SlowMist: Hacker Techniques and Questions Behind Bybit’s Nearly $1.5 Billion Theft
Background
On February 21, 2025, on-chain investigator ZachXBT disclosed a large-scale fund outflow from the Bybit platform. This incident resulted in the theft of over $1.46 billion, making it the largest cryptocurrency theft in recent years.
On-Chain Tracking and Analysis
Following the incident, the SlowMist security team promptly issued a security alert and launched an investigation to track the stolen assets.
According to the SlowMist security team’s analysis, the stolen assets primarily include:
- 401,347 ETH (~$1.068 billion)
- 8,000 mETH (~$26 million)
- 90,375.5479 stETH (~$260 million)
- 15,000 cmETH (~$43 million)
We used the on-chain tracking and anti-money laundering tool MistTrack (https://misttrack.io/) to analyze the initial hacker address 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2 and obtained the following information:
The stolen ETH is being dispersed. The initial hacker address distributed 400,000 ETH across 40 addresses, each receiving 10,000 ETH, and the transfers are still ongoing.
Among them, 205 ETH was swapped for BTC via Chainflip and bridged to the address bc1qlu4a33zjspefa3tnq566xszcr0fvwz05ewhqfq.
cmETH Flow:
15,000 cmETH was transferred to the address 0x1542368a03ad1f03d96D51B414f4738961Cf4443. Notably, mETH Protocol posted on X, stating that in response to the Bybit security incident, the team promptly suspended cmETH withdrawals, preventing unauthorized transactions. As a result, mETH Protocol successfully recovered 15,000 cmETH from the hacker’s address.
mETH and stETH Transfers:
8,000 mETH and 90,375.5479 stETH were transferred to the address 0xA4B2Fd68593B6F34E51cB9eDB66E71c1B4Ab449e. They were then swapped for 98,048 ETH via Uniswap and ParaSwap before being moved to 0xdd90071d52f20e85c89802e5dc1ec0a7b6475f92.
The 0xdd9 address further dispersed the ETH into 9 addresses, each receiving 10,000 ETH, with no further transfers observed so far.
Additionally, tracing the initial attack address 0x0fa09C3A328792253f8dee7116848723b72a6d2e, as identified in the attack analysis section, revealed that its initial funds originated from Binance.
The initial hacker address 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2 currently holds a balance of 1,346 ETH. We will continue monitoring the associated addresses.
Following the incident, SlowMist promptly analyzed the attacker’s method of obtaining Safe multisig access and their money laundering techniques, leading to the hypothesis that the attacker is a North Korean hacker.
Possible Social Engineering Attack Method:
Using MistTrack for analysis, we also discovered links between the hacker addresses in this incident and those associated with the BingX Hacker and Phemex Hacker.
ZachXBT has also confirmed that this attack was performed by the Lazarus Group, which has long been involved in transnational cyberattacks and cryptocurrency theft.
According to reports, the evidence provided by ZachXBT — including test transactions, linked wallets, forensic charts, and timeline analysis — demonstrates that the attacker repeatedly employed techniques commonly used by Lazarus Group.
Meanwhile, Arkham stated that all relevant data has been shared with Bybit to assist the platform in further investigations.
Attack Method Analysis
At 23:44 on the night of the incident, Bybit CEO Ben Zhou issued a statement on X, providing a detailed explanation of the technical aspects of the attack:
Through on-chain signature analysis, we have identified several traces:
1. Deployment of Malicious Contract:
At 2025-02-19 07:15:23 UTC, the attacker deployed a malicious implementation contract: 0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516.
2. Tampering with Safe Contract Logic:
At 2025-02-21 14:13:35 UTC, the attacker replaced the Safe contract with a malicious version (0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882) by signing a transaction with three Owner accounts. This led to the identification of the initial attack address: 0x0fa09C3A328792253f8dee7116848723b72a6d2e.
3. Embedding Malicious Logic:
Using DELEGATECALL, the attacker injected the malicious logic contract into STORAGE slot 0 (the slot in which the Safe proxy stores its implementation address) at 0x96221423681A6d52E184D440a8eFCEbB105C7242, so that every later call to the wallet executed the attacker's code.
4. Executing Backdoor Functions to Transfer Funds:
The attacker utilized the sweepETH and sweepERC20 functions within the malicious contract to transfer 400,000 ETH and stETH (totaling approximately $1.5 billion) from the cold wallet to unknown addresses.
From a technical perspective, this attack shares similarities with the WazirX and Radiant Capital hacks, as all three incidents targeted Safe multisig wallets.
In the WazirX hack, the attacker also pre-deployed a malicious implementation contract, signed a transaction using three Owner accounts, and used DELEGATECALL to inject the malicious logic contract into STORAGE slot 0, replacing the Safe contract with a compromised version.
For the Radiant Capital hack, according to the official disclosure, the attacker used a sophisticated method that tricked the signature verifier into displaying seemingly legitimate transactions on the frontend. This approach is similar to the details revealed in Ben Zhou’s post.
Moreover, all three incidents involved the same permission-checking mechanism in the malicious contracts, where the owner addresses were hardcoded to verify contract callers. Additionally, the error messages thrown during permission checks in the Bybit and WazirX hacks were also similar.
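To make steps 2 and 3 above concrete, here is an added example (not SlowMist's, Bybit's or Safe's code) of the check a signer or a signing service can run on the raw execTransaction payload before approving it: it ABI-decodes the Safe calldata by hand and flags the DELEGATECALL operation that lets a foreign contract overwrite the proxy's slot 0. The execTransaction selector 0x6a761202 is Safe's real one; every address and the 4-byte selector inside `data` are constructed placeholders, not values from the incident.

```python
from dataclasses import dataclass

EXEC_TRANSACTION_SELECTOR = "6a761202"  # Safe execTransaction(address,uint256,bytes,uint8,...)
CALL, DELEGATECALL = 0, 1               # Safe "operation" argument values

@dataclass
class SafeTx:
    to: str
    value: int
    data: bytes
    operation: int

def _pad32(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % 32)

def _word(buf: bytes, i: int) -> int:
    return int.from_bytes(buf[32 * i:32 * i + 32], "big")

def encode_exec_transaction(tx: SafeTx) -> str:
    """ABI-encode execTransaction calldata (gas fields zero, signatures empty)."""
    data_off = 10 * 32                                  # ten head words precede the tail
    sigs_off = data_off + 32 + len(_pad32(tx.data))     # signatures follow the data bytes
    head = [int(tx.to, 16), tx.value, data_off, tx.operation, 0, 0, 0, 0, 0, sigs_off]
    body = b"".join(w.to_bytes(32, "big") for w in head)
    tail = len(tx.data).to_bytes(32, "big") + _pad32(tx.data) + bytes(32)
    return "0x" + EXEC_TRANSACTION_SELECTOR + (body + tail).hex()

def decode_exec_transaction(calldata: str) -> SafeTx:
    """Recover to/value/data/operation, the fields a signer must verify."""
    raw = bytes.fromhex(calldata.removeprefix("0x"))
    if raw[:4].hex() != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not a Safe execTransaction call")
    args = raw[4:]
    data_off = _word(args, 2)
    data_len = _word(args, data_off // 32)
    data = args[data_off + 32:data_off + 32 + data_len]
    return SafeTx("0x" + args[12:32].hex(), _word(args, 1), data, _word(args, 3))

def review(calldata: str, expected_to: str) -> list[str]:
    """Red flags for a payload presented to signers as a routine ETH transfer."""
    tx = decode_exec_transaction(calldata)
    flags = []
    if tx.operation == DELEGATECALL:
        flags.append("operation=DELEGATECALL: target code runs in the Safe's own storage and can rewrite slot 0")
    if tx.to.lower() != expected_to.lower():
        flags.append(f"to={tx.to} is not the expected recipient {expected_to}")
    if tx.data:
        flags.append(f"non-empty data (selector 0x{tx.data[:4].hex()}) on a plain ETH transfer")
    return flags

# Constructed sample payloads (placeholder addresses, not the incident's).
WARM_WALLET, FAKE_IMPL = "0x" + "11" * 20, "0x" + "22" * 20
ROUTINE = encode_exec_transaction(SafeTx(WARM_WALLET, 10**18, b"", CALL))
TAMPERED = encode_exec_transaction(SafeTx(FAKE_IMPL, 0, bytes.fromhex("aabbccdd") + bytes(32), DELEGATECALL))
```

Hardware-wallet screens and Safe's UI both render these same four fields; a "10,000 ETH transfer" whose decoded operation is 1 and whose `to` is an unknown contract is the shape this incident describes.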
In this incident, the issue stemmed from a manipulated frontend, which was altered to deceive users. This is not an isolated case. North Korean hackers have employed this method to attack multiple platforms over the past year, including:
- WazirX — $230M loss (Safe multisig)
- Radiant Capital — $50M loss (Safe multisig)
- DMM Bitcoin — $305M loss (Ginco multisig)
This attack method has been industrialized and refined, making it a significant threat that requires heightened vigilance.
According to Bybit’s official announcement:
Combined with Ben Zhou’s tweet:
Key Questions Raised:
1. Routine ETH Transfers
- Did the attacker obtain internal financial operation data from Bybit in advance, allowing them to determine the timing of ETH multi-signature cold wallet transfers?
- Through the Safe system, did the attacker trick signers into approving malicious transactions via a spoofed interface? Was the Safe frontend system compromised and taken over?
2. Safe Contract UI Tampering
- Did signers see the correct address and URL on the Safe interface while unknowingly signing altered transaction data?
- The critical question: Who initiated the signing request first? How secure was their device?
With these uncertainties in mind, we look forward to the official disclosure of further investigation results.
Market Impact
Following the incident, Bybit promptly issued an announcement assuring users that all customer assets remain fully backed 1:1 and that the platform can cover the loss. User withdrawals remain unaffected.
On February 22, 2025, at 10:51 (UTC), Bybit CEO Ben Zhou confirmed on X that deposits and withdrawals are operating normally.
Conclusion
This incident once again highlights the severe security challenges faced by the cryptocurrency industry. As the space continues to evolve, hacker groups — especially state-backed actors like Lazarus Group — are constantly advancing their attack methods.
For cryptocurrency exchanges, this serves as a critical wake-up call to enhance security measures, adopt advanced defense mechanisms, and implement multi-factor authentication, secure wallet management, asset monitoring, and risk assessment to safeguard user funds.
For individual users, security awareness is equally crucial. It is highly recommended to prioritize hardware wallets for storage and avoid keeping large amounts of funds on exchanges for extended periods.
In this constantly evolving landscape, only through continuous upgrades in security defenses can the industry ensure digital asset safety and drive sustainable growth.
About SlowMist
SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.
SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) software, MistEye (Security Monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.
By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.