The second day of the largest theft in history: Bybit's self-rescue and collective industry support; how will the North Korean hackers cash out; reflecting on the current security model


This issue's editor | Wu Blockchain

Nearly $1.5 billion was stolen from Bybit, the largest theft in human history. How did the North Korean hackers do it?

On the morning of February 22, Bybit CEO Ben Zhou tweeted that in the 10 hours since the hacking incident, Bybit had experienced the most withdrawal requests it had ever seen: over 350,000 in total, of which about 2,100 were still pending. Overall, 99.994% of the withdrawals had been completed. The entire team had been awake all night handling and responding to customer questions and concerns.

Bybit CEO Ben said the fortunate thing is that they can still withstand it, as the company's assets exceed $1.5 billion; they also hold a cold wallet with nearly $3 billion in USDT in Safe, which fortunately was not stolen. If more than $10 billion had been stolen, they might have had to consider selling the company. They had never suffered a major security incident before, which may have let the company's guard down, and there are still many security measures that need to be upgraded.

Coinbase executive Conor Grogan disclosed data showing that the Bybit hacker (likely from North Korea) has become the 14th-largest ETH holder globally, currently holding about 0.42% of the total Ethereum token supply, more than the ETH holdings of Fidelity or Ethereum co-founder Vitalik Buterin, and more than double the ETH holdings of the Ethereum Foundation.

According to monitoring by @EmberCN, the Bybit hacker attempted to unstake 15,000 cmETH an hour earlier but was rejected by the cmETH withdrawal contract. The hacker then authorized a cmETH transaction on the DODO platform but was unable to complete it due to lack of liquidity. Analysts believe this portion of the assets is likely to be intercepted. Apart from these 15,000 cmETH, the ETH stolen from Bybit amounts to 499,000 ETH (worth about $1.37 billion), which the hacker has dispersed across 51 addresses.

Lookonchain tweeted that, according to CoinMarketCap data, Bybit held $16.2 billion in reserve assets before the attack, so the roughly $1.4 billion in stolen assets accounts for about 8.64% of that.

According to monitoring by @EmberCN, the MEXC hot wallet transferred 12,652 stETH (about $33.75 million) to the Bybit cold wallet. Bybit should by now have received a total of 64,452 ETH (about $170 million) in loan support, coming from Bitget, an institution that withdrew from Binance, and MEXC. A whale or institution transferred 11,800 ETH (worth $31 million) from Binance to the Bybit cold wallet to support Bybit customer withdrawals.

Bitget CEO Gracy said that she proactively contacted Bybit CEO Ben and offered assistance without requiring any collateral, interest, time limit or other commitment; Bybit can return the funds whenever it no longer needs them. Her current understanding is that Bybit's liquidity has improved and no further support is needed. Bybit CEO Ben said that Bitget was the first to lend a hand, without any conditions, and that Matcha and Dapp.net also helped.

OKX President Hong Fang said that the addresses related to the Bybit hacker have been added to OKX's blacklist, that the engineering team is closely monitoring these addresses, and that it will take immediate action on any movement of funds. The OKX team is also in contact with the Bybit team, offering assistance with IT security and liquidity support.

According to analysis by Taproot Wizards co-founder Eric Wall, the Bybit theft has been all but confirmed as the work of the North Korean hacker group Lazarus Group. According to Chainalysis' 2022 report, the group usually follows a fixed pattern when disposing of stolen funds, and the whole process can last for years. The 2022 data showed that the group still held $55 million from its 2016 attack, indicating that it is in no hurry to cash out.

The group's disposal process for stolen funds: first, convert all ERC-20 tokens (including stETH and other liquid staking derivatives) into ETH; second, convert all of that ETH into BTC; third, gradually convert the BTC into RMB through Asian exchanges.

The analysis points out that Bybit has for now filled the roughly $1.5 billion ETH gap through borrowing, possibly in the expectation of recovering the stolen funds. But given that the attack has been confirmed as the work of the Lazarus Group, the chance of recovery is extremely low, and Bybit will have to buy ETH to repay the loans. In the long run, Bybit's ETH purchases and Lazarus Group's ETH sales (to convert into BTC) may offset each other, while the BTC obtained by Lazarus Group will gradually turn into selling pressure over the next few years.

Safe responded on social media to the question of how "Bybit displayed seemingly correct transaction information but executed a malicious transaction on-chain with all valid signatures": no leakage of the code repository was found, as a thorough check of the Safe code repository showed no evidence of leakage or modification; no malicious dependencies were found, with no sign that any dependency in the Safe code repository could affect the transaction flow (i.e., a supply-chain attack); no unauthorized access to the infrastructure was detected in the logs; and no other Safe addresses were affected.

Safe said it has temporarily suspended Safe{Wallet} functionality to ensure users have full confidence in the security of the Safe platform. Although the investigation has found no evidence that the Safe{Wallet} front end itself was compromised, a more thorough review is under way.

SlowMist's Cosine said that the Safe contract is not the problem; the problem lies in the non-contract part, where the front end was tampered with and forged to deceive the signers. This is not an isolated case: North Korean hackers hit several companies this way last year, for example WazirX ($230M, Safe multi-signature), Radiant Capital ($50M, Safe multi-signature) and DMM ($305M, Ginco multi-signature). This attack method has been industrialized and is mature. Other companies need to pay more attention, and multi-signature setups exist beyond Safe alone.

Ethena Labs founder @leptokurtic_ said that Ethena handled its largest single-day redemption and closed out all unrealized risk exposure within moments of the news breaking. Although Bybit, as the world's second-largest derivatives exchange, represented over 20% of the hedging exposure, USDe was never undercollateralized. He hopes the incident validates some of the design decisions made to reduce user risk by using OES (off-exchange settlement) custodial solutions.

Qi Zhou said that the Bybit hacking incident calls for deep reflection on the security of multi-signature wallets. In a multi-signature transaction, once the first signer submits, the subsequent signers may blindly trust the first signer's transaction data and sign directly, skipping independent cross-checking. This practice violates the original design intent of the multi-signature mechanism and creates security vulnerabilities. The impact of this incident is far-reaching: most on-chain total value locked (TVL) is currently managed by multi-signature contracts, including cross-chain bridges, DeFi protocols and other core infrastructure. If the contract management process lacks strict review and operational norms, similar security incidents are likely to recur. The industry therefore needs to re-examine the security of the multi-signature process and ensure that each step is independently verified, so as to avoid the risks that come from blind trust.

Hardware wallet developer Keystone said that for a long time, with multi-signature solutions like Safe, hardware wallet users have had to "blindly" sign transactions without being able to truly verify what they are confirming. In a front-end attack, the hardware wallet is the user's last line of defense. Keystone is now working with SlowMist, BlockSec and Offside Labs, and hopes to collaborate with Safe, to bring security visualization to hardware wallets in Safe transactions, solving the long-standing problem of blind signing so that users can truly see what they are signing. It also hopes to work with exchanges such as Binance, OKX, Bitget and Bybit to build more complete security solutions for cold wallet multi-signature workflows, ensuring that assets remain strictly protected in more complex asset management scenarios.


According to statistics from SoSoValue and the latest monitoring data from the on-chain security team TenArmor, the trading platform has received over $4 billion in inflows in the past 12 hours (as of 2:00 pm Beijing time on February 22), including 63,168.08 ETH, $3.15 billion in (), $173 million in , and $525 million in . Based on the comparison of inflow data, this inflow has fully covered the losses caused by the hacker attack yesterday. At the same time, all services of the exchange, including the withdrawal function, have resumed normal operation.

CEO BEN stated that they received help from these companies at the critical moment when they were hacked: Antalpha under coin, , , , Mirana, , Foundation, Foundation, Blockchain Center Dubai, Ghaf Capital, , , and Galaxy.

partner Andrei Grachev stated on that the hacking incident is very serious and must be thoroughly investigated. Currently, has not made any withdrawal requests from and stated that they are willing to provide support if needed. He also mentioned that he is very curious to see how will handle this matter, recalling that 10 years ago, had pushed for the Ethereum rollback of transactions after the hacking incident.


On the afternoon of February 22, Beijing time, ZachXBT stated that the involved in the incident transferred 5,000 to a new address and laundered the funds through (a centralized mixer) and then bridged the funds to through . CEO Ben Zhou stated that they have detected that the hacker is trying to transfer through . They hope that the cross-chain bridge projects will help stop and prevent further transfer of assets to other chains. will soon release a bounty program to reward anyone who helps them stop or track down and recover the stolen funds.

On the afternoon of February 22, according to @EmberCN, 5 institutions/individuals have provided a total of 120,000 (about $321 million) in loan support to . : 40,000 (about $106 million); an institution/whale that withdrew from : 11,800 (about $31.02 million); : 12,652 (about $33.75 million); or another institution/whale that withdrew from : 36,000 (about $96.54 million); address 0x327...45b: 20,000 (about $53.7 million).

According to the Etherscan browser, the supported by has rescued 15,000 , worth about $42.76 million, from the . Earlier, the had stated that the withdrawal had been resumed (mistakenly thought to have been destroyed by the hacker).

The responded on , stating that they have taken multiple emergency measures to mitigate the impact of the security incident. First, the protocol's built-in 8-hour withdrawal delay mechanism successfully bought the team valuable response time, temporarily suspending withdrawals and preventing unauthorized withdrawals. Second, the has blacklisted the hacker's wallet addresses, effectively preventing further transfers and operations within the protocol. In addition, the protocol has also reduced the liquidity on the network L2. Ultimately, the successfully recovered 15,000 from the hacker's address, restoring the integrity of the supply.

posted that some people questioned his suggestion of suspending all withdrawals as a standard security precaution measure. His intention was to share a practical approach based on his experience and observations, but both methods do not have absolute right or wrong. His guiding principle is always to lean towards the safer side. After any security incident, he suggests pausing everything, ensuring a full understanding of what happened, how the hacker infiltrated the system, and which devices were compromised, thoroughly checking everything for safety, and then resuming operations. Of course, suspending withdrawals may cause more panic. His tweet was to share what might be effective, and his intention was to express support in a timely manner. He believes Ben made the best decision based on the information he had.

CEO BEN posted on that "I agree with CZ's view. If this hacker attack was through the penetration of our internal system or hot wallet, we would immediately suspend all withdrawals until we find the root cause. But yesterday, the attacked wallet was our cold wallet, which is unrelated to any of our internal systems. Therefore, I can decisively decide to allow all withdrawals and system functions of to operate normally." BEN also emphasized, "During last night's crisis, and , as well as many partners and industry leaders, actively offered help, and we are deeply grateful for that."

According to , despite the $150 million theft incident at , the overall market sentiment remains cautiously optimistic. The market believes the impact of the hacking incident is manageable, with key support levels concentrated in the $95,000-$96,000 range. and have provided emergency liquidity support, and traders are actively selling low-volatility options (29% volatility), indicating limited concerns about further downside. The market is expected to recover quickly and return to the mean.

CEO Paolo Ardoino stated on that they have frozen 181,000 related to the hacker incident. Although the amount is not large, this is a legitimate action, and will continue to monitor the situation.

has officially launched a "Bounty Recovery Program", calling on global cybersecurity and crypto analysis experts to jointly investigate the perpetrator of the largest crypto theft in history. Contributors who successfully recover the funds will receive a 10% reward, with the total bounty amount calculated based on the verifiable recovered amount of the stolen valued at over $140 million at the time of the incident. If all funds are recovered, the total bounty could reach $14 million. CEO Ben Zhou stated, "We hope to formally reward those community members who have provided us with professional expertise, experience, and support through the 'Bounty Recovery Program', and we will not stop there."

article: In this incident, the Safe contract was not the problem; the issue was in the non-contract part, where the front end was tampered with to achieve a deceptive effect. This is not an isolated case: North Korean hackers attacked several platforms in this way last year. But the questions remain: Did the attacker obtain the operational information of 's internal finance team in advance and learn the timing of the multi-signature cold wallet transfer? Through the Safe system, did they induce the signers to sign malicious transactions on a forged interface? Was the Safe front-end system compromised and taken over? The signers saw the correct address and URL on the Safe interface, but the transaction data they signed had been tampered with. The key question is: Who initiated the signing request first, and how secure was their device?

On the evening of February 22, Beijing time, on-chain records show that a suspected address (0x2E...1b77) received 100 million from 0xEC...B5E76 10 hours ago, and transferred $50 million each to the OTC addresses of and 7 hours ago, buying a total of 36,900 , and deposited them into 1 hour ago (10:32 pm Beijing time).

A Cobo article points out that the Bybit incident not only exposed specific operational vulnerabilities but also revealed architectural defects in the current digital asset custody system. It exposed the fundamental flaw of traditional multi-signature security: the lack of an independent transaction verification layer, which lets an attacker manipulate the interface, contract logic and transaction data to deceive the signers. Cobo is pursuing in-depth cooperation with major hardware wallet manufacturers and, while retaining their original security solutions, is building an independent third-party signature review channel.

Disclaimer: The content above is only the author's opinion which does not represent any position of Followin, and is not intended as, and shall not be understood or construed as, investment advice from Followin.