A Report by CYS Global Remit FinTech Development Team
On February 21, 2025, the cryptocurrency world was shaken by a sophisticated breach that resulted in the theft of nearly $1.5 billion worth of Ethereum (ETH) from Bybit, marking it as the largest crypto hack in history. Forensic reports from Bybit, along with analyses by blockchain experts, have illuminated the complex nature of this attack, which targeted vulnerabilities within the Safe{Wallet} infrastructure and Bybit's Ethereum multisig cold wallet.
How the Hack Unfolded
The attack was first detected when unauthorized transactions appeared in one of Bybit's Ethereum cold wallets. Forensic investigations revealed that malicious JavaScript code was injected into Safe{Wallet}’s Amazon Web Services (AWS) S3 bucket, altering transaction details during the signing process. This manipulation allowed the attacker to carry out a transaction substitution attack, employing social engineering tactics. While transferring funds from the cold wallet to a warm wallet, the attacker "musked" the transaction—disguising the actual signing message—so that it appeared legitimate on the user interface. Consequently, the stolen ETH and various wrapped tokens were redirected to multiple external addresses, effectively laundering the funds through over 40 different wallets.
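The substitution described above works because the signer trusts what the front end renders rather than what it actually hands to the key. The following is an added example, not code from the report, from Bybit or from Safe{Wallet}: an out-of-band check that compares the Safe transaction a UI displays against the EIP-712 message passed to the signer. Field names follow the public SafeTx typed-data struct; the Safe, wallet and contract addresses, the chain id and the sample transaction are all constructed placeholders.

```javascript
// Added example (not code from the report, Bybit or Safe{Wallet}): compare the
// Safe transaction a wallet UI displays with the EIP-712 message actually handed
// to the signer, so a substituted payload is caught before any key touches it.
// Field names follow the public SafeTx typed-data struct; sample values are constructed.

const SAFE_TX_FIELDS = ["to", "value", "data", "operation", "safeTxGas",
  "baseGas", "gasPrice", "gasToken", "refundReceiver", "nonce"];
const STRING_FIELDS = new Set(["to", "data", "gasToken", "refundReceiver"]);

// Normalise a field for comparison: hex strings case-insensitively, numbers as BigInt.
function normalize(field, v) {
  return STRING_FIELDS.has(field) ? String(v).toLowerCase() : BigInt(v);
}

// Build the EIP-712 payload an honest front end would pass to eth_signTypedData_v4.
function typedDataFor(chainId, safeAddress, tx) {
  return {
    primaryType: "SafeTx",
    domain: { chainId, verifyingContract: safeAddress },
    message: Object.fromEntries(SAFE_TX_FIELDS.map((f) => [f, tx[f]])),
  };
}

// Returns { ok, findings }: ok only when every signed field equals the displayed
// field, the domain binds the expected Safe, and no delegatecall is requested.
function verifySigningIntent(displayed, typedData) {
  const findings = [];
  if (typedData.primaryType !== "SafeTx") {
    findings.push(`primaryType is ${typedData.primaryType}, expected SafeTx`);
  }
  const vc = String(typedData.domain?.verifyingContract ?? "").toLowerCase();
  if (vc !== displayed.safeAddress.toLowerCase()) {
    findings.push(`domain binds ${vc}, not the displayed Safe`);
  }
  const msg = typedData.message ?? {};
  for (const f of SAFE_TX_FIELDS) {
    if (!(f in msg) || !(f in displayed)) { findings.push(`${f}: missing on one side`); continue; }
    if (normalize(f, msg[f]) !== normalize(f, displayed[f])) {
      findings.push(`${f}: UI shows ${displayed[f]} but signer receives ${msg[f]}`);
    }
  }
  // operation 1 is a delegatecall: it runs foreign code with the Safe's own storage.
  if ("operation" in msg && BigInt(msg.operation) === 1n) {
    findings.push("operation=1 requests a delegatecall, which runs foreign code in the Safe's context");
  }
  return { ok: findings.length === 0, findings };
}

// Constructed sample: a plain ETH transfer from the Safe to a warm wallet.
const SAFE = "0x000000000000000000000000000000000000ABCD";        // constructed
const WARM_WALLET = "0x000000000000000000000000000000000000BEEF"; // constructed
const ZERO = "0x0000000000000000000000000000000000000000";
const DISPLAYED_TX = {
  safeAddress: SAFE, to: WARM_WALLET, value: "1000000000000000000", data: "0x",
  operation: 0, safeTxGas: 0, baseGas: 0, gasPrice: 0,
  gasToken: ZERO, refundReceiver: ZERO, nonce: 42,
};
const HONEST_TYPED_DATA = typedDataFor(1, SAFE, DISPLAYED_TX);
// A substituted payload: the UI is unchanged, but the signer is asked to
// authorise a delegatecall to a different address with different calldata.
const TAMPERED_TYPED_DATA = typedDataFor(1, SAFE, {
  ...DISPLAYED_TX,
  to: "0x000000000000000000000000000000000000D00D", // constructed
  data: "0xdeadbeef",
  operation: 1,
});

console.log(verifySigningIntent(DISPLAYED_TX, HONEST_TYPED_DATA));
console.log(verifySigningIntent(DISPLAYED_TX, TAMPERED_TYPED_DATA));
```

The check is only worth something if `displayed` comes from a source the compromised front end cannot influence, for instance the transaction details as read from the hardware wallet's own screen or from a second, independently built tool; comparing the UI against itself proves nothing.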
Technical Breakdown and Forensic Findings
Investigators determined that the breach did not stem from a direct infiltration of Bybit's internal systems. Instead, all of the signing hosts had cached the malicious JavaScript served by Safe{Wallet}, which had been tampered with just two days before the incident. Evidence collected from the signers' Chrome browsers confirmed the presence of this code. The script was designed to activate only when a transaction originated from particular contract addresses, including Bybit's multisig contract, which let it slip past the standard cold-wallet signing controls.
Blockchain analysis revealed that the attacker initially transferred funds from the compromised cold wallet to a warm wallet before proceeding to split and send the assets. Reports indicate that the stolen assets included 401,347 ETH, 90,376 stETH, 15,000 cmETH, and 8,000 mETH. To obscure the origin of the funds, the attacker utilized a layering process involving multiple wallet addresses, cross-chain bridges, mixers, and decentralized exchanges.
The Lazarus Group Connection
On-chain analytics and insights from crypto researcher ZachXBT strongly suggest involvement by the Lazarus Group—a North Korean state-sponsored hacking organization known for its sophisticated cyber exploits and ties to massive thefts in the past. The techniques employed in this attack, including transaction substitution and layering strategies, align with the group's known methods, reinforcing the connection to the Bybit breach.
Recovery Efforts and Industry Response
In the aftermath of the attack, Bybit launched an extensive recovery campaign, offering a 10% bounty for recovered funds and enlisting support from ethical cybersecurity experts. Blockchain analytics firm Lookonchain confirmed that Bybit successfully “closed the ETH gap,” with recovery efforts involving loans, whale deposits, and ETH purchases to replenish the stolen assets. Additionally, Tether took action by freezing 181,000 USDT linked to the hack, demonstrating a collaborative response from various sectors within the crypto ecosystem.
Decentralized exchanges, such as Chainflip, have also implemented protocol upgrades to prevent suspicious funds from entering their platforms. These actions, coupled with improved monitoring and rapid forensic investigations, represent a significant industry shift towards enhancing security measures and re-evaluating third-party integrations like Safe{Wallet}.
Looking Forward
The Bybit hack serves as a stark reminder that even robust multisig and cold wallet systems can be vulnerable when integrated with third-party services. It highlights the urgent need for continuous, real-time monitoring, rigorous independent audits, and comprehensive reviews of security protocols throughout the entire transaction process. As state-sponsored actors like the Lazarus Group continue to evolve their tactics, the crypto industry must strengthen access controls, enhance on-chain monitoring, and foster collaboration with cybersecurity experts.
In the wake of this unprecedented breach, the lessons learned from the forensic analysis provide an opportunity for exchanges and the broader digital asset community to bolster their defences against future exploits.