
Bybit suffered the largest crypto hack in history, losing $1.5 billion in Ethereum. The attack exploited vulnerabilities in wallet infrastructure, prompting urgent discussions on security, risk management, and fund recovery. Amberdata’s blockchain intelligence is key in forensic investigations, helping track stolen assets and mitigate future threats. Learn all about the largest crypto hack in history:

Introduction

On February 21st, 2025, Bybit, a cryptocurrency exchange based in Dubai, experienced a significant security breach resulting in the theft of approximately $1.5 billion in virtual assets, primarily Ethereum. This incident is considered the largest cryptocurrency theft to date.

The hack sent shockwaves across the crypto industry, raising urgent concerns about security, risk management, and fund recovery. As blockchain crimes grow increasingly sophisticated, the ability to track, analyze, and mitigate the impact of such attacks is crucial.

Amberdata provides institutional-grade blockchain intelligence to help uncover critical details and assist in forensic investigations. Its comprehensive on-chain data solution is designed for institutions, developers, and enterprises looking to access real-time and historical blockchain data, analytics, and insights. Our platform supports a wide range of use cases, including DeFi analytics, trading strategies, risk management, and compliance.

Details of the Hack

The attackers gained control of an Ethereum wallet used by Bybit and transferred around 401,000 Ether to unidentified addresses.

The Federal Bureau of Investigation (FBI) has attributed this theft to North Korea-linked hacking groups, specifically the Lazarus Group, also known as TraderTraitor. These groups have a history of targeting cryptocurrency platforms to fund North Korea's nuclear weapons program.

Immediate Aftermath and Response

Following the breach, Bybit's CEO, Ben Zhou, assured users that the exchange remained solvent and that all client assets were backed 1:1. The company secured emergency funding, obtaining approximately 447,000 Ether from firms such as Galaxy Digital, FalconX, and Wintermute, to replenish its reserves within 72 hours.

Industry Impact

This unprecedented hack has raised concerns about security within the cryptocurrency industry. The incident led to a decline in the prices of major cryptocurrencies, including Bitcoin and Ethereum, and prompted increased regulatory scrutiny. The FBI has urged the private sector to assist in blocking transactions associated with the stolen assets to prevent further laundering efforts by the perpetrators.

Technical Deep Dive

The hack involved a sophisticated supply chain attack targeting the Safe{Wallet} infrastructure. Here's a detailed breakdown of the exploit:

Technical Details of the Exploit

  • Supply Chain Compromise: The attackers infiltrated the Safe{Wallet} infrastructure by compromising a developer's machine. This breach allowed them to inject malicious code into the wallet's interface, which Bybit utilized for managing its cold storage.
  • Phishing and Social Engineering: Leveraging the compromised interface, the attackers executed a phishing campaign that deceived Bybit's wallet signers. The malicious interface presented seemingly legitimate transactions, leading signers to authorize them without detecting the embedded malicious code.
  • Unauthorized Contract Upgrade: With the obtained signatures, the attackers replaced Bybit's multi-signature wallet implementation contract with a malicious version. This unauthorized upgrade granted them full control over the wallet, enabling the transfer of approximately $1.5 billion in Ethereum and other assets to addresses under their control.
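As an added illustration (not code from Amberdata, Bybit or Safe), here is the kind of pre-signing policy check that the compromised interface was able to defeat: the signer compares the transaction the interface displayed against the payload the signing device actually receives, and refuses any delegatecall to a target outside an allowlist. The field names mirror Safe's execTransaction parameters (to, value, data, operation; operation 1 is delegatecall); the addresses, calldata and empty allowlist are constructed.

```python
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1  # Safe "operation" codes: 0 = call, 1 = delegatecall


@dataclass(frozen=True)
class SafeTx:
    """The transaction fields a signer can verify on the hardware device screen."""
    to: str
    value: int
    data: bytes
    operation: int


def check_before_signing(shown: SafeTx, payload: SafeTx,
                         delegatecall_allowlist: frozenset = frozenset()) -> list:
    """Return findings; an empty list means the payload matches what the UI
    showed and carries no delegatecall to a target outside the allowlist."""
    findings = []
    # 1. A compromised interface can display one transaction and submit another:
    #    compare every field of what was shown with what is about to be signed.
    for field in ("to", "value", "data", "operation"):
        if getattr(shown, field) != getattr(payload, field):
            findings.append(f"{field} mismatch between UI and signing payload")
    # 2. A delegatecall lets the target contract rewrite the Safe's own storage
    #    (including its implementation pointer), so it is never routine.
    if payload.operation == DELEGATECALL and payload.to.lower() not in delegatecall_allowlist:
        findings.append(f"delegatecall to non-allowlisted target {payload.to}")
    return findings


# Constructed example: a routine token transfer as displayed (ERC-20 transfer
# selector a9059cbb) versus a swapped payload that delegatecalls another contract.
UI_VIEW = SafeTx(to="0xtoken_constructed", value=0,
                 data=bytes.fromhex("a9059cbb"), operation=CALL)
TAMPERED = SafeTx(to="0xattack_contract_constructed", value=0,
                  data=bytes.fromhex("deadbeef"), operation=DELEGATECALL)

if __name__ == "__main__":
    print(check_before_signing(UI_VIEW, UI_VIEW))  # [] : safe to sign
    for finding in check_before_signing(UI_VIEW, TAMPERED):
        print("REJECT:", finding)
```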

Impacted Wallet Addresses

  • Bybit's Multisig Cold Wallet (Victim): 0x1db92e2eebc8e0c075a02bea49a2935bcd2dfcf4
  • Attacker's Address: 0x0fa09c3a328792253f8dee7116848723b72a6d2e
  • Malicious Implementation Contract: 0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516
  • Attack Contract Used in Delegate Call: 0x96221423681A6d52E184D440a8eFCEbB105C7242

This incident underscores the critical importance of securing the entire supply chain in cryptocurrency operations. Even with robust on-chain security measures, vulnerabilities in third-party tools and interfaces can be exploited, leading to significant breaches.

Initial Attack - Draining the funds

The exploit was executed by the following transaction, where 401,346 ETH were drained out of the Bybit cold wallet during regular maintenance operations:

0xb61413c495fdad6114a7aa863a00b2e3c28945979a10885b12b30316ea9f072c

Figure: Etherscan view of the Bybit cold wallet exploit transaction (Source: Etherscan)

This transaction resulted in the theft of approximately $1.5 billion in virtual assets, primarily Ethereum (ETH - $1.1 Billion) and a few other digital assets like stETH, cmETH and mETH (~ $324 Million):

Figure: Transaction hashes of the drained assets, ETH (~$1.1 billion) and stETH, cmETH and mETH (~$324 million) (Source: Amberdata)

Figure: Amberdata API, drained funds in USD for ETH, stETH, cmETH and mETH (Source: Amberdata)

Post Hack - Fund Laundering

Here are a few of the money laundering techniques employed:

  • Initial Transfer: Upon gaining control of Bybit's Ethereum multisignature cold wallet, the attackers swiftly transferred the stolen assets to an unidentified address.
  • Conversion to Other Cryptocurrencies: The hackers began converting portions of the stolen Ethereum into Bitcoin and other virtual currencies. This strategy aimed to obfuscate the origin of the funds and facilitate their movement across different blockchain networks.
  • Utilization of Mixing Services: To further obscure the transaction trail, over 5,000 ETH were routed through the eXch mixer—a service designed to mask wallet addresses. This process complicates the tracking of funds by blending them with other transactions.
  • Cross-Chain Swaps: The laundered funds were then moved to cross-chain bridge protocols, such as ChainFlip, where they were converted into Bitcoin. This cross-chain activity makes it more challenging to trace the assets as they traverse multiple blockchain platforms.
  • Dispersal Across Multiple Addresses: The converted assets were distributed across numerous blockchain addresses, a tactic intended to further complicate tracking efforts and hinder recovery attempts.

This laundering process has been very methodical and most likely executed in an automated fashion:

  • The initial funds were transferred out of the attacker’s original wallet in tranches of exactly 10k Ether
  • In about 1 hour, all the funds had been transferred out through 40 different transactions, leaving the original wallet with just ~1,346 Ether or $3,072,635 at today’s current price

Figure: Transfers out of the attacker's wallet in ETH and value transferred (Source: Amberdata)

Figure: Wallet funds in ETH (Source: Amberdata)

The ramifications of the laundering process are far reaching, and a lot of wallets have been tainted by this attack. As previously mentioned, the attacker’s original wallet was siphoned into 41 different secondary wallets, which in turn have been emptied to different degrees into new wallets, and this process is repeated multiple times.

Extensive graph analysis yields the following results (only the first 7 levels are shown):

Figure: Graph of fund flows from the attacker's wallet, first 7 levels (Source: Amberdata)

Level here means the level of interaction from the attacker’s original wallet:

  • Level 1 refers to the wallets which received funds from the original wallet
  • Level 2 refers to the wallets which received funds from the level 1 wallets
  • And so on for each further level

In just 7 levels, over 150k wallets have been implicated in the dissemination of the funds.
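The uniform-tranche outflow noted earlier and the level definition just given, worked through in an added Python example (not Amberdata's code): a breadth-first walk over a transfer list assigns each wallet the level at which it first received funds, counts wallets per level, sums what still sits in the level-1 wallets, and flags an outflow made of identical tranches. The addresses and amounts are constructed, not the real Bybit flows.

```python
from collections import defaultdict, deque

ORIGIN = "0xorigin_constructed"
# Constructed transfers (sender, receiver, ETH); not the real on-chain data.
TRANSFERS = [
    (ORIGIN, "0xL1a", 10_000), (ORIGIN, "0xL1b", 10_000), (ORIGIN, "0xL1c", 10_000),
    ("0xL1a", "0xL2a", 4_000), ("0xL1a", "0xL2b", 6_000), ("0xL1b", "0xL2c", 2_500),
    ("0xL2a", "0xL3a", 4_000), ("0xL2b", "0xL1a", 100),  # back-flow to a known wallet
]


def assign_levels(transfers, origin, max_level=7):
    """Level n = wallets that first received funds from a level n-1 wallet."""
    out_edges = defaultdict(list)
    for src, dst, _ in transfers:
        out_edges[src].append(dst)
    level, queue = {origin: 0}, deque([origin])
    while queue:
        wallet = queue.popleft()
        if level[wallet] == max_level:
            continue  # do not expand beyond the requested depth
        for nxt in out_edges[wallet]:
            if nxt not in level:  # first contact wins; back-flows keep the old level
                level[nxt] = level[wallet] + 1
                queue.append(nxt)
    return level


def wallets_per_level(level):
    counts = defaultdict(int)
    for lv in level.values():
        counts[lv] += 1
    return dict(counts)


def remaining_at_level(transfers, level, target):
    """Net balance (inflow minus outflow) still parked in wallets at `target`."""
    net = defaultdict(int)
    for src, dst, amt in transfers:
        net[src] -= amt
        net[dst] += amt
    return sum(bal for w, bal in net.items() if level.get(w) == target)


def tranche_pattern(transfers, origin):
    """(number of outflows from origin, True if every outflow is the same amount)."""
    amounts = [amt for src, _, amt in transfers if src == origin]
    return len(amounts), len(set(amounts)) == 1


if __name__ == "__main__":
    lv = assign_levels(TRANSFERS, ORIGIN)
    print(wallets_per_level(lv), remaining_at_level(TRANSFERS, lv, 1), tranche_pattern(TRANSFERS, ORIGIN))
```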

While this attack is one of the biggest in the industry, the attacker has not been able to launder all the funds yet. The wallets and flows of funds are being very carefully monitored and investigated, making it more difficult for them to be laundered, while some entities like Gate.io, Kucoin or Bridgers have stepped up and frozen some of the stolen assets.

Out of the original ~400k Ether, about a third are still sitting in the level 1 wallets.

Figure: Level 1 wallet addresses and value held in ETH (Source: Amberdata)

Figure: Bybit hack value in ETH per level, number of wallets and number of wallets holding more than 1,000 ETH (Source: Amberdata)

In response to the Bybit hack, the exchange has launched a bounty program offering a 10% reward for any successfully frozen or recovered assets. This initiative is designed to engage blockchain investigators and independent analysts, enhancing efforts to track laundering networks. It reflects a growing industry trend where exchanges and security firms use financial incentives to crowdsource investigations and improve real-time tracking of illicit activities.

Conclusion

The Bybit hack highlights the critical need for robust blockchain intelligence to combat cyber threats. Amberdata provides the on-chain visibility, forensic tools, and risk management solutions required to track, analyze, and mitigate the impact of such attacks.

By leveraging real-time blockchain monitoring, historical analytics, and compliance intelligence, Amberdata empowers exchanges, regulators, and security teams to take swift action, recover stolen assets, and enhance future security measures.

For organizations looking to fortify their defenses against crypto exploits, Amberdata’s institutional-grade blockchain data solutions are an essential tool in the fight against digital asset crime.

Interested in learning more about how Amberdata can assist in crypto investigations? Contact us today.


Joanes Espanol

Joanes Espanol is Co-founder and CDO of Amberdata. Prior to founding Amberdata, Joanes architected large-scale data ingestion pipelines and analytics platforms. He has extensive experience building scale-out data infrastructure and highly available systems for digital marketing attribution, analytics, and reporting...
