ByBit Heist: Behind the Scenes
The ByBit cryptocurrency exchange experienced a significant security breach on February 21, 2025, resulting in the theft of approximately 401,347 ETH, valued at over $1.4 billion at that time. The hackers exploited vulnerabilities during a routine transfer from ByBit’s cold wallet to its warm wallet, redirecting the funds to unauthorized addresses.
Key Transaction Details
- Transaction Hash: 0xb61413c495fdad6114a7aa863a00b2e3c28945979a10885b12b30316ea9f072c
- Status: Success (confirmed on the blockchain)
- Block Number: 21895251
- Timestamp: February 21, 2025, at 02:16:11 PM UTC
- Sender Address (ByBit Exploiter): 0x0fa09C3A328792253f8dee7116848723b72a6d2e
- Recipient Address (ByBit Cold Wallet 1): 0x1Db92e2EeBC8E0c075a02BeA49a2935BcD2dFCF4
- ETH Transfer Details:
  - Amount Moved: 401,346.768858404671846374 ETH
  - Estimated Value at Transfer: ~$1.4 billion
  - Final Destination: 0x47666Fab8Bd0ac7003bCe3F5c3585383F09486E2 (unknown wallet)
Attack Overview
The breach occurred during a routine transfer from ByBit’s cold wallet to a warm wallet, a common process used by exchanges to manage assets. Attackers exploited vulnerabilities in the transfer process, redirecting funds to unauthorized addresses. The primary recipient wallet, identified as 0x47666Fab8Bd0ac7003bCe3F5c3585383F09486E2, received a total of 401,347 ETH, making it one of the biggest crypto heists.
The attack exploited an execTransaction call on the GnosisSafe multi-signature proxy contract, which delegates execution to a master contract while requiring multiple signatures to authorize each transaction.
The proxy contract shown below follows a delegatecall-based proxy pattern: it forwards every call to a master contract (called masterCopy). The attacker deceived the signers with a fake UI, altering the transaction data before it was signed. The manipulated transaction ran masterCopy's code in the proxy's own context, with the proxy's storage and permissions, enabling unauthorized actions such as fund transfers.
The contract above, deployed at 0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516, enforces an ownership check so that only 0xfa09c3a328792253f8dee7116848723b72a6d2e can execute sensitive actions, suggesting centralized control by the attacker. Its transfer() function modifies stor0 instead of transferring tokens, hinting at manipulation. unknown1163b2b0() drains the contract's balance to an arbitrary address, while unknown582515c7() checks token holdings and executes unauthorized transfers. Together these functions let the attacker steal funds and tokens while retaining exclusive control.
Address | Usage / Purpose | How the Attacker Exploited It
---|---|---
stor0 | Stores the masterCopy address, which determines where the proxy forwards calls. | The attacker changed it to a malicious contract, hijacking all transactions and rerouting funds.
stor2[addr(_owner)] | Maps owner addresses to their permissions in the multisig contract. | The attacker used swapOwner() and removeOwner() to replace legitimate signers, taking full control over approvals.
stor6C9A.field_0 | Stores the fallback handler address, which processes unrecognized function calls. | The attacker modified it to a rogue contract, intercepting transactions and manipulating execution logic.
0xfa09c3a328792253f8dee7116848723b72a6d2e | Hardcoded "owner" address that has exclusive privileges to execute certain functions. | The attacker compromised or controlled this address, gaining unrestricted access to critical contract functions.
0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516 | Address used in a delegatecall execution, potentially the attacker's contract. | The attacker executed malicious code via delegatecall, triggering unauthorized fund transfers.
Flowchart of the Attack Process
- Attackers manipulate the UI (phishing attack) → Signers approve a fake transaction.
- The fake transaction modifies ownership (swapOwner, removeOwner) → Attackers gain control of the Safe.
- Attackers update the masterCopy (changeMasterCopy) → Execution is redirected to a malicious contract.
- Using execTransactionFromModule → Attackers drain funds via delegatecall.
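The defensive counterpart to the flow above is the check a signer (or a transaction-verification step in front of the hardware wallet) should run before signing: decode the execTransaction calldata and refuse anything that is a delegatecall or goes to an unexpected destination, since a delegatecall runs the target's code with the Safe's own storage and can overwrite the masterCopy slot. The following is an added example, not code from Bolster or from the Safe project. It assumes 0x6a761202 is the 4-byte selector of execTransaction and 0xa9059cbb the selector of ERC-20 transfer(address,uint256) (both well-known values), uses the attacker contract address from this write-up, and substitutes a placeholder for the warm wallet.

```python
"""Pre-signing review of a Safe execTransaction call (added example).

Assumptions: 0x6a761202 is the known selector of execTransaction and
0xa9059cbb the known selector of ERC-20 transfer(address,uint256).
The attacker implementation address is taken from the write-up; the
warm wallet address is a placeholder.
"""

EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")
ERC20_TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")
CALL, DELEGATECALL = 0, 1

ATTACKER_IMPLEMENTATION = "0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516"  # from the write-up
WARM_WALLET = "0x" + "00" * 19 + "aa"  # placeholder destination for a routine transfer


def _word(n: int) -> bytes:
    return n.to_bytes(32, "big")


def _address_word(address: str) -> bytes:
    return bytes.fromhex(address[2:]).rjust(32, b"\x00")


def _dynamic_bytes(data: bytes) -> bytes:
    # ABI tail for `bytes`: 32-byte length followed by the data padded to 32 bytes
    return _word(len(data)) + data + b"\x00" * (-len(data) % 32)


def encode_exec_transaction(to: str, value: int, data: bytes, operation: int,
                            signatures: bytes = b"") -> bytes:
    """Minimal ABI encoder for execTransaction's 10 parameters (two are dynamic)."""
    zero_address = "0x" + "00" * 20
    data_tail = _dynamic_bytes(data)
    signatures_tail = _dynamic_bytes(signatures)
    data_offset = 10 * 32                       # tails start right after the 10 head words
    signatures_offset = data_offset + len(data_tail)
    head = (
        _address_word(to) + _word(value) + _word(data_offset) + _word(operation)
        + _word(0) + _word(0) + _word(0)                              # safeTxGas, baseGas, gasPrice
        + _address_word(zero_address) + _address_word(zero_address)   # gasToken, refundReceiver
        + _word(signatures_offset)
    )
    return EXEC_TRANSACTION_SELECTOR + head + data_tail + signatures_tail


def decode_exec_transaction(calldata: bytes) -> dict:
    """Decode the fields a signer must look at: to, value, data, operation."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction call")
    body = calldata[4:]

    def word_at(index: int) -> bytes:
        return body[32 * index:32 * index + 32]

    def dynamic_at(index: int) -> bytes:
        offset = int.from_bytes(word_at(index), "big")
        length = int.from_bytes(body[offset:offset + 32], "big")
        return body[offset + 32:offset + 32 + length]

    return {
        "to": "0x" + word_at(0)[12:].hex(),
        "value": int.from_bytes(word_at(1), "big"),
        "data": dynamic_at(2),
        "operation": int.from_bytes(word_at(3), "big"),
        "signatures": dynamic_at(9),
    }


def review_before_signing(calldata: bytes, allowed_destinations: list[str]) -> list[str]:
    """Return the reasons this transaction must not be signed (empty list = clean)."""
    tx = decode_exec_transaction(calldata)
    allowed = {a.lower() for a in allowed_destinations}
    findings = []
    if tx["operation"] == DELEGATECALL:
        findings.append("operation is DELEGATECALL: the target's code would run with the "
                        "Safe's own storage and could overwrite the masterCopy slot")
    if tx["to"] not in allowed:
        findings.append(f"destination {tx['to']} is not an approved address")
    if tx["data"][:4] == ERC20_TRANSFER_SELECTOR and tx["operation"] == DELEGATECALL:
        findings.append("transfer(address,uint256) sent as a delegatecall: a real token "
                        "transfer is a plain CALL to the token contract")
    return findings


# Constructed samples: the expected cold-to-warm transfer, and a call shaped like
# the one described above (delegatecall into the attacker's contract).
ROUTINE_TRANSFER = encode_exec_transaction(WARM_WALLET, 10 * 10**18, b"", CALL)
DISGUISED_CALL = encode_exec_transaction(
    ATTACKER_IMPLEMENTATION, 0,
    ERC20_TRANSFER_SELECTOR + _address_word(ATTACKER_IMPLEMENTATION) + _word(0),
    DELEGATECALL,
)

if __name__ == "__main__":
    for label, calldata in (("routine", ROUTINE_TRANSFER), ("disguised", DISGUISED_CALL)):
        print(label, review_before_signing(calldata, [WARM_WALLET]) or "no findings")
```

The routine transfer produces no findings; the disguised call is rejected three times over (delegatecall, unapproved destination, and a transfer selector that makes no sense under delegatecall). A fake UI can only succeed if the signer trusts the rendered summary instead of the decoded calldata, which is why the decode step belongs on the signing device.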
Post-Breach Fund Movements:
Following the initial transfer, the stolen funds were rapidly dispersed across numerous blockchain addresses. The attackers converted portions of the stolen ETH into other cryptocurrencies, including Bitcoin, to obfuscate the trail and facilitate laundering.
Key Transfers & Explanations
Researchers at Bolster analyzed the transaction history for the final destination address 0x47666Fab8Bd0ac7003bCe3F5c3585383F09486E2. After the 401,347 ETH heist, multiple major transactions were observed, likely part of a laundering strategy.
- 401,347 ETH → Bybit Cold Wallet
  - From: Exploiter Wallet (0x0fa09C3A328792253f8dee7116848723b72a6d2e)
  - To: Bybit Cold Wallet (0x1Db92e2EeBC8E0c075a02BeA49a2935BcD2dFCF4)
- 47,000 ETH → Wallet 1
  - From: Bybit Cold Wallet (0x1Db92e2EeBC8E0c075a02BeA49a2935BcD2dFCF4)
  - To: Unknown Wallet (0x7bA645D1D0dE42c6C73aFeB8FAF1B51f7fD432A3)
  - Explanation: Large sum moved, possibly an intermediary address for further laundering.
- 3,000,000 Tokens → Wallet 2
  - From: Unknown Wallet (0x7bA645D1D0dE42c6C73aFeB8FAF1B51f7fD432A3)
  - To: Unknown Wallet (0x2F1c87d40C395d3cD5C38c1C4dF01D4a0A6849b8)
  - Explanation: ERC-20 token conversion, possibly to mix assets and break the traceability of ETH.
- 15,231,021 Tokens → Wallet 3
  - From: Unknown Wallet (0x2F1c87d40C395d3cD5C38c1C4dF01D4a0A6849b8)
  - To: Unknown Wallet (0x6D82Bc0fE4a0c6Eb786C75FdAe2a3Cd892B84761)
  - Explanation: Further token movement indicates structured fund dispersion across multiple wallets.
- 2,000,000 Tokens → Wallet 4
  - From: Unknown Wallet (0x6D82Bc0fE4a0c6Eb786C75FdAe2a3Cd892B84761)
  - To: Unknown Wallet (0x8A4f6C00A29D3F9bBF6aBC6dC421EaD9B14e8b50)
  - Explanation: Bulk ERC-20 token transfer, potentially towards a final laundering phase or DEX swap.
- 100,000 ETH → Unknown Wallet
  - From: Unknown Wallet (0x47666Fab8Bd0ac7003bCe3F5c3585383F09486E2)
  - To: Unknown Wallet (0x9F42eDd6A3c5ABf45fA648dD5c28b6B5D6896351)
  - Explanation: A potential exit point for laundering, possibly a mixer, exchange, or OTC off-ramp.
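The hop-by-hop list above is the kind of data an analyst feeds into a transfer graph to see how far funds have travelled from the origin and where the observed links stop. The following is an added example, not Bolster's tooling; its transfer list is constructed from the addresses and amounts stated in the Key Transfers section (token amounts are kept as unnamed units, as the write-up gives them), and the 10,000 ETH threshold is the figure the timeline below uses for "large transfers".

```python
"""Hop-depth tracing over a list of observed transfers (added example).

The transfer list is constructed from the write-up's Key Transfers section.
"""
from collections import deque

EXPLOITER = "0x0fa09C3A328792253f8dee7116848723b72a6d2e"
COLD_WALLET = "0x1Db92e2EeBC8E0c075a02BeA49a2935BcD2dFCF4"
HUB = "0x47666Fab8Bd0ac7003bCe3F5c3585383F09486E2"

# (from, to, amount, asset) exactly as listed above; "TOKEN" = unnamed ERC-20 units
OBSERVED_TRANSFERS = [
    (EXPLOITER, COLD_WALLET, 401_347, "ETH"),
    (COLD_WALLET, "0x7bA645D1D0dE42c6C73aFeB8FAF1B51f7fD432A3", 47_000, "ETH"),
    ("0x7bA645D1D0dE42c6C73aFeB8FAF1B51f7fD432A3",
     "0x2F1c87d40C395d3cD5C38c1C4dF01D4a0A6849b8", 3_000_000, "TOKEN"),
    ("0x2F1c87d40C395d3cD5C38c1C4dF01D4a0A6849b8",
     "0x6D82Bc0fE4a0c6Eb786C75FdAe2a3Cd892B84761", 15_231_021, "TOKEN"),
    ("0x6D82Bc0fE4a0c6Eb786C75FdAe2a3Cd892B84761",
     "0x8A4f6C00A29D3F9bBF6aBC6dC421EaD9B14e8b50", 2_000_000, "TOKEN"),
    (HUB, "0x9F42eDd6A3c5ABf45fA648dD5c28b6B5D6896351", 100_000, "ETH"),
]


def build_graph(transfers):
    """Adjacency list keyed by lower-cased sender address."""
    graph = {}
    for src, dst, amount, asset in transfers:
        graph.setdefault(src.lower(), []).append((dst.lower(), amount, asset))
    return graph


def trace(transfers, seed, max_hops=10):
    """Breadth-first walk from seed.

    Returns ({address: hops from seed}, [(from, to, amount, asset, hop)]).
    """
    graph = build_graph(transfers)
    hops = {seed.lower(): 0}
    edges = []
    queue = deque([seed.lower()])
    while queue:
        current = queue.popleft()
        if hops[current] >= max_hops:
            continue
        for dst, amount, asset in graph.get(current, []):
            edges.append((current, dst, amount, asset, hops[current] + 1))
            if dst not in hops:            # first time we reach this wallet
                hops[dst] = hops[current] + 1
                queue.append(dst)
    return hops, edges


def unreachable_senders(transfers, seed):
    """Senders the walk never reaches: links the data set does not contain."""
    hops, _ = trace(transfers, seed)
    return sorted({src.lower() for src, *_ in transfers} - set(hops))


def large_eth_transfers(edges, threshold=10_000):
    return [e for e in edges if e[3] == "ETH" and e[2] >= threshold]


if __name__ == "__main__":
    hops, edges = trace(OBSERVED_TRANSFERS, EXPLOITER)
    for address, depth in sorted(hops.items(), key=lambda kv: kv[1]):
        print(f"hop {depth}: {address}")
    print("large ETH moves:", large_eth_transfers(edges))
    print("not linked to the origin in this data set:", unreachable_senders(OBSERVED_TRANSFERS, EXPLOITER))
```

Run against the listed transfers, the walk reaches Wallet 4 at five hops, and the hub address 0x47666F… shows up as a sender that is not connected to the origin, because the list above records the 100,000 ETH outflow from it but not the inflow into it. A tracer should report such breaks rather than assume a link.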
Timeline of Key Events
Event | Timestamp (UTC) | Details
---|---|---
Initial Attack | Feb 21, 2025, 14:16 | 401,347 ETH stolen from Bybit cold wallet
Primary Transfer | Feb 21, 2025 | Funds moved to 0x47666Fab8Bd0ac7003bCe3F5c3585383F09486E2
First Dispersals | Feb 22-23, 2025 | Microtransactions (~$0.27, $2.75, etc.) start
High-Volume Transfers | Feb 23-24, 2025 | Large transfers (10,000 ETH each) observed
Token Swaps Detected | Feb 24-26, 2025 | ETH swapped for obscure tokens (18.64B units, $210)
Possible Mixing Activity | Feb 25-27, 2025 | Structured transactions suggest Tornado Cash

Wallet Address | ETH Received | Possible Role
---|---|---
0x47666Fab8Bd0ac7003bCe3F5c3585383F09486E2 | 401,347 ETH | Primary laundering hub
0x1Db92e2EeBC8E0c075a02BeA49a2935BcD2dFCF4 | ~47,000,000 tokens | Exchange or secondary launderer
0x0fa09C3A328792253f8dee7116848723b72a6d2e | ~18.64B tokens ($210) | Potential bridge or mixer
Unknown Wallets (Multiple Small ETH Deposits) | Varying amounts | Likely used for obfuscation
As of March 3, 2025, approximately 23% of the 401,347 ETH stolen during the Bybit hack has been laundered, leaving around 309,037 ETH (approximately $1.16 billion) unlaundered.
Phishing Threat Observed
While researching the ByBit Heist, the researchers at Bolster also found live and active phishing links targeting ByBit. Cybercriminals have been using fake login pages to steal credentials and hijack accounts.
Observed Phishing Tactics:
Enticing offers, such as “Trade & Redeem Up to $50,000 in BTC” and “Sign up to get $5,020 in Bonuses,” are serving as bait to lure unsuspecting users into entering their login details or linking their accounts. Additionally, the inclusion of Google and Apple sign-in buttons could indicate an attempt to hijack OAuth tokens, allowing attackers to gain access to users’ Bybit accounts without requiring their passwords. Multiple fraudulent ByBit phishing domains were hosted on Webflow.io and Gitbook.io, exploiting free subdomains to appear legitimate.
Multiple ByBit phishing URLs were observed and are listed below:
DOMAINS |
---|
aauth--lern--b-sso-bybit.webflow.io/ |
authe-bybbiet--help.gitbook.io/us |
aauth-b--sso--bybbite.webflow.io |
autho--b--sso---bybite.webflow.io/ |
aauth-b--sso--bybbitte.webflow.io/ |
login--us-bybiits.gitbook.io/us |
aauth-sso-s-bybbit.gitbook.io/us |
my-app--bybit-auth.webflow.io/ |
app--en--bybiit--auth.webflow.io/ |
official-bybitlogin-acc.webflow.io/ |
auth---service--bybeit.gitbook.io/us |
service--bybit--aauth.webflow.io/ |
auth--service-ss-bybit--s.gitbook.io/us |
sso--bybbit--s-auth.gitbook.io/us |
auth-sso-bybit-m-login.webflow.io |
sso--bybitogin--by.gitbook.io/us |
auth-sso-bybitlogin.webflow.io/ |
sso-by-bybit-auth.webflow.io/ |

Associated IPs |
---|
172.64.151.8 |
104.18.36.248 |
Upon further investigation, more similar URLs were found. These domains attempt to impersonate well-known platforms like Bybit, Coinbase, BlockFi, Gemini, Ledger, Robinhood, MetaMask, and many more crypto brands.
Key Observations:
- Slight misspellings like coinsbase (instead of Coinbase), ledggro (instead of Ledger), and metamosk (instead of MetaMask).
- Use of secure, auth, sso, cdn, etc., to appear legitimate (secure-ndax-cdn-auth.webflow.io, login-gemini-homepage--sso.webflow.io).
- All domains are hosted on Webflow (*.webflow.io). Possible abuse of Webflow's free subdomain service for phishing. Attackers use it to host fake login pages and steal credentials.
Domain | Brand | Suspicious Elements
---|---|---
apps--secure--blockfi-n-cdn.webflow.io | BlockFi | Uses secure, cdn to appear trustworthy
secure--blockfi--sso--cdn---bni.webflow.io | BlockFi | Fake SSO authentication page
auth-sso-bybit-m-login.webflow.io | Bybit | Mimics an SSO login page
coinsbase-exste.webflow.io/ | Coinbase | Misspelling of Coinbase
en--app--coinbasepro---cdn-x--auth.webflow.io | Coinbase Pro | Uses cdn, auth to appear legit
secure-coinbasepro--cdn-s-cdn.webflow.io/ | Coinbase Pro | Uses secure, cdn for legitimacy
login-gemini-homepage--sso.webflow.io | Gemini | Mimics official login
ledggro-live--logn.webflow.io/ | Ledger | Typosquatting (ledggro instead of Ledger)
metamosk--chrom.webflow.io/ | MetaMask | Fake MetaMask site
metamsk-mozilla----org.webflow.io | MetaMask | Typosquatting and fake Mozilla reference
portal-cdn-ndaxio-app-auth-en.webflow.io | NDAX | Mimics a secure portal
secure-ndax-cdn-auth.webflow.io | NDAX | Uses secure and cdn to gain trust
sso--robinhood-com--cdn-h--autths.webflow.io/ | Robinhood | Fake SSO page for credential theft
suiwalet.webflow.io/ | Sui Wallet | Fake Sui Wallet phishing
web--terzer--suites-f9d094.webflow.io | Trezor | Likely targeting a financial service
docs-treezr-cdn.webflow.io | Trezor | Possible document-related phishing
Stealer Logs Found on Russian Market
Researchers also discovered ByBit.com Lumma Stealer logs being sold on Russianmarket, a popular stealer log market. These logs contained compromised credentials, session tokens, and API keys from ByBit users, potentially giving attackers direct access to high-value accounts. The presence of these logs raises the possibility that stolen credentials were used to gain unauthorized access, facilitating fund withdrawals or internal exploitation.
Lumma Stealer
Lumma is an info-stealer that targets browser credentials, cookies, FTP clients, cryptocurrency wallets, and messaging apps. Frequently updated to bypass detection, it exfiltrates stolen data via Telegram or cloud storage.
Endpoint | Info | Date
---|---|---
bybit.com [https://www.bybit.com:443/] | Login, Password, Cookies | 02/02/2025
app.bybit.com | Login, Password, Cookies | 02/12/2025
affiliates.bybit.com | Login, Password, Cookies | 02/19/2025
m.bybit.com | Login, Password | 02/19/2025
Conclusion
The ByBit Heist of February 2025 highlights the vulnerabilities in cryptocurrency exchanges, particularly during routine wallet transfers. The swift and complex laundering tactics employed by the attackers make it difficult to trace the stolen funds. In addition, the rise of phishing attacks targeting ByBit and other crypto platforms further compounds the risks for users.
As the cryptocurrency space continues to grow, both exchanges and users must remain vigilant. Exchange platforms need to enhance their security protocols, while users must be cautious of phishing schemes and fraudulent sites attempting to steal personal and financial information.