The Bybit Hack – another traumatizing event in crypto

February 22, 2025
News

On Friday, February 21, the well-known exchange Bybit was hacked by an unknown group of hackers who withdrew more than $1.4 billion in ETH in a single transaction. The media calls this incident the new largest hack in the history of cryptocurrencies.

We have prepared the key points of this incident: 

– According to Bybit CEO Ben Zhou, hackers gained control of the exchange's Ethereum multi-signature cold wallet by exploiting a vulnerability in the transaction signing mechanism. They masked the signing UI, so that signers saw the correct address while in fact confirming a change to the smart contract logic. As a result, the entire amount of ETH was transferred to a third-party wallet controlled by the hackers.

– SlowMist reported that hackers exploited a vulnerability related to the DELEGATECALL mechanism, bypassing the security system. This is how they could inject malicious code and gain control over the transaction signing process.

– Despite the hack, Bybit confirmed that the platform continues to operate fully, all other cold wallets are safe, and customer funds are secure. If the stolen assets cannot be recovered, the exchange will cover the losses at its own expense.

– To maintain liquidity, the Bybit team enlisted the help of partners who secured a loan.

– Arkham tracked the attackers' transactions and addresses on its X (Twitter) account and actively supported the investigation into the Bybit hack.

– The hackers divided the stolen assets into dozens of wallets, including 400,000 ETH, 90,000 stETH, 15,000 cmETH, and 8,000 cETH. The funds arrived at address 0x476, after which the hackers activated the sweep ETH feature, allowing them to transfer all available tokens in a single transaction.

– Later, the assets were distributed to three key addresses, 0xB4a, 0x23Ob, and 0x83Ef5, and then split into dozens of new wallets, where exchanges via Uniswap, Paraswap, and KyberSwap began. The hackers also converted liquid staking tokens (stETH) into ETH, possibly to avoid having them frozen.

– On Friday night, crypto investigator ZachXBT presented evidence that the Lazarus Group, which has been linked to North Korea, was involved in the attack.

– Following the attack, the price of Ethereum fell to $2,656, while Bitcoin fell 3.07% to $95,086.
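The masked-UI and DELEGATECALL points above suggest one defensive control: decode the raw payload independently of the signing interface before approving it. The sketch below is an added example, not code from Bybit, SlowMist, or this article; it assumes a Safe-style `execTransaction` ABI layout (the article does not name the wallet software), and the addresses are constructed.

```python
# Added example: pre-signing policy check on raw multisig calldata.
# Assumption: Safe-style execTransaction layout (to, value, data, operation, ...).
EXEC_TX_SELECTOR = bytes.fromhex("6a761202")  # execTransaction selector in Safe contracts
CALL, DELEGATECALL = 0, 1
TREASURY = "0x" + "11" * 20   # constructed address shown by the UI
UNKNOWN = "0x" + "22" * 20    # constructed address of an unreviewed contract

def word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI head word after the 4-byte selector."""
    chunk = data[4 + 32 * i: 4 + 32 * (i + 1)]
    if len(chunk) != 32:
        raise ValueError("calldata truncated")
    return chunk

def decode_exec_tx(calldata: bytes) -> dict:
    """Extract the fields a signer must verify from the raw bytes."""
    if calldata[:4] != EXEC_TX_SELECTOR:
        raise ValueError("not an execTransaction call")
    return {
        "to": "0x" + word(calldata, 0)[12:].hex(),
        "value": int.from_bytes(word(calldata, 1), "big"),
        "operation": int.from_bytes(word(calldata, 3), "big"),
    }

def review(calldata: bytes, ui_to: str, allowed_delegate_targets=frozenset()) -> list:
    """Return reasons to refuse signing; an empty list means the checks passed.
    allowed_delegate_targets must hold lowercase 0x-prefixed addresses."""
    tx = decode_exec_tx(calldata)
    findings = []
    if tx["to"] != ui_to.lower():
        findings.append("destination differs from what the UI displayed")
    if tx["operation"] == DELEGATECALL and tx["to"] not in allowed_delegate_targets:
        findings.append("DELEGATECALL to a target that is not allowlisted")
    elif tx["operation"] not in (CALL, DELEGATECALL):
        findings.append("unknown operation value")
    return findings

def build_sample(to_hex: str, value: int, operation: int) -> bytes:
    """Construct sample calldata with empty inner data and signatures."""
    words = [bytes.fromhex(to_hex[2:]).rjust(32, b"\0"), value.to_bytes(32, "big"),
             (320).to_bytes(32, "big"), operation.to_bytes(32, "big")]
    words += [bytes(32)] * 5 + [(352).to_bytes(32, "big")]  # gas/refund fields, sig offset
    words += [bytes(32), bytes(32)]  # zero-length data and signatures
    return EXEC_TX_SELECTOR + b"".join(words)

if __name__ == "__main__":
    print(review(build_sample(TREASURY, 10**18, CALL), TREASURY))
    print(review(build_sample(UNKNOWN, 0, DELEGATECALL), TREASURY))
```

The check is only useful when it runs on a device and code path separate from the interface that displayed the transaction.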

It is unclear how the hackers plan to launder the proceeds. Blockhound analysts consider the odds of them using services like Tornado Cash for this purpose to be extremely low. Funds exceeding $1.4 million are too large for this platform's liquidity, so even if some funds are routed through this service, their movement will be quickly detected and frozen, as Tornado Cash is under OFAC sanctions.

The Bybit hack is another reminder that security is never absolute in cryptocurrency. As technology continues to evolve, attacks will only become more sophisticated. Always be on your guard and protect your assets!

Feel free to reach out for help. Blockhound is here to help you.
