Bybit $1.46 billion theft: case review

1. Incident trigger

On February 21, on-chain investigator ZachXBT detected an abnormal transfer of $1.46 billion in assets (mETH/stETH) out of Bybit's cold wallet; the funds were then swapped into ETH through DEXs. It is the largest single theft in crypto history, more than 10 times the size of the 2016 DAO incident.

2. Attack logic: social engineering combined with a contract vulnerability

1. Malicious contract takeover: The attacker forged the signing interface and induced Bybit's multi-signature approvers to sign the transaction, then used `delegatecall` to tamper with the Safe contract's storage slot, hijacked control of the funds, and called a backdoor to drain the assets.

2. APT-level penetration: The attackers had long lurked on the multi-signature administrators' devices and concealed the real transaction instructions behind a forged copy of the official domain's interface. Compromising a single signer was enough to succeed, exposing a fatal flaw of the traditional multi-signature setup.
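As an added defender-side example (not code from the article, Bybit or Safe), this Python decodes a Safe `execTransaction` call and refuses to clear it for signing when the operation is a delegatecall or the target is off an allowlist; the selector and argument layout follow the public Safe contract ABI, while the allowlist policy and the sample calldata are constructed here.

```python
# Added example: pre-signing review of Safe execTransaction calldata.
# A delegatecall (operation == 1) runs the callee in the Safe proxy's own
# storage context, so a malicious callee can overwrite the proxy's slots.

SELECTOR = bytes.fromhex("6a761202")  # execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)
CALL, DELEGATECALL = 0, 1
HEAD_WORDS = 10  # ABI head slots before the dynamic `data` and `signatures` bytes

def _word(calldata: bytes, i: int) -> bytes:
    return calldata[4 + 32 * i: 4 + 32 * (i + 1)]

def decode_exec_transaction(calldata: bytes) -> dict:
    """Decode the fields a signer must inspect: to, value, operation, data."""
    if calldata[:4] != SELECTOR:
        raise ValueError("not a Safe execTransaction call")
    data_off = 4 + int.from_bytes(_word(calldata, 2), "big")
    data_len = int.from_bytes(calldata[data_off:data_off + 32], "big")
    return {
        "to": "0x" + _word(calldata, 0)[12:].hex(),
        "value": int.from_bytes(_word(calldata, 1), "big"),
        "operation": int.from_bytes(_word(calldata, 3), "big"),
        "data": calldata[data_off + 32:data_off + 32 + data_len],
    }

def review(calldata: bytes, allowed_targets: set[str]) -> list[str]:
    """Return findings that should block signing; an empty list means clean."""
    tx = decode_exec_transaction(calldata)
    findings = []
    if tx["operation"] == DELEGATECALL:
        findings.append("operation=1 (delegatecall): callee can rewrite the Safe's storage")
    if tx["to"].lower() not in {a.lower() for a in allowed_targets}:
        findings.append(f"target {tx['to']} is not on the signer allowlist")
    return findings

def encode_exec_transaction(to: str, value: int, data: bytes, operation: int) -> bytes:
    """Build minimal execTransaction calldata (gas fields zero, empty signatures)."""
    w = lambda n: n.to_bytes(32, "big")
    addr = lambda a: bytes(12) + bytes.fromhex(a[2:])
    dyn = lambda b: w(len(b)) + b + bytes(-len(b) % 32)  # length word + right-padded bytes
    zero = "0x" + "00" * 20
    body = dyn(data)
    head = [addr(to), w(value), w(HEAD_WORDS * 32), w(operation), w(0), w(0), w(0),
            addr(zero), addr(zero), w(HEAD_WORDS * 32 + len(body))]
    return SELECTOR + b"".join(head) + body + dyn(b"")

# Constructed samples: a plain ETH transfer vs. a delegatecall into an unknown contract.
TREASURY = "0x" + "11" * 20
BENIGN = encode_exec_transaction(TREASURY, 10**18, b"", CALL)
SUSPICIOUS = encode_exec_transaction("0x" + "22" * 20, 0, bytes.fromhex("a9059cbb"), DELEGATECALL)
```

`review(BENIGN, {TREASURY})` returns no findings, while `review(SUSPICIOUS, {TREASURY})` returns two, one for the delegatecall and one for the unknown target.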

3. Emergency assistance from the industry

- Exchange liquidity support: Binance, Bitget and others supported Bybit with more than 50,000 ETH (about 125 million US dollars). Bitget said that user assets were not affected and that Bybit's annual profit could cover the losses.

- Market shock: The related stablecoin USDe briefly depegged to 0.96 US dollars; its issuer Ethena urgently clarified that its assets were not held on the exchange.

4. Security warning

1. Institutional-grade defense is urgently needed: Security firms call for adopting custody solutions with behavior monitoring, since the traditional hardware wallet + multi-signature model struggles to resist targeted attacks by state-backed hackers (such as North Korea's Lazarus group).

2. Fork controversy re-emerged: The DAO-incident fork was brought up again and the community debated heatedly whether to roll back the transaction; Coinbase and BitMEX executives spoke out on both sides of the chain-immutability question.

5. Subsequent response

- Bybit suspended the wallet involved and drew on its $20 billion in assets under management and bridge loans to cope with withdrawal pressure;

- The Safe team suspended the affected function to cooperate with the investigation; Binance's CZ, SlowMist and others joined the on-chain tracking, and the flow of funds has been flagged for monitoring.

Key takeaway

This incident exposed institutions' shortcomings in defending against APT attacks and may push the industry to establish new standards such as hardware isolation and real-time threat detection. As of now, Bybit is working with global law enforcement agencies to trace the funds, and the follow-up to the incident may affect regulatory policy and market confidence.