Last night, the world's top exchange #bybit was hacked, losing nearly $1.5 billion in $ETH and stETH assets!

This is the largest single theft of coins the crypto market has seen in recent years. As a long-time investor who has lived through many "black swan" incidents, the author went through the incident reports and official statements overnight to reconstruct the full picture of this "crypto 9/11". This article analyzes the incident from several angles and offers practical security advice (a protection guide for incidents of this kind is at the end of the article; be sure to read it!)

1. Hacker’s “perfect crime”: How was Bybit emptied overnight?

1. Attack method: a meticulously planned "visual magic" trick.

Bybit's ETH multi-signature cold wallet originally required several executives to authorize a transfer (like needing several keys to open one safe), but the hackers pulled off the theft with the following combination of tactics:

  • Malicious contract ambush.

On February 19, a malicious contract was deployed in advance (address: 0xbDd077f...) that used the DELEGATECALL instruction to tamper with the multi-signature wallet's logic, paving the way for the later attack.

  • Forged signature interface.

On February 21, when the transaction was initiated, the executives saw the correct address on their interface, but the payload actually handled in the backend had been replaced with the hacker's address.

  • Lightning money laundering.

The stolen 401,347 ETH ($1.12 billion) was split across more than 40 addresses and quickly swapped through DEXs to launder it.

> Key details:

The SlowMist team's analysis suggests the attackers may have monitored internal communications for a long time by compromising the signers' computers (macOS or Windows machines being hacked), which let them time the transfer precisely.

Beosin pointed out that the attack method resembles the WazirX incident: in both cases, signers were tricked into approving malicious content through the front-end UI.

North Korean hackers confirmed: on-chain investigator ZachXBT submitted a complete evidence chain (including test transactions and timeline analysis) confirming that the attack was planned by the Lazarus Group.

2. Industry mutual assistance: How did Bybit stabilize the situation?

The incident triggered a panic withdrawal by users, causing the ETH price to drop 3.43% temporarily. Bybit took emergency measures in response:

Peer support:

  • Bitget lent 40,000 ETH ($105.9 million) to inject into Bybit's cold wallet.

  • MEXC transferred 12,600 stETH to provide liquidity.

  • KuCoin froze suspicious assets to assist in tracking the funds.


2. CEX security crisis: history repeats itself.

1. Exchanges that have been hacked over the years.

Bybit is not the first, and certainly not the last:

  • In 2014, Mt. Gox: 850,000 bitcoins stolen and the exchange went bankrupt; the first major collapse in the crypto space, with effects still felt today.

  • In 2022, Axie Infinity: $625 million hacked, multi-signature system breached.

  • In 2023, Atomic Wallet: $100 million disappeared, user assets 'evaporated.'


2. Why are CEXs always targeted?

  • Concentration of funds: users favor the convenience of keeping assets on exchanges, which makes a single successful attack far more "efficient" for hackers.

  • Technical vulnerabilities: tiny flaws in multi-signature systems and smart contracts become the point of entry.

  • Internal risks: compromised employee devices and lax permission management (in this incident, a signer's computer was hacked).

3. Impact of the incident: shock and reflection.

1. Impact on Bybit.

  • Direct loss: $1.5 billion stolen, accounting for 75% of its ETH deposits.

  • Trust crisis: a wave of user withdrawals caused processing delays, while some of the stolen assets had already been swapped and sold off.

  • Reputation damage: despite the CEO's active response, the platform's security was widely questioned.


2. Industry chain reaction.


4. How ordinary people can protect themselves: core solutions.

1. Diversify asset storage.

Disperse large assets across different cold wallets, leaving only a small amount in exchanges for trading. Cold wallets (hardware wallets) are the best option as they store private keys offline, providing higher security. 'Don't put all your eggs in one basket'; diversifying storage can minimize risks.

2. Use multi-signature + cold wallet.

For important assets, enable multi-signature features to ensure that multiple private keys are needed to complete a transaction. The combination of cold wallets and multi-signatures acts like 'double insurance' for assets, greatly enhancing security. For example, store private keys on different devices or entrust them to trusted individuals for joint management.
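The attack described in section 1 worked because the signers approved what the UI showed rather than what the payload actually contained. The following check is an added example (not code from the article, Bybit or Safe): it re-reads the raw fields of a Safe multisig transaction (the field names follow Safe's EIP-712 SafeTx struct, with operation 0 = CALL and 1 = DELEGATECALL) and compares them with what the signer sees and with a constructed destination policy. The addresses, payloads and policy are constructed placeholders.

```python
# Added example, not code from the article, Bybit or Safe: re-check the
# fields of a Safe multisig transaction (Safe's EIP-712 SafeTx struct)
# from the raw signing request, so a signer compares what the UI shows
# with what will actually be signed. Payloads and policy are constructed.
CALL, DELEGATECALL = 0, 1          # Safe "operation" values

# Constructed policy: only these destinations may receive cold-wallet funds
# (placeholder addresses, not real ones).
ALLOWED_TO = {"0x1111111111111111111111111111111111111111"}


def check_safe_tx(tx: dict, displayed_to: str) -> list[str]:
    """Return policy violations for a SafeTx payload; [] means it matches.

    tx           -- the SafeTx fields from the signing request
    displayed_to -- the destination the signer sees in the wallet UI
    """
    problems = []
    real_to = tx.get("to", "").lower()
    if real_to != displayed_to.lower():
        problems.append(f"UI shows {displayed_to} but payload sends to {tx.get('to')}")
    if real_to not in {a.lower() for a in ALLOWED_TO}:
        problems.append(f"destination {tx.get('to')} is not on the allowlist")
    if int(tx.get("operation", CALL)) == DELEGATECALL:
        problems.append("operation=1 (DELEGATECALL) would run foreign code "
                        "inside the Safe and can rewrite its logic")
    data = tx.get("data") or "0x"
    if data != "0x":
        problems.append(f"unexpected calldata ({(len(data) - 2) // 2} bytes) "
                        "on a plain ETH transfer")
    return problems


# Constructed sample: a legitimate cold-to-warm transfer ...
LEGIT_TX = {"to": "0x1111111111111111111111111111111111111111",
            "value": "1000000000000000000", "data": "0x", "operation": 0, "nonce": 42}
# ... and a spoofed request whose UI preview still shows the warm wallet.
SPOOFED_TX = {"to": "0x2222222222222222222222222222222222222222",
              "value": "0", "data": "0xdeadbeef", "operation": 1, "nonce": 42}
DISPLAYED = "0x1111111111111111111111111111111111111111"

if __name__ == "__main__":
    for name, tx in (("legit", LEGIT_TX), ("spoofed", SPOOFED_TX)):
        findings = check_safe_tx(tx, DISPLAYED)
        print(name, "OK to sign" if not findings else "DO NOT SIGN")
        for p in findings:
            print("  -", p)
```

The point is that the check runs on the raw request, on a machine other than the one rendering the UI, so a tampered front end cannot hide a changed destination or a DELEGATECALL.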

3. Stay vigilant against phishing attacks.

Do not click on unfamiliar links or download suspicious software, to avoid entering counterfeit websites. When logging in or trading, carefully verify the platform's URL and prompt messages. Think of it like a 'firewall'; staying vigilant is the first line of defense against hacker intrusions.

4. Regular backups + updates.

Regularly back up private keys and store the backups in a secure place (e.g., paper backups). Update wallet and exchange-related software in a timely manner to fix potential security vulnerabilities. This is equivalent to providing 'insurance' for assets, ensuring quick recovery even in unexpected situations.

Latest developments (as of February 22, 2025).

  • Fund tracking: the stolen ETH has not been sold off on a large scale; the hackers attempted to unstake cmETH but were blocked by the contract.

  • Audit proof: Hacken confirmed that Bybit's reserves are sufficient, and the CEO promised full compensation for user losses.

  • Industry collaboration: the Safe protocol was fully suspended for inspection, and multiple exchanges joined asset-freezing and recovery efforts.


Finally, here’s a saying for everyone:

Even if you make a lot during a bull market, if security is lacking, it can all vanish overnight. Protect your wallet, and we can smile our way into the next bull market!

Follow Qidian Research Society to track the latest market hotspots and major events.