Original|Odaily Planet Daily (@OdailyChina)
At 11:20 PM Beijing time on February 21, ZachXBT posted: “Suspicious fund outflows from Bybit have been detected, amounting to as much as $1.46 billion.” According to Beosin Trace monitoring, a total of 514,723 ETH and derivatives were stolen from Bybit. Subsequently, Bybit co-founder Ben Zhou confirmed that Bybit's official cold wallet had been hacked and began taking security measures.
Odaily Planet Daily will provide a brief follow-up on this matter for readers' reference.
The Funds Involved Are Mainly ETH, Totaling $1.46 Billion
At 11:20 PM, after ZachXBT released the warning message, Odaily Planet Daily quickly followed up after a brief verification.
At that time, it was confirmed that the address associated with the hacker was 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2; after stealing the funds, the hacker quickly exchanged mETH and stETH for ETH on a DEX.
The hacker immediately conducted a Swap exchange
While the outside world was still speculating whether “the movement of such a large amount of funds was a reorganization of Bybit's official wallets or served some other purpose,” ZachXBT quickly provided a new hint: “My sources confirm that the fund outflow from Bybit is a security incident.”
In addition, ZachXBT reminded major exchanges and service providers: “It is recommended to blacklist the following EVM addresses—
0x47666fab8bd0ac7003bce3f5c3585383f09486e2;
0xa4b2fd68593b6f34e51cb9edb66e71c1b4ab449e;
0x36ed3c0213565530c35115d93a80f9c04d94e4cb;
0x1542368a03ad1f03d96D51B414f4738961Cf4443;
0xdD90071D52F20e85c89802e5Dc1eC0A7B6475f92.”
This move aims to immediately cut off the hacker's CEX channels for laundering funds, preventing further loss of the stolen funds from Bybit.
According to Beosin Trace monitoring statistics, the stolen assets include:
401,347 ETH, valued at $1.12 billion;
90,376 stETH, valued at $253.16 million;
15,000 cmETH, valued at $44.13 million;
8,000 mETH, valued at $23 million.
Currently, the funds are divided into groups of 10,000 ETH and are deposited in over 40 Ethereum addresses. All hacker addresses have been added to the Beosin KYT label database, and Beosin KYT will issue alerts for all fund transfers involving hacker addresses. According to the Beosin security team's analysis, the attack method in this incident is similar to the one used against WazirX: in both cases, front-end UI deception was used to get the multi-signature wallet's signers to sign malicious content, which altered the logic of the multi-signature wallet's implementation contract and resulted in the transfer of funds out of the multi-signature wallet.
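The blacklisting and KYT alerting described above, sketched as an added example (not code from Beosin, ZachXBT or any exchange): taint is propagated from a seed address through the fan-out hops, and an alert fires when tainted funds reach a screened deposit address. It goes beyond a plain blacklist lookup by following hops; the `fake()` addresses, the hop limit, the dust threshold and the transfer list are assumptions constructed for illustration.

```python
SEED = "0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2"  # address quoted on the page


def fake(n):
    """Constructed 20-byte placeholder address (not a real account)."""
    return "0x" + format(n, "040x")


def norm(addr):
    """EVM addresses are hex; mixed case is only the EIP-55 checksum, so
    compare in lowercase (the page quotes SEED in both casings)."""
    a = addr.strip().lower()
    if len(a) != 42 or not a.startswith("0x"):
        raise ValueError(f"not an EVM address: {addr!r}")
    int(a[2:], 16)  # raises ValueError on non-hex characters
    return a


def trace(transfers, seeds, services, max_hops=3, min_eth=1.0):
    """transfers: (sender, receiver, eth) tuples in chain order.
    Returns ({tainted address: hops from a seed}, [alerts])."""
    tainted = {norm(s): 0 for s in seeds}
    services = {norm(s) for s in services}
    alerts = []
    for sender, receiver, eth in transfers:
        s, r = norm(sender), norm(receiver)
        if s not in tainted or eth < min_eth:
            continue  # untainted sender, or dust that should not spread taint
        if r in services:
            alerts.append((s, r, eth, tainted[s]))  # freeze/review candidate
        elif tainted[s] < max_hops:
            tainted[r] = min(tainted.get(r, max_hops), tainted[s] + 1)
    return tainted, alerts


EXCHANGE = fake(0xE1)  # constructed deposit address of a screening exchange
TRANSFERS = [  # constructed sample, not real chain data
    (SEED, fake(0xA1), 10_000.0),          # checksummed casing
    (SEED.lower(), fake(0xA2), 10_000.0),  # same seed, lowercase casing
    (SEED, fake(0xD1), 0.001),             # dust: ignored
    (fake(0xA1), fake(0xB1), 5_000.0),     # second hop
    (fake(0xC1), EXCHANGE, 10.0),          # unrelated depositor
    (fake(0xB1), EXCHANGE, 2_500.0),       # tainted deposit -> alert
]
TAINTED, ALERTS = trace(TRANSFERS, [SEED], [EXCHANGE])
```
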
Bybit Official Response: Multi-signature Wallet Transaction Attacked and Altered, Other Cold Wallet Assets Are Safe, Withdrawals from the Exchange Are Normal
Bybit co-founder Ben Zhou spoke out on X platform: “About an hour ago, Bybit's ETH multi-signature cold wallet made a transfer to Bybit's hot wallet. This specific transaction may have been altered, and all multi-signature wallet signers saw the altered UI displaying the correct transfer address, with the website link coming from @safe. However, the signature information was meant to change the smart contract logic of our ETH cold wallet. This allowed the hacker to control a specific ETH cold wallet signed by us and transfer all ETH from the cold wallet to an unknown address. Rest assured, all other cold wallets of Bybit are safe, and all withdrawals within the CEX are operating normally.”
Additionally, Ben Zhou also quickly issued a call for help: “We will keep everyone updated on the latest developments of this incident. We would greatly appreciate any team that can help us track the stolen funds.”
On-chain Fund Movements: The Hacker Is Rapidly Dumping ETH, Having Transferred 10,000 ETH to 39 Addresses
At 11:35 PM, Arkham detected that the $1.4 billion worth of ETH and stETH flowing out of Bybit had already been transferred to new addresses for sale. By that time, the hacker had sold $200 million worth of stETH. The on-chain tracking address is https://intel.arkm.com/explorer/address/0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2.
At midnight, ZachXBT updated the latest on-chain fund movements, indicating that 10,000 ETH had been dispersed by the hacker into 39 addresses, and the hacker also transferred another 10,000 ETH to 9 additional addresses.
At 12:18 AM, according to Arkham monitoring, approximately $100 million worth of ETH (about 400,000 ETH) has now been transferred from the hacker's original address to a new wallet.
On-chain fund movements
As of the time of writing, the hacker's original address only has $3.669 million in assets remaining, with the ETH holdings plummeting to 1,346 ETH.
On-chain information
SlowMist founder Yu Xian posted that, after a small-scale investigation, and considering the Safe multi-signature method together with the money laundering techniques seen so far, it is initially suspected that this incident may be the work of North Korean hackers, with specific information still pending further tracking.
Subsequently, SlowMist released details of the Bybit attacker's operations:
A malicious implementation contract was deployed at UTC 2025-02-19 7:15:23: https://etherscan.io/address/0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516
At UTC 2025-02-21 14:13:35, the attacker used three owners to sign the transaction, replacing the Safe implementation contract with the malicious contract: https://etherscan.io/tx/0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882
The attacker then used the backdoor functions “sweepETH” and “sweepERC20” in the malicious contract to steal from the hot wallet.
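A defender-side check for the sequence above, as an added example (not code from Safe, SlowMist or Bybit): it compares the payload actually presented for signing with what the operator intended, independently of what the UI displays, and then monitors the proxy's implementation pointer. The `operation` values and the use of storage slot 0 follow the Safe contracts; the allowlist, the approved implementation, the hot wallet and the sample transaction are constructed placeholders.

```python
CALL, DELEGATECALL = 0, 1  # values of the Safe transaction `operation` field

# Assumptions (constructed placeholders, not real deployments):
APPROVED_DELEGATE_TARGETS = frozenset()  # no delegatecall target is pre-approved
APPROVED_SINGLETON = "0x" + "11" * 20    # the vetted Safe implementation
MALICIOUS_IMPL = "0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516"  # from the page


def review_safe_tx(tx, intent):
    """Compare the payload presented for signing (tx) with what the operator
    meant to do (intent). Returns a list of findings; empty means no finding."""
    findings = []
    to = tx["to"].lower()
    if tx["operation"] not in (CALL, DELEGATECALL):
        findings.append("unknown operation value")
    elif tx["operation"] == DELEGATECALL and to not in APPROVED_DELEGATE_TARGETS:
        # A delegatecall runs the target's code against the Safe's own
        # storage, so it can rewrite the implementation pointer.
        findings.append("delegatecall to unapproved target")
    if to != intent["to"].lower():
        findings.append("recipient differs from intent")
    if int(tx["value"]) != int(intent["value"]):
        findings.append("value differs from intent")
    if tx.get("data", "0x") != intent.get("data", "0x"):
        findings.append("calldata differs from intent")
    return findings


def singleton_from_slot0(word_hex):
    """Safe proxies keep the implementation address in storage slot 0;
    the address is the low 20 bytes of that 32-byte word."""
    w = word_hex.lower()
    w = w[2:] if w.startswith("0x") else w
    return "0x" + w.rjust(64, "0")[-40:]


def implementation_alert(slot0_word):
    """Return an alert string if slot 0 no longer holds the vetted implementation."""
    impl = singleton_from_slot0(slot0_word)
    return None if impl == APPROVED_SINGLETON else f"implementation changed to {impl}"


# Constructed sample: the UI shows a plain transfer to the hot wallet ...
HOT_WALLET = "0x" + "22" * 20
INTENT = {"to": HOT_WALLET, "value": 10**18, "data": "0x"}
# ... but the payload to be signed is a zero-value delegatecall elsewhere.
SIGNED = {"to": "0x" + "33" * 20, "value": 0,
          "operation": DELEGATECALL, "data": "0xdeadbeef"}
```
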
The Aftermath of the Bybit Theft Incident: Currently Under Control
The theft of ETH-related assets amounting to $1.46 billion is the largest security incident since the start of 2025, and even since 2023, further intensifying market concerns about ETH's price performance and Bybit's asset security. Regarding the former, there is indeed a certain risk in the short term.
However, in the medium to long term, market concerns should be alleviated. Some believe this is because ETH is the most decentralized asset after BTC, and the hacker is likely to hold the majority of ETH rather than directly dumping it at a low price.
As for the latter, Bybit's official response came swiftly. At 12:07 AM on the 22nd, Bybit co-founder Ben Zhou posted a response: “Even if the losses from this hacker attack cannot be recovered, Bybit's assets are still guaranteed 1:1, and we can bear the losses.” This reflects the confidence and stability of a well-established exchange.
In this regard, in addition to the common on-chain proof of reserves using Merkle trees, information previously mentioned by Bybit co-founder and CEO Ben Zhou in an interview can also serve as evidence. He noted that “about 80% of Bybit's company assets are stablecoins, with the remaining portion held in fiat. The core goal of this configuration is to ensure the financial stability of the exchange, rather than pursuing asset appreciation.”
Assistance and Statements from Multiple Parties
After the incident, CZ replied to Ben Zhou's tweet, stating: “This is not an easy situation to handle. It is recommended to temporarily stop all withdrawals as a standard safety precaution. We will provide any assistance if needed.” Binance co-founder He Yi responded to Bybit CEO Ben Zhou, saying, “We will provide support if needed.”
TRON founder Justin Sun stated, “I am closely monitoring the Bybit security incident and will do my utmost to assist partners in tracking the relevant funds and provide all possible support.”
Additionally, on-chain analyst @ai_9684xtpa analyzed: “Ethena has 21% of USDe executing a delta-neutral hedging strategy on Bybit, with the ETH portion valued at $227 million, uncertain if it will be affected. After Bybit confirmed the theft, ENA has dropped 11.5% and has retraced today’s gains.”
Ethena Labs subsequently stated that they have noted the Bybit incident, and all spot assets supporting USDe are held through over-the-counter custody solutions, with no spot value reserve funds stored on any exchange (including Bybit). Currently, the unrealized profit and loss of Bybit's hedging positions total less than $30 million, which is less than half of the reserve fund, and USDe has sufficient collateral balance, with more information to be provided promptly upon receiving updates.
In the latest news, Bybit CEO Ben Zhou has announced on the X platform that he will conduct a live stream to answer all questions.
Odaily Planet Daily will continue to track the latest news on the Bybit asset theft incident, hoping for a satisfactory resolution to this matter.