
Black Swan Arrives: A Detailed Timeline of the Theft of Nearly US$1.5 Billion in ETH from Bybit


Reprinted from jinse

02/22/2025

Author: Spirit

Event Overview

On February 21, 2025, cryptocurrency exchange Bybit disclosed that its Ethereum multi-signature cold wallet had experienced unauthorized activity, resulting in the theft of nearly US$1.5 billion in ETH and stETH. Preliminary analysis indicates that the attackers used a carefully planned attack to gain control of Bybit's ETH cold wallet and moved the funds through complex technical means, including a disguised transaction interface and a replaced smart contract. After the incident, Bybit quickly issued a statement, launched an investigation, and sought external financial support to cope with the wave of user withdrawals. This is the largest single theft in cryptocurrency history, and it triggered market volatility and concerns about the security of centralized exchanges.

Event timeline (HKT, UTC+8)

The following timeline is compiled from public information; all times are Hong Kong time (HKT, UTC+8):

February 19, 2025 15:15 HKT (UTC 07:15): The malicious contract was deployed (contract address: 0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516). Analysis by the SlowMist team shows that this malicious contract was the pre-deployed component of the attack.

February 21, 2025 14:13 HKT (UTC 06:13): Using three Owner signatures, the hacker initiated a transaction (transaction hash: 0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882) that replaced the Safe implementation contract of Bybit's multi-signature cold wallet with the malicious contract above. This is considered the critical step of the attack, paving the way for the subsequent theft of funds.

February 21, 2025 around 23:30 HKT: Abnormal fund transfers occurred from Bybit's Ethereum hot wallet, and about US$1.5 billion of ETH and stETH were stolen. X (formerly Twitter) user @OrdzWorld was the first to spot the abnormal transfer from Bybit's cold wallet to a warm wallet.

February 21, 2025 23:48 HKT: Bybit CEO Ben Zhou posted on social media acknowledging that an unauthorized transfer from the ETH cold wallet had occurred. He initially described it as a "masked UI" fraud attack, and stressed that the other cold wallets were secure and operating normally.

February 21, 2025 23:51 HKT: Bybit's official account @Bybit\_Official issued a statement on X confirming that unauthorized activity on the ETH multi-signature cold wallet had been detected, and stating that the attacker had manipulated the transaction through a disguised signing interface as part of a sophisticated attack. Bybit announced that an investigation had begun and stressed the safety of user funds.

February 22, 2025 00:11 HKT: Bybit CEO Ben Zhou posted again, stressing that Bybit is solvent and that user assets are backed 1:1.

February 22, 2025 01:00 HKT: The SlowMist team @SlowMist\_Team disclosed further technical details on X, pointing out that the malicious contract had been deployed as early as February 19 and that the attacker carried out the theft using the backdoor functions sweepETH and sweepERC20 together with DELEGATECALL logic.

February 22, 2025 01:07 HKT: X user @web3golder reported that Bybit was facing a wave of user withdrawals, and that some of the stolen assets had been swapped for ETH on decentralized exchanges (DEXs), aggravating market concerns.

February 22, 2025 01:24 HKT: BitMart founder Sheldon posted on X that BitMart had frozen the relevant addresses and would assist Bybit in recovering assets.

February 22, 2025 01:39 HKT: Security team Beosin's analysis found that the gas fees of the hacker's initial attack address had been funded from Binance.

February 22, 2025 05:23 HKT: On-chain investigator ZachXBT (@ZachXBT) posted an evidence report on X, preliminarily attributing the attack to the North Korean hacker group Lazarus Group. Arkham Intelligence reposted the message.

February 22, 2025 07:27 HKT: Bybit's official X account issued a statement saying that it had reported the case to the relevant authorities and was working with on-chain analytics providers to identify and isolate the addresses involved and prevent the hackers from selling the ETH.

February 22, 2025 09:09 HKT: On-chain data analyst Ember (@EmberCN) observed that Bitget had lent 40,000 ETH to Bybit to ease withdrawal pressure.

February 22, 2025 09:14 HKT: Bitget CEO Gracy Chen posted on X in support of Bybit, expressing confidence that Bybit customers' funds are safe and that there is no need to panic.

February 22, 2025 09:21 HKT: Web3 audit firm Hacken released a proof-of-reserves update stating that Bybit's reserves still exceed its liabilities and that user funds are fully backed. Bybit CEO Ben Zhou replied that Hacken's audit demonstrates Bybit's ability to cover customer losses.

February 22, 2025 09:28 HKT: KuCoin CEO BC Wong expressed support for Bybit and said KuCoin was assisting in monitoring the flow of funds and freezing suspicious assets.

February 22, 2025 09:30 HKT: Binance founder Zhao Changpeng (CZ) responded on social media that Binance had not lent funds to Bybit, and that the related transfers may have been the personal action of a large whale.

February 22, 2025 09:35 HKT: The multi-signature wallet protocol Safe issued an official statement saying that no compromise of its code base had been found and that Safe wallet functionality had been suspended for a thorough inspection.

February 22, 2025 09:38 HKT: On-chain monitoring showed that MEXC's hot wallet transferred 12,600 stETH to Bybit's cold wallet, providing further liquidity support.

February 22, 2025 09:55 HKT: Bybit CEO Ben Zhou said that Bybit was moving USDT from cold wallets to hot wallets as a planned measure, and that this was not a second hack.

Support and liquidity response from all parties

Bybit acted quickly after the incident, seeking support from multiple parties to address potential liquidity and user-trust crises:

  • Bitget's ETH loan: Bitget urgently lent 40,000 ETH (about US$105.9 million) to Bybit, transferring it directly to Bybit's cold wallet address to relieve withdrawal pressure. The loan reflects the spirit of mutual assistance among exchanges.

  • Bridge loan: Bybit CEO Ben Zhou disclosed that he had reached a bridge loan agreement with partners covering approximately 80% of the value of the stolen ETH (about US$1.12 billion). The specific sources of the loan have not been made public, but may include Bitget's loan. As a short-term financing tool, a bridge loan is meant to replenish liquidity quickly and spare Bybit from having to buy ETH on the open market immediately, which would cause further market volatility.

  • KuCoin assists with monitoring and freezing: KuCoin's CEO said the exchange was helping Bybit monitor the flow of stolen funds and freeze suspicious assets in an effort to reduce losses.

  • Financial audit and proof of solvency: Hacken, the Web3 audit firm Bybit works with, released a proof-of-reserves update showing that Bybit's reserves still exceed its liabilities and that user funds are fully backed. Bybit CEO Ben Zhou also said that Bybit is solvent and that user assets are backed 1:1; even if the losses from the hack cannot be recovered, Bybit can cover user losses.

  • User withdrawal processing: Bybit's CEO stated that the platform's withdrawal function was operating normally and emphasized that 99.994% of withdrawal requests had been completed, while admitting that large withdrawal requests might be delayed.

Event background and revealing industry trends

Bybit exchange overview: Founded in 2018 and headquartered in Singapore, Bybit is a cryptocurrency exchange focused mainly on derivatives trading. It has more than 10 million users and considerable influence in the industry.

Cryptocurrency thefts occur frequently: In recent years, centralized exchanges have become high-value targets for hackers because of the funds they concentrate. In 2024, the amount of cryptocurrency stolen worldwide reached US$2.3 billion; the amount stolen from Bybit alone exceeds 60% of last year's industry-wide total, highlighting the severity of the industry's security situation. Well-known projects such as Ronin Network have previously suffered large-scale thefts, showing that attack techniques keep evolving and that centralized platforms face continuous security challenges.

Early warning and long-term planning: Security firms disclosed that the malicious contract was deployed as early as February 19, indicating that the attack was not opportunistic but followed a long period of careful planning and preparation.

Analysis of the cause of events

Technical vulnerabilities and social engineering attacks:

Preliminary analysis suggests that the attacker exploited a weakness in the signing process of Bybit's multi-signature cold wallet: by disguising the transaction interface and replacing the Safe implementation contract, the attacker tricked the multi-signature Owners into signing malicious transactions.

The attacker may have combined this with social engineering methods (compare the attack incident in October last year), such as compromising a signer's computer or an intermediate communication link, substituting malicious transactions for normal transaction requests and lowering the signers' vigilance.

The DELEGATECALL instruction was exploited in the malicious contract; it allows malicious code to execute in the context of the multi-signature wallet itself, which makes it possible to modify the contract logic and transfer the funds.
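The failure mode above is that signers approved what a rendered UI showed them rather than what the raw calldata said. The following is an added example, not code from the article or from Safe: a pre-signing review that decodes a Safe execTransaction call and flags the two fields that mattered in this incident, an operation value of 1 (DELEGATECALL, which runs foreign code in the Safe's own storage context) and a target address outside an allowlist. The selector 0x6a761202 is Safe's real execTransaction selector; the allowlist, the addresses and the sample calldata are constructed placeholders, and the minimal encoder exists only to build those samples.

```python
from dataclasses import dataclass

EXEC_TX_SELECTOR = bytes.fromhex("6a761202")  # Safe execTransaction selector
CALL, DELEGATECALL = 0, 1                     # Safe `operation` values

@dataclass
class SafeTx:
    to: str
    value: int
    data: bytes
    operation: int

def _pad_bytes(b: bytes) -> bytes:
    """ABI tail encoding of dynamic `bytes`: length word, then data padded to 32 bytes."""
    return len(b).to_bytes(32, "big") + b + b"\x00" * (-len(b) % 32)

def encode_exec_transaction(to: str, value: int, data: bytes, operation: int,
                            signatures: bytes = b"") -> bytes:
    """Minimal ABI encoder for execTransaction (gas/refund params zeroed); builds the samples."""
    data_off = 10 * 32  # the head holds 10 parameter slots
    sigs_off = data_off + len(_pad_bytes(data))
    head = [int(to, 16).to_bytes(32, "big"), value.to_bytes(32, "big"),
            data_off.to_bytes(32, "big"), operation.to_bytes(32, "big")]
    head += [bytes(32)] * 5 + [sigs_off.to_bytes(32, "big")]
    return EXEC_TX_SELECTOR + b"".join(head) + _pad_bytes(data) + _pad_bytes(signatures)

def decode_exec_transaction(calldata: bytes) -> SafeTx:
    """Recover the fields a signer must verify from raw execTransaction calldata."""
    if calldata[:4] != EXEC_TX_SELECTOR:
        raise ValueError("not an execTransaction call")
    args = calldata[4:]
    word = lambda i: args[32 * i: 32 * (i + 1)]
    to = "0x" + word(0)[12:].hex()  # an address is right-aligned in its 32-byte word
    value, data_off, operation = (int.from_bytes(word(i), "big") for i in (1, 2, 3))
    data_len = int.from_bytes(args[data_off:data_off + 32], "big")
    return SafeTx(to, value, args[data_off + 32:data_off + 32 + data_len], operation)

def review(calldata: bytes, allowlist: set[str]) -> list[str]:
    """Findings a signer should see before approving; an empty list means nothing was flagged."""
    tx = decode_exec_transaction(calldata)
    findings = []
    if tx.operation == DELEGATECALL:
        findings.append("DELEGATECALL: target code runs in the Safe's own storage context")
    if tx.to not in {a.lower() for a in allowlist}:
        findings.append(f"target {tx.to} is not an allowlisted address")
    return findings

# Constructed samples (placeholder addresses): a routine ERC-20 transfer(...) call to an
# allowlisted contract versus a delegatecall into an unknown contract.
ALLOWLIST = {"0x" + "11" * 20}
ROUTINE = encode_exec_transaction("0x" + "11" * 20, 0, bytes.fromhex("a9059cbb") + bytes(64), CALL)
SUSPECT = encode_exec_transaction("0x" + "22" * 20, 0, b"", DELEGATECALL)
```

Running review() on ROUTINE returns no findings, while SUSPECT is flagged for both the DELEGATECALL operation and the unknown target; a hardware signer or a second reviewer should refuse to sign whenever the list is non-empty.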

The inherent risks of centralized exchanges:

As centralized custodians of user funds, centralized exchanges inherently carry "single point of failure" risk and are natural targets for hackers. Bybit CEO Ben Zhou publicly acknowledged this inherent vulnerability of CEXs as early as 2020.

External environmental factors:

The overall cryptocurrency market rebounded in February 2025 and the price of ETH rose, which may have strengthened the hackers' motive for theft.

Other crypto platforms (such as ZkLend) have also been attacked recently, suggesting that the industry's overall security environment may be deteriorating.

Event impact

Direct impact on Bybit:

Huge capital losses: US$1.5 billion of assets were stolen, a large share of Bybit's ETH deposits (about 75%), causing direct economic losses to the exchange.

User trust crisis and withdrawal wave: A theft on this scale may trigger a crisis of user trust in the security of the Bybit platform, leading to concentrated withdrawals and putting enormous pressure on platform liquidity.

Short-term fluctuation in the ETH price: After the event, the ETH price fell by about 3%, reflecting the market's negative sentiment about the incident.

Reputational damage: Although Bybit responded actively and stressed its solvency, the incident undoubtedly had some negative impact on Bybit's reputation.

Impact on the cryptocurrency industry:

Intensified CEX trust crisis: The Bybit incident further exacerbates users' concerns about the security of centralized exchanges, and may prompt some users to move funds to decentralized exchanges (DEXs) or choose safer custody solutions.

Regulatory pressure may increase: Historically, large-scale exchange security incidents have often attracted the attention and intervention of regulators. The Bybit incident may prompt regulators in various countries to tighten security audit and compliance requirements for CEXs.

Push for an industry-wide security upgrade: This incident may become an important turning point for crypto security, prompting exchanges, security firms and developer communities to jointly advance a comprehensive upgrade of technical security and governance mechanisms, raising the overall security level of the industry.

Possible discussion of an Ethereum fork: Coinbase director Conor Grogan and industry figure Arthur Hayes, among others, publicly discussed whether the incident could trigger a debate about an Ethereum fork similar to the one after the DAO incident. Although calls for a fork may be radical, they reflect the severity of the incident and the industry's willingness to consider extreme measures.

Reactions from all parties in the industry

Bybit officially: Bybit CEO Ben Zhou quickly disclosed details after the incident and communicated with users through social media, live streams and other channels, stressing the platform's solvency and normal operation and trying to restore user trust through transparency and active communication. Bybit's official statement said the case had been reported to the relevant authorities and that Bybit was cooperating with security firms on the investigation and fund tracing.

Audit and security firms: Blockchain security companies such as SlowMist and Beosin intervened quickly after the incident, analyzed the technical details of the attack, assisted Bybit in tracing the stolen funds, and issued security warnings to the industry.

Centralized exchange (CEX) peers: Bitget, KuCoin, MEXC and Jucoin publicly expressed support for Bybit and provided financial and technical assistance. BitMart promised to freeze suspicious addresses, and Binance founder Zhao Changpeng said Binance is willing to help if needed. The collective support among leading exchanges shows a united attitude toward industry security risks.

Community and analysts: The cryptocurrency community and industry analysts generally expressed concern about the incident. Some users praised Bybit's transparent communication, but more users voiced broader worries about CEX security. Analysts pointed out that the incident may prompt CEXs to revisit and improve their multi-signature mechanisms, smart contract security audits, and internal security processes.

Summary

The US$1.5 billion theft suffered by Bybit is the largest single loss of funds in the history of the cryptocurrency industry, and once again sounds the alarm about the security risks of centralized exchanges. The hackers planned the attack carefully, combining technical vulnerabilities with social engineering to break through the exchange's multiple lines of defense, causing huge economic losses and a crisis of trust.

Although Bybit faced a sudden security incident, its rapid response and relatively open and transparent handling effectively eased market anxiety. More encouraging still, the assistance from peers and the active support of security firms show the solidarity of the cryptocurrency community in looking out for one another. While this incident reminds us of the risks in the industry, it also shows the growing maturity and resilience of the crypto field.

Going forward, the cryptocurrency industry may see a comprehensive upgrade in security as a result of this incident. Centralized exchanges need to keep strengthening their investment in technical security and raise the level of protection for multi-signature wallets, smart contracts, internal risk controls and more. Regulators may also further tighten compliance supervision of CEXs to promote healthier and more orderly development of the industry. For users, this incident is another reminder that asset security is the primary consideration when participating in the cryptocurrency market; spreading risk sensibly and choosing safer custody solutions is becoming increasingly important.

Latest progress (as of 09:55 HKT on February 22, 2025)

Bybit, together with Web3 audit firm Hacken, released a proof-of-reserves report to demonstrate the platform's solvency.

Exchanges such as Bitget and MEXC continue to provide ETH and stETH loans to Bybit to ease liquidity pressure.

KuCoin is assisting Bybit in monitoring fund flows and freezing suspicious assets.

Safe has officially suspended its wallet functionality for comprehensive security checks.

Binance founder Zhao Changpeng clarified that Binance has not provided loans to Bybit, and that the related transfers may have been the personal action of a large whale.

On-chain investigator ZachXBT confirmed that Lazarus Group was the mastermind behind the attack.

The Bybit hacker attempted to unstake cmETH, and the transfer was returned by the contract.

Bybit's CEO said all withdrawals have been processed and that a full incident report will be released.
