The Bybit hack was a carefully orchestrated attack that involved planting a fake security system, bypassing multi-signature approvals, inserting a backdoor, and draining funds. Here’s a step-by-step breakdown of how it unfolded:
🔍 Step 1: The Hacker Set a Trap
📅 Date: February 19, 2025
🔹 The attacker deployed a malicious contract at 0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516.
🔹 This contract wasn’t used immediately—it was a setup for the actual attack.
---
🔑 Step 2: Exploiting Multi-Signature Approval
📅 Date: February 21, 2025
🔹 Bybit’s wallet operates with a multi-signature system, requiring multiple approvals for major changes.
🔹 The hacker somehow obtained three key signatures (either stolen or forged).
🔹 Using these, they replaced Bybit’s original security contract with their malicious one.
🔹 This change was recorded in the transaction hash:
0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882
🔎 Analogy: It’s like a thief walking into a bank with fake credentials, requesting to change the locks, and getting approval without suspicion.
🚪 Step 3: Planting a Hidden Backdoor
🔹 The hacker used a DELEGATECALL, which runs another contract’s code against the calling wallet’s own storage, to insert a hidden backdoor into Bybit’s wallet system at STORAGE[0x0].
🔹 The backdoor’s controller address was 0x96221423681A6d52E184D440a8eFCEbB105C7242.
🔹 It contained two hidden functions:
sweepETH → Stole Ethereum
sweepERC20 → Stole other tokens
🔎 Analogy: The hacker installed a secret compartment inside the bank’s vault, which only they could access.
💰 Step 4: Draining the Funds
🔹 With the backdoor in place, the hacker activated the hidden functions and emptied Bybit’s wallet in a single transaction.
🔹 This was like remotely opening a vault and taking everything inside.
💥 End Result: All assets in Bybit’s hot wallet were drained before anyone noticed.
📈 Market Prices After the Hack
💰 BTC: $96,554.49 (+1.53%)
💰 ETH: $2,765.33 (+5.36%)
💰 SOL: $172.82 (+2.9%)
This hack highlights the importance of rigorous security audits, stricter multi-signature verification, and continuous monitoring to prevent similar attacks in the future.
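Why the DELEGATECALL in Step 3 could reach STORAGE[0x0], and what a check before signing and a monitor after execution would look like, as an added example that is not code from the original post or from Bybit. It is a toy Python model: the class, function names, transaction fields and every address are constructed placeholders, and it assumes slot 0 holds the address of the wallet's logic contract.

```python
# Toy model, constructed for illustration. All addresses are placeholders.
CALL, DELEGATECALL = 0, 1
TRUSTED_IMPL = "0x" + "11" * 20   # wallet logic the operators expect in slot 0
UNKNOWN_IMPL = "0x" + "33" * 20   # stands in for an unreviewed contract
TARGET = "0x" + "22" * 20         # contract the proposed transaction calls
APPROVED_TARGETS = set()          # assumption: no delegatecall target is pre-approved


# Proxy whose storage slot 0 holds the address of its logic contract.
class ProxyWallet:
    def __init__(self, impl):
        self.storage = {0: impl}

    def execute(self, operation, code):
        # DELEGATECALL runs the callee's code against the caller's storage;
        # a plain CALL gives the callee only its own (here: empty) storage.
        code(self.storage if operation == DELEGATECALL else {})


def write_slot0(value):
    """Stand-in for callee code that stores `value` at slot 0."""
    def code(storage):
        storage[0] = value
    return code


def presign_check(tx):
    """Run before any signer approves; returns a list of findings."""
    risky = tx["operation"] == DELEGATECALL and tx["to"] not in APPROVED_TARGETS
    return ["delegatecall to unapproved target " + tx["to"]] if risky else []


def slot0_intact(wallet, expected=TRUSTED_IMPL):
    """Monitoring invariant: the implementation pointer must never change."""
    return wallet.storage[0] == expected


def demo():
    """Same callee code under both call types; only DELEGATECALL moves slot 0."""
    intact = {}
    for op in (CALL, DELEGATECALL):
        wallet = ProxyWallet(TRUSTED_IMPL)
        wallet.execute(op, write_slot0(UNKNOWN_IMPL))
        intact[op] = slot0_intact(wallet)
    return presign_check({"to": TARGET, "operation": DELEGATECALL}), intact


if __name__ == "__main__":
    print(demo())
```

The pre-signing check flags the request before any signature is given, while the slot-0 invariant is the monitoring backstop if a signed transaction still gets through.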