BitJungle: Uncovering the world’s largest hacker theft case at Bybit Exchange, involving nearly $1.5 billion

  • Case Overview: On February 21, 2025, Bybit exchange suffered an APT attack, resulting in a $1.5 billion theft from cold wallets via forged "blind signatures" bypassing multi-signature security. Stolen assets were distributed across 51 addresses by the next morning.

  • Hacker Attack Methods:

    • Gained access through APT attacks on employee computers.
    • Lurked to observe Bybit’s transfer processes.
    • Deployed a malicious Safe contract (0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516).
    • Forged transaction prompts to deceive employees into multi-signing, replacing the legitimate contract with a malicious one.
    • Transferred cold wallet assets via the malicious contract.
  • Fund Transfer & Attacker Profile:

    • Stolen funds were mixed with those from Phemex’s earlier hack, traced to a North Korean-linked address active since November 2024.
    • Funds underwent exchanges and cross-chain transactions.
  • Potential Secondary Risks:

    • Market panic or a run on Bybit could strain its liquidity.
    • ETH price volatility may amplify losses.
  • Preventive Measures:

    • Employee training against phishing/social engineering.
    • Network isolation and dedicated machines for critical operations.
    • Distributed cold wallet storage.
    • Collaboration with security firms like BitJungle and insurance coverage.
  • Safe Wallet’s Integrity:

    • Safe’s multi-signature mechanism remained unbreached; hackers exploited phishing to gain signing permissions.
  • BitJungle’s Role:

    • Traces intrusion paths and identifies hidden risks.
    • Partners with exchanges to freeze stolen assets via its Zhong Kui system.
    • Assists law enforcement in suspect apprehension.
Summary

Case Summary

On the evening of February 21, 2025 (Beijing time), Bybit exchange suffered an APT attack in which forged "blind signatures" were used to break through the multi-signature mechanism, resulting in the theft of nearly $1.5 billion in assets from its cold wallets. As of 8 a.m. on the 22nd (Beijing time), the stolen assets were spread across 51 addresses.

As a professional blockchain tracing company, BitJungle reconstructs a panoramic view of the attack from public on-chain data.

Secret 1: Hacker attack methods


1. The hackers gained access to Bybit employees' computers through an APT attack

2. The hackers lurked for a long time and observed Bybit's fund-transfer process

3. The hackers deployed a malicious Safe contract: 0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516


4. They forged Safe front-end transaction prompts, deceived Bybit employees into multi-signing, and replaced the Safe implementation contract with the malicious contract


5. They transferred the cold wallet assets through the malicious contract
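As an added illustration of steps 4 and 5 (this is not BitJungle's code or analysis): a signer-side check that decodes the raw `execTransaction` calldata a hardware wallet actually displays and compares it with what the front end claimed, flagging a delegatecall, which is what lets a called contract rewrite a Safe proxy's implementation slot. The selector and field layout follow Safe's public ABI; the signer addresses, the 1 ETH amount and the payload bytes are constructed for the example.

```python
from dataclasses import dataclass
SELECTOR = bytes.fromhex("6a761202")  # execTransaction(...) selector on Safe 1.x
CALL, DELEGATECALL = 0, 1             # Safe's Enum.Operation values

@dataclass
class SafeTx:
    to: str          # lowercase hex address (what decode_exec_transaction produces)
    value: int       # wei
    data: bytes      # inner calldata forwarded to `to`
    operation: int   # CALL or DELEGATECALL

def encode_exec_transaction(tx: SafeTx) -> bytes:
    """ABI-encode execTransaction with zero gas params and empty signatures."""
    addr = lambda a: bytes.fromhex(a.removeprefix("0x")).rjust(32, b"\x00")
    word = lambda n: n.to_bytes(32, "big")
    head_size = 10 * 32                                  # ten static-head slots
    data_tail = word(len(tx.data)) + tx.data + b"\x00" * (-len(tx.data) % 32)
    head = (addr(tx.to) + word(tx.value) + word(head_size) + word(tx.operation)
            + word(0) * 3 + addr("0" * 40) * 2 + word(head_size + len(data_tail)))
    return SELECTOR + head + data_tail + word(0)         # empty `signatures`

def decode_exec_transaction(calldata: bytes) -> SafeTx:
    """Decode the four fields a signer must verify: to, value, data, operation."""
    if calldata[:4] != SELECTOR:
        raise ValueError("not an execTransaction call")
    word = lambda i: int.from_bytes(calldata[4 + 32 * i:36 + 32 * i], "big")
    to = "0x" + word(0).to_bytes(32, "big")[12:].hex()
    off = 4 + word(2)                                    # `data` offset, from args start
    data = calldata[off + 32:off + 32 + int.from_bytes(calldata[off:off + 32], "big")]
    return SafeTx(to, word(1), data, word(3))

def review(calldata: bytes, shown: SafeTx) -> list[str]:
    """Compare the raw bytes with what the front end claimed; return the findings."""
    actual = decode_exec_transaction(calldata)
    findings = []
    if actual.operation == DELEGATECALL:
        findings.append("DELEGATECALL: callee code runs with the Safe's own storage and "
                        "can overwrite its implementation (singleton) slot")
    for field in ("to", "value", "data", "operation"):
        a, s = getattr(actual, field), getattr(shown, field)
        if a != s:
            findings.append(f"{field} mismatch: UI showed {s!r}, calldata has {a!r}")
    return findings

# Constructed scenario: the UI shows a plain 1 ETH transfer, but the bytes the
# signer is asked to approve delegatecall the contract the report names.
SHOWN = SafeTx("0x" + "11" * 20, 10**18, b"", CALL)
MALICIOUS = SafeTx("0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516", 0,
                   bytes.fromhex("deadbeef"), DELEGATECALL)  # payload bytes are made up
```

A signer who sees any finding from `review` for a transaction the front end described as a routine transfer should refuse to sign and verify the request out of band.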


Secret 2: Fund transfer and attacker portrait

As of 8:00 a.m. on the 22nd (Beijing time), the stolen assets were distributed across 51 addresses (shown as the yellow addresses in the picture).


At the same time, according to the latest findings, the stolen Bybit funds and the funds flowing out of the initial hacker address in the Phemex case have been mixed and transferred to the same address. This address has been in use since November 2024 and has performed multiple swaps and cross-chain transactions, confirming that both exchanges were hacked by North Korean hackers.


Secret 3: Possible secondary financial risks

1. Hacker sell-offs or market panic may trigger a run on the exchange, or leave Bybit facing a surge in withdrawals and pressure on its capital chain, requiring an emergency response to stabilize confidence.

2. ETH is a highly volatile asset whose price is significantly affected by market sentiment, supply and demand, and macroeconomic factors; this theft may cause ETH price fluctuations and lead to greater losses.

Secret 4: Preventive measures

1. Give employees advanced phishing and social engineering defense training to reduce internal network security risks.

2. Isolate networks and equipment: use dedicated machines for dedicated purposes, and separate important or finance-related machines from ordinary office computers to reduce the attack surface.

3. Distribute assets across multiple cold wallets to reduce the impact of a single point of theft and improve overall security.

4. Build an in-house professional security team and cooperate with Web3 security companies like BitJungle to fight hackers together.

5. Reduce losses from security incidents by purchasing insurance.

Secret 5: Safe Wallet’s multi-signature security mechanism has not been breached

Safe (formerly Gnosis Safe) is a multi-signature solution widely used in the industry. Its security relies on multi-party signatures and the immutability of smart contract logic.

This attack shows that the hacker did not crack Safe’s multi-signature mechanism or exploit its code vulnerabilities, but instead obtained sufficient signing permissions through phishing.

Secret 6: What can BitJungle do?

1. Find out the truth: restore the hacker's complete intrusion path and identify other hidden security risks.

2. BitJungle has established connections with more than a dozen large exchanges and organizations. Through the Zhong Kui system, stolen assets can be automatically frozen to help users recover losses as quickly as possible.

3. Use professional technology and rich experience to quickly locate suspects and assist judicial authorities in arresting them.


Author: Bit Jungle比特丛林

This article represents the views of a PANews columnist and does not represent PANews' position; PANews assumes no legal liability.

The article and opinions do not constitute investment advice

Image source: Bit Jungle比特丛林. Please contact the author for removal if there is infringement.
