$ETH

Plain language explanation of the bybit fund theft process

1. The thief laid the mine in advance (deployed malicious contracts)

The hacker built a fake key factory (malicious contract) in advance on February 19, 2025, the address is 0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516, but it has not been done yet.

2. Forged keys deceived multi-signature review (tampering with upgrade contracts)

Key point: Bybit's wallet is a multi-signature safe (requires the consent of multiple bosses to unlock).

Attack time: On February 21, the hacker used the signatures of 3 bosses (possibly stolen or forged) to replace the original safe lock cylinder (normal contract) with a fake lock cylinder (malicious contract) made by himself.