On February 27, 2025, the cryptocurrency exchange Bybit released a forensic review of the previous week's $1.5 billion theft, revealing both the complexity of the attack and its impact on the cryptocurrency industry. This article analyzes the details of the attack, the dispute over the responsibilities of the parties involved, the background of the hacker group, and the current status of fund recovery.
Attack Details and Timeline
According to Bybit's official statement and reports from blockchain analytics firms, the attack took place on February 21, 2025 and targeted Bybit's Ethereum cold wallet, a Safe multi-signature wallet. Cold wallets are held offline to reduce exposure, but the attackers did not break the keys: they used social engineering to get Bybit's signers to approve a malicious transaction. Chainalysis reported that the cold-wallet signers were targeted through phishing, and that the approved transaction replaced the logic behind the Safe multi-signature contract, allowing roughly 401,000 ETH (close to $1.5 billion) to be transferred to addresses controlled by the attackers.
Safe's own statement added that the attack was carried out by compromising a Safe developer's machine, which was then used to present the signers with a disguised malicious transaction proposal. Safe emphasized that no vulnerability was found in its smart contracts or in the source code of its front-end services, and forensic reviews by external security researchers supported that conclusion.
Responsibility Dispute Between Bybit and Safe
Bybit's forensic report concluded that "the credentials of Safe developers were compromised," which allowed the Lazarus group to gain unauthorized access to the Safe wallet front end and deceive Bybit employees into signing malicious transactions. Safe's position is that its infrastructure itself was not breached and that the attack originated from a compromised developer machine. A source cited by CoinDesk pointed out that, although the wallet infrastructure was subjected to social engineering, the theft would not have succeeded if Bybit had not been "blind signing" transactions. Blind signing means approving a transaction when the signer cannot independently verify what is actually being signed: the signing device shows only a hash or raw calldata, so the signer relies on the front end (in this case a tampered one) to describe the transaction. That reliance is widely viewed as a weakness in Bybit's internal process.
The dispute resembles the mutual accusations that followed the $230 million attack on WazirX and Liminal Custody in July 2024. WazirX claimed the attack stemmed from issues with Liminal's interface, while Liminal denied that its infrastructure was breached and blamed a compromised WazirX device. The pattern shows that in the multi-party custody setups common in the cryptocurrency industry, attribution of responsibility often becomes the focal point of contention.
Background and Activities of the Lazarus Group
The Lazarus Group is widely attributed to the North Korean state and has been active in cybercrime since 2009. Elliptic links the group to a series of high-profile attacks, including the 2014 Sony Pictures breach and the 2017 WannaCry ransomware outbreak, as well as numerous cryptocurrency thefts. Chainalysis's 2025 cryptocurrency crime report put North Korean-linked theft at $660.5 million in 2023 and $1.34 billion in 2024; the Bybit theft alone exceeds that entire 2024 total.
On-chain analysis by ZachXBT indicates that Lazarus is already laundering the stolen funds, with 920 wallets tainted so far. Some of these funds appear to be commingling with proceeds from the earlier attacks on Phemex and Poloniex, which would tie those incidents to the same actor.
Bybit's Response and Fund Recovery
Bybit moved quickly after the attack, restoring nearly 447,000 ETH to its reserves through emergency loans and deposits from firms including Galaxy Digital, FalconX and Wintermute. A proof-of-reserves audit by Hacken confirmed that Bybit's main assets, including Bitcoin, Ethereum, Solana, Tether and USDC, remained backed at more than 100%, so customer balances were fully covered.
Bybit also launched a bounty program offering up to 10% of recovered funds to ethical hackers and blockchain analysts who help trace and freeze the stolen assets. So far a portion of the funds has been frozen, notably amounts converted to Tether (USDT), but Elliptic reports that roughly 14.5% of the stolen assets (about $195 million) have already been moved onward through laundering channels, which makes a large recovery unlikely.
Industry Impact and Future Outlook
This attack underscores the threat that state-sponsored actors with sophisticated social-engineering capabilities pose to the cryptocurrency industry. Bybit's rapid response and industry collaboration (including with Chainalysis and Elliptic) show what collective action can achieve after an incident. At the same time, the dispute over responsibility and the risk inherent in blind signing are reminders that the industry needs stronger signing controls, such as independent verification of the transaction hash on the signing device, and a clearer delineation of responsibility between custody providers and their clients.
Conclusion
The $1.5 billion Bybit theft is not only one of the largest in the history of the cryptocurrency industry; it also shows that a multi-signature wallet is only as strong as the process by which its signers verify what they sign, and how social engineering can subvert that process. The industry needs to strengthen collaboration, improve signing and verification controls, and clarify responsibility in order to protect user assets from similar threats.
Disclaimer: The above content does not constitute investment advice.
AiCoin Official Website: www.aicoin.com
Disclaimer: This article represents only the author's personal views and does not represent the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes your rights, please send proof of rights and proof of identity to support@aicoin.com, and the platform's staff will verify the claim.