Bybit Incident In-Depth Investigation Report: A Full Process Analysis of the $1.5 Billion Theft

I. Core Event Data Overview

  • Timeline:
    From February 19 to 23, 2025, hackers successfully completed the entire attack process from infiltration to fund transfer.
  • Attack Scale:
    • Total ETH stolen: 401,000 ETH (approximately $1.5 billion)
    • This attack surpassed the 2022 Mt. Gox theft of $450 million, making it one of the largest cryptocurrency thefts in history.
  • Market Impact:
    • BTC dropped over 4,500 points in one day, and ETH price plummeted by 6.7%.
    • USDe stablecoin briefly lost its peg.
  • Perpetrators:
    The North Korean hacking group Lazarus Group has been confirmed as the mastermind behind the attack. They have been involved in several high-profile cryptocurrency thefts, including those targeting KuCoin and Ronin.

II. Three-Stage Attack Breakdown

Stage 1: Infiltration and Penetration (February 19-21)

  1. Malicious Contract Deployment
    • Deployment address: 0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516
    • Malicious functions: Contained sweepETH and sweepERC20 backdoor functions that could directly empty target accounts.
  2. Spear Phishing Attack
    • Attack method: The hackers disguised themselves as trusted entities (e.g., colleagues or partners) and sent documents or links containing malware to Bybit employees.
    • Technical breakthrough: They used a forged financial analysis tool (e.g., StockInvestSimulator) to trick targets into executing malicious code.

Stage 2: System Breach (February 21, 14:16 UTC)

  1. Interface Deception and Privilege Escalation
    • Attack methods:
      • Altered the Safe multi-signature wallet frontend to display a fake transfer interface.
      • Exploited a DELEGATECALL vulnerability to modify contract storage slots, bypassing the transaction validation mechanism.
      • Tricked hardware wallet users into blindly signing complex transactions.
  2. Lateral Penetration
    • The attackers used compromised devices to scan the internal network, stole SSH keys, and exploited server trust relationships, eventually taking control of the wallet server.

Stage 3: Asset Transfer and Market Manipulation

  1. Fund Splitting and Laundering
    • Splitting strategy: The 401,000 ETH was divided into over 40 addresses, with each address holding about 10,000 ETH, making tracking more difficult.
    • Cross-chain operations: 40,000 ETH was converted into BTC via Thorchain, and mixed anonymously across chains using LiFi.
  2. Market Impact
    • The large-scale sell-off pushed ETH down by 6.7%, and the USDe stablecoin briefly lost its peg because of a liquidity shortage.

III. Attacker Profile and Attribution

Lazarus Group’s Core Attack Tactics

Based on open intelligence and historical cases, Lazarus Group’s attack strategies show the following characteristics:

  1. Social Engineering Infiltration
    • Job infiltration: Members of the group fabricate backgrounds and qualifications to infiltrate target companies and steal sensitive information.
    • Phishing attacks: Hackers disguise themselves as trusted entities (e.g., colleagues, partners) to induce targets to download malware.
  2. Supply Chain Attacks
    • They infiltrate third-party service providers to launch attacks on target companies, such as implanting backdoors by modifying open-source project dependencies.
  3. Zero-Day Exploits
    • Chrome zero-day attack: Lazarus Group has strong vulnerability exploitation capabilities, using undisclosed Chrome browser vulnerabilities to remotely control user devices.

Key Infrastructure Exposed in the Attack

  1. Remote Code Execution (RCE)
    • The attackers used a pyyaml vulnerability in Python project files to bypass antivirus software and silently implant control programs.
  2. Privilege Escalation Strategy
    • The attackers tricked employees into enabling Docker containers in privileged mode, granting root access to servers.
  3. Evidence Erasure
    • The attackers used internal tools to clean logs and fabricate legitimate business processes to obscure the attack path.

Key Technical Analysis Reference:
https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecationhow-to-disable-the-warning
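The RCE item above and the PyYAML reference both come down to one defect class: loading untrusted YAML with a loader that honours `!!python/...` tags, which lets a crafted document instantiate arbitrary Python objects. The following is an added example (not Bybit's, JuCoin's or PyYAML's code) of how a defender would hunt for that pattern in a code base before an attacker does: a stdlib-only static check that flags `yaml.load` calls without a safe loader, plus a scanner for the dangerous tags inside YAML files themselves. The sample source and YAML document are constructed for illustration; it needs no PyYAML install to run.

```python
"""Static checks for unsafe PyYAML usage (added example; stdlib only)."""
import ast
import re

# Loaders that refuse !!python/ tags. FullLoader is deliberately excluded:
# it has had its own code-execution bypasses, so only these pass review.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}
ALWAYS_UNSAFE = {"unsafe_load", "unsafe_load_all", "full_load", "full_load_all"}
DANGEROUS_TAG = re.compile(r"!!python/(?:object|name|module)\b")


def _loader_name(node):
    """yaml.SafeLoader -> 'SafeLoader'; SafeLoader -> 'SafeLoader'; None -> None."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


def find_unsafe_yaml_loads(source: str, filename: str = "<string>"):
    """Return sorted (line, description) pairs for every risky yaml.* call in `source`."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Only look at attribute calls on a name called `yaml` (import yaml; yaml.load(...)).
        if not (isinstance(func, ast.Attribute)
                and isinstance(func.value, ast.Name) and func.value.id == "yaml"):
            continue
        if func.attr in ("load", "load_all"):
            loader = next((kw.value for kw in node.keywords if kw.arg == "Loader"), None)
            if loader is None and len(node.args) >= 2:      # positional Loader argument
                loader = node.args[1]
            name = _loader_name(loader)
            if name not in SAFE_LOADERS:
                findings.append((node.lineno, f"yaml.{func.attr} with Loader={name or 'default'}"))
        elif func.attr in ALWAYS_UNSAFE:
            findings.append((node.lineno, f"yaml.{func.attr}"))
    return sorted(findings)


def find_python_tags(yaml_text: str):
    """Return (line, tag) pairs for YAML tags that only matter under an unsafe loader."""
    return [(i + 1, m.group(0))
            for i, line in enumerate(yaml_text.splitlines())
            for m in DANGEROUS_TAG.finditer(line)]


# Constructed sample inputs, not taken from any real project.
SAMPLE_SOURCE = """\
import yaml
cfg = yaml.load(open("app.yml"))
safe = yaml.safe_load(open("app.yml"))
also_safe = yaml.load(raw, Loader=yaml.SafeLoader)
bad = yaml.load(raw, yaml.Loader)
worse = yaml.unsafe_load(raw)
"""
SAMPLE_YAML = "name: app\nrun: !!python/object/apply:os.getcwd []\n"

if __name__ == "__main__":
    for line, what in find_unsafe_yaml_loads(SAMPLE_SOURCE, "sample.py"):
        print(f"sample.py:{line}: {what}")
    for line, tag in find_python_tags(SAMPLE_YAML):
        print(f"sample.yml:{line}: dangerous tag {tag}")
```

Run this over a repository's `.py` and `.yml` files as a CI step; the fix for every hit is `yaml.safe_load`, and a YAML file that carries `!!python/` tags should not be in a repository at all unless it is a test fixture.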

IV. Lazarus Group: North Korea’s Elite Cyber Warfare Unit

Organization Structure and Capabilities

  • Talent Training System:
    • Core base: The North Korean Automation University (formerly Mirim University), which admits only 100 top students per year.
    • Training intensity: A 9-year high-intensity curriculum focusing on reverse engineering, virus development, and breaching enemy systems.
  • Operational Mode:
    • National grouping: The group trains hackers with specific language skills to infiltrate targeted countries (e.g., the United States, Japan).
    • Incentives: Top hackers are paid over $2,000 a month and enjoy special privileges.

Attack Motivation and Economic Logic

  • Strategic Alternative: Due to international sanctions, cyberattacks have become an important way for North Korea to acquire foreign currency.
  • Cost Advantage: The cost of training hackers is much lower than that of traditional military operations.

V. Industry Security Ecosystem Restructuring Suggestions

Exchange Defense System Construction

  1. Supply Chain Security
    • Establish third-party smart contract auditing mechanisms to ensure code safety.
    • Implement multi-signature wallet whitelist management, prohibiting unconventional transaction types.
  2. Technical Defense Upgrades
    • Deploy zero-trust architecture to ensure fine-grained access control at the network layer.
    • Introduce redundant hardware wallet signature verification mechanisms, such as two-factor authentication.
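The Stage 2 breakdown above (a forged Safe frontend, a DELEGATECALL that rewrites the wallet's storage, hardware-wallet holders signing blind) and the whitelist recommendation here point at the same control: decode what the device is actually being asked to sign and reject anything off-policy, regardless of what the UI shows. Below is an added example of such a pre-signing policy check in Python; it is not code from Bybit, Safe or JuCoin. It assumes the standard Safe `execTransaction` selector `0x6a761202` (true for Safe 1.x) and includes its own minimal ABI encoder so the check can be exercised offline; the whitelist and the request bytes are constructed, with the page's malicious contract address used as the constructed target.

```python
"""Pre-signing policy check for a Safe execTransaction request (added example)."""
from dataclasses import dataclass

EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")   # execTransaction(address,uint256,bytes,uint8,...)
OP_CALL, OP_DELEGATECALL = 0, 1
ZERO_ADDRESS = "0x" + "00" * 20


@dataclass
class SafeTx:
    to: str          # target contract, 0x-prefixed hex
    value: int       # wei sent with the call
    data: bytes      # calldata forwarded to `to`
    operation: int   # 0 = CALL, 1 = DELEGATECALL


def _word(n: int) -> bytes:
    return n.to_bytes(32, "big")


def _addr_word(addr: str) -> bytes:
    return bytes.fromhex(addr[2:]).rjust(32, b"\0")


def encode_exec_transaction(tx: SafeTx) -> bytes:
    """Minimal ABI encoder for execTransaction; gas fields are zero and signatures empty."""
    head_size = 10 * 32                                  # ten head words, two of them offsets
    data_padded = tx.data + b"\0" * (-len(tx.data) % 32)
    data_offset = head_size                              # `data` tail starts right after the head
    sig_offset = head_size + 32 + len(data_padded)
    head = (
        _addr_word(tx.to) + _word(tx.value) + _word(data_offset) + _word(tx.operation)
        + _word(0) * 3                                   # safeTxGas, baseGas, gasPrice
        + _addr_word(ZERO_ADDRESS) * 2                   # gasToken, refundReceiver
        + _word(sig_offset)
    )
    tail = _word(len(tx.data)) + data_padded + _word(0)  # data, then empty signatures
    return EXEC_TRANSACTION_SELECTOR + head + tail


def decode_exec_transaction(calldata: bytes) -> SafeTx:
    """Recover the fields a signer must see, read from the bytes to be signed, not from a UI."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction call")
    body = calldata[4:]
    word = lambda i: body[32 * i: 32 * (i + 1)]
    to = "0x" + word(0)[12:].hex()
    value = int.from_bytes(word(1), "big")
    data_offset = int.from_bytes(word(2), "big")
    operation = int.from_bytes(word(3), "big")
    data_len = int.from_bytes(body[data_offset: data_offset + 32], "big")
    data = body[data_offset + 32: data_offset + 32 + data_len]
    return SafeTx(to, value, data, operation)


def check_policy(calldata: bytes, allowed_targets, max_value_wei: int):
    """Return the list of policy violations; an empty list means the request may be signed."""
    tx = decode_exec_transaction(calldata)
    allowed = {a.lower() for a in allowed_targets}
    findings = []
    if tx.operation == OP_DELEGATECALL:
        # A delegatecall runs the target's code inside the Safe's own storage context,
        # so it can rewrite the wallet's implementation slot; an operator wallet never needs it.
        findings.append("DELEGATECALL: target code would execute in the Safe's storage context")
    if tx.to.lower() not in allowed:
        findings.append(f"target {tx.to} is not on the whitelist")
    if tx.value > max_value_wei:
        findings.append(f"value {tx.value} wei exceeds the per-transaction limit")
    return findings


if __name__ == "__main__":
    # Constructed request: a delegatecall to the contract address named in the report.
    request = encode_exec_transaction(SafeTx(
        "0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516", 0, b"\xde\xad\xbe\xef", OP_DELEGATECALL))
    for finding in check_policy(request, ["0x" + "11" * 20], 10**20):
        print("REFUSE:", finding)
```

The check belongs on an independent machine in the signing path (or in the signer's own verification step), fed the raw calldata rather than anything rendered by the wallet frontend; a compromised frontend can forge what it displays, but it cannot change what the hardware device is asked to sign without the check seeing it.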

Regulation and Industry Collaboration

  1. Cross-Chain Monitoring
    • Deploy transaction interception systems at mainstream bridge protocols like Thorchain to narrow the pathways available for moving stolen funds.
  2. Global Collaborative Defense
    • Build a global cryptocurrency crime information-sharing platform to track the flow of stolen assets.
  3. Employee Security Training
    • Regularly conduct phishing email simulation drills and establish immediate reporting mechanisms for abnormal behavior.
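The Stage 3 breakdown above describes the laundering pattern (one origin fanning out into dozens of near-equal slices, then bridging) and the collaboration point here asks for a platform that tracks the flow of stolen assets. Below is an added example, not code from Bybit, JuCoin or any analytics vendor, of the core of such tracking on a constructed transfer ledger: a forward taint trace from the compromised wallet, a detector for the fan-out split pattern, and a per-address tainted-inflow tally that a bridge or exchange could match against its deposit addresses. The ledger, address labels and amounts are all constructed; on a real chain the transfers would come from an indexer.

```python
"""Forward taint tracing and fan-out detection over a transfer ledger (added example)."""
from collections import defaultdict, deque

# Constructed ledger: (sender, receiver, amount in ETH). Labels, not real addresses.
TRANSFERS = [
    ("victim_hot_wallet", "split_a", 10_000),
    ("victim_hot_wallet", "split_b", 10_000),
    ("victim_hot_wallet", "split_c", 10_000),
    ("victim_hot_wallet", "split_d", 10_100),
    ("split_a", "bridge_deposit", 9_900),
    ("split_a", "bridge_deposit", 100),
    ("unrelated_user", "split_b", 5),        # clean inflow into a tainted address
    ("unrelated_user", "merchant", 42),      # clean activity, never reached by the trace
    ("bridge_deposit", "far_hop", 9_000),
]


def trace_taint(transfers, origin, max_hops=3):
    """Breadth-first forward trace from `origin`; returns {address: hops} for reached addresses."""
    out = defaultdict(list)
    for src, dst, _amt in transfers:
        out[src].append(dst)
    hops = {origin: 0}
    queue = deque([origin])
    while queue:
        cur = queue.popleft()
        if hops[cur] >= max_hops:              # stop expanding beyond the hop budget
            continue
        for nxt in out[cur]:
            if nxt not in hops:                # first arrival fixes the shortest hop count
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    return hops


def find_fan_outs(transfers, tainted, min_outputs=4, spread=0.1):
    """Tainted senders that split funds into >= min_outputs transfers of near-equal size.

    Returns (sender, output_count, total) tuples; `spread` is the tolerated relative
    difference between the smallest and largest slice (0.1 = 10%).
    """
    outs = defaultdict(list)
    for src, _dst, amt in transfers:
        if src in tainted:
            outs[src].append(amt)
    result = []
    for src, amts in outs.items():
        if len(amts) >= min_outputs and max(amts) - min(amts) <= spread * max(amts):
            result.append((src, len(amts), sum(amts)))
    return result


def tainted_inflow(transfers, tainted):
    """Total received by each address from tainted senders; a watchlist for bridges and exchanges."""
    inflow = defaultdict(int)
    for src, dst, amt in transfers:
        if src in tainted:
            inflow[dst] += amt
    return dict(inflow)


if __name__ == "__main__":
    reached = trace_taint(TRANSFERS, "victim_hot_wallet", max_hops=2)
    print("tainted addresses by hop:", reached)
    print("fan-out splits:", find_fan_outs(TRANSFERS, set(reached)))
    print("tainted inflow per address:", tainted_inflow(TRANSFERS, set(reached)))
```

The hop budget matters in practice: without it a forward trace from a busy origin eventually touches most of the chain, so real systems combine a small hop limit with amount-based taint rules (for example, only following outputs that carry a meaningful share of the tainted balance) rather than the pure reachability shown here.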

VI. Long-Term Impact Predictions of the Incident

  1. Geopolitical Escalation
    North Korea’s cyber warfare capabilities may inspire other nations to follow suit, intensifying global cybersecurity concerns.
  2. Cold Wallet Security Challenges
    Institutions will be forced to adopt distributed multi-signature or quantum encryption technologies to counter increasing security threats.
  3. Compliance Costs Surge
    Exchanges will need to invest more resources to meet KYC/AML and cybersecurity audit requirements, raising the cost of compliance.

VII. JuCoin Exchange’s Security System Construction

Core Security Principles:

  1. Defense in Depth: Multi-layered security barriers ensure that even if one layer is breached, the remaining layers still block the attack.
  2. Least Privilege Principle: Strictly control user and process permissions, granting only the minimum required privileges to reduce risks.
  3. Continuous Monitoring and Rapid Response: 24/7 monitoring for abnormal behavior and a rapid response mechanism to minimize losses.
  4. Security Audits and Penetration Testing: Regular internal and external security audits to proactively discover and fix vulnerabilities.

Multi-Dimensional Security Measures:

  1. Advanced Threat Detection Systems
    • Use AI-driven systems for real-time monitoring, behavioral analysis, and threat intelligence integration to improve response capabilities.
  2. Smart Contract Security Audits
    • Rigorously audit all smart contracts, using automated vulnerability scanning tools and implementing formal verification techniques to ensure code safety.
  3. Multi-Signature Wallet Operations and Management
    • Use multi-signature wallets, decentralize private key storage, and combine strict key management and operation procedures to ensure asset security.

Ongoing Security System Enhancements:

  1. Deeply integrate AI and machine learning to enhance threat detection capabilities.
  2. Strengthen smart contract audit standards, introduce a “multi-party audit + cross-audit” mechanism, and establish a bug bounty program.
  3. Establish a “smart contract security vulnerability rapid response and hot-fix” mechanism.

Conclusion

The Bybit incident highlights the systemic vulnerabilities in the cryptocurrency industry’s security defenses. Through carefully designed supply chain attacks, social engineering, and zero-day exploits, hackers have precisely targeted top exchanges. Moving forward, the industry needs to build a composite defense system by advancing its technology (e.g., formal contract verification), improving regulation (e.g., mandatory security audits), and raising personnel awareness (e.g., phishing simulation training). Only by doing so can the industry safeguard assets in this ever-escalating “digital war.” JuCoin, through its enhanced penetration testing and security protection mechanisms, has achieved a 13-year record of no major incidents in exchange operations.


Ray Red