The $1.5 Billion Bybit Heist: What You Need to Know

Uncovering the Bybit Heist: Multisig Wallets and the Social Tactics Behind the $1.5 Billion Theft

I realize it's a bit late to write a blog about the Bybit hack. Even so, although the hack has been widely discussed, its impact on the crypto market is still being felt. It raises important questions about exchange security and shows how far attackers have moved from breaking code to breaking the signing process around it. In this blog we examine the attack step by step, look at the techniques used, and draw out the lessons for anyone operating or auditing a multisig treasury.

Here is Bybit CEO Ben Zhou's live statement about this incident.

Overview of The Bybit Hack

On February 21, 2025, the largest cryptocurrency theft to date took place: attackers drained roughly $1.5 billion in assets, including about 401,000 ETH, from Bybit's cold wallet during what should have been a routine transfer to a warm wallet. A cold wallet is one whose signing keys are kept offline; Bybit's was a Safe multisig contract whose signers held their keys on hardware devices. The attackers did not break the wallet itself. They manipulated what the signers saw, so that a transaction presented as an internal transfer in fact handed control of the wallet to the attacker. The stolen assets were ETH, stETH, mETH, and cmETH.

Investigators quickly pointed to North Korea's Lazarus Group, and the FBI subsequently attributed the theft publicly to that group (which it tracks as TraderTraitor). Lazarus has a long record of large cryptocurrency heists, and on-chain investigator ZachXBT and other researchers found laundering patterns matching earlier Lazarus operations. The analytics company Arkham, which had offered a $50,000 bounty for identifying the attacker and paid it to ZachXBT for connecting the breach to Lazarus, accepted that attribution.

How the Hack was Performed (Deep Analysis of the Attack)

This was not a typical hack built on stolen private keys or a bug in the wallet's smart contract. It was a carefully planned operation that combined three things: a legitimate but dangerous capability of the multisig (executing a delegatecall from the wallet's own context), a signing interface that showed the signers something other than what they were signing, and the signers' reliance on that interface.

Let’s discuss it in detail.

Understanding the Multisig System's Weakness

Bybit's cold wallet was a multi-signature (multisig) contract: a transaction only executes once a threshold of the designated signers (here, three of six) has signed it. Because several private keys held by different people must agree, a single stolen key or a single compromised operator should not be enough to move funds.

  • To get money out, the attacker had three options:

    1. Steal three signers' private keys (unlikely: the keys were held on hardware devices and never exposed to the host machine)

    2. Find an exploitable bug in the multisig contract itself (unlikely in a widely deployed, audited contract)

    3. Trick three signers into approving a malicious transaction (which is exactly what happened)

Instead of going straight for the blockchain code, the attacker focused on the human factor.

Creating the Malicious Transaction

The attacker prepared a transaction that, to the signers, looked entirely legitimate:

  • It appeared to move assets between internal Bybit wallets.

  • The signing interface showed a standard transfer, with no warnings or unusual details.

  • The destination address shown in the front end was the correct, expected one.

The raw transaction data told a different story:

  • Instead of a normal call, the transaction instructed the multisig to perform a delegatecall into an attacker-controlled contract.

  • Because a delegatecall runs the target's code in the caller's context, that code executed with the multisig's own storage and privileges.

  • What it did with those privileges was overwrite the wallet's master copy reference (the storage slot that tells the Safe proxy which implementation contract to execute) with the address of a new, attacker-controlled implementation.

The contract can be inspected on Etherscan.

Using Delegate Calls to Gain Complete Control

What is a delegatecall?

delegatecall is an EVM opcode that lets a contract execute code from another contract while keeping its own execution context: the calling contract's storage, its ETH balance, and the original msg.sender and msg.value. It is the mechanism behind upgradeable proxies, which is exactly why a Safe can be redirected by one.

What makes this risky?

  • Code run via delegatecall can write anywhere in the caller's storage, including stored balances, owner lists, signing thresholds, and the proxy's implementation pointer.

  • A malicious target can therefore take over the calling contract permanently, not just for the one transaction.

  • Because the call is authorised by the trusted multisig itself, every safeguard that keys off the multisig's address (token approvals, access control) is bypassed.

In the decoded input data of the attack transaction, the operation field (a uint8 argument of the Safe's execTransaction function) is set to 1. Operation 0 means a normal CALL; operation 1 means DELEGATECALL. That single byte is the difference between "send funds to this address" and "let this address's code run as the wallet".

The attacker's method:

After that transaction the wallet's state looks different: the Safe proxy's master copy slot no longer points to the genuine Safe implementation but to the attacker's contract.

Malicious implementation (new master copy): 0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516

  • The delegatecall sent Bybit's multisig into a malicious contract that carried out a contract-replacement (implementation swap) attack.

  • By writing to the proxy's storage, it replaced the implementation the wallet executes with code that exposes sweep functions controllable by the attacker.

  • From that moment the attacker could move every asset held by the wallet without collecting a single further signature.

Bybit's security was seriously compromised at this point.

Using Sweep Transactions to Drain Funds

The first transfer moved only about $90 worth of assets, almost certainly a test that the new implementation worked.

The second moved approximately 401,000 ETH (roughly $1.1 billion at the time).

The third moved approximately 8,000 mETH (about $22 million).

The fourth moved approximately 90,000 stETH (about $250 million).

The fifth and last moved approximately 15,000 cmETH (about $52 million).

Each transfer confirmed within seconds of the previous one, leaving Bybit no window to react.

Other weaknesses that enabled this:

  • The signing interface showed a summarised, human-readable view of the transaction rather than the raw calldata, and that view did not match what was actually being signed.

  • The signers relied on that view and, in effect, blind-signed: no one independently decoded the transaction data.

  • For all its strengths, a multisig is not immune to fraud; once enough signers approve an unauthorised transaction, it executes with no further questions asked.

The Great Escape: Covering Their Tracks

Once the funds were out, the attacker laundered them using:

  • Chain hopping: bridging assets across blockchains to break analysts' view of the flow.

  • Mixers, including Tornado Cash, to obscure transaction history.

  • Automated laundering tooling seen in earlier Lazarus Group operations.

By the time Bybit's forensic team had confirmed the attack, the funds had already been split across many attacker-controlled wallets.

Bybit's Reaction and Damage Control

Once the attack was discovered, Bybit moved quickly:

  • It kept customer withdrawals open rather than freezing them, processing the surge of requests while it secured its remaining wallets.

  • It engaged blockchain forensics firms to trace the stolen funds.

  • It cooperated with law enforcement in a cross-border investigation.

  • It communicated openly, including a detailed post-mortem, to reassure users.

Despite Bybit's assurance that it held enough reserves to cover the loss in full, the damage to its brand and to customer confidence was significant.

Things to Take Away

  • Multisig security is not flawless

    Multiple signatures add nothing if every signer is shown the same misleading view and approves it.

  • Delegatecalls should be rare and tightly controlled

    A treasury multisig should disable delegatecall entirely or restrict it to a fixed allowlist of audited targets (Safe supports this through a transaction guard); a delegatecall to an unknown address should never be signable.

  • Raw transaction data must be verified

    Signers should decode the raw calldata independently of the signing interface and confirm the target, value and operation before approving.

  • Hardware wallets are necessary but not sufficient

    A hardware wallet protects the key, but it only defeats UI deception if it clear-signs the decoded transaction fields; a device that shows only an opaque hash leaves the signer blind-signing whatever the interface prepared.

How Researchers and Users Can Protect Themselves

  • Check transactions manually

    Before signing, decode the raw calldata with a tool that is independent of the signing interface and confirm the target, value and operation (for a routine transfer the operation must be 0, a plain call). After the fact, Etherscan's input-data decoder shows the same fields for any broadcast transaction.

  • Use hardware wallets for critical approvals

    Prefer devices and integrations that clear-sign the decoded transaction rather than a bare hash.

  • Monitor for anomalies in on-chain activity

    Watch treasury contracts for implementation or ownership changes and large outflows, and use forensic tooling such as Chainalysis and Arkham to trace significant transfers.
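The checks discussed above (the operation byte that turns a transfer into a delegatecall, the summarised calldata the signers saw, and the advice to decode raw transaction data before signing) can be turned into a small tool. The following is an added example written for this post, not code from Bybit, Safe or the attacker: it ABI-decodes a Safe execTransaction() payload and flags what a signer should have refused. The execTransaction and ERC-20 transfer selectors and the argument layout are the public Safe and ERC-20 ones; the wallet address, the delegatecall target and both payloads are constructed for the example, and only the new master copy address is the one quoted in this post.

```python
# Added example for this post (not Bybit's, Safe's or the attacker's code).
# Decodes the calldata of a Safe execTransaction() call and applies the checks
# a signer should run before approving. Selectors and ABI layout are the public
# Safe / ERC-20 ones; all addresses and payloads below are constructed here,
# except NEW_MASTER_COPY, which is the malicious implementation named in the post.

EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")  # execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)
ERC20_TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")    # transfer(address,uint256)
OPERATION_NAMES = {0: "CALL", 1: "DELEGATECALL"}

INTERNAL_WARM_WALLET = "0x2222222222222222222222222222222222222222"  # constructed stand-in
DELEGATE_TARGET = "0x1111111111111111111111111111111111111111"      # constructed stand-in for the delegatecall target
NEW_MASTER_COPY = "0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516"      # address named in the post


def _word(value: int) -> bytes:
    return value.to_bytes(32, "big")

def _addr_word(addr: str) -> bytes:
    return bytes.fromhex(addr[2:]).rjust(32, b"\x00")

def _pad(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % 32)

def erc20_transfer_data(recipient: str, amount: int) -> bytes:
    """Inner calldata for transfer(address,uint256)."""
    return ERC20_TRANSFER_SELECTOR + _addr_word(recipient) + _word(amount)

def encode_exec_transaction(to: str, value: int, data: bytes, operation: int,
                            signatures: bytes = b"") -> bytes:
    """ABI-encode execTransaction(...). Gas parameters, gasToken and
    refundReceiver are zero, as in a typical Safe UI transaction."""
    data_offset = 10 * 32                               # ten head words
    sig_offset = data_offset + 32 + len(_pad(data))     # after data's length word and padded bytes
    zero_addr = "0x" + "00" * 20
    head = b"".join([_addr_word(to), _word(value), _word(data_offset), _word(operation),
                     _word(0), _word(0), _word(0), _addr_word(zero_addr),
                     _addr_word(zero_addr), _word(sig_offset)])
    tail = _word(len(data)) + _pad(data) + _word(len(signatures)) + _pad(signatures)
    return EXEC_TRANSACTION_SELECTOR + head + tail

def decode_exec_transaction(calldata: bytes) -> dict:
    """Decode the ten execTransaction arguments from raw calldata."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not a Safe execTransaction() call")
    body = calldata[4:]
    def word(i: int) -> bytes:
        return body[32 * i:32 * (i + 1)]
    def uint(i: int) -> int:
        return int.from_bytes(word(i), "big")
    def addr(i: int) -> str:
        return "0x" + word(i)[12:].hex()
    def dynamic(offset: int) -> bytes:      # length word followed by the bytes
        length = int.from_bytes(body[offset:offset + 32], "big")
        return body[offset + 32:offset + 32 + length]
    return {"to": addr(0), "value": uint(1), "data": dynamic(uint(2)), "operation": uint(3),
            "safeTxGas": uint(4), "baseGas": uint(5), "gasPrice": uint(6),
            "gasToken": addr(7), "refundReceiver": addr(8), "signatures": dynamic(uint(9))}

def decode_inner_transfer(data: bytes):
    """Return (recipient, amount) if data is an ERC-20 transfer(address,uint256), else None."""
    if len(data) != 68 or data[:4] != ERC20_TRANSFER_SELECTOR:
        return None
    return "0x" + data[16:36].hex(), int.from_bytes(data[36:68], "big")

def review_safe_tx(tx: dict, allowed_targets: set) -> list:
    """Policy checks for a routine treasury transfer. An empty list means no findings."""
    findings = []
    if tx["operation"] != 0:
        findings.append(f"CRITICAL: operation={tx['operation']} ({OPERATION_NAMES.get(tx['operation'], 'unknown')}): "
                        "the target's code would run with the Safe's own storage and privileges")
    if tx["to"].lower() not in {a.lower() for a in allowed_targets}:
        findings.append(f"target {tx['to']} is not an allow-listed wallet or token contract")
    inner = decode_inner_transfer(tx["data"])
    if inner and tx["operation"] != 0:
        findings.append(f"'transfer' to {inner[0]} is meaningless under DELEGATECALL: "
                        "those bytes are arguments to unknown code running as the Safe")
    return findings

# Constructed payloads: a routine transfer and the shape of the attack transaction.
BENIGN_CALLDATA = encode_exec_transaction(INTERNAL_WARM_WALLET, 10 * 10**18, b"", 0)
MALICIOUS_CALLDATA = encode_exec_transaction(DELEGATE_TARGET, 0,
                                             erc20_transfer_data(NEW_MASTER_COPY, 0), 1)

if __name__ == "__main__":
    for label, calldata in (("benign", BENIGN_CALLDATA), ("malicious", MALICIOUS_CALLDATA)):
        tx = decode_exec_transaction(calldata)
        print(f"{label}: to={tx['to']} value={tx['value']} operation={OPERATION_NAMES[tx['operation']]}")
        for finding in review_safe_tx(tx, {INTERNAL_WARM_WALLET}):
            print("  -", finding)
```

Run as a script, it decodes both payloads. The malicious one looks like a zero-value ERC-20 transfer in any summarised view, yet it is rejected because its operation byte is 1 and its target is not on the allowlist. In practice the decoder should run on a machine separate from the signing interface, and the allowlist should be the treasury's known wallets and token contracts.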

Conclusion: A Security Lesson Worth $1.5 Billion

The attack exploited trust, not smart contract weaknesses. The attacker did not brute-force anything or burn a zero-day; they got the right people to approve the wrong transaction.

  • Crypto security is about secure processes as much as secure code.

  • Misplaced trust in what a screen displays, rather than any exploit, was the real vulnerability.

"We are committed to learning from this incident and strengthening our security protocols to prevent future breaches," stated Ben Zhou, CEO of Bybit.

The damage to Bybit is done, but the hack is a wake-up call for everyone who operates or secures a multisig treasury. Stay informed and proactive about security in the crypto space to protect yourself and your assets.

What are your thoughts on this hack? Could it have been prevented? Share your insights or experiences in the comments. 🚀