
The “butterfly effect” caused by Bybit’s $1.5 billion theft: OTC community will usher in a wave of freezing

This article describes the hacking incident and the methods used to launder the stolen funds, and warns of the large-scale freezes that are likely to hit OTC groups and crypto payment companies over the next few months.

On February 21, 2025, the cryptocurrency exchange Bybit suffered a large-scale security breach in which approximately US$1.5 billion in assets was stolen from its Ethereum cold wallet. The incident is considered the largest single theft in cryptocurrency history, exceeding previous records such as Poly Network (2021, $611 million) and Ronin Network (2022, $620 million), and has had a devastating impact on the industry.


Theft

According to the account given by Bybit's Ben Zhou and Bitrace's preliminary investigation, the theft unfolded as follows:

Attack preparation: The hacker deployed a malicious smart contract (address: 0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516) at least three days before the incident (i.e. February 19), laying the groundwork for the subsequent attack.

Intruding into the multi-signature system: Bybit's Ethereum cold wallet uses a multi-signature mechanism, which normally requires several authorizers to sign a transaction. The hacker compromised the computer used to operate the multi-signature wallet by means not yet known, possibly a spoofed signing interface or malware.

Disguising the transaction: On February 21, Bybit planned to transfer ETH from its cold wallet to a hot wallet to meet daily trading needs. The hacker took advantage of this opportunity to disguise the transaction interface as a normal operation and induce the signers to confirm a seemingly legitimate transaction. What the signatures actually authorized, however, was an instruction that changed the logic of the cold wallet's smart contract.

Transfer of funds: Once the instruction took effect, the hacker quickly took control of the cold wallet and transferred ETH and ETH staking-derivative tokens worth approximately US$1.5 billion at the time to an unknown address (preliminary tracking address: 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2). The funds were then dispersed across multiple wallets and the money laundering process began.

Money laundering techniques

The laundering of the funds can be roughly divided into two stages:

The first stage is the early fund-splitting stage. The attacker quickly converted the ETH staking-derivative tokens into ETH rather than into stablecoins that could be frozen, then split the ETH methodically and transferred it to lower-level addresses in preparation for laundering.

It was at this stage that the attacker's attempt to convert 15,000 mETH into ETH was blocked, and the industry recovered part of the loss.


The second stage is fund laundering. The attacker moves the ETH obtained through centralized or decentralized industry infrastructure, including Chainflip, Thorchain, Uniswap, eXch and others. Some of these protocols are used to swap the funds, and some are used to move them across chains.

As of this writing, a large share of the stolen funds has been exchanged for layer-1 tokens such as BTC, DOGE and SOL for onward transfer; some has even been used to issue memecoins or deposited to exchange addresses to obscure the trail.

Bitrace is monitoring and tracking the addresses associated with the stolen funds. This threat intelligence is being pushed simultaneously to BitracePro and Detrust to prevent users from inadvertently receiving stolen funds.

Analysis of criminal records

Analysis of the address 0x457 in the fund flow found that it was also linked to the theft from the BingX exchange in October 2024 and the theft from the Phemex exchange in January 2025, indicating that the same entity was behind all three attacks.


Taking into account the highly industrialized laundering and attack methods, some blockchain security practitioners attribute the incident to the notorious Lazarus hacker group, which in recent years has carried out multiple cyberattacks on institutions and infrastructure in the crypto industry and illicitly seized billions of dollars' worth of cryptocurrency.

Freeze crisis

In its investigations over the past few years, Bitrace has found that, in addition to using unlicensed industry infrastructure for laundering, the group also dumps large volumes of funds through centralized platforms. This has directly led to many exchange user accounts that knowingly or unknowingly received stolen funds being placed under risk control, and to the business addresses of OTC merchants and payment institutions being frozen by Tether.

In 2024, the Japanese cryptocurrency exchange DMM was attacked by Lazarus, and bitcoin worth up to US$600 million was illicitly transferred. Part of the proceeds was bridged by the attacker to HuionePay, a cryptocurrency payment institution in Southeast Asia, causing the latter's hot wallet address to be frozen by Tether, with more than US$29 million in value locked and unable to be moved.

In 2023, Poloniex was attacked, with the Lazarus Group suspected as the perpetrator, and funds worth more than $100 million were illicitly transferred. Some of these funds were laundered through over-the-counter transactions, resulting in the business addresses of a large number of OTC merchants being frozen, or the exchange accounts used to hold their business funds being placed under risk control, which severely disrupted their business activities.

Summary

Frequent hacking incidents have caused enormous losses to our industry, and the laundering that follows has tainted the addresses of ever more individuals and institutions. Innocent parties and potential victims should watch for such tainted funds in their business dealings so that they are not caught up in the fallout.
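As an added example (not Bitrace's, Bybit's or any vendor's code), the following Python sketches the kind of multi-hop exposure check an OTC desk or payment company could run before accepting a deposit: it propagates taint proportionally from a known stolen-funds address through a constructed ledger of placeholder addresses, and flags deposits whose exposure exceeds a threshold even when the immediate sender is not itself on any blacklist. The addresses, amounts and the 10% threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample ledger (placeholder addresses, not real ones): 0xHACKER
# stands in for the theft address; funds are split across intermediate
# wallets, partly mixed with clean money, then reach an OTC desk.
SAMPLE_TRANSFERS = [  # (sender, receiver, amount)
    ("0xHACKER", "0xSPLIT1", 100.0),
    ("0xHACKER", "0xSPLIT2", 100.0),
    ("0xCLEAN", "0xSPLIT2", 100.0),     # unrelated clean inflow mixes in
    ("0xSPLIT1", "0xDEX", 100.0),
    ("0xSPLIT2", "0xOTC", 50.0),        # the deposit an OTC desk would screen
    ("0xEMPLOYER", "0xOTC", 150.0),     # legitimate income to the same desk
]
SAMPLE_SEEDS = {"0xHACKER": 200.0}      # known stolen balance at the source


def trace(transfers, seeds):
    """Proportional ("haircut") taint propagation in ledger order.

    Each address carries [tainted, total] balances. An outgoing transfer
    carries the sender's current tainted fraction; a sender with no tracked
    balance is treated as a clean external source. Returns the final balances
    and, for each transfer, the tainted amount it carried.
    """
    state = defaultdict(lambda: [0.0, 0.0])
    for addr, amount in seeds.items():
        state[addr] = [amount, amount]
    carried = []
    for src, dst, amount in transfers:
        tainted, total = state[src]
        frac = tainted / total if total > 0 else 0.0
        tainted_out = min(amount, total) * frac
        state[src] = [tainted - tainted_out, max(total - amount, 0.0)]
        state[dst][0] += tainted_out
        state[dst][1] += amount
        carried.append(tainted_out)
    return state, carried


def screen_deposits(transfers, seeds, receiver, threshold=0.10):
    """Return (sender, amount, tainted_fraction) for deposits to `receiver`
    whose tainted share exceeds `threshold`, catching multi-hop exposure
    that a direct blacklist lookup of the sender alone would miss."""
    _, carried = trace(transfers, seeds)
    return [(src, amount, tainted_out / amount)
            for (src, dst, amount), tainted_out in zip(transfers, carried)
            if dst == receiver and amount > 0 and tainted_out / amount > threshold]


if __name__ == "__main__":
    for src, amount, frac in screen_deposits(SAMPLE_TRANSFERS, SAMPLE_SEEDS, "0xOTC"):
        print(f"flag: {src} sent {amount:.1f}, {frac:.0%} traceable to stolen funds")
```

In the sample ledger the deposit from 0xSPLIT2 is flagged at 50% exposure although 0xSPLIT2 never appears in the seed list, while the desk's overall balance is only 12.5% tainted, which is why per-deposit screening rather than a whole-wallet check is the useful control.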
