The "butterfly effect" of Bybit's $1.5 billion theft: OTC groups will face a wave of freezes

Reprinted from panewslab
02/25/2025

On February 21, 2025, the cryptocurrency exchange Bybit suffered a large-scale security breach in which about $1.5 billion in assets were stolen from its Ethereum cold wallet. The incident is considered the largest single theft in cryptocurrency history, surpassing previous records such as Poly Network ($611 million in 2021) and Ronin Network ($620 million in 2022), and its effects are rippling across the industry like a butterfly effect.
This article describes the hack and the methods used to launder the funds, and warns that a wave of large-scale freezes against OTC groups and crypto payment companies is likely in the coming months.
Theft
According to the account given by Bybit CEO Ben Zhou and Bitrace's preliminary investigation, the theft unfolded as follows:
Attack preparation: The hacker deployed a malicious smart contract at least three days before the incident (i.e. on February 19) to lay the groundwork for the subsequent attack.
Compromise of the multi-signature system: Bybit's Ethereum cold wallet uses a multi-signature mechanism, which normally requires several authorized parties to sign before a transaction can execute. By means not yet determined, possibly a spoofed signing interface or malware, the hackers compromised the computers used to manage the multi-signature wallet.
Disguised transaction: On February 21, Bybit planned to transfer ETH from the cold wallet to a hot wallet to meet daily trading needs. The hackers used this opportunity to disguise the transaction interface so that it looked like a normal operation, inducing the signers to confirm a seemingly legitimate transaction. What the signatures actually authorized, however, was an instruction that changed the logic of the cold wallet's smart contract.
Fund transfer: Once the instruction took effect, the hacker quickly took control of the cold wallet and transferred ETH and ETH staking tokens worth about $1.5 billion at the time to an unknown address (preliminary tracking address: 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2). The funds were then spread across multiple wallets and the laundering process began.
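The step that failed above was the signers trusting a disguised interface. As an added example (not code from the article, Bybit or Bitrace), here is an independent pre-signing check that compares the raw fields of the transaction actually being signed against the transfer the operators intended; it assumes a Safe-style payload with to/value/data/operation fields, where operation 1 means delegatecall (a property of Safe contracts, assumed here, not stated by the article), and all addresses and calldata are constructed.

```python
"""Independent pre-signing check for a multisig cold-wallet transaction.

Added example, not code from the article or from Bybit/Bitrace. Assumes a
Safe-style execTransaction payload (to, value, data, operation) where
operation 1 = delegatecall. The signer verifies these raw fields on an
independent device instead of trusting the wallet UI, which is the layer
the article says was disguised.
"""
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1


@dataclass(frozen=True)
class MultisigTx:
    to: str            # destination address, hex string
    value_wei: int     # ETH to send, in wei
    data: bytes        # calldata; empty for a plain ETH transfer
    operation: int     # 0 = call, 1 = delegatecall


def check_before_signing(intended: MultisigTx, presented: MultisigTx,
                         allowed_destinations: set[str]) -> list[str]:
    """Return human-readable findings; an empty list means safe to sign."""
    findings = []
    allow = {a.lower() for a in allowed_destinations}
    if presented.operation == DELEGATECALL:
        findings.append("operation is DELEGATECALL: target code runs with the "
                        "wallet's own storage and can replace its logic")
    if presented.to.lower() != intended.to.lower():
        findings.append(f"destination {presented.to} != intended {intended.to}")
    if presented.to.lower() not in allow:
        findings.append(f"destination {presented.to} not in allowlist")
    if presented.value_wei != intended.value_wei:
        findings.append(f"value {presented.value_wei} != intended {intended.value_wei}")
    if presented.data != intended.data:
        selector = presented.data[:4].hex() if presented.data else "(none)"
        findings.append(f"calldata differs from intended (selector {selector})")
    return findings


# Constructed sample values, not real Bybit or attacker addresses.
HOT_WALLET = "0x1111111111111111111111111111111111111111"
UNKNOWN_CONTRACT = "0x2222222222222222222222222222222222222222"
INTENDED = MultisigTx(HOT_WALLET, 10 * 10**18, b"", CALL)
# What a tampered UI could hand to the signer while displaying the
# intended transfer: a delegatecall into an unknown contract.
PRESENTED = MultisigTx(UNKNOWN_CONTRACT, 0,
                       bytes.fromhex("deadbeef") + b"\x00" * 32, DELEGATECALL)

if __name__ == "__main__":
    for finding in check_before_signing(INTENDED, PRESENTED, {HOT_WALLET}):
        print("BLOCK:", finding)
```

A second signing device that only reproduces this comparison, without rendering a UI, would have refused the payload on the first finding alone.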
Money laundering method
The laundering of the funds can be roughly divided into two stages:
The first stage is early fund splitting. The attacker quickly swapped the ETH staking tokens into ETH, rather than into stablecoins, which issuers can freeze, and then split the ETH across subordinate addresses in preparation for laundering.
It was at this stage that the attacker's attempt to convert 15,000 mETH to ETH was stopped, and the industry recovered that portion of the loss.
The second stage is fund laundering. The attacker moves the acquired ETH through centralized and decentralized industry infrastructure, including Chainflip, Thorchain, Uniswap, eXch and others. Some protocols are used to swap the funds, while others are used to move them across chains.
So far, a large share of the stolen funds has been swapped into layer-1 tokens such as BTC, DOGE and SOL for onward transfer, and the attacker has even issued memecoins and sent funds to exchange addresses to obscure the trail.
Bitrace is monitoring and tracking the addresses linked to the stolen funds. This threat intelligence is pushed simultaneously to BitracePro and Detrust so that users do not unknowingly receive stolen funds.
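The screening that the paragraph above describes can be done on a counterparty's own side before a deposit is accepted. As an added example (not Bitrace's or the article's code), the block below applies "haircut" taint tracking over a small constructed set of transfers: each transfer carries the sender's current tainted share, so an OTC desk can compute how much of an incoming deposit traces back to a stolen-funds seed address. Only the seed address comes from the article; the other addresses, balances and transfers are constructed.

```python
"""Haircut taint tracking to screen incoming funds against a stolen-funds seed.

Added example, not code from Bitrace or the article. Transfers and all
addresses other than SEED are constructed. Each transfer carries a tainted
fraction equal to the sender's tainted share at that moment, so a deposit
can be flagged before it lands in a business wallet.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    block: int      # ordering key; transfers are replayed in block order
    sender: str
    receiver: str
    amount: float   # ETH; float is adequate for illustration


SEED = "0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2"  # tracking address from the article
EXCHANGE = "0xaaaa000000000000000000000000000000000001"  # constructed, clean source
A, B, C = ("0xbbbb000000000000000000000000000000000001",
           "0xbbbb000000000000000000000000000000000002",
           "0xbbbb000000000000000000000000000000000003")  # constructed

INITIAL = {SEED: 5000.0, EXCHANGE: 10000.0}  # constructed starting balances
TRANSFERS = [
    Transfer(1, SEED, A, 1000.0),      # A receives stolen ETH
    Transfer(2, EXCHANGE, A, 1000.0),  # A also receives clean ETH -> 50% tainted
    Transfer(3, A, B, 500.0),          # B inherits A's 50% share
    Transfer(4, EXCHANGE, C, 300.0),   # C receives only clean ETH
]


def run_taint(transfers, initial_balances, seed):
    """Replay transfers; return (balance, tainted) per lowercase address."""
    balance, tainted = defaultdict(float), defaultdict(float)
    for addr, amt in initial_balances.items():
        balance[addr.lower()] = amt
    tainted[seed.lower()] = balance[seed.lower()]   # seed is fully tainted
    for t in sorted(transfers, key=lambda x: x.block):
        s, r = t.sender.lower(), t.receiver.lower()
        share = tainted[s] / balance[s] if balance[s] else 0.0
        dirty = t.amount * share
        balance[s] -= t.amount; tainted[s] -= dirty
        balance[r] += t.amount; tainted[r] += dirty
    return balance, tainted


def screen_deposit(balance, tainted, sender, threshold=0.05):
    """Return (flagged, tainted_fraction) for funds arriving from sender."""
    s = sender.lower()
    frac = tainted[s] / balance[s] if balance[s] else 0.0
    return frac >= threshold, round(frac, 4)
```

In practice the seed set is the full list of attacker-controlled addresses published by a tracking service, and the replay runs over real chain data rather than the constructed transfers above.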
Tracing analysis
Analysis of 0x457 in the fund flow found that the address was linked to the BingX exchange theft in October 2024 and the Phemex exchange theft in January 2025, indicating that the same entity was behind all three attacks.
Given the highly industrialized laundering techniques and attack methods, some blockchain security practitioners have attributed the incident to the notorious Lazarus Group, which over the past few years has launched multiple cyberattacks against institutions and infrastructure in the crypto industry and illegally seized billions of dollars in cryptocurrency.
Freeze crisis
In its investigations over the past few years, Bitrace has found that, in addition to using unlicensed industry infrastructure to launder funds, the group also dumps large amounts through centralized platforms. As a direct result, many exchange users who knowingly or unknowingly receive stolen funds have their accounts placed under risk control, and the business addresses of OTC merchants and payment institutions are frozen by Tether.
In 2024, the Japanese cryptocurrency exchange DMM was attacked by Lazarus, and Bitcoin worth up to $600 million was illegally transferred. Part of the funds was bridged to HuionePay, a cryptocurrency payment provider in Southeast Asia, whose hot wallet address was then frozen by Tether, locking more than US$29 million in value that could not be moved.
In 2023, Poloniex was attacked, again with the Lazarus Group as the suspected perpetrator, and funds worth more than US$100 million were illegally transferred. Some of the funds were laundered through over-the-counter trading, resulting in the business addresses of a large number of OTC vendors being frozen, or the exchange accounts used to hold their business funds being placed under risk control, which severely disrupted their business.
Summary
Frequent hacking incidents have caused huge losses to the industry, and the laundering that follows contaminates ever more personal and institutional addresses. Innocent parties and potential victims should pay closer attention to such threatening funds in their business activities to avoid being affected themselves.