Inside the Bybit Hack: An In-Depth Investigation of the $1.5B Breach

admin cys

A Report by CYS Global Remit FinTech Development Unit 

 

On February 21, 2025, a sophisticated cyberattack sent shockwaves through the cryptocurrency world as nearly $1.5 billion worth of Ethereum (ETH) was stolen from Bybit, marking it as the largest crypto hack in history. Detailed forensic reports issued by Bybit, alongside analyses from blockchain experts, have unveiled the intricate tactics employed in this attack, which exploited vulnerabilities in the Safe{Wallet} infrastructure and targeted Bybit’s Ethereum multisig cold wallet. 

How the Hack Unfolded 

The breach came to light when unauthorized transactions were detected on one of Bybit’s Ethereum cold wallets. Forensic investigators found that malicious JavaScript had been injected into Safe{Wallet}’s AWS S3 bucket, altering transaction details during the signing process. This manipulation allowed the attacker to carry out a transaction substitution attack, supported by social engineering. As funds were being transferred from the cold wallet to a warm wallet, the attacker distorted the signing process so that the transaction was “musked”: the user interface showed the correct address while the message actually being signed had been changed. The hacker then redirected the ETH and various wrapped tokens to multiple external addresses, effectively laundering the stolen funds across more than 40 different wallets.
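The failure mode described above is a disagreement between what the operator sees and what the device is asked to sign. The following is an added example (not part of the CYS report and not Safe{Wallet}'s own code) of the independent check a signer can run before approving: decode the payload that actually reaches the signing device and compare it field by field with what the UI displayed. Field names (to, value, data, operation) follow the Safe transaction layout; the token contract, wallet addresses and amounts are constructed for illustration.

```python
# Added example (not part of the CYS report or of Safe{Wallet}'s own code):
# compare the transaction a signing UI displays with the payload actually
# handed to the signer. A "musked" transaction is exactly the case where the
# two disagree. Field names (to, value, data, operation) follow the Safe
# transaction layout; all addresses and amounts below are constructed.

# Well-known 4-byte selector of ERC-20 transfer(address,uint256)
ERC20_TRANSFER_SELECTOR = "a9059cbb"


def encode_erc20_transfer(recipient: str, amount: int) -> str:
    """ABI-encode transfer(recipient, amount) as 0x-prefixed hex calldata."""
    addr_word = recipient.lower().removeprefix("0x").rjust(64, "0")
    return "0x" + ERC20_TRANSFER_SELECTOR + addr_word + format(amount, "064x")


def decode_erc20_transfer(data_hex: str):
    """Return (recipient, amount) if calldata is an ERC-20 transfer, else None."""
    data = data_hex.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64 or data[:8] != ERC20_TRANSFER_SELECTOR:
        return None
    addr_word = data[8:72]
    # An address fills the low 20 bytes of its 32-byte word; the high 12 bytes must be zero.
    if addr_word[:24] != "0" * 24:
        return None
    return "0x" + addr_word[24:], int(data[72:136], 16)


def verify_signing_payload(displayed: dict, payload: dict) -> list:
    """Return human-readable mismatches between what the operator saw (displayed)
    and what the device is being asked to sign (payload). Empty list means match."""
    problems = []
    for field in ("to", "value", "operation"):
        if str(displayed[field]).lower() != str(payload[field]).lower():
            problems.append(f"{field}: displayed {displayed[field]} but signing {payload[field]}")
    # In a Safe transaction, operation 0 is a plain CALL; a routine token transfer
    # never needs anything else, so any other value is a hard stop regardless of the UI.
    if int(payload["operation"]) != 0:
        problems.append(f"operation: payload uses operation {payload['operation']}, expected 0 (CALL)")
    shown = decode_erc20_transfer(displayed["data"])
    signed = decode_erc20_transfer(payload["data"])
    if shown != signed:
        problems.append(f"data: displayed {shown} but signing {signed}")
    return problems


# Constructed scenario: the UI shows a transfer to the warm wallet, but the
# payload reaching the signer names a different recipient.
TOKEN = "0x" + "11" * 20          # constructed token contract address
WARM_WALLET = "0x" + "aa" * 20    # constructed intended destination
OTHER = "0x" + "bb" * 20          # constructed substituted destination

DISPLAYED = {"to": TOKEN, "value": 0, "operation": 0,
             "data": encode_erc20_transfer(WARM_WALLET, 1_000 * 10**18)}
SUBSTITUTED = {**DISPLAYED, "data": encode_erc20_transfer(OTHER, 1_000 * 10**18)}


def example_mismatches() -> list:
    """Mismatches for the constructed scenario; used by the usage below."""
    return verify_signing_payload(DISPLAYED, SUBSTITUTED)


if __name__ == "__main__":
    for problem in example_mismatches():
        print("REFUSE TO SIGN:", problem)
```

The point of the design is that the comparison runs on the raw calldata the hardware device will hash, not on anything rendered by the web front end, so a modified front end cannot make both sides agree. In the constructed scenario the check reports a single mismatch on the recipient encoded in `data`, which is the signal a signer should treat as a reason to stop.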

Technical Breakdown and Forensic Findings 

Forensic analysis indicated that the compromise did not originate from direct access to Bybit’s internal systems. Instead, the signing hosts had cached the malicious JavaScript from Safe{Wallet}, which had been altered just two days before the attack. Chrome browser artifacts on all three signers’ machines corroborated this finding. The malicious script was designed to activate only when transactions were initiated from specific contract addresses, including Bybit’s multisig contract, thereby circumventing the security controls normally expected of a cold wallet environment.
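Because the altered script was served from the provider's hosting and cached on the signing hosts, a defender's check is to verify the cached front-end bundle against digests pinned at audit time before any signing session. The following is an added example (not from the CYS report and not code from Bybit or Safe{Wallet}) that does this using the Subresource Integrity digest format (`sha384-<base64>`), so the same pins could also be placed in `<script integrity="...">` attributes. Asset paths and file contents are constructed.

```python
# Added example (not from the CYS report): verify the front-end bundle a signing
# host has cached against pinned digests before any signing session. It uses the
# Subresource Integrity digest format ("sha384-<base64>") so the same pins could be
# placed in <script integrity="..."> attributes. Asset paths and contents are constructed.
import base64
import hashlib
import hmac


def sri_digest(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI-style integrity string for content, e.g. 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_assets(cached: dict, pinned: dict) -> dict:
    """Compare cached assets (path -> bytes) with pinned digests (path -> SRI string).
    Returns path -> 'ok' | 'modified' | 'missing' | 'unpinned'."""
    report = {}
    for path, expected in pinned.items():
        if path not in cached:
            report[path] = "missing"
            continue
        algo = expected.split("-", 1)[0]
        actual = sri_digest(cached[path], algo)
        report[path] = "ok" if hmac.compare_digest(actual, expected) else "modified"
    # Any asset present on the host but absent from the pin list is a change too.
    for path in cached:
        if path not in pinned:
            report[path] = "unpinned"
    return report


# Constructed bundle contents: what was audited and pinned ...
AUDITED_BUNDLE = b"function submitTx(tx){return signer.sign(tx);}"
STYLES = b"body{font-family:sans-serif}"
PINNED = {
    "/static/app.js": sri_digest(AUDITED_BUNDLE),
    "/static/app.css": sri_digest(STYLES),
}

# ... versus what the host actually holds: app.js differs by a few bytes, and an
# extra script nobody pinned has appeared.
CACHED = {
    "/static/app.js": AUDITED_BUNDLE + b"/* trailing change, constructed */",
    "/static/app.css": STYLES,
    "/static/vendor.js": b"// constructed unpinned file",
}


def example_report() -> dict:
    """Integrity report for the constructed cache; used by the usage below."""
    return verify_assets(CACHED, PINNED)


if __name__ == "__main__":
    for path, status in sorted(example_report().items()):
        print(f"{status:9} {path}")
```

Pinning works only if the digests are recorded from an audited build and kept outside the provider's hosting; a pin fetched from the same bucket as the bundle would be altered along with it. Since the script in this incident stayed dormant except for specific contract addresses, behavioural testing alone would not have exposed it, which is why a byte-level comparison is the appropriate check.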

 

Blockchain records indicated that the attacker first transferred funds from the compromised cold wallet to a warm wallet, thereafter splitting the stolen assets into smaller amounts. According to reports from IBTimes, the stolen assets totaled 401,347 ETH, 90,376 stETH, 15,000 cmETH, and 8,000 mETH. The laundering process involved routing the funds through a series of wallet addresses, cross-chain bridges, mixers, and decentralized exchanges to obscure their origin. 

The Lazarus Group Connection 

Evidence from on-chain analytics and intelligence platforms, including insights from crypto researcher ZachXBT, strongly suggests the involvement of the Lazarus Group—a North Korean state-sponsored hacking organization. Renowned for sophisticated cybercrimes, the Lazarus Group has been linked to multi-billion-dollar thefts and has previously executed state-sponsored hacks and laundered stolen assets through decentralized finance channels. The methods utilized in the Bybit hack, notably transaction substitution and layering techniques, align closely with the Lazarus Group's known tactics, further reinforcing their connection to this incident. 

Recovery Efforts and Industry Response 

In the aftermath of the attack, Bybit rolled out a proactive recovery campaign, offering a 10% bounty on any recovered funds and collaborating with ethical cybersecurity experts for support. According to the blockchain analytics firm Lookonchain, Bybit has successfully “closed the ETH gap,” with recovery efforts relying on loans, whale deposits, and ETH purchases to restore the stolen assets. Additionally, Tether intervened by freezing 181,000 USDT associated with the hack, highlighting a collaborative effort across various sectors of the crypto ecosystem. 

 

Decentralized exchanges, such as Chainflip, have also responded by implementing protocol upgrades to prevent suspicious funds from entering their platforms. This initiative, along with enhanced monitoring and rapid forensic investigations, underscores a broader industry shift toward tightening security measures and reassessing third-party integrations like Safe{Wallet}. 

Looking Ahead 

The Bybit hack serves as a stark reminder that even well-structured multisig and cold wallet systems are at risk when integrated with third-party services. It emphasizes the urgent need for continuous, real-time monitoring, thorough independent audits, and comprehensive security protocol reviews throughout the transaction process. As state-sponsored actors like the Lazarus Group evolve their tactics, the cryptocurrency industry must adapt by strengthening access controls, enhancing on-chain monitoring, and fostering collaboration with cybersecurity experts. 

In the wake of this unprecedented breach, the insights gained from forensic analysis not only act as a wake-up call for exchanges like Bybit but also present an opportunity for the entire digital asset community to reinforce its defenses against future threats. 
