How the Bybit Hack Happened
Step 1: The Hacker Set a Trap in Advance
On February 19, 2025, the hacker created a fake security system (a malicious contract) at address 0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516. This contract was not used immediately, but it was a setup for the real attack.
Step 2: Tricking the Multi-Signature Approval
Bybit's wallet uses a multi-signature system, meaning multiple high-level approvals are needed for any major change. However, on February 21, the hacker somehow got three key signatures (either stolen or forged). With these, they replaced the original security contract with their malicious one.
This change is recorded in the transaction hash:
0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882
Analogy: It's like a thief walking into a bank with a fake key and saying, "I'm the owner, I want to change the locks," and the bank approving it without noticing anything wrong.
Step 3: Planting a Hidden Backdoor
The hacker used a DELEGATECALL trick, which works like an invisible authorization letter: DELEGATECALL runs another contract's code against the calling contract's own storage. This allowed them to insert a hidden backdoor deep inside Bybit’s wallet system at STORAGE[0x0].
The backdoor’s controller address: 0x96221423681A6d52E184D440a8eFCEbB105C7242
It contained two secret functions:
sweepETH → Steals Ethereum
sweepERC20 → Steals tokens
Analogy: The hacker built a hidden compartment inside the bank's safe, which only they could access.
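The storage-context behaviour behind Step 3, as an added example that is not part of the original write-up and is not code from the incident: a toy Python model (not EVM bytecode) showing why code run through DELEGATECALL can rewrite the calling wallet's own slot 0, together with a pre-signing check and a slot-0 audit a defender could apply. The placeholder addresses, the helper contract, the transaction fields (`to`, `operation`) and the assumption that slot 0 holds the wallet's logic-contract address are all illustrative.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Constructed placeholder addresses, not values from the incident.
TRUSTED_LOGIC, UNTRUSTED_LOGIC, HELPER = "0xTRUSTED_LOGIC", "0xUNTRUSTED_LOGIC", "0xHELPER"

@dataclass
class Contract:
    address: str
    code: Callable[[Dict[int, str], str], None]   # the contract's logic, as a function
    storage: Dict[int, str] = field(default_factory=dict)

def set_slot0(storage: Dict[int, str], value: str) -> None:
    """Code of the hypothetical helper contract: writes its argument to slot 0."""
    storage[0] = value

def call(caller: Contract, target: Contract, arg: str) -> None:
    target.code(target.storage, arg)    # CALL: target code runs on the target's storage

def delegatecall(caller: Contract, target: Contract, arg: str) -> None:
    target.code(caller.storage, arg)    # DELEGATECALL: target code runs on the caller's storage

def review_proposal(tx: Dict[str, str], allowed_targets: Set[str]) -> List[str]:
    """Pre-signing check: flag a DELEGATECALL to a target outside the allowlist."""
    if tx["operation"] == "DELEGATECALL" and tx["to"] not in allowed_targets:
        return [f"DELEGATECALL to unapproved target {tx['to']}"]
    return []

def audit_slot0(before: Dict[int, str], after: Dict[int, str], allowed: Set[str]) -> List[str]:
    """Post-execution check: flag slot 0 changing to an address outside the allowlist."""
    if before.get(0) != after.get(0) and after.get(0) not in allowed:
        return [f"slot 0 changed {before.get(0)} -> {after.get(0)}"]
    return []

def demo() -> Dict[str, object]:
    wallet = Contract("0xWALLET", code=lambda s, a: None, storage={0: TRUSTED_LOGIC})
    helper = Contract(HELPER, code=set_slot0)
    before = dict(wallet.storage)
    call(wallet, helper, UNTRUSTED_LOGIC)           # only the helper's own slot 0 changes
    after_call = wallet.storage[0]
    delegatecall(wallet, helper, UNTRUSTED_LOGIC)   # the wallet's slot 0 is rewritten
    return {
        "after_call": after_call,
        "after_delegatecall": wallet.storage[0],
        "proposal": review_proposal({"to": HELPER, "operation": "DELEGATECALL"}, set()),
        "audit": audit_slot0(before, wallet.storage, {TRUSTED_LOGIC}),
    }
```

The same helper code is harmless under a plain call and rewrites the wallet under DELEGATECALL, which is why the operation type of a proposed transaction deserves its own check before anyone signs.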
Step 4: Draining the Funds
With the backdoor in place, the hacker activated the hidden functions and emptied the wallet in one click, just like remotely opening a safe and taking everything inside.
End result: All the assets in Bybit’s hot wallet were drained before anyone noticed.