• Bybit lost over $1.46 billion after hackers tampered with its Safe multisig wallet using forged contracts.
• The attacker dispersed 400,000 ETH across 40 addresses, with some funds swapped for BTC and cross-chained.
• Investigations link the attack to the Lazarus Group, showing similarities with WazirX and Radiant Capital hacks.

An enormous security breach targeting Bybit has resulted in the theft of over $1.46 billion in digital assets. The attack, which occurred on February 21, 2025, involved tampering with the Safe multisig wallet system. Investigations by SlowMist and on-chain analyst ZachXBT reveal coordinated techniques linked to the Lazarus Group.

Timeline And Method Of Attack

The incident began when Bybit noticed significant outflows of assets from its platform. At 23:44 UTC on February 21, Bybit CEO Ben Zhou confirmed the breach through a post on X. SlowMist’s investigation identified that the attacker deployed a malicious contract on February 19.

By February 21, the Safe contract had been replaced with a forged version using signatures from three owner accounts. The attacker used DELEGATECALL to embed malicious logic in the contract’s storage slot. This manipulation allowed unauthorized fund transfers through the sweepETH and sweepERC20 functions.

A total of 401,347 ETH (approximately $1.068 billion) and various staked assets were stolen. Notably, 8,000 mETH and 90,375.5479 stETH were converted into 98,048 ETH through decentralized platforms before being distributed across multiple addresses.

Asset Movement And Recovery Efforts

Initial tracking revealed the attacker dispersed 400,000 ETH into 40 separate addresses. Among these transfers, 205 ETH was swapped for BTC and cross-chained to another wallet. The mETH Protocol responded quickly by halting cmETH withdrawals, recovering 15,000 cmETH from a hacker-controlled address.

Further analysis shows links between the addresses used in this attack and previous incidents involving the BingX and Phemex platforms. Tracing the initial hacker address indicates that the funds originated from Binance. SlowMist’s MistTrack tool continues to monitor the movement of stolen assets, while 1,346 ETH remains in the initial hacker address.

Security Concerns And Investigation Focus

Central to the investigation is how the attacker gained access to Bybit’s internal financial operations. Questions remain about whether the attacker tricked signers through a compromised Safe interface or whether internal systems were breached. Authorities are examining whether the signers viewed correct information while unknowingly approving altered transactions.

Notably, similarities exist between this attack and previous incidents involving WazirX and Radiant Capital. All three exploited Safe multisig wallets through contract manipulation and social engineering tactics. Each case featured tampered front-end interfaces to deceive users into signing fraudulent transactions.
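Because the interface shown to a signer may itself be tampered with, a check on the raw transaction fields is more useful than one on the rendered summary. The sketch below is an added example, not code from Bybit, Safe or SlowMist: it assumes signers can export the EIP-712 `SafeTx` payload their wallet is asked to sign, and the function name, addresses and sample payloads are constructed for illustration.

```python
import json

CALL, DELEGATECALL = 0, 1  # Safe's Enum.Operation encoding

def review_safe_tx(typed_data_json, expected_to, reviewed_delegate_targets=()):
    """Check a SafeTx EIP-712 payload; returns findings (empty list = no rule fired)."""
    msg = json.loads(typed_data_json)["message"]
    to = msg["to"].lower()
    operation = int(str(msg["operation"]), 0)  # wallets may send "1" or 1
    reviewed = {a.lower() for a in reviewed_delegate_targets}
    findings = []
    if to != expected_to.lower():
        findings.append("target is not the address the signer intended")
    if operation == DELEGATECALL:
        # The callee's code runs against the Safe's own storage, so it can
        # overwrite the slot that decides which contract logic the wallet uses.
        if to not in reviewed:
            findings.append("DELEGATECALL to a contract that was never reviewed")
    elif operation != CALL:
        findings.append("unknown operation value %d" % operation)
    return findings

# Constructed sample payloads (placeholder addresses, trimmed to the fields checked).
WARM_WALLET = "0x" + "11" * 20
UNKNOWN_CONTRACT = "0x" + "ee" * 20

def sample(to, operation, data="0x"):
    """Build a constructed SafeTx typed-data payload for the demo."""
    return json.dumps({"primaryType": "SafeTx", "message": {
        "to": to, "value": "0", "data": data,
        "operation": operation, "nonce": "71"}})

ROUTINE = sample(WARM_WALLET, 0)                          # plain transfer
ALTERED = sample(UNKNOWN_CONTRACT, 1, "0x" + "00" * 68)   # operation flipped

if __name__ == "__main__":
    for name, payload in (("routine", ROUTINE), ("altered", ALTERED)):
        print(name, review_safe_tx(payload, expected_to=WARM_WALLET))
```

The check only helps if it runs on a device and code path separate from the signing interface, so that a single compromised front end cannot alter both the displayed summary and the verification.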

Posted by Wesley Munene, crypto journalist