Previously, Beosin conducted a complete link analysis of the Bybit incident; now the hackers are "cleaning" the stolen funds. At the same time, Bybit has obtained approximately 446,869 ETH (worth about US$1.23 billion) through loans, large deposits, ETH purchases and other channels, and is now close to covering the shortfall caused by the hack. The Beosin team is also analyzing progress in sync with the Bybit team.
Overview of the Bybit hack
Bybit is a leading global cryptocurrency derivatives exchange, founded in 2018 and headquartered in Singapore, with an operations center in Dubai, UAE; it also holds VASP licenses in Cyprus, Kazakhstan, Georgia and other jurisdictions. The exchange focuses on services such as perpetual contracts, option contracts and spot trading in cryptocurrencies, and is committed to building a safe, efficient and transparent digital asset trading platform for its users.
At 22:56 on February 21 (Beijing time), the cryptocurrency trading platform Bybit was hacked on an enormous scale: assets worth approximately US$1.44 billion, more than 400,000 ETH and stETH in total, were transferred to unknown addresses.
According to the analysis of Beosin security team, the stolen assets mainly include:
401,347 ETH (valued at approximately US$1.12 billion)
8,000 mETH (valued at approximately US$23 million)
90,375.5479 stETH (valued at approximately US$250 million)
15,000 cmETH (valued at approximately US$44 million)
Complete review of the incident
Combining the information released by Bybit, the hacker compromised the computer of an internal Bybit employee by some means. By tampering with the content displayed in the front-end UI, the hacker led the signer to believe the Safe URL was correct while the signer was actually signing a carefully constructed malicious transaction. That transaction essentially replaced the wallet contract's logic implementation, allowing the hacker to take over the wallet completely. Because the hacker controlled the employee's computer, they could obtain the final transaction signature and submit the transaction to the chain. Once the transaction was packaged and broadcast, the hacker had full control of the wallet and then transferred all of its assets out.
Technical details and timeline of the attack process
1. Attack timeline reconstruction
Before February 21, 2025:
The hacker organization Lazarus Group may have already used Trojans or other means to lurk in the devices of Bybit team members, preparing for the subsequent attack.
February 21, 2025:
The hacker tampered with the front-end interface of the Safe multi-signature wallet used by the Bybit team, induced the signing personnel to sign a malicious transaction, and replaced the ETH cold wallet's smart contract logic with a malicious contract under the hacker's control, thereby gaining complete control of the wallet.
At 2025-02-21 14:16:11 UTC, ETH and stETH worth more than US$1.46 billion were transferred from Bybit exchange hot wallets to the hacker address 0x47666fab8bd0ac7003bce3f5c3585383f09486e2, making this the largest theft in cryptocurrency history.
At 2025-02-21 14:44:00 UTC, Bybit co-founder Ben Zhou promptly confirmed the incident, stating that Bybit's official cold wallet had been hacked and that the related security issues were being handled urgently.
We conducted in-depth tracking and analysis of the stolen funds from the Bybit exchange hack. The analysis found that part of the stolen funds was deposited into 0x36ed3c0213565530c35115d93a80f9c04d94e4cb.
At 06:28:23 UTC on February 22, 2025, 5,000 ETH was transferred to the splitting address 0x4571bd67d14280e40bf3910bd39fbf60834f900a. The funds were then split, at a rate of once every few minutes, into amounts ranging from dozens to hundreds of ETH and transferred onward to multiple addresses. Notably, after several hops, some funds were bridged through Chainflip to the BTC chain address bc1qlu4a33zjspefa3tnq566xszcr0fvwz05ewhqfq, showing that the hacker attempted to further conceal the flow of funds through cross-chain and similar operations.
In addition, on the path along which the Bybit hacker laundered the stolen funds, we found addresses that also appear on the laundering paths of the BingX and Phemex hackers. We suspect these attacks were carried out by the same group, or at least used the same laundering method. The overlapping addresses are:
0x33d057af74779925c4b2e720a820387cb89f8f65
0xd555789b146256253cd4540da28dcff6e44f6e50.
This key finding further corroborates our earlier inference, based on the similarity of the attack pattern to the WazirX incident, that the Bybit exchange hack is very likely related to Lazarus Group.
February 23, 2025:
The Bybit hacker's laundering pattern stabilized, mainly using Thorchain to move assets to the BTC chain and using OKX DEX to swap into DAI before moving the funds onward.
2. Analysis of attack techniques
a. Exploitation methods (phishing and social engineering, front-end UI tampering, malicious contract deployment)
Phishing and social engineering
The attacker compromised the computer of an internal Bybit employee through phishing (such as forged emails or malicious links) and obtained operational permissions. Using social engineering, the attacker may have posed as an insider or partner to induce the employee to click a malicious link or download malware that implanted a backdoor.
Front-end UI tampering
The attacker tampered with the front-end interface of the Safe multi-signature wallet, forging a seemingly normal transaction prompt page and inducing the signer to sign a malicious transaction. Although the signer confirmed that the Safe URL was correct, the transaction content actually signed had been tampered with, and the malicious contract logic was implanted as a result.
Malicious contract deployment
The attacker deployed a malicious contract before the attack (address: 0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516) and, via DELEGATECALL, wrote its malicious logic into STORAGE[0x0] of the Safe contract, the slot that determines which implementation the wallet proxy executes. The malicious contract contains backdoor functions (such as sweepETH and sweepERC20) used to transfer the assets out of the cold wallet.
b. How the attacker circumvented the risk control system (forging IP addresses or pages, simulating normal user signing behavior, etc.)
Forged pages and transaction prompts
The attacker forged a seemingly legitimate Safe multi-signature wallet interface and transaction prompt page, leading the signing staff to believe the transaction content was normal. The transaction content the signers saw on the hardware wallet did not match the transaction actually executed, resulting in "blind signing".
Simulate normal user behavior
After compromising the employee's device, the attacker mimicked normal user operations (such as login and signing) to avoid triggering the risk control system's anomaly detection, and hid their true origin by forging IP addresses or routing through proxy servers.
Utilize the limitations of hardware wallets
Hardware wallets lack the parsing capability to handle complex transactions, so the detailed transaction data of a Safe multi-signature wallet cannot be fully displayed and the signer cannot verify the authenticity of the transaction content. The attacker exploited this limitation and induced the signing personnel to "blind sign" by forging the transaction content.
Trust vulnerability to bypass the multi-signature mechanism
Although Bybit adopts a multi-signature mechanism, the multiple signing parties rely on the same infrastructure and verification process. Once one link is broken, the entire security system is broken: an attacker only needs to compromise one signer's device to forge transactions and obtain sufficient signing authority.
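The attack above hinged on signers approving a Safe execTransaction whose real parameters (a DELEGATECALL to an unknown contract) were hidden by the tampered UI and truncated by the hardware wallet display. The following is an added example, not Beosin's or Safe's code, of the independent check a signer can run before approving: decode the raw execTransaction calldata with a hand-written ABI decoder and apply a policy that rejects DELEGATECALL operations, non-allowlisted targets and non-default gas settings. It assumes the standard Safe execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes) signature (selector 0x6a761202); the token address and the transfer in the sample are constructed, and the malicious target is the contract address quoted in the write-up.

```python
"""Decode a Safe execTransaction call and apply a signer-side policy.

Added example, not Beosin's or Safe's code. Assumes the standard Safe
execTransaction ABI (selector 0x6a761202). Sample calldata is constructed.
"""

EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")
OP_CALL, OP_DELEGATECALL = 0, 1
ZERO = "0x" + "00" * 20
ERC20_TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")


def _word(value: int) -> bytes:
    return value.to_bytes(32, "big")


def _addr_word(addr: str) -> bytes:
    # an address is left-padded with 12 zero bytes to fill one 32-byte word
    return bytes(12) + bytes.fromhex(addr[2:])


def _bytes_tail(b: bytes) -> bytes:
    # dynamic `bytes`: 32-byte length followed by the data padded to 32 bytes
    return _word(len(b)) + b + bytes((-len(b)) % 32)


def encode_exec_transaction(to: str, value: int, data: bytes, operation: int,
                            signatures: bytes = b"") -> bytes:
    """ABI-encode execTransaction with gas parameters zeroed (as a Safe UI would)."""
    data_off = 10 * 32                       # ten head words precede the tails
    sig_off = data_off + len(_bytes_tail(data))
    head = (_addr_word(to) + _word(value) + _word(data_off) + _word(operation)
            + _word(0) + _word(0) + _word(0)          # safeTxGas, baseGas, gasPrice
            + _addr_word(ZERO) + _addr_word(ZERO)     # gasToken, refundReceiver
            + _word(sig_off))
    return EXEC_TRANSACTION_SELECTOR + head + _bytes_tail(data) + _bytes_tail(signatures)


def decode_exec_transaction(calldata: bytes) -> dict:
    """Decode the ten execTransaction parameters from raw calldata."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction call")
    body = calldata[4:]

    def word(i: int) -> int:
        return int.from_bytes(body[i * 32:(i + 1) * 32], "big")

    def addr(i: int) -> str:
        return "0x" + body[i * 32 + 12:(i + 1) * 32].hex()

    def dyn(offset: int) -> bytes:
        length = int.from_bytes(body[offset:offset + 32], "big")
        return body[offset + 32:offset + 32 + length]

    return {
        "to": addr(0), "value": word(1), "data": dyn(word(2)), "operation": word(3),
        "safeTxGas": word(4), "baseGas": word(5), "gasPrice": word(6),
        "gasToken": addr(7), "refundReceiver": addr(8), "signatures": dyn(word(9)),
    }


def review_safe_transaction(calldata: bytes, allowed_targets: set) -> list:
    """Return policy findings; an empty list means the call looks like a plain, expected CALL."""
    tx = decode_exec_transaction(calldata)
    findings = []
    if tx["operation"] == OP_DELEGATECALL:
        findings.append("DELEGATECALL: target code runs in the Safe's own storage context "
                        "and can overwrite the implementation slot (STORAGE[0x0])")
    if tx["to"].lower() not in {a.lower() for a in allowed_targets}:
        findings.append(f"target {tx['to']} is not on the approved list")
    if tx["gasToken"] != ZERO or tx["refundReceiver"] != ZERO:
        findings.append("non-default gasToken/refundReceiver (possible fee drain)")
    return findings


# --- constructed sample inputs -------------------------------------------------
TOKEN = "0x" + "11" * 20                      # placeholder ERC20 contract (constructed)
RECIPIENT = "0x" + "22" * 20                  # placeholder recipient (constructed)
MALICIOUS_LOGIC = "0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516"  # address from the write-up

# a routine treasury operation: CALL token.transfer(recipient, 1000)
BENIGN = encode_exec_transaction(
    TOKEN, 0, ERC20_TRANSFER_SELECTOR + _addr_word(RECIPIENT) + _word(1000), OP_CALL)
# the pattern described above: DELEGATECALL into an unknown contract (payload is arbitrary here)
SUSPICIOUS = encode_exec_transaction(MALICIOUS_LOGIC, 0, bytes.fromhex("deadbeef"), OP_DELEGATECALL)

if __name__ == "__main__":
    for name, calldata in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, review_safe_transaction(calldata, {TOKEN}) or ["ok"])
```

The decoder deliberately avoids any wallet UI: it takes the exact bytes that will be signed, so a tampered front end cannot influence what it reports. A signer process that runs this on a separate, clean machine and halts on any finding addresses the "blind signing" problem the write-up describes.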
Laundering path of the stolen funds and breakthroughs at key nodes
1. Breakdown of money laundering methods
a. Cross-chain bridge conversion: moving assets through Chainflip, ChangeNow, Thorchain, LiFi, DLN, etc.
Lazarus Group is adept at using a variety of cross-chain bridges to evade on-chain tracking. Besides Chainflip, the group has widely used tools such as Avalanche Bridge, BitTorrent Bridge, Thorchain, Threshold and Swft to move funds in previous attacks. For example, Avalanche Bridge appears in the Atomic Wallet theft, the Alphapo incident, the Stake.com incident, the DMM Bitcoin incident, the Harmony cross-chain bridge attack and the Coinspaid incident.
b. Use of coin-mixing platforms: the eXch mixing exchange
Lazarus Group has used platforms such as Tornado Cash, Sinbad and Railgun to obfuscate and clean funds. Tornado Cash was sanctioned by the U.S. Treasury's Office of Foreign Assets Control (OFAC) in 2022 for being used to assist Lazarus Group's money laundering, after which the group stopped using this mixer. However, since March 2024, Lazarus Group has once again used Tornado Cash for large-scale fund cleaning. It is worth mentioning that we are fully prepared for this in the Bybit incident: as soon as the relevant funds enter the Tornado Cash mixer, Beosin will immediately begin fund penetration analysis. The special working group is equipped with the latest version of the Tornado Cash penetration algorithm and includes several professional analysts who have successfully completed fund penetration in similar cases, ensuring that the flow of funds can be tracked efficiently and providing strong support for follow-up actions.
Sinbad was designated by OFAC as a primary money laundering tool of Lazarus Group, notably in the CoinEx theft, where large amounts of stolen assets were sent to Sinbad for mixing.
Railgun is also an important channel for Lazarus Group's fund cleaning. In early 2023, the FBI reported that Lazarus Group had cleaned more than US$60 million in illicit funds through Railgun.
c. OTC money laundering
After stealing crypto assets, Lazarus Group usually follows a chained laundering process of cross-chain transfers, mixer cleaning and OTC cash-out. The group first shuffles the stolen funds repeatedly across multiple cross-chain bridges, obscures their origin through a mixer, withdraws them to a specific cluster of addresses, and finally converts the crypto assets into fiat currency through off-exchange OTC trades.
Statistics show that exchanges such as Paxful, Noones, MEXC, KuCoin, ChangeNOW, FixedFloat and LetsExchange have received Lazarus Group-related funds. Beyond on-chain laundering, the group also frequently uses over-the-counter trades to evade supervision. Earlier reports show that since 2022 the OTC trader Yicong Wang has provided long-running fund cleaning services to Lazarus Group, helping it convert tens of millions of dollars' worth of stolen crypto assets into cash through bank transfers. Lazarus Group shows a highly systematic operating model during fund cleaning, and this multi-layered, decentralized laundering method further increases the difficulty of tracking the funds.
How crypto asset platforms can defend in advance, respond during an incident and track afterwards
1. Pre-incident defense
a. Strengthen the security of internal multi-signature processes, using dedicated networks and devices for signature review and operation, so that a compromised device cannot become the hacker's foothold into the intranet;
b. When reviewing content to be signed, the signing personnel should explicitly compare the signature request shown in the workflow with the content displayed in the wallet; if any discrepancy is found, the signing process should be stopped immediately and emergency response initiated;
c. A risk control system can also monitor the fund movements of hot and cold wallets in real time and raise timely alerts on abnormal behavior;
d. When multi-signature wallet signature data is submitted on-chain, submission can be restricted to a few fixed addresses, keeping both transaction submission and signing authority inside the enterprise.
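Item c above (real-time monitoring of wallet fund movements), the AML address-labelling step described in the post-incident section, and the fan-out splitting pattern observed on 2025-02-22 all reduce to simple rules over a stream of transfer records. The following is an added example, not Beosin's tooling, of such a monitor: it raises alerts for transfers that touch labelled addresses, for large outflows from watched wallets, and for addresses that split an inflow into many outgoing transfers within a short window. The two labelled addresses are the hacker and splitting addresses quoted in the write-up; the cold wallet address, the child addresses and the transfer records themselves are constructed.

```python
"""Transfer-stream monitor: labelled-address alerts, large-outflow alerts and
fan-out (splitting) detection. Added example, not Beosin's tooling. The labelled
addresses come from the write-up; every transfer record below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    sender: str
    receiver: str
    asset: str
    amount: float


HACKER = "0x47666fab8bd0ac7003bce3f5c3585383f09486e2"    # from the write-up
SPLITTER = "0x4571bd67d14280e40bf3910bd39fbf60834f900a"  # from the write-up
COLD_WALLET = "0x" + "c0" * 20                            # constructed placeholder
LABELS = {HACKER: "Bybit hacker", SPLITTER: "Bybit hacker split address"}


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# constructed transfer log mirroring the pattern described in the timeline
SAMPLE = [
    Transfer(_t("2025-02-21T14:16:11"), COLD_WALLET, HACKER, "ETH", 401347.0),
    Transfer(_t("2025-02-22T06:28:23"), HACKER, SPLITTER, "ETH", 5000.0),
] + [
    # the split address fans 5,000 ETH out to fresh addresses every three minutes
    Transfer(_t("2025-02-22T06:30:00") + timedelta(minutes=3 * i), SPLITTER,
             f"0x{i + 1:040x}", "ETH", amt)
    for i, amt in enumerate([250.0, 180.0, 320.0, 75.0, 410.0, 95.0])
]


def labelled_address_alerts(transfers, labels=LABELS):
    """One alert per transfer side that touches a labelled (e.g. hacker) address."""
    alerts = []
    for tr in transfers:
        for side, addr in (("from", tr.sender), ("to", tr.receiver)):
            label = labels.get(addr.lower())
            if label:
                alerts.append(f"{tr.ts.isoformat()} {tr.amount} {tr.asset} {side} {label} ({addr})")
    return alerts


def large_outflow_alerts(transfers, watched_wallets, threshold):
    """Transfers out of a watched (cold/hot) wallet at or above the threshold amount."""
    watched = {w.lower() for w in watched_wallets}
    return [tr for tr in transfers if tr.sender.lower() in watched and tr.amount >= threshold]


def fan_out_sources(transfers, min_children=5, window=timedelta(minutes=30)):
    """Map sender -> distinct receivers for senders that pay out to at least
    `min_children` distinct addresses inside any sliding window of `window`."""
    by_sender = defaultdict(list)
    for tr in transfers:
        by_sender[tr.sender.lower()].append(tr)
    hits = {}
    for sender, outs in by_sender.items():
        outs.sort(key=lambda x: x.ts)
        for i in range(len(outs)):
            j = i
            while j < len(outs) and outs[j].ts - outs[i].ts <= window:
                j += 1
            children = {o.receiver for o in outs[i:j]}
            if len(children) >= min_children:
                hits[sender] = len(children)
                break
    return hits


if __name__ == "__main__":
    for line in labelled_address_alerts(SAMPLE):
        print("LABEL ", line)
    for tr in large_outflow_alerts(SAMPLE, {COLD_WALLET}, 10_000):
        print("OUTFLOW", tr.ts.isoformat(), tr.amount, tr.asset, "->", tr.receiver)
    print("FAN-OUT", fan_out_sources(SAMPLE))
```

In practice the labelled-address rule is the one a VASP can act on directly (hold the deposit, escalate), the outflow rule is what would have fired at 14:16:11 UTC on the cold wallet itself, and the fan-out rule is a tracing heuristic for finding the next hop once a split address is identified; the thresholds here are illustrative and would be tuned per wallet.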
2. Emergency response during an incident
a. Threat intelligence sharing: rapid early warning through the Beosin security intelligence network.
b. Emergency response mechanism: once an abnormal transaction is found, launch the emergency response immediately, assess at once whether customer wallet deposits and withdrawals need to be suspended, keep the community informed, and draw on the whole security community to obstruct the movement of stolen funds;
c. Attack tracing analysis: combine on-chain data with off-chain logs to trace the source of the attack and the destination of the funds.
d. Fund-freezing assistance: coordinate with financial and law enforcement agencies to freeze the stolen funds.
3. Post-incident tracking and review
a. Fund flow graph: use Beosin Trace tools to visualize money laundering paths.
b. Anti-money-laundering (AML) labelling: Beosin quickly marked all hacker-related wallet addresses as hacker addresses and raised alerts on every transfer involving them, blocking the hacker's path to laundering through Beosin's customer platforms.
c. Judicial evidence support: provide on-chain evidence chains that meet legal standards.
Lessons from this incident and directions for industry improvement:
The Bybit incident exposed gaps in the cryptocurrency industry's fund security management and sounded the alarm for the whole industry. It offers the following important lessons:
Improve the security of the multi-signature process
Multi-signature management of funds is common practice in the industry, but its security still needs to be strengthened. In this incident, the hacker achieved signature spoofing and tampered with the signed data by breaking into the internal Safe signing workflow. The security of the signing system is therefore the top priority, and similar attacks must be prevented through technical upgrades and strict permission management.
Strengthen the audit and monitoring of the signature process
During the signing process, the operator needs to review the signed content carefully; for example, when signing from a cold wallet, the content should be compared against what the front end displays so that potential anomalies are found. It is also recommended to simulate the signed data and confirm that the execution result matches expectations before broadcasting the transaction. Although in this incident the hackers obtained the signed content directly and broadcast the transaction themselves, this step can still effectively prevent other types of attack.
Establish an industry alliance to jointly respond to security threats
Establish a VASP (virtual asset service provider) industry alliance whose members share the latest major incident information and security threat intelligence, pooling industry resources to respond jointly to hacker attacks and money laundering. Such a collaborative mechanism can raise the defensive capability of the entire industry.
Strengthen compliance construction and prevent the risks of money laundering
Decentralized protocols and VASP platforms need to further strengthen compliance so that they are not used by hackers for money laundering. Once a platform is marked as a high-risk entity by compliance authorities, the deposits and withdrawals of normal users are seriously affected. Exchanges and decentralized platforms should therefore improve their anti-money-laundering (AML) and know-your-customer (KYC) mechanisms to ensure compliant operation.
Continuously optimize safety and compliance mechanisms
Security and compliance are a dynamic process that must be continuously optimized in light of the latest threats and technological developments. Industry practitioners should remain vigilant, regularly review and upgrade their security measures, and actively participate in formulating and improving industry standards.
The Bybit incident is not only an exposure of security vulnerabilities but also a test of the security and compliance system of the entire industry. Only through technological upgrades, process optimization, industry collaboration and compliance building can we effectively respond to increasingly complex cybersecurity threats, ensure the security of user assets, and promote the healthy development of the industry.