SuperExMedia
Posted Monday at 11:21 AM

#Bybit #ETH #Crypto

In our article on the 22nd, we were the first to outline the general process of Bybit’s 1.5 billion USD ETH theft incident, condemning and voicing support for the situation. With Bybit receiving 4 billion USD in funds, they officially announced covering the funding gap. It seems that Bybit has weathered the “black swan” event.

Although the crisis has come to an end, with the remaining focus on accountability and follow-up work, this incident exposed numerous issues in the industry’s security mechanisms and crisis response. It has caused significant market turbulence. In this article, we will provide a detailed analysis of the full timeline and key events of the incident.

February 19

07:15: The attacker deploys a malicious smart contract (address: 0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516) in preparation for the subsequent attack.

February 21

14:13: The attacker uses a fake Safe multi-signature wallet user interface (UI) to deceive signers into signing malicious transactions. The Safe contract is replaced with a malicious version, embedding backdoor functions such as sweepETH and sweepERC20.

21:20: The attacker uses the malicious contract to transfer cold wallet assets, totaling 401,347 ETH and equivalent stETH, cmETH, mETH, valued at approximately 1.5 billion USD.

23:27: Blockchain detective ZachXBT issues a warning via Telegram, reporting abnormal fund outflows from Bybit’s Ethereum cold wallet, amounting to 1.46 billion USD.

23:37: Crypto KOL Finish confirms via a post that one of Bybit’s multi-signature addresses transferred 1.5 billion USD worth of ETH to a new address and exchanged LSD assets for native ETH via four different DEXs.

23:44: Bybit CEO Ben Zhou confirms the incident on social media, stating that hackers controlled a specific ETH cold wallet, but other cold wallets remained secure with withdrawals operating normally.

23:50 to 08:00 on the 22nd: The hacker disperses 401,347 ETH across 40 addresses and exchanges it for native ETH via DEXs. Some funds are cross-chain transferred to a BTC address via Chainflip.

February 22

Early Morning: Bybit CEO Ben Zhou begins a live stream, promising that the platform will keep withdrawal channels open and fully compensate users for their losses. He reveals that Bybit’s asset management exceeds 20 billion USD and that other assets in cold wallets remain unaffected.

03:09: ZachXBT provides conclusive evidence, confirming that the attack was carried out by the North Korean hacker group Lazarus Group. Blockchain data shows the attacker’s test transaction patterns, wallet associations, and timeline align with previous incidents.

08:00: Security firm Blockaid points out that Lazarus Group used “blind signing” technology to bypass security verification and conducted social engineering attacks to gain signature permissions, successfully transferring funds.

09:00: Bybit announces that 99.994% of withdrawals have been completed and platform services have returned to normal. Blockchain data shows that Bybit received over 4 billion USD in the past 12 hours, covering the stolen fund gap.

10:00: Platforms like Tether, THORChain, and ChangeNOW assist in freezing 42.89 million USD worth of stolen funds. However, the hacker still holds 448,600 ETH (approximately 1.26 billion USD) and is laundering the funds via mixers.

Early Morning to Morning: Multiple exchanges and institutions provide support to Bybit. Bitget transfers 40,000 ETH to Bybit’s cold wallet, MEXC transfers 12,600 stETH, and ABCDE’s co-founder Du Jun personally transfers 10,000 ETH.

February 21–22

The incident causes ETH to briefly drop 8%, with over 400 million USD in liquidations across the market. Bybit’s rapid response and industry support helped stabilize market sentiment, and ETH prices recovered to over 2,700 USD.

February 23

Security experts urge the industry to strengthen security mechanisms, including the introduction of secondary semantic validation, hardware wallet confirmation, and the development of exchange insurance services.

Conclusion: A Battle with No Winners

The Bybit incident once again proves that the crypto industry thrives alongside inherent risks. While the industry’s swift mobilization demonstrated unity, the 1.5 billion USD loss is a fait accompli. As the founder of SlowMist, Yu Xian, put it: “Security is not a single-point defense but an ecological global game.” When the hacker’s technical sophistication surpasses traditional defenses, only a triple effort of technological upgrades, regulatory collaboration, and user vigilance can find a way out of this battle.
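
The "secondary semantic validation" recommended on February 23 can be sketched as a check that reads a Safe transaction's raw fields independently of the signing UI and refuses anything outside policy. This is an added example, not code from the article, Bybit or Safe; the allowlists, the addresses, the sample transactions and the `review` helper are constructed assumptions.

```python
# Added example: independent semantic check of a Safe transaction before signing.
# All addresses, allowlists and sample transactions are constructed assumptions.
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1  # Safe's Enum.Operation values

WARM_WALLET = "0x" + "11" * 20            # constructed: approved withdrawal target
ALLOWED_TARGETS = {WARM_WALLET}
ALLOWED_DELEGATE_TARGETS = set()          # policy assumption: none approved
KNOWN_SELECTORS = {"a9059cbb": ("transfer(address,uint256)", 2)}  # name, arg words

@dataclass
class SafeTx:
    to: str
    value: int
    data: bytes
    operation: int

def review(tx: SafeTx, intended_to: str) -> list:
    """Return reasons not to sign; an empty list means the tx matches policy."""
    findings, to = [], tx.to.lower()
    if to != intended_to.lower():
        findings.append("target differs from the operator's stated intent")
    if tx.operation == DELEGATECALL:
        if to not in ALLOWED_DELEGATE_TARGETS:
            findings.append("delegatecall to unapproved contract")
    elif tx.operation != CALL:
        findings.append(f"unknown operation {tx.operation}")
    elif to not in ALLOWED_TARGETS:
        findings.append("call target not on allowlist")
    if tx.data:
        name, words = KNOWN_SELECTORS.get(tx.data[:4].hex(), (None, 0))
        if name is None:
            findings.append("calldata selector cannot be decoded")
        elif len(tx.data) != 4 + 32 * words:
            findings.append(f"calldata length does not match {name}")
    return findings

# Constructed samples: a routine ETH transfer, and a payload whose calldata looks
# like an ERC-20 transfer but is sent as a delegatecall to an unknown contract.
ROUTINE = SafeTx(WARM_WALLET, 10**18, b"", CALL)
SUSPICIOUS = SafeTx("0x" + "22" * 20, 0,
                    bytes.fromhex("a9059cbb") + bytes(64), DELEGATECALL)

if __name__ == "__main__":
    for label, tx in (("routine", ROUTINE), ("suspicious", SUSPICIOUS)):
        print(label, review(tx, WARM_WALLET) or "ok to sign")
```

The check is only useful when it runs on a device separate from the one rendering the signing UI, so that the decoded fields do not come from the same interface the signer is being asked to trust.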