Bit Jungle: Revealing the world's largest hacker theft case on Bybit Exchange, with nearly $1.5 billion involved

Reprinted from panewslab
02/22/2025
Case brief description
On the evening of February 21, 2025 (Beijing time), Bybit Exchange was hit by an APT attack: the attackers forged a "blind signing" prompt to get past the multi-signature mechanism, and nearly US$1.5 billion of cold-wallet assets were stolen. As of 8:00 a.m. on the 22nd (Beijing time), the stolen assets were spread across 51 addresses.
As a professional tracing company in the industry, Bit Jungle reconstructs the full picture of the hack from public data.
Revelation One: The hackers' attack method
1. The hackers gained access to a Bybit employee's computer through an APT attack
2. The hackers lurked for a long time and observed Bybit's fund-transfer process
3. The hackers deployed a malicious Safe contract: 0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516
4. They forged the Safe front-end's transaction prompt, tricked Bybit employees into providing their multi-signature approvals, and replaced the Safe implementation contract with the malicious contract
5. They transferred the cold wallet's assets through the malicious contract
Revelation Two: Fund Transfers and Attacker Profile
As of 8:00 a.m. on the 22nd (Beijing time), the stolen assets are distributed across 51 addresses (the yellow addresses in the figure).
At the same time, the latest findings show that the Bybit stolen funds and the funds flowing out of the initial Phemex hacker address were mixed and transferred to the same address. That address was already in use in November 24 and has historically performed multiple swaps and cross-chain transactions, which confirms that both attacks are the work of North Korean hackers.
Revelation Three: Possible Secondary Financial Risks
1. Hacker sell-offs or market panic may trigger a run by users, or leave Bybit facing a surge in withdrawals that puts pressure on its funding chain; an emergency response is needed to stabilize confidence.
2. ETH is a highly volatile asset whose price is strongly affected by market sentiment, supply and demand, and macroeconomic factors. This theft may cause ETH price swings that widen the losses.
Revelation Four: Preventive Measures
1. Train employees in defending against advanced phishing and social engineering, to reduce network security risks introduced from the inside.
2. Isolate networks and devices, and dedicate machines to a single purpose: important machines and finance-related machines should be kept separate from office or everyday computers to reduce the attack surface.
3. Spread assets across multiple cold wallets to reduce the impact of a single wallet being stolen and improve overall security.
4. Build an in-house professional security team and cooperate with Web3 security companies such as Bit Jungle to fight hackers.
5. Purchase insurance to reduce the losses caused by security incidents.
Revelation Five: The security mechanism of Safe's multi-signature wallet has not been broken
Safe (formerly Gnosis Safe) is a multi-signature solution widely used in the industry. Its security relies on multi-party signatures and on the immutability of its smart contract logic.
The attack shows that the hackers did not break Safe's multi-signature mechanism or exploit a vulnerability in its code; instead, they obtained enough signatures through phishing.
Revelation Six: What Bit Jungle can do
1. Get to the truth: reconstruct the hackers' complete intrusion path and uncover other hidden security risks.
2. Bit Jungle has established contacts with more than a dozen large exchanges and organizations. Through its Zhongkui system, stolen assets can be frozen automatically, helping users recover their losses as quickly as possible.
3. Quickly locate suspects and assist judicial authorities in arresting them, drawing on professional technology and rich experience.