Slow Fog: Analyzing the hacking techniques and questions behind the stolen $1.5 billion by Bybit

Author: Slow Fog Safety Team

background

On the evening of February 21, 2025, Beijing time, according to the detective ZachXBT on the chain, a large-scale capital outflow occurred on the Bybit platform. The incident led to theft of more than US$1.46 billion, becoming the largest cryptocurrency theft in recent years.

On-chain tracking analysis

After the incident, the Slow Fog Security Team immediately issued a security reminder and conducted a tracking and analysis of the stolen assets:

According to the analysis of the Slow Fog Security Team, the stolen assets mainly include:

• 401,347 ETH (valued at approximately US$1.068 billion)
• 8,000 mETH (valued at approximately US$26 million)
• 90,375.5479 stETH (valued at approximately US$260 million)
• 15,000 cmETH (valued at approximately US$43 million)

We used on-chain tracking and anti-money laundering tool MistTrack to analyze the initial hacker address 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2 to obtain the following information:

ETH is transferred decentralizedly, and the initial hacker address disperses 400,000 ETH to 40 addresses in a format of 10,000 ETH, and is continuing to transfer.

Among them, 205 ETH is replaced by Chainflip to BTC and cross-chain to the address bc1qlu4a33zjspefa3tnq566xszcr0fvwz05ewhqfq.

cmETH flow direction: 15,000 cmETH is transferred to address 0x1542368a03ad1f03d96D51B414f4738961Cf4443. It is worth noting that mETH Protocol posted on X that in response to the Bybit security incident, the team suspended cmETH withdrawals in a timely manner, preventing unauthorized withdrawals. mETH Protocol successfully recycled 15,000 cmETH from the hacker address.

mETH and stETH transfer: 8,000 mETH and 90,375.5479 stETH are transferred to address 0xA4B2Fd68593B6F34E51cB9eDB66E71c1B4Ab449e, and then exchanged to 98,048 ETH through Uniswap and ParaSwap, and then transferred to 0xdd90071d52f20e85c89802e5dc1ec0a7b6475f92. Address 0xdd9 distributes ETH to 9 addresses in the format of 10,000 ETH, and has not yet Transfer out.

In addition, the address 0x0fa09C3A328792253f8dee7116848723b72a6d2e of the initial attack was traced to the address 0x0fa09C3A328792253f8dee7116848723b72a6d2e of the hacker launched in the attack method analysis section, and found that the initial fund of the address was from Binance.

Currently, the initial hacker address is 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2 balance is 1,346 ETH, we will continue to monitor the relevant addresses.

After the incident, Slow Fog speculated that the attacker was a North Korean hacker through the attacker's method of obtaining Safe multiple signs and coin washing techniques:

Possible social engineering attack methods:

Using MistTrack analysis, we also found that the hacker address of this event was associated with the BingX Hacker and Phemex Hacker addresses:

ZachXBT also confirmed that the attack was related to the North Korean hacker group Lazarus Group, which has been one of its main activities to carry out transnational cyber attacks and theft of cryptocurrencies. It is understood that the evidence provided by ZachXBT, including test transactions, associated wallets, evidence forensic charts and time analysis, shows that the attacker used common technical means of Lazarus Group in multiple operations. At the same time, Arkham said that all relevant data has been shared with Bybit to help the platform conduct further investigations.

Attack method analysis

At 23:44 that night after the incident, Bybit CEO Ben Zhou issued a statement on X, explaining the technical details of the attack in detail:

Through on-chain signature analysis, we found some traces:

1. The attacker deploys a malicious contract: UTC 2025-02-19 07:15:23, deploys the malicious implementation contract 0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516.

2. Tamper with the logic of Safe contract: UTC 2025-02-21 14:13:35, sign the transaction through three Owners, and replace the Safe contract with a malicious version: 0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882. This introduces the address 0x0fa09C3A328792253f8dee7116848723b72a6d2e, which initiates the initial attack on the hacker.

3. Embed malicious logic: Write malicious logic contracts to STORAGE 0 through DELEGATECALL Storage: 0x96221423681A6d52E184D440a8eFCEbB105C7242.

4. Call the backdoor function to transfer funds: The attacker uses the sweepETH and sweepERC20 functions in the contract to transfer all 400,000 ETH and stETH in the cold wallet (total value of approximately US$1.5 billion) to an unknown address.

From the perspective of attack methods, the hacked incident of WazirX and the hacked incident of Radiant Capital are similar to this attack. The target of these three incidents is Safe's multiple signing wallets. For the hacked incident of WazirX, the attacker also deployed a malicious implementation contract in advance, signed the transaction through three Owners, and wrote the malicious logical contract to STORAGE 0 storage through DELEGATECALL to replace the Safe contract as a malicious implementation contract.

(https://etherscan.io/tx/0x48164d3adbab78c2cb9876f6e17f88e321097fcd14cadd57556866e4ef3e185d)

Regarding the hacked incident of Radiant Capital, according to official disclosure, the attacker used a complex approach that allowed signature verifiers to see seemingly legitimate transactions on the front end, similar to the information disclosed in Ben Zhou's tweet.

(https://medium.com/@RadiantCapital/radiant-post-mortem-fecd6cd38081)

Moreover, the permission checking methods for malicious contracts involved in these three events are the same, and the owner address is hardcoded in the contract to check the contract caller. Among them, the Bybit hacked event is similar to the error message thrown by the permission check of WazirX hacked event.

In this incident, there was no problem with the Safe contract. The problem was in the non-contract part, and the front end was tampered with forged to achieve the deceptive effect. This is not an isolated case. North Korean hackers attacked several platforms in this way last year, such as: WazirX lost $230M and signed multiple signs for Safe; Radiant Capital lost $50M and signed multiple signs for Safe; DMM Bitcoin lost $305M and signed multiple signs for Gonco. This attack method is engineered and mature, so more attention is needed.

According to the official announcement released by Bybit:

(https://announcements.bybit.com/zh-MY/article/incident-update---eth-cold-wallet-incident-blt292c0454d26e9140)

Combined with Ben Zhou's tweets:

The following questions arise:

1. Routine ETH transfer

• The attacker may have obtained the operation information of Bybit's internal financial team in advance and mastered the time point for transferring ETH multiple-sign cold wallets?
• Through the Safe system, induce signers to sign malicious transactions on the forged interface? Was Safe's front-end system broken and taken over?

2. The Safe contract UI has been tampered with

• What the signer sees on the Safe interface is the correct address and URL, but the actual signed transaction data has been tampered with?
• The key question is: Who initiated the signature request first? How safe is its equipment?

With these questions in mind, we look forward to the official disclosure of more investigation results as soon as possible.

Market Influence

Bybit quickly issued an announcement after the incident, promising that all customer assets will be reserved 1:1 and the platform can bear the losses. User withdrawals will not be affected.

At 10:51 on February 22, 2025, Bybit CEO Ben Zhou posted X that it is normal to withdraw money:

Written at the end

The theft once again highlights the severe security challenges facing the cryptocurrency industry. With the rapid development of the crypto industry, hacker organizations, especially national hackers such as Lazarus Group, are continuing to upgrade their attack methods. This incident sounded the alarm for cryptocurrency exchanges. The platform needs to further strengthen security protection and adopt more advanced defense mechanisms, such as multi-factor authentication, crypto wallet management, asset monitoring and risk assessment, to ensure the security of user assets. For individual users, it is also crucial to improve security awareness. It is recommended to prioritize safer storage methods such as hardware wallets to avoid storing large amounts of funds on exchanges for a long time. In this evolving field, only by continuously upgrading the technical defense line can we ensure the security of digital assets and promote the healthy development of the industry.