APT attack chain and security reflections behind the theft of $1.5 billion

Background

On February 21, 2025, the cryptocurrency exchange Bybit suffered the largest hacker attack in history, with about $1.5 billion in assets (including ETH, stETH, etc.) stolen from its Ethereum cold wallet. The incident not only set a new record for the amount stolen in a single attack in the crypto industry, but also exposed deep flaws in the security architecture of centralized exchanges. According to the forensic report released by Bybit (jointly prepared by Sygnia and Verichains), the attacker defeated the multi-signature mechanism through a combination of sophisticated social engineering and smart contract tampering, and finally completed the fund transfer.

Analysis of attack methods

1. Malicious code deployment and lurking

The hacker deployed a malicious contract targeting the Bybit Ethereum multi-signature cold wallet (address 0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516) at 15:29:25 UTC on February 19, disguised as normal business logic. The contract paved the way for the subsequent fund transfer by modifying the smart contract's storage slot parameters. Using a compromised machine belonging to a Safe{Wallet} developer, the attacker tampered with the multi-signature transaction data and induced the authorized signers to approve a malicious transaction disguised as a legitimate transfer, thereby taking control of the cold wallet.
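The defensive lesson from this step is that a signer must verify the transaction independently of the web front end that presents it. The checks below are an added illustration written for this article, not code from Bybit, Safe{Wallet}, Sygnia or Verichains. The field names follow the public Safe transaction layout (to, value, data, operation); the allowlist, the sample transactions and the storage-slot values are constructed for the example. The one contract fact relied on is that the Safe proxy keeps its implementation (singleton) address in storage slot 0, which is why a delegatecall into an untrusted contract is dangerous: it runs with the wallet's own storage.

```python
"""
Signer-side checks for a Safe-style multisig transaction that do not trust the
wallet web UI. Added example; assumptions: Safe transaction field names, the
proxy implementation address living in storage slot 0. All sample values are
constructed.
"""
from dataclasses import dataclass

CALL = 0          # ordinary call: target code runs in the target's storage
DELEGATECALL = 1  # target code runs inside the wallet's storage context


@dataclass(frozen=True)
class SafeTx:
    to: str
    value: int        # in wei
    data: bytes       # calldata
    operation: int    # CALL or DELEGATECALL


def check_safe_tx(tx: SafeTx, allowed_targets: set) -> list:
    """Return a list of red flags for a transaction about to be signed.

    An empty list means none of the checks fired. The checks are deliberately
    simple: they are the kind a signer can apply from the raw payload shown on
    a hardware wallet, without relying on the browser UI.
    """
    findings = []
    if tx.operation == DELEGATECALL:
        findings.append(
            "operation=1 (delegatecall): target code can rewrite wallet storage, "
            "including the proxy implementation slot")
    if tx.to.lower() not in allowed_targets:
        findings.append(f"target {tx.to} is not on the pre-approved destination list")
    if tx.value == 0 and not tx.data:
        findings.append("empty transaction: no value and no calldata")
    return findings


def ui_matches_payload(displayed: SafeTx, raw: SafeTx) -> bool:
    """Compare what the front end showed with what the signing device received.

    A mismatch is the signature of UI tampering: the signer believes they are
    approving `displayed`, but the signature is computed over `raw`.
    """
    return displayed == raw


def implementation_slot_changed(slot0_before: str, slot0_after: str) -> bool:
    """Post-execution check: the proxy's slot 0 (implementation) must not move."""
    return slot0_before.lower() != slot0_after.lower()


# Constructed sample data (not real addresses or on-chain values).
ALLOWED = {"0x1111111111111111111111111111111111111111"}   # e.g. the warm wallet

DISPLAYED = SafeTx(  # what the tampered UI showed: a routine 1 ETH transfer
    to="0x1111111111111111111111111111111111111111",
    value=10**18, data=b"", operation=CALL)

SIGNED = SafeTx(     # what actually reached the signing device
    to="0x2222222222222222222222222222222222222222",
    value=0, data=bytes.fromhex("deadbeef"), operation=DELEGATECALL)


def demo() -> dict:
    """Run every check on the constructed sample and return the results."""
    return {
        "displayed_findings": check_safe_tx(DISPLAYED, ALLOWED),
        "signed_findings": check_safe_tx(SIGNED, ALLOWED),
        "ui_matches": ui_matches_payload(DISPLAYED, SIGNED),
        "slot0_changed": implementation_slot_changed(
            "0x" + "ab" * 20,   # constructed: implementation before
            "0x" + "cd" * 20),  # constructed: implementation after
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The routine transfer as displayed raises nothing, while the payload actually sent for signing trips both the delegatecall and allowlist checks, and the displayed/raw comparison fails. In practice the raw fields come from the hardware wallet's screen or a second, independently hosted verification tool, and the slot 0 check is run against the chain after any execution.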

2. Social Engineering and APT Attacks

The hacker group Lazarus Group (suspected to have a North Korean background) targeted insiders with phishing attacks, including a forged version of the Safe wallet service provider's interface that tricked signers into authorizing transfers. The attacker timed the attack to a period of low market liquidity (after the release of the US PMI data), when the exchange's defense system was under high pressure, further weakening its emergency response capability.

3. Fund transfer and money laundering routes

The stolen ETH was dispersed to 48 addresses and swapped for BTC and other assets through cross-chain bridges (such as THORChain and Chainflip). As of February 23, the hacker had laundered about 37,900 ETH (US$106 million), and the remaining 461,500 ETH (US$1.29 billion) had not yet been moved. Some funds were intercepted in transit: for example, the mETH Protocol team recovered 15,000 cmETH, and Tether froze 181,000 USDT involved in the case.

Bybit’s response

1. Technical repair and fund recovery

Bybit has teamed up with security firms (such as SlowMist and Chainalysis) to flag malicious addresses and has launched a blacklist API to track the flow of funds in real time. It has also launched a "bounty recovery program", promising a 10% reward (up to $140 million) to those who successfully recover funds.
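The blacklist and fund-flow tracking described above, and the dispersal across 48 addresses and bridges described earlier, both rest on taint propagation over the transfer graph. The following is an added example of the simplest such scheme (poison taint: any address that ever receives funds from a tainted address is itself tainted), written for this article and not taken from Bybit, SlowMist or Chainalysis. The ledger is constructed; real tracing also orders transfers by time and uses volume-proportional rules, which this example omits.

```python
"""
Poison-style taint tracing over a transfer graph. Added example with a
constructed ledger; not real on-chain data and not any vendor's algorithm.
"""
from collections import deque

# Constructed ledger: (sender, receiver, amount in ETH). Labels are placeholders.
TRANSFERS = [
    ("0xSAFE",   "0xA1",     1000),  # drain from the compromised wallet
    ("0xA1",     "0xA2",      600),  # split across intermediaries
    ("0xA1",     "0xA3",      400),
    ("0xA2",     "0xBRIDGE",  600),  # exit via a cross-chain bridge
    ("0xA3",     "0xCEX",     400),  # exit via an exchange deposit address
    ("0xCLEAN",  "0xA3",       50),  # unrelated inbound; does not clear taint
]


def trace_taint(transfers, origin):
    """Breadth-first propagation from `origin`.

    Returns {address: hop distance from origin}. Addresses that only *send* to
    a tainted address (like 0xCLEAN) are not tainted, since taint flows with
    the funds, not against them.
    """
    outgoing = {}
    for sender, receiver, _ in transfers:
        outgoing.setdefault(sender, []).append(receiver)
    hops = {origin: 0}
    queue = deque([origin])
    while queue:
        current = queue.popleft()
        for nxt in outgoing.get(current, []):
            if nxt not in hops:
                hops[nxt] = hops[current] + 1
                queue.append(nxt)
    return hops


def tainted_inflow(transfers, hops):
    """Total amount each tainted address received from other tainted addresses."""
    inflow = {}
    for sender, receiver, amount in transfers:
        if sender in hops and receiver in hops:
            inflow[receiver] = inflow.get(receiver, 0) + amount
    return inflow


def build_blacklist(hops, exits):
    """Addresses to block or flag, excluding shared infrastructure (bridges,
    exchange deposit addresses) that should be notified rather than blacklisted."""
    return sorted(addr for addr in hops if addr not in exits)


if __name__ == "__main__":
    hops = trace_taint(TRANSFERS, "0xSAFE")
    print("tainted:", hops)
    print("inflow:", tainted_inflow(TRANSFERS, hops))
    print("blacklist:", build_blacklist(hops, {"0xBRIDGE", "0xCEX"}))
```

Over the constructed ledger, the two exits sit three hops from the drained wallet, and the unrelated sender never appears in the tainted set. Treating bridge and exchange addresses as notification targets rather than blacklist entries mirrors the freezes and recoveries mentioned above, which were carried out by the counterparties holding the funds.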

2. Liquidity guarantee and user confidence restoration

After raising $3.2 billion through bridge loans, Bybit joined forces with exchanges such as Binance and Bitget to replenish reserves and keep user withdrawals running normally. As of February 26, Bybit's ETH reserves had recovered to 70% (308,000 ETH) of the pre-attack level, and the withdrawal system had fully returned to normal.

Industry reflections and future challenges

1. The lethality of technical vulnerabilities

This incident revealed the weakness of the multi-signature mechanism: even with cold wallets and multiple signatures, front-end interface tampering and back-end logic flaws can still be exploited. Experts call for upgrading smart contract audit practices and introducing more secure signing schemes such as multi-party computation (MPC).

2. Human weaknesses and social engineering defense

Attackers break through defenses by disguising their identities and inducing victims to run malicious programs, which highlights the importance of security training and internal privilege management. Institutions need to adopt a zero-trust architecture to avoid single points of failure.

3. The urgency of regulation and industry collaboration

The lack of a unified international regulatory framework for cryptocurrencies keeps the cost of committing such crimes low and makes tracking the perpetrators extremely difficult. After the Bybit incident, the industry alliance "Crypto's Defense Alliance" was established, joining forces with Chainalysis, Elliptic and other institutions to strengthen cross-chain monitoring.

Conclusion

Bybit’s $1.5 billion theft is not only a failure of technical attack and defense, but also a wake-up call for the industry’s security culture. In the future, crypto platforms need to find a balance between code security, personnel training, and regulatory collaboration. As security expert Yu Jianing said: “No matter how solid the code fortress is, it may collapse due to a credulous click.”

References: Bybit official report, Sygnia forensic analysis, and industry security agency tracking data.

Related topics: #CryptocurrencySecurity #BlockchainRegulation #BybitIncident #BybitReleasesHackerForensicReport