$1.5 Billion Stolen, Largest Hack in Crypto History, Was Multi-Sig Also Compromised?

Bybit Hacked for $1.5 Billion, Potentially the Largest Crypto Hack in History, Surpassing 2022's Axie Hack Record. The recent hack has caused significant panic in the market, with ETH experiencing a short but sharp price fluctuation, although not to the extent of the FTX run on bank in the past.

Ironically, many investors had just recovered partial compensation from FTX's bankruptcy settlement. "After 2.5 years, finally received compensation from FTX and deposited it into Bybit, only to have Bybit's hot wallet hacked the next day," became the most widely circulated dark joke overnight, casting a shadow over the crypto industry once again.

Late Night Hack

On February 21 at 23:00, crypto influencer Finish posted that according to on-chain data, a multi-sig address belonging to Bybit transferred $1.5 billion worth of ETH to a new address.

The funds landed at the new address 0x47666fab8bd0ac7003bce3f5c3585383f09486e2, then moved to 0xa4b2fd68593b6f34e51cb9edb66e71c1b4ab449e, where 0xa4 is currently selling stETH and mETH for ETH.

"The address is currently using 4 different DEXs. If they just convert sETH back to native ETH, the slippage would be massive. This scale of conversion is typically done OTC, so this is very unusual."

Half an hour later, Bybit CEO Ben Zhou stated that the ETH multi-sig cold wallet faced a sophisticated attack, with the smart contract logic tampered with, allowing the hacker to control a specific wallet and move all ETH. He mentioned that other cold wallets are secure, withdrawals are functioning normally, and efforts are being made to track the stolen funds. He also said, "We will go live very soon to address all questions! Stay tuned."

Related Article: "Timeline: Bybit Hacked for Over 500,000 ETH, Losing $1.5 Billion"

The Largest Hack in History?

According to EmberCN monitoring, Bybit's ETH multisig cold wallet was hacked, with 514,000 ETH stolen, valued at 1.429 billion USD. The hacker has already dispersed 490,000 ETH to 49 addresses (10,000 ETH per address). "Additionally, 15,000 cmETH is currently being unstaked by the hacker (with an 8-hour unbonding period, it's unknown whether this can be intercepted)."

Based on CoinMarketCap data, Bybit had $16.2 billion in reserves before the hack, with the stolen $1.4 billion assets accounting for 8.64%. This may be the largest amount ever stolen in crypto history, accounting for 16% of all previous crypto hacks. The previous largest cryptocurrency theft in history was the Ronin Network (Axie Infinity) hack on March 29, 2022. The hacker stole approximately $620 to $625 million in cryptocurrency, including 173,600 ETH and $25.5 million USDC.

Following the news of the Bybit hack, ETH plummeted to the $2600 range.

Only the ETH cold wallet was targeted by the hacker; Bybit's hot wallet, warm wallet, and all other cold wallets were unaffected. According to community feedback, all withdrawals are processing normally within 20 minutes.

Some community members also inquired ChatGPT and Grok about Bybit's annual revenue and profit estimates. Both came up with similar calculations: annual revenue around $20 billion and annual profit around $6 billion.

"Bybit still has the ability to pay, and even if the losses from this hack cannot be recovered, all customer assets remain 1:1 backed, and we can cover this loss." These words from Bybit's co-founder added a sense of credibility.

Was the Hack Due to the Multisig Wallet Being Safe?

On February 22, SlowMist founder Cao Yun published a post stating that the Bybit hacking technique is similar to that of North Korean hackers, "Although there is no clear evidence at the moment, from the Safe multi-signature technique and the current money laundering technique, it looks like North Korean hackers."

At the same time, the founder of DefiLlama pointed out that the attack method is similar to the WazirX hack related to North Korea. Stay vigilant.

At 23:44, in an announcement by Bybit's co-founder and CEO Ben Zhou, it was revealed: "Bybit's ETH multi-signature cold wallet was transferred to our hot wallet about 1 hour ago. It appears that this transaction was disguised, all signers saw a fake interface showing the correct address and the URL was from Safe."

However, the signature information was to change the logic of their ETH cold wallet's smart contract. This allowed the hacker to control their signed specific ETH cold wallet and transfer all the ETH in the wallet to this unconfirmed address.

Further investigation by SlowMist revealed more details of the vulnerability:

1) A malicious implementation contract was deployed on UTC 2025-02-19 7:15:23:
https://etherscan.io/address/0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516…
2) On UTC 2025-02-21 14:13:35, the attacker utilized a three-owner signature transaction to replace Safe's implementation contract with a malicious contract:
https://etherscan.io/tx/0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882…
3) The attacker then used the backdoor functions "sweepETH" and "sweepERC20" in the malicious contract to steal from the hot wallet.

This technique bears some similarities to the Radiant Capital hack in October 2024:

At that time, a security vulnerability at Radiant Capital resulted in the theft of around $50 million. The attackers used malware to infect at least three core developers' devices, all long-trusted DAO contributors who used hardware wallets for transactions. The hackers manipulated the front end interface of Safe{Wallet} (i.e., Gnosis Safe), causing the victims to mistakenly believe they were signing off on legitimate transactions when, in fact, malicious transactions were being executed in the background.

The attack involved implanting highly sophisticated malware on the developers' devices, inadvertently leading them to approve the hackers' malicious operations when signing transactions. The Safe{Wallet} front end did not display any anomalies, making the victims unaware of the transaction tampering. The hackers exploited common transaction failures (such as gas fee fluctuations, sync delays, etc.) to induce developers to resign multiple times, thereby obtaining multiple valid malicious signatures. Despite simulations and audits of the transactions using tools like Tenderly, the malware's manipulation of the developers' devices caused all checks to return normal results, delaying the timely detection of the attack.

Related Reading: "Radiant Capital Post-Mortem"

All fingers seem to point to the Safe multisig wallet.

Safe is the most widely used multisignature wallet in the Ethereum ecosystem, primarily used by large holders. During Safe's token distribution earlier this year, almost all of the top 100 airdrop addresses belonged to project teams or institutions, including OP, Polymarket, Drukula, Worldcoin, Lido, and more. Related Reading: "A Comprehensive Overview of Safe's Trading, Tokenomics, and Ecosystem"

Initially, Safe's audience consisted more of DAOs and cryptocurrency projects. However, as the crypto industry entered the next stage, traditional finance, institutions, family funds, and old money began to enter the market. An increasing number of traditional institutions, such as the Dung Wang family, are also starting to use the multisig wallet Safe.

The design of Safe has greatly improved the security of fund management. Through a multi-signature mechanism, funds are stored in a smart contract address, and a transaction can only be executed when the preset number of signatures is met (e.g., 3/10). This mechanism effectively reduces the risk of a single point of failure; even if a signature address's private key is leaked, an attacker would find it challenging to obtain enough signatures to complete a transaction.

Currently, the Safe security team has stated, "There is no evidence of the official Safe frontend being compromised. However, as a precautionary measure, Safe{Wallet} has temporarily suspended certain functions." They are closely collaborating with Bybit for an ongoing investigation.

Some community members have initiated mockery of Safe: multi-signature is just a decoration for "closing the eyes and stealing the bell." At the same time, many industry practitioners have expressed reflection and concerns about the industry: "If even multi-signature wallets are not secure, then who will take this industry seriously?"｜

The investigation into the current event is still ongoing, and the rhythm BlockBeats will continue to follow up.