
SlowMist: The hacker methods and questions behind the theft of nearly $1.5 billion from Bybit

Analysis, 1 month ago

Original author: SlowMist Security Team

Background

On the evening of February 21, 2025, Beijing time, according to the on-chain detective ZachXBT, a large-scale capital outflow occurred on the Bybit platform. This incident resulted in the theft of more than 1.46 billion US dollars, making it the largest cryptocurrency theft in recent years.


On-chain tracking analysis

After the incident, the SlowMist security team immediately issued a security alert and started tracking and analyzing the stolen assets.

According to the analysis of the SlowMist security team, the stolen assets mainly include:

  • 401,347 ETH (worth about $1.068 billion)

  • 8,000 mETH (worth about $26 million)

  • 90,375.5479 stETH (worth about $260 million)

  • 15,000 cmETH (worth approximately $43 million)


We used the on-chain tracking and anti-money laundering tool MistTrack to identify the initial hacker address:

0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2

After analysis, the following information was obtained:

ETH was being dispersed: the initial hacker address split 400,000 ETH across 40 addresses in chunks of 1,000 ETH each, and the transfers were still continuing.


Among them, 205 ETH was converted to BTC through Chainflip and transferred to the address:

bc1qlu4a33zjspefa3tnq566xszcr0fvwz05ewhqfq.


cmETH Flows: 15,000 cmETH transferred to:

0x1542368a03ad1f03d96D51B414f4738961Cf4443

It is worth noting that mETH Protocol posted on X that, in response to the Bybit security incident, the team promptly suspended cmETH withdrawals and prevented unauthorized withdrawals. mETH Protocol successfully recovered 15,000 cmETH from the hacker's address.


mETH and stETH transfers: 8,000 mETH and 90,375.5479 stETH were transferred to the following address:

0xA4B2Fd68593B6F34E51cB9eDB66E71c1B4Ab449e

These were then converted to 98,048 ETH through Uniswap and ParaSwap and transferred to:

0xdd90071d52f20e85c89802e5dc1ec0a7b6475f92

The 0xdd90 address then dispersed the ETH to 9 addresses in chunks of 1,000 ETH each; those funds have not been transferred out yet.


In addition, the address from which the hacker launched the initial attack, as described in the attack method analysis section below, is:

0x0fa09C3A328792253f8dee7116848723b72a6d2e

After tracing back, it was found that the initial funds of this address came from Binance.


Current initial hacker address:

0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2

The balance is 1,346 ETH. We will continue to monitor the relevant addresses.
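The dispersal pattern described above (one address splitting a large balance into many equal 1,000 ETH chunks sent to previously unused addresses) is something an exchange or analytics team can flag automatically. The following is an added example, not part of the SlowMist article or of MistTrack; it runs a simple fan-out detector over a constructed list of transfers. The recipient addresses and the two ordinary transfers are made up; only the sender address and the 40 x 1,000 ETH figures come from the article.

```python
"""Fan-out (dispersal) detector over a list of ETH transfers.

Flags a sender that splits funds into many near-equal chunks sent to
addresses with no other on-chain history, the pattern described above.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    sender: str
    recipient: str
    amount_eth: float


@dataclass
class FanoutAlert:
    sender: str
    recipient_count: int
    total_eth: float
    uniform_chunks: bool            # every chunk within tolerance of the mean
    fresh_recipient_ratio: float    # share of recipients with no other activity


def find_fanouts(transfers, min_recipients=10, tolerance=0.05):
    """Return one FanoutAlert per sender whose outgoing transfers look like a dispersal."""
    outgoing = defaultdict(list)
    sources = defaultdict(set)      # recipient -> set of senders that paid it
    all_senders = set()
    for t in transfers:
        outgoing[t.sender.lower()].append(t)
        sources[t.recipient.lower()].add(t.sender.lower())
        all_senders.add(t.sender.lower())

    alerts = []
    for sender, outs in outgoing.items():
        recipients = {t.recipient.lower() for t in outs}
        if len(recipients) < min_recipients:
            continue
        amounts = [t.amount_eth for t in outs]
        mean = sum(amounts) / len(amounts)
        uniform = all(abs(a - mean) <= tolerance * mean for a in amounts)
        # "fresh": paid only by this sender and never seen sending anything
        fresh = sum(1 for r in recipients if sources[r] == {sender} and r not in all_senders)
        alerts.append(FanoutAlert(sender, len(recipients), sum(amounts), uniform, fresh / len(recipients)))
    return alerts


# Constructed sample: 40 x 1,000 ETH chunks from the initial hacker address named
# in the article, plus two ordinary transfers between made-up addresses.
HACKER = "0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2"
SAMPLE = [Transfer(HACKER, f"0x{i:040x}", 1000.0) for i in range(1, 41)]
SAMPLE += [
    Transfer("0x" + "aa" * 20, "0x" + "bb" * 20, 12.5),
    Transfer("0x" + "bb" * 20, "0x" + "cc" * 20, 3.0),
]

if __name__ == "__main__":
    for alert in find_fanouts(SAMPLE):
        print(alert)
```

The thresholds (`min_recipients`, `tolerance`) are tuning knobs; a real deployment would also weight by the age of the sender address and by whether the chunks are later forwarded to bridges or mixers, as the article observes for the Chainflip conversion.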


After the incident, SlowMist immediately speculated that the attacker was a North Korean hacker, based on the attacker's method of obtaining Safe multi-signatures and of laundering the funds, and outlined possible social engineering attack methods (see the screenshots in the original post).

Using MistTrack analysis, we also found that the hacker address in this incident is associated with the BingX Hacker and Phemex Hacker addresses.

ZachXBT also confirmed that the attack was related to the North Korean hacker group Lazarus Group, which has been conducting transnational cyber attacks and stealing cryptocurrencies as one of its main activities. It is understood that the evidence provided by ZachXBT, including test transactions, associated wallets, forensic charts and time analysis, all show that the attacker used common technical means of the Lazarus Group in multiple operations. At the same time, Arkham stated that all relevant data has been shared with Bybit to help the platform further investigate.


Attack Method Analysis

At 23:44 that night, Bybit CEO Ben Zhou released a statement on X explaining the technical details of the attack. Through on-chain signature analysis, we found the following traces:

1. The attacker deployed a malicious contract: at UTC 2025-02-19 07:15:23, a malicious implementation contract was deployed:

0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516

2. Tampering with the Safe contract logic: at UTC 2025-02-21 14:13:35, a transaction signed by three Owners replaced the Safe contract with the malicious version:

0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882

This transaction was submitted from the address that launched the initial attack:

0x0fa09C3A328792253f8dee7116848723b72a6d2e

3. Embedding the malicious logic: the malicious logic contract's address was written into STORAGE slot 0 (the slot that holds the Safe proxy's implementation address) via DELEGATECALL:

0x96221423681A6d52E184D440a8eFCEbB105C7242


4. Calling backdoor functions to transfer funds: the attacker used the sweepETH and sweepERC20 functions in the contract to transfer all 400,000 ETH and the stETH (with a total value of approximately US$1.5 billion) from the cold wallet to an unknown address.
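The chain in steps 2 and 3 hinges on the signers approving an execTransaction whose operation field is 1 (DELEGATECALL) rather than 0 (CALL), so that the target's code runs inside the Safe proxy's own storage and can overwrite slot 0. Two defender-side checks follow from that: decode the raw calldata a signer is asked to approve, independently of whatever the web front end displays, and periodically compare the proxy's slot 0 with the expected singleton. The code below is an added example, not SlowMist's or Safe's own tooling. It assumes the standard Safe execTransaction ABI (selector 0x6a761202); the calldata body, the allowlisted target, and the expected singleton used in the sample are placeholders, while the two contract addresses come from the article. The expected singleton for a real deployment should be taken from the safe-deployments registry.

```python
"""Pre-signing review of a Safe execTransaction call, plus a slot-0 singleton check.

1. decode_exec_transaction / review_safe_tx: decode the calldata a signer is
   about to approve and flag operation=1 (DELEGATECALL) or a non-allowlisted target;
2. singleton_matches: compare the proxy's storage slot 0 (as returned by
   eth_getStorageAt) with the expected implementation address.
"""
from dataclasses import dataclass

# First 4 bytes of keccak256("execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)")
EXEC_TRANSACTION_SELECTOR = "6a761202"
CALL, DELEGATECALL = 0, 1


@dataclass
class SafeTx:
    to: str
    value: int
    data: bytes
    operation: int


def _word(buf: bytes, index: int) -> int:
    return int.from_bytes(buf[32 * index:32 * (index + 1)], "big")


def _address(buf: bytes, index: int) -> str:
    # an address occupies the low 20 bytes of its 32-byte ABI word
    return "0x" + buf[32 * index + 12:32 * (index + 1)].hex()


def _dynamic_bytes(buf: bytes, offset: int) -> bytes:
    length = int.from_bytes(buf[offset:offset + 32], "big")
    return buf[offset + 32:offset + 32 + length]


def decode_exec_transaction(calldata_hex: str) -> SafeTx:
    """Decode the fields a signer must verify by eye: to, value, data, operation."""
    raw = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if raw[:4].hex() != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not a Safe execTransaction call")
    args = raw[4:]
    return SafeTx(
        to=_address(args, 0),
        value=_word(args, 1),
        data=_dynamic_bytes(args, _word(args, 2)),
        operation=_word(args, 3),
    )


def review_safe_tx(tx: SafeTx, allowed_targets) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    if tx.operation == DELEGATECALL:
        findings.append(
            "operation=1 (DELEGATECALL): the target's code runs in the Safe's own "
            "storage context and can overwrite slot 0, the singleton address"
        )
    if tx.to.lower() not in {a.lower() for a in allowed_targets}:
        findings.append(f"target {tx.to} is not an allowlisted contract")
    return findings


def singleton_matches(slot0_word_hex: str, expected_singletons) -> bool:
    """True if the address held in proxy slot 0 is one of the expected singletons."""
    stored = "0x" + format(int(slot0_word_hex, 16), "064x")[24:]
    return stored.lower() in {a.lower() for a in expected_singletons}


def encode_exec_transaction(to: str, value: int, data: bytes, operation: int) -> str:
    """ABI-encode an execTransaction call (gas fields zeroed, empty signatures), for test vectors."""
    def word(n: int) -> bytes:
        return n.to_bytes(32, "big")

    def addr(a: str) -> bytes:
        return bytes(12) + bytes.fromhex(a.removeprefix("0x"))

    def dyn(b: bytes) -> bytes:
        return word(len(b)) + b + bytes((-len(b)) % 32)

    data_off = 10 * 32                       # head is 10 static words
    sigs_off = data_off + len(dyn(data))
    head = (addr(to) + word(value) + word(data_off) + word(operation)
            + word(0) + word(0) + word(0) + addr("0" * 40) + addr("0" * 40) + word(sigs_off))
    return "0x" + EXEC_TRANSACTION_SELECTOR + (head + dyn(data) + dyn(b"")).hex()


# Constructed sample modelled on step 3 above: a DELEGATECALL to the logic
# contract address named in the article; the calldata body is made up.
MALICIOUS_LOGIC = "0x96221423681A6d52E184D440a8eFCEbB105C7242"
MALICIOUS_IMPL = "0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516"
ALLOWED_TARGETS = ["0x" + "11" * 20]     # placeholder for the wallet's known counterparties
SUSPICIOUS_CALLDATA = encode_exec_transaction(MALICIOUS_LOGIC, 0, bytes.fromhex("deadbeef"), DELEGATECALL)
ROUTINE_CALLDATA = encode_exec_transaction(ALLOWED_TARGETS[0], 10**18, b"", CALL)

if __name__ == "__main__":
    for name, calldata in (("suspicious", SUSPICIOUS_CALLDATA), ("routine", ROUTINE_CALLDATA)):
        print(name, review_safe_tx(decode_exec_transaction(calldata), ALLOWED_TARGETS))
```

The point of decoding from raw calldata is that it does not depend on the Safe web interface: a signer who pastes the bytes shown on a hardware wallet's screen into this review gets the same answer whether or not the front end has been tampered with. Routine treasury transfers never need operation=1, so a policy of rejecting any DELEGATECALL outright is a reasonable default for a cold wallet.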

From the perspective of attack methods, the WazirX hacking incident and the Radiant Capital hacking incident are similar to this attack. The targets of these three incidents are all Safe multi-signature wallets. In the WazirX hacking incident, the attacker also deployed a malicious implementation contract in advance, signed transactions through three owners, and wrote the malicious logic contract to STORAGE 0 through DELEGATECALL to replace the Safe contract with the malicious implementation contract.


(https://etherscan.io/tx/0x48164d3adbab78c2cb9876f6e17f88e321097fcd14cadd57556866e4ef3e185d)

Regarding the Radiant Capital hack, according to official disclosures, the attacker used a complex method to make the signature verifier see seemingly legitimate transactions on the front end, which is similar to the information disclosed in Ben Zhou's tweet.

(https://medium.com/@RadiantCapital/radiant-post-mortem-fecd6cd38081)

The permission check in the malicious contracts involved in these three incidents is the same: the owner address is hard-coded in the contract and compared against the caller. The error messages thrown by the permission check in the Bybit hacking incident and the WazirX hacking incident are also similar.


In this incident, the Safe contract itself was fine; the problem was in the non-contract part, where the front end was tampered with and forged to deceive the signers. This is not an isolated case. North Korean hackers attacked several platforms in this way last year: WazirX lost $230M through its Safe multi-signature wallet; Radiant Capital lost $50M through its Safe multi-signature wallet; DMM Bitcoin lost $305M through its Ginco multi-signature wallet. This attack method is mature and needs more attention.

Taking the official announcement released by Bybit (https://announcements.bybit.com/zh-MY/article/incident-update—eth-cold-wallet-incident-blt292c0454d26e9140) together with Ben Zhou's tweet, the following questions arise:

1. Routine ETH transfer

  • Had the attacker obtained the operational information of Bybit's internal financial team in advance and learned the timing of the ETH multi-signature cold wallet transfer?

  • Was the signer induced, through the Safe system, to sign a malicious transaction on a forged interface? Was the Safe front-end system hacked and taken over?

2. Safe contract UI was tampered with

  • Did the signer see the correct address and URL on the Safe interface while the transaction data actually signed had been tampered with?

  • The key question is: who initiated the signature request in the first place? How secure is their device?

With these questions in mind, we look forward to the authorities disclosing more investigation results as soon as possible.

Market Impact

Bybit quickly released an announcement after the incident, stating that all customer assets are backed by 1:1 reserves and that the platform can bear the loss. User withdrawals would not be affected.

At 10:51 on February 22, 2025, Bybit CEO Ben Zhou posted that deposits and withdrawals were back to normal.

Final Words

This theft once again highlights the severe security challenges facing the cryptocurrency industry. With the rapid development of the crypto industry, hacker groups, especially state-level hackers such as the Lazarus Group, are continuously upgrading their attack methods. This incident has sounded the alarm for cryptocurrency exchanges. The platforms need to further strengthen security protection and adopt more advanced defense mechanisms, such as multi-factor authentication, crypto wallet management, asset monitoring and risk assessment, to ensure the safety of user assets. For individual users, it is also crucial to enhance security awareness. It is recommended to give priority to safer storage methods such as hardware wallets to avoid long-term storage of large amounts of funds in exchanges. In this evolving field, only by continuously upgrading the technical defense line can we ensure the security of digital assets and promote the healthy development of the industry.

This article is sourced from the internet: SlowMist: The hacker methods and questions behind the theft of nearly $1.5 billion from Bybit

