Bybit Hack: $1.4 Billion, Investigations, and Forensic Findings

Incident Overview

On February 21, 2025, Bybit suffered one of the largest thefts in cryptocurrency history: over $1.4 billion worth of assets, including 401,347 ETH along with significant amounts of mETH, stETH, and cmETH, were drained from its Ethereum multisignature cold wallet. The attacker manipulated a routine transfer out of the cold wallet so that Bybit's signers unknowingly approved a transaction that handed control of the wallet to the attacker, who then moved the funds to an address under their control and dispersed them across many wallets.

Following the breach, Bybit engaged cybersecurity firms, including Sygnia and Verichains, to conduct forensic investigations and determine the attack's root cause. Bybit also set up a bounty site (Lazarus Bounty, named after the North Korean Lazarus Group, to which the FBI has attributed the attack) to reward information leading to the recovery of the stolen assets.

How the Hack Happened

The forensic investigation revealed that the attack exploited neither Bybit's own systems nor the Safe smart contracts. Instead, malicious JavaScript was injected into the Safe{Wallet} web front end that Bybit's signers used, so the transaction they were asked to sign was altered during the signing process. The primary findings indicate:

  • Malicious JavaScript was injected into the Safe{Wallet} front-end bundle hosted in Safe's AWS S3 bucket, so every user loading the interface received the tampered code.
  • The code was designed to rewrite transactions at signing time while the interface kept displaying the intended transfer, so the signers approved a transaction that handed control to an attacker-controlled contract.
  • The injected JavaScript activated only for Bybit's contract address and one other, unknown address, likely used by the attacker for testing; for every other user it behaved normally, which is why it went unnoticed.
  • The tampered files were written to Safe{Wallet}'s S3 bucket on February 19, 2025, and replaced with clean versions about two minutes after the malicious transaction executed on February 21, most likely to cover the attacker's tracks.
  • No direct compromise of Bybit's own infrastructure was identified.
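As an added example (not code from Safe{Wallet}, Bybit or the attacker), the following JavaScript models the two halves of this finding: an implant gated on a target Safe address that swaps the transaction handed to the signer while the UI keeps rendering the intended transfer, and the independent pre-signing comparison and policy check that would have refused it. All addresses, the payload placeholder and the policy fields are assumptions made for the example.

```javascript
// Added illustration, not Safe{Wallet} code and not the injected script.
// Every address below is constructed for the example.

const TARGET_SAFES = new Set(["0xaaaa000000000000000000000000000000000001"]); // assumed victim Safe
const ATTACKER_CONTRACT = "0xbbbb000000000000000000000000000000000002";         // assumed attacker contract
const OPERATION_CALL = 0;
const OPERATION_DELEGATECALL = 1;

// What the operator intends and what the web UI keeps rendering: a plain ETH transfer.
function buildDisplayedTx(to, valueWei) {
  return { to, value: valueWei, data: "0x", operation: OPERATION_CALL };
}

// Model of the implant: it only acts for the targeted Safe and passes every other
// transaction through untouched, which is why nobody else noticed the change.
function implantRewrite(safeAddress, tx) {
  if (!TARGET_SAFES.has(safeAddress.toLowerCase())) return tx;
  return {
    to: ATTACKER_CONTRACT,
    value: "0",
    data: "0xdeadbeef",                // constructed placeholder for the attacker's payload
    operation: OPERATION_DELEGATECALL, // attacker code runs in the Safe's own storage context
  };
}

// Independent pre-signing check. It must run outside the web front end that
// produced `toSign`, otherwise the same implant can lie to it as well.
function verifyBeforeSign(displayed, toSign, policy) {
  const findings = [];
  for (const field of ["to", "value", "data", "operation"]) {
    const shown = String(displayed[field]).toLowerCase();
    const signing = String(toSign[field]).toLowerCase();
    if (shown !== signing) findings.push(`${field}: UI shows ${shown}, signer gets ${signing}`);
  }
  if (toSign.operation !== OPERATION_CALL && !policy.allowDelegatecall) {
    findings.push("operation is not CALL; a delegatecall must be an explicitly planned change");
  }
  if (!policy.allowedRecipients.has(String(toSign.to).toLowerCase())) {
    findings.push(`recipient ${toSign.to} is not on the allowlist`);
  }
  return { ok: findings.length === 0, findings };
}

// Honest Safe and targeted Safe, same intended transfer, same policy.
function runScenario() {
  const warmWallet = "0xcccc000000000000000000000000000000000003"; // assumed destination
  const policy = { allowDelegatecall: false, allowedRecipients: new Set([warmWallet]) };
  const displayed = buildDisplayedTx(warmWallet, "1000000000000000000"); // 1 ETH in wei

  const honestSafe = "0xdddd000000000000000000000000000000000004";
  const honest = verifyBeforeSign(displayed, implantRewrite(honestSafe, displayed), policy);
  const targeted = verifyBeforeSign(displayed, implantRewrite([...TARGET_SAFES][0], displayed), policy);
  return { honest, targeted };
}

const scenario = runScenario();
console.log("honest Safe:", scenario.honest.ok ? "sign" : "refuse");
console.log("targeted Safe:", scenario.targeted.ok ? "sign" : "refuse");
scenario.targeted.findings.forEach((f) => console.log("  -", f));
```

The check is only worth something if it runs outside the web front end that produced the payload, for example as a signer-side script fed the fields the hardware wallet will actually sign, or by comparing the Safe transaction hash displayed on the hardware wallet with one computed independently; a check wired into the same compromised page would be lied to in the same way.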

Forensic Findings and Attack Vector

Verichains' preliminary forensic report provided a deeper technical analysis of how the attacker operated:

  1. Deployment of Malicious Contracts:
    • On February 18, 2025, the attacker deployed malicious contracts containing hidden transfer and withdrawal logic.
    • One of these contracts was later used to replace the implementation behind Bybit's multisignature cold wallet (a Safe proxy), giving the attacker control over the assets.
  2. Manipulation of Safe{Wallet} Transactions:
    • The attacker injected JavaScript into Safe{Wallet}'s front end through a compromised AWS S3 bucket.
    • This let them alter the transaction details presented for signing while the interface still showed the intended transfer, effectively rerouting the funds.
  3. Execution of the Attack:
    • On February 21, 2025, at 14:13:35 UTC, the attacker submitted the multisignature transaction, carrying the signatures Bybit's signers had unknowingly provided; it executed a delegatecall into the malicious contract, which repointed Bybit's wallet proxy at the attacker's implementation.
    • The attacker then used the backdoor functions (sweepETH and sweepERC20) in that implementation to drain the funds.
    • Within minutes, new versions of the compromised JavaScript were uploaded to Safe{Wallet}'s AWS S3 bucket, removing the malicious code and reducing the chances of detection.
  4. Tracking the Stolen Funds:
    • The stolen assets were quickly moved across multiple wallets to obscure the trail.
    • Several initial addresses linked to the attacker have been identified, including:
      • 0xdd90071d52f20e85c89802e5dc1ec0a7b6475f92
      • 0x0fa09c3a328792253f8dee7116848723b72a6d2e
    • These funds have been partially mixed across different blockchain addresses, making recovery difficult.

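To show what the forensic step above looks like on raw chain data, here is an added JavaScript example (not Verichains' or Safe's tooling) that decodes the calldata of a Safe execTransaction call and flags the two properties that separate a contract upgrade from the routine transfer the signers believed they were approving. The sample calldata, addresses and payload are constructed for the example and are not the Bybit transaction.

```javascript
// Added triage helper for a Safe execTransaction call; not Verichains' or Safe's
// tooling. The sample calldata is constructed here and is not the Bybit transaction.

// execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)
const EXEC_TRANSACTION_SELECTOR = "6a761202";
const OP_CALL = 0;
const OP_DELEGATECALL = 1;

// --- minimal ABI helpers (32-byte words, head/tail layout for dynamic `bytes`) ---
const word = (hex) => hex.replace(/^0x/, "").toLowerCase().padStart(64, "0");
const uintWord = (n) => word(BigInt(n).toString(16));
const bytesTail = (hex) => {
  const h = hex.replace(/^0x/, "");
  return uintWord(h.length / 2) + h.padEnd(Math.ceil(h.length / 64) * 64, "0");
};

// Encoder, only so the example can build its own sample input offline.
function encodeExecTransaction(t) {
  const dataOffset = 10 * 32;                        // 10 head words precede the tail
  const dataTail = bytesTail(t.data);
  const sigOffset = dataOffset + dataTail.length / 2; // signatures follow the data tail
  const head = [
    word(t.to), uintWord(t.value), uintWord(dataOffset), uintWord(t.operation),
    uintWord(t.safeTxGas), uintWord(t.baseGas), uintWord(t.gasPrice),
    word(t.gasToken), word(t.refundReceiver), uintWord(sigOffset),
  ].join("");
  return "0x" + EXEC_TRANSACTION_SELECTOR + head + dataTail + bytesTail(t.signatures);
}

// Decoder: what an analyst runs on the raw `input` of the on-chain transaction.
function decodeExecTransaction(calldata) {
  const h = calldata.replace(/^0x/, "").toLowerCase();
  if (h.slice(0, 8) !== EXEC_TRANSACTION_SELECTOR) throw new Error("not an execTransaction call");
  const body = h.slice(8);
  const slot = (i) => body.slice(i * 64, i * 64 + 64);
  const asUint = (w) => BigInt("0x" + w);
  const asAddress = (w) => "0x" + w.slice(24);
  const readBytes = (offsetWord) => {
    const off = Number(asUint(offsetWord)) * 2;          // byte offset -> hex chars
    const len = Number(asUint(body.slice(off, off + 64))) * 2;
    return "0x" + body.slice(off + 64, off + 64 + len);
  };
  return {
    to: asAddress(slot(0)),
    value: asUint(slot(1)),
    data: readBytes(slot(2)),
    operation: Number(asUint(slot(3))),
    safeTxGas: asUint(slot(4)),
    baseGas: asUint(slot(5)),
    gasPrice: asUint(slot(6)),
    gasToken: asAddress(slot(7)),
    refundReceiver: asAddress(slot(8)),
    signatures: readBytes(slot(9)),
  };
}

// Triage rules: the two properties that distinguish an "upgrade" from the
// routine transfer the signers believed they were approving.
function triage(decoded) {
  const alerts = [];
  if (decoded.operation === OP_DELEGATECALL) {
    alerts.push("operation=1 (DELEGATECALL): target code runs with the Safe's storage and can rewrite its master copy");
  }
  if (decoded.value === 0n && decoded.data !== "0x") {
    alerts.push("zero-value call carrying calldata: a contract call, not a plain ETH transfer");
  }
  return alerts;
}

// Constructed sample: the shape of a malicious upgrade, with placeholder addresses and payload.
const SAMPLE_CALLDATA = encodeExecTransaction({
  to: "0xbbbb000000000000000000000000000000000002", // assumed attacker "upgrade" contract
  value: 0,
  data: "0xdeadbeef",                                  // placeholder payload, not the real one
  operation: OP_DELEGATECALL,
  safeTxGas: 0, baseGas: 0, gasPrice: 0,
  gasToken: "0x0000000000000000000000000000000000000000",
  refundReceiver: "0x0000000000000000000000000000000000000000",
  signatures: "0x" + "11".repeat(65),                  // one 65-byte placeholder, not a real signature
});

const decoded = decodeExecTransaction(SAMPLE_CALLDATA);
console.log("to:", decoded.to, "operation:", decoded.operation, "data:", decoded.data);
triage(decoded).forEach((a) => console.log("ALERT:", a));
```

Run against the `input` field of the real on-chain transaction, the same decoder gives an analyst `operation` and `to` directly; the selector and the head/tail layout are the standard ABI encoding of execTransaction, so no library is needed for this first pass.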
Ongoing Investigation and Recovery Efforts

Bybit, along with security firms and blockchain analytics companies, is actively investigating the incident and working to recover the stolen funds. The exchange has also offered a substantial bounty for information leading to the identification of the attackers.

Additionally, security experts are focusing on:

  • Determining how Safe{Wallet}'s AWS environment was accessed (Safe has since stated that a developer's machine was compromised).
  • Identifying the full extent of the exploit and ensuring similar attack vectors cannot be used again.
  • Collaborating with law enforcement agencies and blockchain tracking firms to trace the stolen funds.

Lessons from the Attack

This attack highlights significant security concerns for exchanges and custodial services that rely on third-party wallet infrastructures. The key takeaways from the Bybit hack include:

  • Enhanced Security for Signing Processes: isolating signing from any web front end that could be compromised, and verifying the transaction hash shown on the hardware wallet against an independent computation instead of blind-signing whatever the interface presents.
  • Monitoring Third-Party Integrations: treating wallet front ends such as Safe{Wallet} as part of the supply chain, with integrity checks on the served code to detect unauthorized modifications.
  • Strengthening Cloud Security Measures: tight control over who can write to the buckets that serve front-end code, with versioning and logging of every change so injection attempts are detected, not just prevented.

While the full extent of the attack is still being analyzed, the Bybit hack serves as a stark reminder of the evolving threats in the cryptocurrency space and the need for heightened security measures across the industry.

Thanks for reading. Discover Arrel by contacting us.