Source: Bitrace

On February 21, 2025, cryptocurrency exchange Bybit encountered a large-scale security breach, resulting in a date in its Ethereum cold wallet $1.5 billion in assets were stolen. This incident is considered the largest single theft in cryptocurrency history, surpassing previous records such as Poly Network ($611 million in 2021) and Ronin Network ($620 million in 2022), causing an impact on the industry the effect of sexuality.

This article aims to introduce hacker incidents and their fund cleaning methods, and warns that there will be a wave of large-scale freezing against OTC groups and Crypto payment companies in the next few months.

According to Bybit Ben Zhou's description and Bitrace's preliminary investigation, theft process is as follows:

Attack preparation: Hackers before the incident A malicious smart contract was deployed for at least three days (i.e. February 19) (address: 0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516), laying the groundwork for subsequent attacks.

Invade the multi-signature system: Bybit's Ethereum cold wallet adopts a multi-signature mechanism, which usually requires multiple authorized parties to sign to execute transactions. Hackers have invaded computers that manage multi-signing wallets through unknown means, possibly through disguised interfaces or malware.

Disguised Transactions: On February 21, Bybit plans to transfer ETH from cold wallets to hot wallets to meet daily trading needs. The hackers took advantage of this opportunity to disguise the transaction interface as normal operations, inducing the signer to confirm a seemingly legitimate transaction. However, what the signature actually executes is an instruction to change the logic of the cold wallet smart contract.

Fund transfer: After the instruction came into effect, the hacker quickly controlled the cold wallet and transferred the ETH and ETH pledge certificates worth about $1.5 billion at that time to an unknown address ( Preliminary tracking address: 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2). Subsequently, funds are spread to multiple wallets and the money laundering process begins.

The cleaning of funds can be roughly divided into two stages:

The first stage is the early stage of fund splitting, and the attacker quickly exchanged the ETH pledge certificate tokens for ETH tokens, rather than the stablecoin that exists the possibility of freezing, then the ETH is strictly split and transferred to the subordinate address, ready to be cleaned.

It was at this stage that the attacker's attempt to exchange 15,000 mETH for ETH was stopped, and the industry then recovered this part.loss.

The second stage is fund cleaning. The attacker will transfer the ETH that has been acquired through centralized or decentralized industry infrastructures, including Chainflip, Thorchain, Uniswap, eXch, etc. Some agreements are used for capital redemption, while some agreements are used for cross-chain transfer of funds.

As of now, a large number of stolen funds have been exchanged for layer1 tokens such as BTC, DOGE, SOL and other layer1 tokens for transfer, and even issued memecoin or transferred funds to the exchange address for funds to be confused.

Bitrace is monitoring and tracking the addresses related to stolen funds. This part of the threat information will be pushed simultaneously in BitracePro and Detrust to prevent users from accidentally collecting stolen funds.

Analysis of 0x457 in the capital link found that the address was related to the BingX exchange stolen incident in October 2024 and the Phemex exchange stolen incident in January 2025, indicating that The mastermind behind these three attacks is the same entity.

Combined with its highly industrialized fund cleaning techniques and attack methods, some blockchain security practitioners blamed the incident as notorious Lazarus, a hacker group, has launched multiple cyber attacks on institutions or infrastructure in the Crypto industry over the past few years and illegally seized billions of dollars in cryptocurrencies.

Bitrace has found that in the past few years, in addition to using unlicensed industry infrastructure to clean up funds, the organization also uses a large number of centralized platforms for dumping, which directly leads to a large number of intentional Or the exchange user accounts that were not intentionally collected stolen money were risk-controlled, and the business addresses of OTC merchants and payment institutions were frozen by TEDA.

In 2024, the Japanese cryptocurrency exchange DMM was attacked by Lazarus, and Bitcoin worth up to $600 million was illegally transferred. Among them, the attacker bridged the funds to HuionePay, a cryptocurrency payment agency in Southeast Asia, resulting in the latter's hot wallet address being frozen by TEDA, with a value of more than 29 million US dollars locked and unable to be transferred;

In 2023, Poloniex was attacked, The attacker is suspected to be the Lazarus Group, and funds worth more than US$100 million were illegally transferred. Some of the funds are cleaned through over-the-counter trading, resulting in the business addresses of a large number of OTC vendors being frozen, or the exchange accounts used to store business funds being risk-controlled, which has a huge impact on business activities.

FrequentHacker attacks have caused huge losses to our industry, and subsequent fund cleaning activities have also polluted more personal and institutional addresses. For these innocent people and potential victims, these threats should be paid more attention to in business activities. Funds to prevent themselves from being affected.

This also sounded the alarm for us, and it was time to pay attention to Crypto Anti-Money Laundering Awareness and KYT Program.