the hacked incident of Radiant Capital, according to official disclosure, the attacker used a complex approach, Let the signature verifier see seemingly legitimate transactions on the front end, which is in line with Ben Zhou The information disclosed in the tweet is similar.

(https://medium.com/@RadiantCapital/radiant-post-mortem-fecd6cd38081)

And these three times The permission checking methods for malicious contracts involved in the event are the same, and the owner address is hardcoded in the contract to check the contract caller. Among them, the Bybit hacked event is similar to the error message thrown by the permission check of WazirX hacked event.

In this event, there was no problem with the Safe contract, and the problem was in the non-contract part. The front end is tampered with forgery to achieve the effect of deception. This is not an isolated case. North Korean hackers attacked several platforms in this way last year, such as: WazirX lost $230M, which was a multiple sign for Safe; Radiant Capital lost $50M, which was a multiple sign for Safe; DMM Bitcoin lost $305M, which was a multiple sign for Gonco. This attack method is engineered and mature, so more attention is needed.

According to the official announcement released by Bybit:

(https://announcements.bybit.com/zh-MY/article/incident-update---eth-cold-wallet-incident-blt292c0454d26e9140)

In conjunction with Ben Zhou's tweet:

The following questions arise:

1. Routine ETH transfer

The attacker may have obtained the operation information of Bybit's internal financial team in advance and mastered the time point for transferring ETH multiple signs cold wallets?

InduceSigner signs malicious transactions on the forged interface? Was Safe's front-end system broken and taken over?

2. Safe contract UI has been tampered with

Signer What you see on the Safe interface is the correct address and URL, but the actual signed transaction data has been tampered with?

The key question is: Who initiated the signature request first? How safe is its equipment?

We have these questions in mind and look forward to the official disclosure of more investigation results as soon as possible.

Bybit quickly issued an announcement after the incident, promising that all customer assets will be paid 1:1, and the platform can bear the loss. User withdrawals will not be affected.

At 10:51 on February 22, 2025, Bybit CEO Ben Zhou posted X that it is normal to withdraw money:

This theft once again highlights the severe security challenges facing the cryptocurrency industry. With the rapid development of the crypto industry, hacker organizations, especially hackers of the Lazarus Group, are continuing to upgrade their attack methods. This incident sounded the alarm for cryptocurrency exchanges. The platform needs to further strengthen security protection and adopt more advanced defense mechanisms, such as multi-factor authentication, crypto wallet management, asset monitoring and risk assessment, to ensure the security of user assets. For individual users, it is also crucial to improve security awareness. It is recommended to prioritize safer storage methods such as hardware wallets to avoid storing large amounts of funds on exchanges for a long time. In this evolving field, only by continuously upgrading the technical defense line can we ensure the security of digital assets and promote the healthy development of the industry.