Background
On the evening of February 21, 2025 (Beijing time), on-chain investigator ZachXBT reported a large-scale outflow of funds from the Bybit platform. The incident led to the theft of more than 1.46 billion US dollars, making it the largest cryptocurrency theft in recent years.
Chain tracking analysis
After the incident, the SlowMist security team immediately issued a security alert and began tracking the stolen assets:
According to the SlowMist security team's analysis, the stolen assets mainly consist of:
· 401,347 ETH (worth approximately $1.068 billion)
· 8,000 mETH (worth approximately $26 million)
· 90,375.5479 stETH (worth approximately $260 million)
· 15,000 cmETH (worth approximately $43 million)
Using MistTrack, our on-chain tracking and anti-money-laundering tool, we analyzed the initial hacker address 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2 and found the following:
The ETH has been dispersed: the initial hacker address split 400,000 ETH across 40 addresses at 1,000 ETH each, and the transfers are continuing.
Of these funds, 205 ETH was swapped to BTC via Chainflip and bridged to the address bc1qlu4a33zjspefa3tnq566xszcr0fvwz05ewhqfq.
cmETH flow: 15,000 cmETH was transferred to 0x1542368a03ad1f03d96D51B414f4738961Cf4443. Notably, mETH Protocol posted on X that, in response to the Bybit incident, the team suspended cmETH withdrawals in time to block unauthorized withdrawals, and that it successfully recovered the 15,000 cmETH from the hacker address.
mETH and stETH flow: 8,000 mETH and 90,375.5479 stETH were transferred to 0xA4B2Fd68593B6F34E51cB9eDB66E71c1B4Ab449e, converted to 98,048 ETH via Uniswap and ParaSwap, and then moved to 0xdd90071d52f20e85c89802e5dc1ec0a7b6475f92. Address 0xdd9 distributed the ETH to 9 addresses at 1,000 ETH each; those funds have not moved further yet.
In addition, tracing the address 0x0fa09C3A328792253f8dee7116848723b72a6d2e that launched the initial attack (discussed in the attack-technique analysis below) back to its source shows that its initial funding came from Binance.
At present, the initial hacker address 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2 holds a balance of 1,346 ETH. We will continue to monitor the relevant addresses.
After the incident, based on the way the attacker obtained multiple Safe signatures and laundered the funds, SlowMist quickly assessed that the attacker was a North Korean hacker group:
Possible social engineering attack:
MistTrack analysis also shows that the hacker address in this incident is associated with the BingX Hacker and Phemex Hacker addresses:
ZachXBT also attributed the attack to the North Korean hacker organization Lazarus Group, whose main activities include cross-border cyberattacks and cryptocurrency theft. The evidence provided by ZachXBT, including test transactions, associated wallets, forensic charts and timing analysis, shows that the attackers used techniques common to Lazarus Group across multiple operations. Arkham said that all relevant data had been shared with Bybit to help the platform with its further investigation.
Analysis of attack techniques
In a statement posted on X that night, Bybit CEO Ben Zhou explained the technical details of the attack:
Analysis of the on-chain signatures reveals the following trail:
1. The attacker deployed the malicious contract: at UTC 2025-02-19 07:15:23, the malicious implementation contract 0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516 was deployed.
2. Tampering with the Safe contract logic: at UTC 2025-02-21 14:13:35, a transaction signed by three Owners replaced the Safe contract with the malicious version (transaction 0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882). This transaction involves the address 0x0fa09C3A328792253f8dee7116848723b72a6d2e, from which the attacker launched the initial attack.
3. Embedding the malicious logic: via DELEGATECALL, the address of the malicious logic contract 0x96221423681A6d52E184D440a8eFCEbB105C7242 was written into STORAGE 0, the slot in which the Safe proxy stores its implementation (singleton) address.
4. Calling the backdoor functions to move funds: the attacker used the sweepETH and sweepERC20 functions in the contract to transfer all 400,000 ETH and the stETH (total value about $1.5 billion) from the cold wallet to an unknown address.
In terms of attack technique, the WazirX and Radiant Capital hacks resemble this attack; all three targeted Safe multi-signature wallets. In the WazirX incident, the attacker likewise deployed the malicious implementation contract in advance, had the transaction signed by three Owners, and wrote the malicious logic contract into STORAGE 0 via DELEGATECALL, replacing the Safe contract with the malicious implementation.
(https://etherscan.io/tx/0x48164d3adbab78c2cb9876f6e17f88e321097fcd14cadd57556866e4ef3e185d)
In the Radiant Capital incident, according to the official disclosure, the attacker used a sophisticated method to make the signers see a seemingly legitimate transaction in the front end, similar to what Ben Zhou's tweets disclosed.
(https://medium.com/@RadiantCapital/radiant-post-mortem-fecd6cd38081)
The malicious contracts in all three incidents perform their permission check in the same way: the owner address is hard-coded in the contract and compared against the caller. The error messages thrown by the permission checks in the Bybit and WazirX incidents are also similar.
In this case the problem is not in the Safe contract itself but outside it: the front end was tampered with and forged to deceive the signers. This is not an isolated case. North Korean hackers attacked several platforms this way last year: WazirX (Safe) lost $230 million, Radiant Capital (Safe) lost $50 million, and DMM Bitcoin (Ginco) lost $305 million. This attack method is engineered to maturity and deserves more attention.
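The common thread in steps 2 to 4 above is that the signers approved an execTransaction whose real parameters (a DELEGATECALL into an attacker contract, which then overwrote STORAGE 0) differed from what the tampered front end displayed. The defensive check a signer can run independently of any web UI is to decode the raw calldata on a separate device and refuse anything with operation=1 or an unexpected recipient, and afterwards to verify the proxy's slot 0 against the singleton it should point to. The following is an added example, not SlowMist's or Safe's code. It assumes the standard selectors for execTransaction (0x6a761202) and ERC-20 transfer (0xa9059cbb), uses a hypothetical hot-wallet recipient, takes the Safe v1.3.0 canonical singleton as the expected value (verify this against the official Safe deployments repository for your own Safe), and feeds in a constructed sample whose shape mirrors the incident: an ERC-20-transfer-looking payload to 0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516 with operation=1, carrying 0x96221423681A6d52E184D440a8eFCEbB105C7242 as the address argument.

```python
"""Independent pre-signing review of a Safe execTransaction, plus a slot-0 singleton check.
Added example; not SlowMist or Safe code."""
from dataclasses import dataclass

# Standard selectors: execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,
# address,address,bytes) and ERC-20 transfer(address,uint256).
EXEC_TRANSACTION_SELECTOR = "6a761202"
ERC20_TRANSFER_SELECTOR = "a9059cbb"
OP_CALL, OP_DELEGATECALL = 0, 1

# Assumption: Safe v1.3.0 canonical singleton. Take the value for your Safe from the
# official Safe deployments repository rather than trusting this constant.
EXPECTED_SINGLETON = "0xd9Db270c1B5E3Bd161E8c8503c55cEABeE709552"
HOT_WALLET = "0x1111111111111111111111111111111111111111"  # hypothetical approved recipient


@dataclass
class SafeTx:
    to: str
    value: int
    data: bytes
    operation: int


def _word(buf: bytes, i: int) -> int:
    return int.from_bytes(buf[32 * i:32 * (i + 1)], "big")


def _addr(buf: bytes, i: int) -> str:
    return "0x" + buf[32 * i + 12:32 * (i + 1)].hex()


def _dyn_bytes(buf: bytes, offset: int) -> bytes:
    length = int.from_bytes(buf[offset:offset + 32], "big")
    return buf[offset + 32:offset + 32 + length]


def decode_exec_transaction(calldata_hex: str) -> SafeTx:
    """ABI-decode the four fields a signer must verify; dynamic offsets are relative to the args."""
    raw = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if raw[:4].hex() != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not a Safe execTransaction call")
    args = raw[4:]
    return SafeTx(to=_addr(args, 0), value=_word(args, 1),
                  data=_dyn_bytes(args, _word(args, 2)), operation=_word(args, 3))


def encode_exec_transaction(tx: SafeTx, signatures: bytes = b"") -> str:
    """Build execTransaction calldata with gas parameters zeroed (for tests and simulation)."""
    w = lambda n: n.to_bytes(32, "big")
    a = lambda s: bytes(12) + bytes.fromhex(s.removeprefix("0x"))
    dyn = lambda b: w(len(b)) + b + bytes(-len(b) % 32)
    data_off = 32 * 10  # ten head words precede the dynamic tail
    sigs_off = data_off + len(dyn(tx.data))
    head = (a(tx.to) + w(tx.value) + w(data_off) + w(tx.operation) + w(0) + w(0) + w(0)
            + a("0" * 40) + a("0" * 40) + w(sigs_off))
    return "0x" + EXEC_TRANSACTION_SELECTOR + (head + dyn(tx.data) + dyn(signatures)).hex()


def review_safe_tx(tx: SafeTx, expected_recipients: set[str]) -> list[str]:
    """Return findings a signer should refuse to sign over; an empty list means no red flags."""
    findings = []
    if tx.operation == OP_DELEGATECALL:
        findings.append("CRITICAL: operation=1 (DELEGATECALL): the target's code runs with the "
                        "Safe's own storage and can overwrite slot 0, the singleton address")
    if tx.to.lower() not in {r.lower() for r in expected_recipients}:
        findings.append(f"WARN: recipient {tx.to} is not an approved address")
    if tx.data[:4].hex() == ERC20_TRANSFER_SELECTOR and tx.operation == OP_DELEGATECALL:
        findings.append("CRITICAL: payload looks like ERC-20 transfer(address,uint256) but is "
                        "DELEGATECALLed; a real token transfer never needs DELEGATECALL")
    return findings


def singleton_is_expected(slot0_word_hex: str, expected: str = EXPECTED_SINGLETON) -> bool:
    """Compare the word returned by eth_getStorageAt(proxy, 0) with the expected singleton."""
    word = bytes.fromhex(slot0_word_hex.removeprefix("0x")).rjust(32, b"\x00")
    return word[12:].hex() == expected.removeprefix("0x").lower()


# Constructed sample modelled on the incident's shape: an ERC-20-transfer-looking payload sent
# to the attacker's implementation contract with operation=1, carrying the malicious logic
# contract's address as the "recipient" argument that ends up written to slot 0.
MALICIOUS_TX = SafeTx(
    to="0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516", value=0,
    data=bytes.fromhex(ERC20_TRANSFER_SELECTOR) + bytes(12)
    + bytes.fromhex("96221423681A6d52E184D440a8eFCEbB105C7242") + bytes(32),
    operation=OP_DELEGATECALL)
# Constructed benign routine transfer: a plain ETH value transfer to the hot wallet.
ROUTINE_TX = SafeTx(to=HOT_WALLET, value=30_000 * 10**18, data=b"", operation=OP_CALL)

if __name__ == "__main__":
    for tx in (ROUTINE_TX, MALICIOUS_TX):
        decoded = decode_exec_transaction(encode_exec_transaction(tx))
        print(decoded.to, decoded.operation, review_safe_tx(decoded, {HOT_WALLET}) or "OK")
```

The point of decoding by hand is that the check never depends on the Safe web UI or its backend: feed it the calldata shown by the hardware wallet, and a routine cold-to-hot ETH transfer should decode to an approved recipient with operation=0 and empty data. After any signed transaction, reading slot 0 of the proxy and comparing it to the expected singleton catches the implementation swap described in step 3 even if every signer was deceived.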
According to the official announcement issued by Bybit:
(https://announcements.bybit.com/zh-MY/article/incident-update—eth-cold-wallet-incident-blt292c0454d26e9140)
Combined with Ben Zhou’s tweet:
This raises the following questions:
1. Routine ETH transfer
The attacker may have obtained information about the Bybit finance team's internal operations in advance, and so knew the timing of the ETH transfer from the multi-signature cold wallet.
Did the attacker use the Safe system to induce the signers to sign a malicious transaction on a forged interface? Had Safe's front-end system been breached and taken over?
2. Safe contract UI tampered with
The signers saw the correct address and URL on the Safe interface, but the transaction data actually signed had been tampered with.
The key question: who first initiated the signature request, and how secure was that person's device?
With these questions in mind, we look forward to the official disclosure of further investigation results as soon as possible.
Market impact
Bybit issued an announcement quickly after the incident, promising that all customer assets are backed 1:1 and that the platform can absorb the loss; user withdrawals will not be affected.
At 10:51 on February 22, 2025, Bybit CEO Ben Zhou posted on X that deposits and withdrawals were operating normally:
Closing thoughts
This theft once again highlights the serious security challenges facing the cryptocurrency industry. As the industry grows rapidly, hacker organizations, especially state-sponsored groups such as Lazarus Group, keep upgrading their attack methods. The incident is a wake-up call for cryptocurrency exchanges: platforms need to further strengthen security and adopt more advanced defense mechanisms, such as multi-factor authentication, encrypted wallet management, asset monitoring and risk assessment, to protect users' assets. Individual users also need to raise their security awareness; we recommend giving priority to more secure storage methods such as hardware wallets and avoiding keeping large amounts of funds on an exchange for long periods. In this evolving field, only by continuously upgrading the technical line of defense can we secure digital assets and promote the healthy development of the industry.