Author: Spirit
Event Overview
On February 21, 2025, the cryptocurrency exchange Bybit disclosed that its Ethereum multi-signature cold wallet had been subjected to unauthorized activity, resulting in the theft of nearly $1.5 billion in ETH and stETH assets. Preliminary analysis pointed to a carefully planned attack in which the hackers used complex technical means, such as disguising the transaction interface and replacing the wallet's smart contract, to gain control of Bybit's ETH cold wallet and transfer the funds. After the incident, Bybit quickly issued a statement, launched an investigation, and sought external financial support to cope with the wave of user withdrawals. This incident is the largest single theft in the history of cryptocurrency, triggering market shocks and concerns about the security of centralized exchanges.
Event Timeline (HKT, UTC+8)
The following timeline is compiled from public information; all times are given in Hong Kong Time (HKT, UTC+8):
February 19, 2025 15:15 HKT (UTC 07:15): The malicious contract was deployed (contract address: `0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516`). SlowMist team analysis shows that this contract was deployed in advance as a component of the attack.
February 21, 2025 14:13 HKT (UTC 06:13): The hacker used three Owner signatures to initiate a transaction (transaction hash: `0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882`) to replace the Safe implementation contract of the Bybit multi-signature cold wallet with the above malicious contract. This is considered to be a key step in the attack, paving the way for subsequent fund theft.
February 21, 2025 around 23:30 HKT: Abnormal fund transfer occurred in the Bybit Ethereum cold wallet, and about $1.5 billion in ETH and stETH were stolen. X (formerly Twitter) user @OrdzWorld was the first to detect abnormal transfers from Bybit cold wallets to warm wallets.
February 21, 2025 23:48 HKT: Bybit CEO Ben Zhou posted on social media, admitting that unauthorized ETH cold wallet transfers occurred, and initially determined it to be a "blocking UI spoofing attack", and emphasized that other cold wallets are safe and withdrawals are normal.
February 21, 2025 23:51 HKT: Bybit official account @Bybit_Official issued an official statement on the X platform, confirming that unauthorized activity on its ETH multi-signature cold wallet was detected, and stated that the attacker manipulated the transaction through a complex attack that disguised the signing interface. Bybit announced that it has launched an investigation and emphasized the safety of user funds.
February 22, 2025 00:11 HKT: Bybit CEO Ben Zhou posted again, emphasizing that Bybit has solvency and user assets are 1:1 guaranteed.
February 22, 2025 01:00 HKT: The SlowMist team @SlowMist_Team disclosed more technical details on the X platform, pointing out that the malicious contract was deployed as early as February 19, and the attacker used the backdoor functions `sweepETH` and `sweepERC20` and the `DELEGATECALL` logic to carry out the theft.
February 22, 2025 01:07 HKT: X user @web3golder reported that Bybit was facing a wave of user withdrawals, and some of the stolen assets had been exchanged for ETH on decentralized exchanges (DEX), exacerbating market concerns.
February 22, 2025 01:24 HKT: BitMart founder Sheldon posted on the X platform that BitMart has frozen the relevant addresses and will assist Bybit in recovering the assets.
February 22, 2025 01:39 HKT: Security team Beosin analyzed that the transaction fees of the hacker's initial attack address were funded from the Binance exchange.
February 22, 2025 05:23 HKT: Chain detective ZachXBT (@ZachXBT) posted on the X platform and submitted an evidence report, preliminarily confirming that the attack was planned by the North Korean hacker organization Lazarus Group. Arkham Intelligence forwarded the information.
February 22, 2025 07:27 HKT: Bybit official X platform posted that it has reported the case to the relevant authorities and is working with on-chain analysis providers to identify and isolate the addresses involved and prevent hackers from selling ETH.
February 22, 2025 09:09 HKT: On-chain data analyst Ember (@EmberCN) observed that Bitget supported Bybit with a loan of 40,000 ETH to ease withdrawal pressure.
February 22, 2025 09:14 HKT: Bitget CEO Gracy Chen posted on the X platform in support of Bybit, saying that Bybit's customer funds were believed to be safe and there was no need to panic.
February 22, 2025 09:21 HKT: Web3 audit agency Hacken released a reserve proof update, saying that Bybit's reserves still exceeded liabilities and user funds were fully supported. Bybit CEO Ben Zhou responded that Hacken's audit proved that Bybit had the ability to compensate customers for losses.
February 22, 2025 09:28 HKT: KuCoin CEO BC Wong expressed support for Bybit and said that KuCoin has assisted in monitoring the flow of funds and freezing suspicious assets.
February 22, 2025 09:30 HKT: Binance founder Zhao Changpeng (CZ) responded on social media that Binance itself had not lent funds to Bybit, and that the fund transfer in question may have been the personal action of a whale.
February 22, 2025 09:35 HKT: The multi-signature wallet protocol Safe issued an official statement saying that no leak of its code base was found and that Safe functionality has been suspended for a thorough inspection.
February 22, 2025 09:38 HKT: On-chain monitoring shows that MEXC hot wallets transferred 12,600 stETH to Bybit cold wallets, providing further liquidity support.
February 22, 2025 09:55 HKT: Bybit CEO Ben Zhou said that Bybit is transferring 2.95 billion USDT from cold wallets to hot wallets as a planned operation, not another hack.
Support from all parties and liquidity response
Bybit took quick action after the incident and sought support from multiple parties to cope with the potential liquidity crisis and user trust crisis:
Bitget's ETH loan: Bitget urgently lent 40,000 ETH (about 105.9 million US dollars) to Bybit, which was directly transferred to Bybit's cold wallet address to alleviate the pressure on users to withdraw money. This loan reflects the spirit of mutual assistance between exchanges in the same industry.
Bridge Loan: Bybit CEO Ben Zhou revealed that a bridge loan agreement has been reached with partners, with an amount of about 80% of the value of the stolen ETH (about 1.12 billion US dollars). The specific source of the loan has not been made public, but it may include Bitget's borrowing. As a short-term financing tool, bridge loans are designed to quickly replenish liquidity and avoid Bybit's need to immediately purchase a large amount of ETH in the market, causing further market fluctuations.
KuCoin assists in monitoring and freezing: KuCoin CEO said that it has assisted Bybit in monitoring the flow of stolen funds and freezing suspicious assets to try to reduce losses.
Financial audit and proof of solvency: Hacken, the Web3 audit agency that Bybit cooperates with, released an update on the proof of reserves. Bybit's reserves still exceed its liabilities, and user funds can be fully supported. Bybit CEO Ben Zhou also said that Bybit is solvent and user assets are 1:1 guaranteed. Even if the losses in the hacking incident cannot be recovered, Bybit can compensate users for their losses.
User withdrawal processing: Bybit CEO said that the platform withdrawal function is operating normally, and emphasized that 99.994% of withdrawal requests have been completed, but admitted that there may be delays in processing a large number of withdrawal requests.
Event background and industry trends
Bybit Exchange Overview: Bybit was founded in 2018 and is headquartered in Singapore. It is a cryptocurrency exchange mainly engaged in derivatives trading. It has more than 10 million users and has a certain influence in the industry.
Frequent cryptocurrency thefts: In recent years, centralized exchanges have become high-value targets for hacker attacks due to their concentrated funds. In 2024, the amount of cryptocurrency stolen worldwide reached $2.3 billion, and the amount stolen from Bybit in this incident exceeded 60% of the amount stolen in the industry last year, highlighting the severity of the industry's security situation. Previously, well-known projects such as Ronin Network have also suffered large-scale thefts, indicating that hacker attack techniques are constantly evolving and centralized platforms face continuous security challenges.
Early warning and long-term planning: Security agency SlowMist disclosed that the malicious contract was deployed as early as February 19, indicating that the attack was not a temporary act, but was carefully planned and prepared over a long period of time.
Analysis of the cause of the incident
Technical vulnerabilities and social engineering attacks:
Preliminary analysis shows that the attacker may have exploited the signature process vulnerability of the Bybit multi-signature cold wallet, and tricked the multi-signature Owner into signing malicious transactions by disguising the transaction interface and replacing the Safe implementation contract.
The attacker may have combined social engineering means (refer to the attack in October last year), such as compromising a signer's computer or the communication link in between, to replace the normal transaction request with a malicious one and lower the signers' vigilance.
The `DELEGATECALL` instruction was used in the malicious contract, which may allow malicious code to be executed in the context of the multi-signature wallet, thereby modifying the contract logic and transferring funds.
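The two technical points above, together with the February 21 timeline entry (the Safe implementation contract replaced by a transaction carrying three Owner signatures), come down to what a signer is actually approving. The following added example, written for this article and not code from Bybit, Safe or SlowMist, decodes the calldata of a Safe `execTransaction` call and applies a pre-signing policy from the defender's side: it refuses operation=1 (DELEGATECALL, which runs the target's code inside the wallet's own storage context) and any target that is not on an allowlist, which is the shape of transaction the analysis describes. It assumes the Safe `execTransaction` ABI and its selector `0x6a761202`; all addresses, the allowlist and the sample calldata are constructed placeholders.

```python
"""Pre-signing policy check for a Safe execTransaction call (added example)."""
from dataclasses import dataclass

# Selector of Safe's execTransaction(address,uint256,bytes,uint8,uint256,
# uint256,uint256,address,address,bytes); operation 0 = CALL, 1 = DELEGATECALL.
EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")
OP_CALL, OP_DELEGATECALL = 0, 1

# Constructed placeholder addresses, not the real wallet or attacker contract.
SAFE = "0x" + "11" * 20
TOKEN = "0x" + "22" * 20
UNKNOWN_CONTRACT = "0x" + "33" * 20
ZERO = "0x" + "00" * 20


@dataclass
class SafeTx:
    to: str
    value: int
    data: bytes
    operation: int
    safe_tx_gas: int
    base_gas: int
    gas_price: int
    gas_token: str
    refund_receiver: str
    signatures: bytes


def _uint(w: bytes) -> int:
    return int.from_bytes(w, "big")


def _addr(w: bytes) -> str:
    return "0x" + w[12:].hex()  # an address is right-aligned in its 32-byte word


def _dyn_bytes(args: bytes, offset: int) -> bytes:
    length = _uint(args[offset:offset + 32])
    return args[offset + 32:offset + 32 + length]


def decode_exec_transaction(calldata: bytes) -> SafeTx:
    """Decode the ABI-encoded calldata a signer is being asked to approve."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction call")
    args = calldata[4:]
    if len(args) < 10 * 32:
        raise ValueError("calldata too short for the execTransaction head")
    word = lambda i: args[32 * i:32 * (i + 1)]
    return SafeTx(
        to=_addr(word(0)), value=_uint(word(1)),
        data=_dyn_bytes(args, _uint(word(2))), operation=_uint(word(3)),
        safe_tx_gas=_uint(word(4)), base_gas=_uint(word(5)), gas_price=_uint(word(6)),
        gas_token=_addr(word(7)), refund_receiver=_addr(word(8)),
        signatures=_dyn_bytes(args, _uint(word(9))),
    )


def encode_exec_transaction(tx: SafeTx) -> bytes:
    """ABI-encode a SafeTx; used here only to build the constructed samples."""
    w_uint = lambda v: v.to_bytes(32, "big")
    w_addr = lambda a: bytes(12) + bytes.fromhex(a[2:])
    dyn = lambda b: w_uint(len(b)) + b + bytes((-len(b)) % 32)  # length word + padded bytes
    head_size = 10 * 32
    data_enc = dyn(tx.data)
    head = [w_addr(tx.to), w_uint(tx.value), w_uint(head_size), w_uint(tx.operation),
            w_uint(tx.safe_tx_gas), w_uint(tx.base_gas), w_uint(tx.gas_price),
            w_addr(tx.gas_token), w_addr(tx.refund_receiver),
            w_uint(head_size + len(data_enc))]
    return EXEC_TRANSACTION_SELECTOR + b"".join(head) + data_enc + dyn(tx.signatures)


def check_policy(tx: SafeTx, safe_address: str, allowed_targets: set) -> list:
    """Return the reasons a signer should refuse; an empty list means the check passes."""
    findings = []
    if tx.operation == OP_DELEGATECALL:
        findings.append("operation=1 (DELEGATECALL): the target's code would run in the "
                        "Safe's own storage context and could overwrite the implementation slot")
    elif tx.operation != OP_CALL:
        findings.append(f"unknown operation {tx.operation}")
    if tx.to.lower() == safe_address.lower():
        findings.append("target is the Safe itself (self-call, i.e. a configuration change)")
    elif tx.to.lower() not in {a.lower() for a in allowed_targets}:
        findings.append(f"target {tx.to} is not on the allowlist")
    return findings


def benign_calldata() -> bytes:
    """Constructed sample: a plain ERC-20 transfer(address,uint256) to an allowlisted token."""
    tx = SafeTx(TOKEN, 0, bytes.fromhex("a9059cbb") + bytes(64), OP_CALL, 0, 0, 0, ZERO, ZERO, b"")
    return encode_exec_transaction(tx)


def delegatecall_calldata() -> bytes:
    """Constructed sample: a DELEGATECALL to an unknown contract, the shape the analysis describes."""
    tx = SafeTx(UNKNOWN_CONTRACT, 0, bytes.fromhex("deadbeef"), OP_DELEGATECALL, 0, 0, 0, ZERO, ZERO, b"")
    return encode_exec_transaction(tx)


if __name__ == "__main__":
    for name, cd in (("benign", benign_calldata()), ("delegatecall", delegatecall_calldata())):
        print(name, check_policy(decode_exec_transaction(cd), SAFE, {TOKEN}) or "OK")
```

A check like this has to run against the raw calldata (or the EIP-712 SafeTx fields) shown on the signing device itself, not against what a web interface renders, because a disguised interface is precisely what the analysis says the signers were shown.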
Inherent risks of centralized exchanges:
As centralized custodians of user funds, centralized exchanges naturally have the risk of "single point failure" and are easily targeted by hackers. Bybit CEO Ben Zhou publicly acknowledged this inherent vulnerability of CEX as early as 2020.
External environmental factors:
The overall recovery of the cryptocurrency market in February 2025 and the rise in ETH prices may have stimulated hackers' motivation to steal.
Other crypto platforms (such as ZkLend) have also been attacked recently, reflecting that the overall security environment of the industry may be deteriorating.
Impact of the incident
Direct impact on Bybit:
Massive financial losses: $1.5 billion in assets were stolen, accounting for a large proportion of Bybit's ETH deposits (about 75%), causing direct economic losses to the exchange.
User trust crisis and withdrawal tide: Large-scale theft incidents may trigger a crisis of trust in the security of the Bybit platform, leading to concentrated withdrawals by users and putting huge pressure on the platform's liquidity.
Short-term fluctuations in ETH prices: After the incident, the ETH price fell by about 3% in the short term, reflecting the market's negative sentiment towards the incident.
Reputational damage: Although Bybit actively responded and emphasized solvency, this incident undoubtedly had a certain negative impact on Bybit's reputation.
Impact on the cryptocurrency industry:
Intensified CEX trust crisis: The Bybit incident further exacerbated users' concerns about the security of centralized exchanges, which may prompt some users to transfer funds to decentralized exchanges (DEX) or choose safer asset custody solutions.
Regulatory pressure may increase: Historically, large-scale exchange security incidents have often attracted the attention and intervention of regulators. The Bybit incident may prompt regulators in various countries to strengthen security audits and compliance supervision requirements for CEX.
Promote industry security upgrades: This incident may become an important turning point in the field of crypto security, prompting exchanges, security agencies and developer communities to jointly promote the comprehensive upgrade of technical security and governance mechanisms, and improve the overall security level of the industry.
Possible discussion on Ethereum forks: Coinbase director Conor Grogan and cryptocurrency industry figure Arthur Hayes publicly discussed whether this incident may trigger a discussion on Ethereum forks similar to the DAO incident. Although the call for forks may be more radical, it also reflects the severity of the incident and the potential consideration of extreme situations in the industry.
Responses from all parties in the industry
Bybit official: Bybit CEO Ben Zhou quickly disclosed the details of the incident after the incident, and communicated with users through social media, live broadcasts, etc., emphasizing the platform's solvency and normal operations, trying to regain user trust with transparency and active communication. Bybit officially stated that it has reported the case to the relevant authorities and is working with security agencies to investigate and track funds.
Audit security agencies: Blockchain security companies such as SlowMist and Beosin quickly intervened after the incident, analyzed the technical details of the attack, assisted Bybit in tracking the stolen funds, and issued a security warning to the industry.
Centralized exchange (CEX) peers: Bitget, KuCoin, MEXC and Jucoin Exchanges publicly expressed their support for Bybit and provided financial and technical assistance. BitMart promised to freeze suspicious addresses, and Binance founder Zhao Changpeng also said that Binance is willing to provide assistance if necessary. The collective solidarity and mutual assistance of the industry's leading exchanges show a posture to deal with industry security risks.
Community and analysts: The cryptocurrency community and industry analysts generally expressed concern and worry about this incident. Some users affirmed Bybit's transparent communication, but more users expressed general concerns about CEX security. Analysts pointed out that this incident may prompt CEX to re-examine and improve multi-signature mechanisms, smart contract security audits, and internal security processes.
Summary
The $1.5 billion theft suffered by Bybit Exchange is the largest single loss of funds in the history of the cryptocurrency industry, and once again sounded the alarm for the security risks of centralized exchanges. The hackers' carefully planned attacks, using technical vulnerabilities and social engineering methods, broke through the exchange's multiple security lines, causing huge economic losses and a crisis of trust.
Although Bybit encountered an unexpected security incident, its quick response and relatively open and transparent handling methods effectively alleviated market anxiety. Even more encouraging is that the assistance from peers and the active support of security agencies fully demonstrated the solidarity of the cryptocurrency community to help each other. While this incident reminds us of the risks in the industry, it also shows us the growing maturity and strong resilience of the crypto field.
In the future, the cryptocurrency industry may usher in a comprehensive upgrade in the security field due to this incident. Centralized exchanges need to continue to strengthen their investment in technical security and improve the security protection level of multi-signature wallets, smart contracts, internal risk control, etc. Regulators may also further strengthen compliance supervision of CEX to promote a healthier and more orderly development of the industry. For users, this incident once again reminds users that asset security is always the primary consideration for participating in the cryptocurrency market. It is becoming increasingly important to reasonably diversify risks and choose a safer asset custody solution.
Latest Developments (as of 09:55 HKT on February 22, 2025)
Bybit has cooperated with Web3 audit agency Hacken to issue a reserve certificate to prove the platform's solvency.
Bitget, MEXC and other exchanges continue to provide ETH and stETH loans to Bybit to ease liquidity pressure.
KuCoin assists Bybit in monitoring fund flows and freezing suspicious assets.
Safe officially suspends the Wallet function for a comprehensive security check.
Binance founder Zhao Changpeng clarified that Binance officials did not provide loans to Bybit, and the relevant fund transfers may be the personal behavior of the whale.
Chain detective ZachXBT confirmed that Lazarus Group was the planner of this attack.
The Bybit hackers attempted to unstake cmETH, and the funds were returned by the contract.
Bybit CEO said that all withdrawals have been processed and a complete incident report will be released.