Bybit Breach Uncovered: Tracing a $1.5 Billion Crypto Heist

Summary
On February 21, 2025, Bybit, one of the leading cryptocurrency exchanges, suffered a massive security breach resulting in the loss of nearly $1.5 billion in Ethereum and various ERC20 tokens—including stETH, mETH, and cmETH—marking the largest digital heist in crypto history. This unprecedented incident sent shockwaves throughout the digital asset landscape, raising concerns about the vulnerability of even the most established platforms.
Early investigations revealed that the exploit was initiated through sophisticated social engineering tactics. Cybercriminals launched targeted phishing attacks against cold wallet signers, deceiving them into approving malicious transactions that replaced the secure multi-signature wallet contract with a compromised version. This critical lapse enabled the unauthorized transfer of 401,346.7688 ETH, 8,000 mETH, 90,375.5479 stETH, and 15,000 cmETH tokens during what appeared to be a routine transaction, with these assets collectively valued at approximately $1.5 billion.

Further analysis indicated potential state-sponsored involvement, with clear links to tactics commonly associated with DPRK-affiliated cybercriminals. Post-attack investigations pointed to a targeted social engineering attack rather than a direct breach of Bybit’s systems. The exploit originated from a compromised developer machine at Safe {Wallet}, which was used to manipulate the wallet’s UI and deceive signers into approving unauthorized transactions.
Evidence shows that addresses used in the Bybit hack overlap with those from previous incidents targeting other major exchanges such as Phemex, Poloniex, and BingX. These recurring connections underscore a coordinated pattern of cyber exploitation and sophisticated laundering methods that point toward a broader, state-linked operation.
In the aftermath of the breach, CEO Ben Zhou went live to address the incident, outlining the immediate measures taken and reassuring the community of a robust recovery plan. The entire Bybit team demonstrated exceptional resilience and swift coordination in mitigating the damage, while the broader crypto industry united in support. Thanks to these collective efforts, Bybit is now on track to achieve a 1:1 asset ratio, reflecting both the strength of its internal response and the solidarity of the global digital asset community.
Key Addresses
Bybit Cold Wallet: 0x1db92e2eebc8e0c075a02bea49a2935bcd2dfcf4
Bybit Main Exploiter: 0x47666fab8bd0ac7003bce3f5c3585383f09486e2
Decoding the Exploit
Preliminary forensic analysis indicates that the breach exploited a critical vulnerability in the transaction signing workflow of Bybit’s Ethereum multisig cold wallet. According to Bybit's official communications, the compromise occurred during what was expected to be a routine transfer from cold to warm storage. The signing interface was "musked"—displaying seemingly legitimate transaction details while the underlying signing payload was surreptitiously altered. This manipulation enabled an unauthorized reconfiguration of the wallet’s smart contract logic, allowing the attacker to redirect funds to an external, unidentified address.

Despite these initial insights, the definitive technical root cause remains undetermined. Bybit’s security team, in collaboration with leading blockchain forensic experts, is investigating whether the vulnerability arose from compromised signing devices, a server-side breach, or a combination of both. Notably, all signers observed an interface with a URL that appeared to originate from Safe {Wallet}, suggesting that the attacker exploited a subtle decoupling between the displayed UI and the actual transaction data—a critical flaw that compromises the integrity of multisig protocols.
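The decoupling described above is exactly what a signer-side cross-check closes: instead of trusting what the web UI renders, the signer compares the raw payload it is about to sign against the transfer it intended, declared out-of-band. The check below is an added illustration, not code from Bybit or Safe; it assumes Safe's transaction fields (to, value, data, operation) and uses a constructed placeholder warm-wallet address.

```python
# Added example (not from the original report): a "what you sign is what you
# see" check for a Safe-style multisig transaction. The signer validates the
# payload actually handed to the signing device against an out-of-band intent.
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1  # Safe "operation" field values


@dataclass(frozen=True)
class SafeTxPayload:
    to: str          # target address
    value: int       # amount in wei
    data: bytes      # calldata; empty for a plain ETH transfer
    operation: int   # 0 = CALL, 1 = DELEGATECALL


@dataclass(frozen=True)
class IntendedTransfer:
    recipient: str
    value: int


def check_payload(payload: SafeTxPayload, intent: IntendedTransfer) -> list[str]:
    """Return every way the payload deviates from the intended plain transfer."""
    problems = []
    if payload.operation != CALL:
        problems.append("operation is DELEGATECALL: can rewrite the wallet's logic")
    if payload.to.lower() != intent.recipient.lower():
        problems.append(f"target {payload.to} != intended {intent.recipient}")
    if payload.value != intent.value:
        problems.append(f"value {payload.value} != intended {intent.value}")
    if payload.data:
        problems.append(f"unexpected calldata {payload.data.hex()} on a plain transfer")
    return problems


# Constructed sample: placeholder addresses and calldata, not values from the report.
WARM_WALLET = "0x" + "aa" * 20
intent = IntendedTransfer(WARM_WALLET, 10_000 * 10**18)
displayed = SafeTxPayload(WARM_WALLET, 10_000 * 10**18, b"", CALL)       # what the UI showed
tampered = SafeTxPayload("0x" + "bb" * 20, 0, bytes.fromhex("deadbeef"),
                         DELEGATECALL)                                   # what was really signed

if __name__ == "__main__":
    print(check_payload(displayed, intent))  # [] -> safe to sign
    for p in check_payload(tampered, intent):
        print("REJECT:", p)
```

The intent must come from a channel the web front end cannot influence (a signed ticket, a hardware-wallet display with clear signing, or a second out-of-band approval), otherwise the check only re-validates the compromised UI.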
In a separate update, Safe{Wallet} confirmed via social media that its codebase remains unmodified, with no evidence of malicious dependencies or unauthorized infrastructure access, and that no additional Safe addresses have been affected. Similar exploit techniques have been observed in recent breaches at other major exchanges such as Phemex, Poloniex, and BingX, indicating a potential pattern linked to state-sponsored threat actors like the Lazarus Group, which are known for employing sophisticated front-end manipulation methods.
In response to the breach, CEO Ben Zhou and the Bybit team have maintained transparent communication and executed rapid containment measures. While confirming that the compromised cold wallet was the sole affected asset, Bybit has continued normal withdrawal operations—processing over 350,000 withdrawal requests—to ensure customer fund security.
Forensic analysis suggests that the stolen ETH is being laundered into Bitcoin via platforms such as Chainflip, eXch, and THORChain; Chainflip has pledged to assist, whereas eXch and THORChain have only echoed Bybit’s request for support. This laundering technique mirrors known state-sponsored strategies, wherein illicit funds are converted to ETH, bridged to BTC through mixers and cross-chain solutions like Tornado Cash, eXch, and routed through Asian exchanges.
Further forensic analysis by investigation firms and on-chain researchers identified the actual cause of the breach: a malicious JavaScript injection into a resource served from Safe {Wallet}'s AWS S3 bucket. This exploit manipulated the UI, deceiving signers into authorizing altered transactions. Safe later acknowledged the issue, confirming the compromise and releasing an update on X detailing their findings and implemented security measures. However, their report leaves several critical questions unanswered, particularly regarding how the attacker gained access to the S3 bucket and whether similar vulnerabilities persist.
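A script swapped at the hosting layer, as described above, is the failure mode Subresource Integrity (SRI) and release-time hash pinning are meant to catch. The verifier below is an added example, not Safe's or Bybit's code; the manifest URL and the JavaScript bundle are constructed placeholders.

```python
# Added example (not from the original report): verify front-end assets against
# a pinned Subresource Integrity (SRI) manifest so that a bundle modified in
# the bucket or at the CDN edge is flagged instead of silently served.
import base64
import hashlib


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI string such as 'sha384-<base64 digest>' for the content."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def verify_assets(manifest: dict[str, str], served: dict[str, bytes]) -> dict[str, str]:
    """Compare each served asset body to its pinned SRI value.
    Returns {url: 'ok' | 'TAMPERED' | 'MISSING'}."""
    report = {}
    for url, pinned in manifest.items():
        body = served.get(url)
        if body is None:
            report[url] = "MISSING"
            continue
        algo = pinned.split("-", 1)[0]          # algorithm is encoded in the pin
        report[url] = "ok" if sri_hash(body, algo) == pinned else "TAMPERED"
    return report


# Constructed sample: the manifest is generated at release time from the
# known-good bundle and re-checked by an external monitor against what is served.
ASSET_URL = "https://example.invalid/app.js"   # placeholder, not a real resource
GOOD_BUNDLE = b"export function buildSafeTx(t){return {to:t.to,value:t.value}}"
MANIFEST = {ASSET_URL: sri_hash(GOOD_BUNDLE)}
# The same file after one line is appended at the hosting layer.
INJECTED = GOOD_BUNDLE + b"\n/* injected */ window.__hook = 1;"


def run_demo() -> dict[str, str]:
    return verify_assets(MANIFEST, {ASSET_URL: INJECTED})


if __name__ == "__main__":
    print(run_demo())  # {'https://example.invalid/app.js': 'TAMPERED'}
```

If the HTML that carries the `integrity` attributes lives in the same bucket as the bundle, an attacker with write access can rewrite both, so the manifest comparison has to run from a monitor outside that hosting path.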
Bybit has launched a $150M bounty to aid fund recovery, with $2.17M USDT already paid to 11 contributors, including Mantle, Paraswap, and ZachXBT. As of March 4, nearly 500K ETH has been laundered to Bitcoin, where 77% of the stolen $1.4B remains traceable, 20% has gone dark, and 3% is frozen. The hacker converted 83% (~$1B) to BTC via THORChain (72% traceable), while 16% (~$180M) disappeared through eXch and 8% (~$100M) moved through OKX Web3 Proxy, with $65M still untraceable.
Onchain Activity
Using Blockscope's Tracer tool, our analysis has uncovered a complex network of intermediary wallets designed to obscure the movement of the stolen funds. Initially, the exploiter partitioned the compromised assets by splitting the stolen ETH into multiple distinct wallets while consolidating all stolen ERC20 tokens—namely stETH, cmETH, and mETH—into just two primary addresses.

Subsequent on-chain tracking reveals that approximately 401,000 ETH was distributed among 40 intermediary wallets.

The attacker then leveraged multiple DeFi protocols, including Paraswap, Uniswap, DODO, and Lido, to swap all the ERC20 tokens into ETH.

Currently, the exploiters are executing multi-layered laundering which not only complicates asset tracing but also highlights the sophisticated techniques employed to disguise the fund flow and impede recovery efforts. Cross-chain bridges like Chainflip and protocols like eXch and Thorchain are being used to convert the stolen ETH to BTC.


Breakdown and Timeline
February 21, 2025, 14:16 UTC
The exploit began with the attacker’s primary wallet, 0x0fa09c3a328792253f8dee7116848723b72a6d2e, which initiated a transaction by calling Bybit's cold wallet at 0x1db92e2eebc8e0c075a02bea49a2935bcd2dfcf4 and transferring 401,346.7688 ETH. This transaction confirms that the attacker had already breached the cold wallet’s security, gaining unauthorized access and executing a direct fund transfer.
Tx. hash: 0xb61413c495fdad6114a7aa863a00b2e3c28945979a10885b12b30316ea9f072c

February 21, 2025; 14:41 - 15:12 UTC
Within a few minutes, the exploiter drained 10,000, 50,000, and 30,375.5479 stETH in three separate transactions, transferring them to its intermediary wallet 0xa4b2fd68593b6f34e51cb9edb66e71c1b4ab449e. Meanwhile, at 15:10 UTC, the exploiter also transferred 8,000 mETH to the same wallet.

February 21, 2025; 15:23 UTC
The exploit escalated when the attacker drained 15,000 cmETH—valued at approximately $43 million—and transferred it to the intermediary wallet 0x1542368a03ad1f03d96d51b414f4738961cf4443.

February 21, 2025; 14:56 - 15:54 UTC
Following the breach, the attacker distributed the stolen ETH across approximately 40 distinct wallets, with roughly 10,000 ETH allocated to each.

February 21, 2025; 14:29 UTC
The attacker then converted all stolen stETH, mETH, and cmETH into ETH using various DeFi protocols—including Uniswap, Paraswap, DODO, and Lido—ultimately acquiring approximately 98,048.7948 ETH. This amount was subsequently distributed among multiple wallets, each receiving roughly 10,000 ETH.


Obfuscation and Laundering
At present, our on-chain analysis and watchtower indicate that the exploiters are actively laundering funds through eXch and THORChain, following a laundering pattern consistent with tactics historically associated with North Korean threat actors.
Intermediary wallets holding approximately 10,000 ETH are systematically distributing funds to multiple addresses, while wallets with balances under 100 ETH are funneled through eXch and converted into Bitcoin, effectively obfuscating the illicit asset trail.
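The fan-out pattern described above (large parking wallets holding roughly 10,000 ETH, small wallets under 100 ETH forwarding to a swap service) can be recognised mechanically once the transfers are in hand. The tracer below is an added illustration, not Blockscope's Tracer or Watchtower code; the addresses and amounts are constructed labels, not on-chain values.

```python
# Added example (not from the original report): follow funds outward from a
# seed address over constructed transfer records and label each reachable
# wallet by the laundering role the report describes. Amounts are in ETH.
from collections import defaultdict, deque

Transfer = tuple[str, str, float]  # (from, to, amount_eth)


def trace(seed: str, transfers: list[Transfer]) -> dict[str, int]:
    """BFS over outgoing transfers; returns {address: hop distance from seed}."""
    out = defaultdict(list)
    for src, dst, _ in transfers:
        out[src].append(dst)
    hops, queue = {seed: 0}, deque([seed])
    while queue:
        cur = queue.popleft()
        for nxt in out[cur]:
            if nxt not in hops:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    return hops


def balances(transfers: list[Transfer]) -> dict[str, float]:
    bal = defaultdict(float)
    for src, dst, amt in transfers:
        bal[src] -= amt
        bal[dst] += amt
    return bal


def swap_inflow(transfers: list[Transfer], swap_services: set[str]) -> float:
    """Total ETH that reached the known swap/bridge service addresses."""
    return sum(amt for _, dst, amt in transfers if dst in swap_services)


def classify(seed, transfers, swap_services, parking_min=9_000.0, small_max=100.0):
    """Label reachable wallets: 'parking' (still holds ~10,000 ETH),
    'exit-via-swap' (small balance, forwarded to a swap service), else 'intermediary'."""
    reach, bal, labels = trace(seed, transfers), balances(transfers), {}
    for addr in reach:
        if addr == seed or addr in swap_services:
            continue
        fed_swap = any(s == addr and d in swap_services for s, d, _ in transfers)
        if bal[addr] >= parking_min:
            labels[addr] = "parking"
        elif fed_swap and bal[addr] < small_max:
            labels[addr] = "exit-via-swap"
        else:
            labels[addr] = "intermediary"
    return labels


# Constructed sample graph (labels, not real addresses).
EXPLOITER, SWAP = "0xexploiter", {"0xswap-service"}
TRANSFERS = [(EXPLOITER, "0xpark1", 10_000.0), (EXPLOITER, "0xpark2", 10_000.0),
             (EXPLOITER, "0xhub", 10_000.0), ("0xhub", "0xsmall1", 80.0),
             ("0xhub", "0xsmall2", 60.0), ("0xsmall1", "0xswap-service", 80.0),
             ("0xsmall2", "0xswap-service", 60.0)]

if __name__ == "__main__":
    print(classify(EXPLOITER, TRANSFERS, SWAP), swap_inflow(TRANSFERS, SWAP))
```

On real data the same loop is fed by an indexer's transfer list and the swap-service set by known service deposit addresses; the thresholds are the report's own 10,000 ETH and 100 ETH observations and should be tuned per case.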

As of February 26, all the stolen ETH is being laundered using THORChain, which has successfully processed over $260 million in illicit ETH transactions.


In this critical period of industry consolidation, THORChain stands as a key enabler of illicit activity, profiting significantly as its fee volume surges due to the heavy laundering operations linked to North Korean exploiters. With the platform facilitating the movement of stolen assets, continuous monitoring and enhanced oversight remain imperative to mitigate further exploitation.

Between the day of the hack and now, THORChain saw an unprecedented $5.5+ billion in trading volume, generating millions in fees, with nearly all activity tied to Bybit’s laundered funds. Since the exploit, North Korean attackers have successfully bridged and laundered most of the stolen assets, nearly 500,000 ETH, to Bitcoin using THORChain and eXch. Now entering the second phase of laundering, they are obfuscating BTC origins through mixers like Wasabi and Tornado Cash—a tactic they have historically relied on to erase financial trails. Initial tranches of stolen BTC have already begun flowing into these services, marking a critical moment in the laundering process.
Monitoring
Since the day of the exploit, the Blockscope team has been actively monitoring the evolving situation on Bybit. By deploying our watchtower on key wallet addresses, we have identified several hundred addresses directly linked to the exploiter. To date, nearly half of these wallets have begun moving their funds, while the remaining half continues to hold approximately 10,000 ETH. Our ongoing surveillance remains crucial in tracking and mitigating further illicit activity. Link to the Bybit Watchtower: https://www.blockscope.co/community/watchtowers/67b93f6aeaef17d752e70587

Tracing the North Korean Exploit Network
Our monitoring efforts have uncovered compelling evidence linking the current breach to broader state-sponsored activities. Notably, on-chain sleuth ZachXBT highlighted similar exploit patterns and common addresses involved in major exchange exploits like Phemex, BingX, and Poloniex.
Using our advanced Blockscope tools, we verified these claims and confirmed the presence of common intermediary wallets across these platforms. This convergence of wallet activity suggests a coordinated network of exploits that aligns with tactics historically attributed to North Korean threat actors, further underscoring the sophisticated nature of these operations.
Common addresses found between the exploits:
BingX & Bybit: 0xd555789b146256253cd4540da28dcff6e44f6e50
Phemex & Bybit: 0x33d057af74779925c4b2e720a820387cb89f8f65
Poloniex & Bybit: 0x15ec300a4895a86322f1a27dd9ba0b9f8297e65d


Conclusion
The Bybit breach stands as the largest crypto heist to date, with clear evidence linking the exploit to North Korean state-sponsored operations. The sophisticated attack exploited vulnerabilities in Bybit’s multi-sig cold wallet signing process, triggering an intricate laundering scheme that dispersed stolen funds across numerous intermediary wallets. The FBI has further reinforced these findings in a public announcement, officially attributing the exploit to North Korean actors.

While Bybit has since stabilized its operations, this incident serves as a stark reminder of the inherent vulnerabilities in the digital asset ecosystem and the evolving threats that challenge even the most robust security measures. Stay updated on Lazarusbounty.com—Bybit’s dedicated bounty site—where new findings on hacker addresses, cross-chain asset tracking, and ranked wallet balances are posted.
Blockscope has been at the forefront of this investigation from the very first alarm. By deploying the tracer tool and establishing a dedicated watchtower on key wallet addresses, our team has identified hundreds of addresses directly linked to the exploiter. The transparency of blockchain technology—where every transaction is publicly recorded—enables cybersecurity professionals and authorities to trace illicit activities in real-time.
The swift response from Bybit and robust collaboration across the crypto community underscores our collective commitment to fortifying defenses against sophisticated cyber threats.
Investigation by: Tushar Tiwari, Analyst @ Blockscope
For more information, please reach out to us at [email protected]

Disclaimer: Best Effort Investigation
This investigation and its findings represent our best effort based on the information available at the time. However, please be aware of the following limitations:
The data used in this investigation may contain inaccuracies, omissions, or errors.
Information sources may be incomplete or subject to change.
New evidence may emerge that could alter the conclusions.
Analysis and interpretations are based on current understanding and may evolve.
We have made every reasonable attempt to ensure accuracy, but cannot guarantee that all information is entirely correct or complete. This report should be considered a snapshot of our current knowledge and understanding, subject to revision as new information becomes available.