lazarusholic

Bybit Incident Technical Analysis

2025-02-23, CertiK
https://www.certik.com/ko/resources/blog/bybit-incident-technical-analysis
#Bybit

Bybit Incident Technical Analysis
Incident Summary
On Feb-21-2025 at 02:16:11 PM UTC, Bybit’s cold Ethereum wallet (0x1db92e2eebc8e0c075a02bea49a2935bcd2dfcf4) was drained after a Safe{Wallet} developer machine was compromised, which affected an account operated by Bybit.

According to Bybit CEO Ben Zhou, what the signers saw was a masked transaction: a legitimate-looking transaction was displayed in the Safe{Wallet} UI, while the malicious transaction data was what was actually sent to the Ledger hardware wallet for signing. The attacker thereby obtained three valid owner signatures authorizing a transaction that replaced the Safe multi-sig wallet's implementation (masterCopy) contract with a malicious contract, giving the attacker control of the proxy and allowing them to drain the wallet's funds. The exploit resulted in an estimated loss of approximately $1.46 billion, the largest breach in Web3 history.
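The failure described above is that the owners signed raw Safe `execTransaction` calldata they never inspected. The following Python is an added example (not CertiK's code and not from the incident artifacts) that ABI-decodes such calldata and lists the reasons a signer should refuse it: the `operation` field set to DELEGATECALL (which lets the target's code run in the Safe's own storage context and rewrite the implementation pointer in slot 0), a target outside an allow-list, and an ERC-20-looking `transfer(address,uint256)` payload routed through delegatecall. The two selectors are the real ones from the Safe and ERC-20 ABIs; every address and signature in the sample inputs is a constructed placeholder, not a Bybit, Safe or attacker address.

```python
"""Decode Safe execTransaction calldata and surface the fields a signer
must check before approving (added example, not CertiK's code)."""
from __future__ import annotations

# Real selectors: execTransaction(address,uint256,bytes,uint8,uint256,uint256,
# uint256,address,address,bytes) on Safe, and ERC-20 transfer(address,uint256).
EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")
CALL, DELEGATECALL = 0, 1
ZERO_ADDRESS = "0x" + "00" * 20


def _pad32(b: bytes) -> bytes:
    """Right-pad bytes to a multiple of 32 (ABI dynamic tail)."""
    return b + b"\x00" * (-len(b) % 32)


def _uint(n: int) -> bytes:
    return n.to_bytes(32, "big")


def _addr(a: str) -> bytes:
    """20-byte address left-padded to a 32-byte ABI word."""
    return bytes.fromhex(a.removeprefix("0x")).rjust(32, b"\x00")


def encode_exec_transaction(to: str, value: int, data: bytes, operation: int,
                            signatures: bytes) -> bytes:
    """ABI-encode execTransaction with the gas/refund params zeroed.
    The head is 10 words; `data` and `signatures` are dynamic and live in the tail."""
    head_len = 10 * 32
    data_tail = _uint(len(data)) + _pad32(data)
    sig_offset = head_len + len(data_tail)
    head = (_addr(to) + _uint(value) + _uint(head_len) + _uint(operation)
            + _uint(0) + _uint(0) + _uint(0)              # safeTxGas, baseGas, gasPrice
            + _addr(ZERO_ADDRESS) + _addr(ZERO_ADDRESS)   # gasToken, refundReceiver
            + _uint(sig_offset))
    return (EXEC_TRANSACTION_SELECTOR + head + data_tail
            + _uint(len(signatures)) + _pad32(signatures))


def decode_exec_transaction(calldata: bytes) -> dict:
    """Parse the raw bytes the hardware wallet is actually asked to sign over."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not a Safe execTransaction call")
    body = calldata[4:]

    def word(i: int) -> int:
        return int.from_bytes(body[32 * i:32 * i + 32], "big")

    def addr(i: int) -> str:
        return "0x" + body[32 * i + 12:32 * i + 32].hex()

    def dyn(offset: int) -> bytes:
        n = int.from_bytes(body[offset:offset + 32], "big")
        return body[offset + 32:offset + 32 + n]

    return {
        "to": addr(0), "value": word(1), "data": dyn(word(2)), "operation": word(3),
        "safeTxGas": word(4), "baseGas": word(5), "gasPrice": word(6),
        "gasToken": addr(7), "refundReceiver": addr(8), "signatures": dyn(word(9)),
    }


def audit(tx: dict, trusted_targets: set[str]) -> list[str]:
    """Return reasons to refuse signing; an empty list means nothing was flagged."""
    findings = []
    trusted = {t.lower() for t in trusted_targets}
    if tx["operation"] == DELEGATECALL:
        findings.append("operation=1 (DELEGATECALL): the target's code runs against the "
                        "Safe's own storage and can overwrite slot 0, the implementation pointer")
    if tx["to"].lower() not in trusted:
        findings.append(f"target {tx['to']} is not an allow-listed address")
    if tx["operation"] == DELEGATECALL and tx["data"][:4] == TRANSFER_SELECTOR:
        findings.append("payload looks like ERC-20 transfer(address,uint256) but is "
                        "delegatecalled: the 'token' is whatever code sits at `to`")
    if tx["gasToken"] != ZERO_ADDRESS or tx["refundReceiver"] != ZERO_ADDRESS:
        findings.append("non-zero gasToken/refundReceiver: gas refund to an unexpected address")
    return findings


# Constructed sample inputs: placeholder addresses and dummy 65-byte owner signatures,
# NOT the Bybit, Safe or attacker addresses from the incident.
TREASURY = "0x" + "aa" * 20
ATTACKER_CONTRACT = "0x" + "bb" * 20
DUMMY_SIGNATURES = b"\x01" * 65 * 3
TRUSTED_TARGETS = {TREASURY}

# What the signers believed they approved: a plain 1 ETH transfer to a known address.
BENIGN_CALLDATA = encode_exec_transaction(
    to=TREASURY, value=10**18, data=b"", operation=CALL, signatures=DUMMY_SIGNATURES)

# Same shape as a masked implementation swap: a "transfer" routed via DELEGATECALL
# to attacker code, so that code executes with write access to the Safe's storage.
MASKED_CALLDATA = encode_exec_transaction(
    to=ATTACKER_CONTRACT, value=0,
    data=TRANSFER_SELECTOR + _addr("0x" + "cc" * 20) + _uint(0),
    operation=DELEGATECALL, signatures=DUMMY_SIGNATURES)

if __name__ == "__main__":
    for label, calldata in (("benign", BENIGN_CALLDATA), ("masked", MASKED_CALLDATA)):
        tx = decode_exec_transaction(calldata)
        print(label, "operation=", tx["operation"], "to=", tx["to"], "value=", tx["value"])
        for finding in audit(tx, TRUSTED_TARGETS):
            print("  REFUSE:", finding)
```

Running the block decodes both constructed payloads: the benign one produces no findings, the masked one is refused three times over (delegatecall, unknown target, transfer selector under delegatecall). The point of the check is that it runs on the bytes presented to the signing device, not on what a web UI renders; in a compromised-frontend scenario only the former can be trusted.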

Exploit Transactions
Upgrade of the Safe wallet implementation to the malicious contract: https://etherscan.io/tx/0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882

Multiple transactions draining funds from Bybit's cold wallet.

Drained 401,346 ETH: https://etherscan.io/tx/0xb61413c495fdad6114a7aa863a00b2e3c28945979a10885b12b30316ea9f072c
Drained 15,000 cmETH: https://etherscan.io/tx/0x847b8403e8a4816a4de1e63db321705cdb6f998fb01ab58f653b863fda988647
Drained 8,000 mETH: https://etherscan.io/tx/0xbcf316f5835362b7f1586215173cc8b294f5499c60c029a3de6318bf25ca7b20
Drained 90,375 stETH: https://etherscan.io/tx/0xa284a1bc4c7e0379c924c73fcea1067068635507254b03ebbbd3f4e222c1fae0
Drained 90 …