Hacker Techniques and Questions Behind Bybit’s Nearly $1.5 Billion Theft

2025-02-22, Slowmist
https://slowmist.medium.com/slowmist-hacker-techniques-and-questions-behind-bybits-nearly-1-5-billion-theft-09f0b59da2e2
#Bybit #BingX #Phemex

Contents

SlowMist: Hacker Techniques and Questions Behind Bybit’s Nearly $1.5 Billion Theft
Background
On February 21, 2025, on-chain investigator ZachXBT disclosed a large-scale fund outflow from the Bybit platform. This incident resulted in the theft of over $1.46 billion, making it the largest cryptocurrency theft in recent years.
On-Chain Tracking and Analysis
Following the incident, the SlowMist security team promptly issued a security alert and launched an investigation to track the stolen assets.
According to the SlowMist security team’s analysis, the stolen assets primarily include:
- 401,347 ETH (~$1.068 billion)
- 8,000 mETH (~$26 million)
- 90,375.5479 stETH (~$260 million)
- 15,000 cmETH (~$43 million)
We used the on-chain tracking and anti-money laundering tool MistTrack (https://misttrack.io/) to analyze the initial hacker address 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2 and obtained the following information:
The stolen ETH is being dispersed. The initial hacker address distributed 400,000 ETH across 40 addresses, each receiving 10,000 ETH, and the transfers are still ongoing.
Among them, 205 ETH was swapped for BTC via Chainflip …

IoC
