Recap of the $1.4 billion robbery from Bybit by hackers

The recent cyberattack on the centralized cryptocurrency exchange Bybit, resulting in the theft of over $1.4 billion USD worth of ETH, perpetrated by a known hacking group, has become the largest recorded cryptocurrency heist in history.

Details of the Cyberattack

On February 21st, the cryptocurrency market was once again destabilized by news of a security breach at the Bybit exchange.

The perpetrators have been identified by on-chain analyst ZachXBT, in conjunction with investigations from various entities including Arkham Intelligence, as the North Korean state-sponsored hacking group, Lazarus Group.

The incident was first detected through on-chain analysis by ZachXBT, who identified suspicious outflows of $ETH and $STETH from the Bybit exchange. These funds were subsequently transferred to a Safe wallet, and the perpetrators then swapped all of the tokens for ETH.

The Safe wallet address used for the swap to ETH, prior to the distribution of funds across multiple other wallets, is: 0xa4b2fd68593b6f34e51cb9edb66e71c1b4ab449e

After tracing these transactions, Bybit, alongside other centralized exchanges and various protocols, flagged and blacklisted the implicated addresses to prevent the liquidation of the illicit assets on the open market.

Source: DeBank

The situation then developed further as the criminals' wallet addresses began to find ways to launder those assets, according to ZachXBT's announcement on Telegram. Specifically, Lazarus Group began to launder money through eXch and to bridge assets to Bitcoin via Chainflip.

Bybit's Response

Ben Zhou, CEO of Bybit, recently issued a statement reassuring the community that the exchange’s hot wallets remain secure and that the attackers compromised only the cold wallets. The incident is explained by the manipulation of signature messages, which altered the smart contract logic of the ETH wallets. As a result, the attackers gained control of the ETH cold wallets and transferred all ETH holdings to external addresses. Zhou further emphasized that all other wallets, excluding the affected ETH cold wallets, remain secure.

Bybit gradually brought everything under control, and Ben Zhou himself announced that withdrawal transactions at Bybit had reopened as normal.
