GuShiio.com On the evening of February 21, 2025 Beijing time, Bybit Exchange suffered an APT attack, forging “blind signatures” to break through the multi-signature mechanism, resulting in the theft of nearly US$1.5 billion in Cold Wallet’s assets. As of 8 a.m. on the 22nd (Beijing time), the stolen assets were distributed across 51 addresses.
Case brief description
On the evening of February 21, 2025 Beijing time, Bybit Exchange suffered an APT attack, forging “blind signatures” to break through the multi-signature mechanism, resulting in the theft of nearly US$1.5 billion in Cold Wallet’s assets. As of 8 a.m. on the 22nd (Beijing time), the stolen assets were distributed across 51 addresses.
As a professional traceability company in the industry, BitJungle uses public data to reveal a panoramic view of hacking attacks.
Disclosure 1: Hacking attack methods
1. Hackers gain Bybit employee computer rights through APT attack
2. Hackers have been lurking for a long time to observe the Bybit currency transfer process
3. Hackers deploy malicious Safe contracts: 0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516
4. Forge Safe front-end transaction tips, trick Bybit employees into signing more, and replace safe implementation contracts with malicious contracts
5. Transfer of cold wallet assets through malicious contracts
Disclosure 2. Fund transfer deposits and portraits of attackers
As of 8:00 a.m. on the 22nd (Beijing time), stolen assets were distributed at 51 addresses (yellow addresses in the picture)
At the same time, according to the latest situation, it is found that the stolen funds of bybit and the funds flowing out of the original hacker address of phemex have been mixed and transferred to the same address. This address has been used since November 2024. It has been repeatedly exchanged and cross-chain transactions in history, confirming that they are both North Korean hackers;
Disclosure 3: Possible secondary financial risks
1. Hacker selling or market panic may trigger a run on users, or cause Bybit to face a surge in withdrawals, putting pressure on the capital chain, and an urgent response is needed to stabilize confidence.
2. ETH is a highly volatile asset, and its price is significantly affected by market sentiment, supply and demand relationships and macroeconomic factors. This theft may cause ETH price fluctuations and cause increased losses;
Disclosure 4: Preventive measures
1. Train employees to improve advanced phishing and social engineering defense training to reduce the introduction of internal cybersecurity risks.
2. Isolate the network and equipment for special aircraft. Important machines or finance-related machines should be separated from ordinary office computers or daily computers to reduce the attack surface.
3. Disperse storage assets into multiple cold wallets, reduce the impact of single points of theft and improve overall security.
4. Form your own professional security team and cooperate with Web3 security companies like BitJungle to fight hackers together.
5. Reduce losses caused by security incidents by purchasing insurance.
Disclosure 5. Safe wallet security mechanism has not been breached
Safe (formerly Gnosis Safe) is a widely used multi-signature solution in the industry. Its security relies on multi-party signatures and the immutability of smart contract logic.
The attack showed that the hacker did not crack Safe’s multi-signature mechanism or exploit its code vulnerability, but instead obtained enough signature rights through phishing.
Disclosure 6: What Bitjungle can do
1. Find out the truth, restore the hacker’s complete intrusion path, and find out other hidden security risks.
2. BitJungle has established contact with more than a dozen large exchanges and organizations. Through the Zhongkui system, it can automatically freeze stolen assets to help users recover losses as quickly as possible.
3. Quickly locate and assist judicial authorities in arresting suspects through professional technology and rich experience.
