On February 21, Ben Zhou, co-founder and CEO of Bybit, announced one of the strangest hacks in the history of digital assets, which cost the Dubai-based exchange approximately $1.46 billion.
How Did It Happen?
The exchange was making a transfer from one of its ETH cold wallets (i.e., a wallet whose private key is stored offline) to a warm wallet (i.e., a wallet whose private key is stored online). Once the transaction was signed, the attacker took control of the cold wallet and transferred the ETH to an unidentified address.
What did Bybit do Afterwards?
A statement was released assuring users that other wallets and their funds were safe. Bybit also asked for help from any person or organization able to track the unidentified hacker’s address.
Bybit has been receiving overwhelming support from many quarters, including other exchanges such as Binance.
The first report the CEO shared was produced by Elliptic.
Elliptic Report
Four days after the hack, Elliptic released a dataset of 10,446 addresses linked to the stolen funds. The data can be accessed on Elliptic’s website via API or as a CSV file.
Elliptic attributed the theft to North Korea’s Lazarus Group, a group known for stealing billions of dollars’ worth of crypto assets.
The CEO of Bybit also acknowledged the report of Elliptic on his X (formerly Twitter) account with a thank-you message.
The CEO wrote: “Thx to the @elliptic team for putting up a real time bybit exploit data, really appreciate the effort and work put into helping us.”
The CEO also shared separate preliminary reports conducted by Sygnia and Verichain on his X account.
Sygnia Report
Sygnia, a cybersecurity services company, released a document detailing its findings, noting that the investigation is still ongoing to confirm them.
Sygnia’s forensic investigation highlighted the following key findings:
- Forensic investigation of all hosts used to initiate and sign the transaction revealed malicious JavaScript code injected into a resource served from Safe{Wallet}’s AWS S3 bucket.
- Resource modification time and publicly available web history archives suggest the injection of the malicious code was performed directly to Safe{Wallet}’s AWS S3 bucket.
- Initial analysis of the injected JavaScript code suggests its primary objective is to manipulate transactions, effectively changing the content of the transaction during the signing process.
- Additionally, the analysis of the injected JavaScript code identified an activation condition designed to execute only when the transaction source matches one of two contract addresses: Bybit’s contract address and a currently unidentified contract address, likely associated with a test contract controlled by the threat actor.
- Two minutes after the malicious transaction was executed and published, new versions of the JavaScript resources were uploaded to Safe{Wallet}’s AWS S3 bucket. These updated versions had the malicious code removed.
- The highlighted initial findings suggest the attack originated from Safe{Wallet}’s AWS infrastructure.
- Thus far, the forensic investigation did not identify any compromise of Bybit’s infrastructure.
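As an added illustration, not taken from the Sygnia or Verichain reports, of a control that catches a modified frontend bundle of the kind described above: a defender pins the Subresource Integrity (SRI) hash of the served JavaScript and re-checks it on a schedule, so a change that is reverted within minutes still leaves a record and a diff to review. The bundle contents and the placeholder address below are constructed for the example.

```python
import base64
import difflib
import hashlib

# Constructed sample: the bundle as last reviewed and pinned (hypothetical content).
BASELINE_JS = """\
function buildTx(to, value, data) {
  return { to: to, value: value, data: data };
}
"""

# Constructed sample: the same bundle with an injected branch gated on the sender
# address, mirroring the activation condition in the findings. Placeholder address.
TAMPERED_JS = BASELINE_JS + """\
if (window.tx && window.tx.from === "0xPLACEHOLDER_TARGET_ADDRESS") {
  // injected branch (constructed marker, no real logic)
}
"""


def sri_hash(data: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value for a served file, usable in <script integrity=...>."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def check_resource(pinned_sri: str, served: bytes, baseline: bytes) -> dict:
    """Compare a freshly fetched resource against the pinned SRI hash.

    Returns whether it changed and, if so, the lines added relative to the
    reviewed baseline so an analyst can see exactly what was injected."""
    algo = pinned_sri.split("-", 1)[0]
    if sri_hash(served, algo) == pinned_sri:
        return {"changed": False, "added_lines": []}
    diff = difflib.unified_diff(
        baseline.decode().splitlines(), served.decode().splitlines(), lineterm="", n=0
    )
    added = [line[1:] for line in diff
             if line.startswith("+") and not line.startswith("+++")]
    return {"changed": True, "added_lines": added}


if __name__ == "__main__":
    pinned = sri_hash(BASELINE_JS.encode())
    print(check_resource(pinned, BASELINE_JS.encode(), BASELINE_JS.encode()))
    print(check_resource(pinned, TAMPERED_JS.encode(), BASELINE_JS.encode()))
```

Run it on a schedule shorter than the window an attacker would need, and keep each fetched copy, since the modification here was reverted two minutes after the transaction was published.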
Verichain Report
The conclusions of their report, which note the need for further investigation, stated that:
The benign JavaScript file of app.safe.global appears to have been replaced with malicious code on February 19, 2025, at 15:29:25 UTC, specifically targeting Ethereum Multisig Cold Wallet of Bybit (0x1Db92e2EeBC8E0c075a02BeA49a2935BcD2dFCF4). The attack was designed to activate during the next Bybit transaction, which occurred on February 21, 2025, at 14:13:35 UTC.
Based on the investigation results from the machines of Bybit’s Signers and the cached malicious JavaScript payload found on the Wayback Archive, we strongly conclude that AWS S3 or CloudFront account/API Key of Safe.Global was likely leaked or compromised.
More to follow on the investigation, as Bybit is committed to recovering its stolen assets.