The theft is the largest hacking attack in the history of a crypto exchange.
Author: BitpushNews Mary Liu
While the crypto community was still hotly debating the direction of the bull market, a sudden black swan event hit the market on February 21. Bybit, a veteran crypto exchange, was hacked and nearly US$1.5 billion in assets were stolen, mainly ETH: approximately 401,347 ETH worth approximately US$1.12 billion.
After the news broke, Bitcoin fell immediately, briefly dropping below the US$95,000 mark; the already weak Ethereum plunged 5% in the short term to US$2,615, and had recovered to US$2,666 as of press time.
Bybit’s team responded quickly. CEO Ben Zhou started the live broadcast calmly in the face of crisis, promising users that the platform would never close the coin withdrawal channel. He said that even if the funds cannot be fully recovered, Bybit has the ability to fully compensate users for losses.
According to 10x Research statistics, the $1.46 billion stolen from the Bybit Exchange is the largest hacking attack in the history of a crypto exchange, and the second largest crypto theft is the $611 million from Poly Network in 2021. In addition, online detective ZachXBT has submitted conclusive evidence confirming that the North Korean hacker group Lazarus Group was behind the attack.
The movement of the hacker's addresses has become the focus of attention. On-chain data shows that the Bybit hacker's address has now become the 14th largest ETH holder in the world, holding approximately 0.42% of the total supply of Ethereum, exceeding the amounts held by Fidelity, Vitalik Buterin, and even the Ethereum Foundation by more than a factor of two.
Industry support: Bybit is not FTX!
Coinbase executive Conor Grogan posted on social media in support of Bybit: “After Bybit was hacked, withdrawals seemed to be normal. They have more than $20 billion in assets on the platform, and their cold wallets are intact. Given the isolated nature of signature hacking attacks and Bybit’s capital strength, I don’t expect infection to occur.”
Grogan also emphasized: “One minute after the run occurred, it became clear to FTX that they had no funds to withdraw. I know everyone has PTSD, but Bybit’s situation is different from FTX, and if it was, I would shout it out. They will be fine.”
Faced with this incident, many industry participants expressed their support for Bybit.
In the early morning of February 22, Beijing time, on-chain data showed that addresses belonging to Binance and Bitget transferred funds to Bybit’s cold wallet. Among them, Bitget’s transfer accounted for a quarter of its total ETH, which attracted attention. According to Conor Grogan, the transaction was coordinated directly with Bybit, skipping the usual deposit addresses.
Ben Zhou responded by saying: “Thank you to Bitget for extending a helping hand at this moment. We are communicating with Binance and several other partners. This fund has nothing to do with Binance officials.”
Tron founder Sun Yuchen said on social media that the Tron Network is helping track funds. Haider Rafique, chief marketing officer of OKX, also said the exchange had deployed a security team to support Bybit’s investigation.
KuCoin emphasized that crypto “is a shared responsibility” and called for cross-exchange cooperation to combat cybercrime.
Questions raised over Safe’s security
The core of the attack lies in a technique called “blind signing”: a user approves a transaction without being able to verify what the underlying smart-contract call actually does. Attackers exploit this to bypass the signer’s security checks.
Bybit CEO Ben Zhou pointed out in the live broadcast that the attackers used a “Musked” technique (i.e., obfuscating or spoofing the transaction payload) to forge the multi-signature wallet user interface (UI) provided by Safe, so that the signers authorized a malicious transaction without realizing it. Specifically, the forged UI displayed the correct address and URL, but the transaction payload underneath had been tampered with, causing the signers to unintentionally approve the transfer of funds.
Crypto security company Groom Lake further found that Safe multi-signature wallets deployed on Ethereum in 2019 and on the Base Layer 2 in 2024 had the same transaction hash, which it described as almost mathematically impossible.
Anonymous Groom Lake researcher Apollo said that if the same transaction hash appears on both Ethereum and Base, it suggests that an attacker may have found a way to make a single transaction valid on multiple networks, or may be reusing wallet signatures or transaction data across networks.
However, the Safe team denied that the attack was related to a vulnerability in its smart contracts, saying the transaction in question was a contract-deployment transaction and that EIP-155, a safeguard against cross-chain transaction replay, was not used in it in order to support cross-chain deployment. EIP-155 was introduced in 2016 to ensure that a transaction signed for Ethereum cannot be valid on other chains such as Base, by including the chain ID in the signed transaction. This means that even if a private key is compromised, an attacker cannot replay old signed transactions on a different chain. The Safe team said: “If it was a (smart contract vulnerability), the target wouldn’t be Bybit.” Note: Safe protects more than US$100 billion in digital assets in more than 7 million smart accounts.
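The replay-protection point above, worked through as an added example (it is not code from the article, Safe, or Bybit): a minimal RLP encoder builds the bytes a signer hashes, showing why an EIP-155 transaction cannot carry the same hash on Ethereum and Base while a pre-EIP-155 one can. The transaction fields and chain IDs are constructed placeholders.

```python
# Added illustration (not the article's or Safe's code): how EIP-155 binds a
# signed transaction to one chain, and why a pre-EIP-155 "legacy" transaction
# produces the same signing bytes for every chain. Sample values are constructed.
def _len_prefix(n, offset):
    """RLP length prefix for a string (offset 0x80) or a list (offset 0xc0)."""
    if n < 56:
        return bytes([offset + n])
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([offset + 55 + len(nb)]) + nb

def rlp_encode(item):
    """Minimal RLP encoder for ints, bytes and (nested) lists."""
    if isinstance(item, int):
        item = item.to_bytes((item.bit_length() + 7) // 8, "big") if item else b""
    if isinstance(item, bytes):
        if len(item) == 1 and item[0] < 0x80:
            return item
        return _len_prefix(len(item), 0x80) + item
    payload = b"".join(rlp_encode(x) for x in item)
    return _len_prefix(len(payload), 0xC0) + payload

def signing_payload(tx, chain_id=None):
    """Bytes that get keccak-hashed and signed. EIP-155 appends
    [chain_id, 0, 0], so the hash, and thus the signature, differs per chain."""
    fields = [tx["nonce"], tx["gas_price"], tx["gas_limit"],
              tx["to"], tx["value"], tx["data"]]
    if chain_id is not None:
        fields += [chain_id, 0, 0]
    return rlp_encode(fields)

def chain_id_from_v(v):
    """Chain ID carried in the signature's v value: legacy v in {27, 28} has
    none; EIP-155 sets v = chain_id * 2 + 35 + recovery_id."""
    if v in (27, 28):
        return None
    return (v - 35) // 2

def node_accepts(v, node_chain_id, allow_legacy=True):
    """Replay check a node performs: an EIP-155 signature must name this
    chain; a legacy signature is accepted anywhere unless the node forbids it."""
    cid = chain_id_from_v(v)
    return allow_legacy if cid is None else cid == node_chain_id

# Constructed sample: a contract-deployment transaction (empty "to" field).
TX = {"nonce": 0, "gas_price": 20_000_000_000, "gas_limit": 1_000_000,
      "to": b"", "value": 0, "data": bytes.fromhex("6080604052")}
ETHEREUM, BASE = 1, 8453
# A mainnet-signed tx (v=37) is rejected by a Base node; a legacy tx is not.
REPLAYABLE_ON_BASE = node_accepts(27, BASE) and not node_accepts(37, BASE)
```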
Are hardware wallets not enough?
However, Safe’s explanation did not completely dispel the industry’s doubts. Ido Ben Natan, CEO of blockchain security company Blockaid, pointed out that “blind signing” is rapidly becoming a favorite form of attack for advanced threat actors such as North Korean hackers. This attack is the same type as those used in the Radiant Capital breach in December 2023 and the WazirX incident in March 2024. Natan emphasized that even with the best key management solutions, the signing process still relies on the software interface that interacts with the dApp, which opens the door to malicious manipulation of what gets signed.
Security expert Odysseus points out that if transactions are signed on a laptop or mobile phone connected to the Internet, the usefulness of a hardware wallet is greatly reduced. “These are highly targeted attacks, and in general, if a device (computer or mobile phone) is hacked, there is little you can do except sign a transaction on a device that is not connected to the Internet and not hacked,” he said.
In bull market sentiment, security issues are easily overlooked. It is never too late to mend the fold after the sheep have been lost. What the community hopes to see is that Bybit can properly resolve this crisis and minimize losses. But this attack reminds us once again that in the crypto world, security is always the first line of defense. From the vulnerability of multi-signature wallets to the risks of cross-chain transactions, from user education to industry collaboration, every link should be re-examined.