Hack Track: Uncovering the $1.5B Bybit Hack & Its WazirX Connection

Merkle Science
February 25, 2025

On February 21, 2025, Bybit—a leading centralized cryptocurrency exchange—suffered a critical security breach that resulted in the theft of over $1.5 billion in digital assets. The incident exposed serious vulnerabilities in multi-signature (multi-sig) cold storage solutions and highlighted that human factors remain a significant weak link in otherwise robust systems. 

“Bybit’s breach involved a fraudulent interface that tricked operators into authorizing a malicious transaction. This altered the cold wallet’s smart contract logic, granting attackers control—similar to hot wallet compromises seen in the Horizon Bridge and Lazarus-linked hacks.”
Aaron Ratcliff, Merkle Science Investigation and Attribution Lead

Anatomy of the Bybit Attack: Multi-Sig Exploit & UI Manipulation

During a routine transfer of ETH from Bybit’s multi-sig cold wallet to its hot wallet, attackers exploited a critical flaw. Bybit explained that the transfer was a scheduled move, but the attackers manipulated the underlying smart contract logic and masked the signing interface. In simple terms, the transaction details that operators saw on the Safe wallet interface—Bybit’s trusted tool for verifying transactions—were altered so that they didn't reflect the true, malicious transaction. As a result, when operators approved what they believed was a legitimate transfer, they inadvertently handed control of the cold wallet to attackers.

Key elements of the attack included: 

  • Masked Transactions: Attackers introduced a falsified transaction into the multi-sig process, disguising malicious intent behind what appeared to be a legitimate transfer. Think of this as a disguise: the true details of the transaction were hidden, while a fake, seemingly normal version was shown to the operators.
  • User Interface Manipulation: The Safe wallet interface, designed for accurate transaction verification, was tampered with to hide the true details, leading to unintentional authorization of the attacker’s actions. 

Bybit Hack in Context: How It Connects to Other Exchange Breaches

This method is reminiscent of previous breaches at WazirX and Radiant Capital. In the WazirX hack, attackers exploited weaknesses in multi-signature systems by manipulating transaction data. Similarly, the Radiant Capital breach involved a pre-deployed malicious contract that tricked signature verifiers.

These incidents underscore a troubling trend: attackers are increasingly targeting multi-sig cold storage solutions using sophisticated methods. As Binance CEO, Changpeng Zhao, highlighted, these recurring tactics demonstrate that the risk extends beyond any single provider—it’s a systemic vulnerability in crypto security.

How Bybit Responded to the $1.5B Hack & Security Fixes

Despite the significant scale of the hack, Bybit’s 1:1 reserve guarantee ensured that client assets remained fully intact. Remarkably, the exchange processed over 350,000 withdrawal requests efficiently within 12 hours, restoring confidence across the crypto community and showcasing Bybit’s preparedness in the face of crisis. Additionally, Bybit has successfully frozen $42.89 million in assets through swift and coordinated action with crypto institutions like Tether and FixedFloat, demonstrating the power of collaborative efforts in enhancing security and asset recovery.

In parallel, Safe Wallet swiftly paused its services to conduct a risk assessment and safeguard user assets. Within 24 hours, it implemented enhanced security measures including: 

  • Stricter transaction validation protocols 
  • AI-driven monitoring system for real-time threat detection
  • Additional checks for transaction hashes, data, and signatures

Merkle Science’s On-Chain Investigation and Flow of Funds

Our on-chain investigation into the Bybit hack has provided critical insights into the manipulation techniques used in this breach. Our findings emphasize that despite robust technical safeguards, human factors and interface vulnerabilities remain critical targets for sophisticated attackers. 

According to Merkle Science's research, the stolen funds from the Bybit hack were laundered using a sophisticated multi-step strategy:

  • Conversion to Native Assets: Immediately after the theft, the attackers converted stolen tokens into native blockchain assets like Ether. This was primarily done through decentralized exchanges (DEXs) to avoid potential asset freezing by centralized entities. 
  • Layering Through Extensive Address Networks: To further obscure the trail, the laundered funds were routed through a vast network of addresses. Initial movements saw the distribution of 400,000 ETH to 40 separate addresses, each receiving 10,000 ETH. This pattern has continued, with the operation reportedly involving approximately 1,500 unique addresses to date, creating a convoluted transaction history that challenges investigators.
  • Utilization of Non-KYC Exchanges: A significant portion of the laundered funds was funneled through non-KYC (Know Your Customer) exchanges, notably eXch. These platforms allow users to trade cryptocurrencies anonymously, making them attractive for illicit activities.
  • Usage of Swapping Services and Cross-Chain Bridges: The Lazarus Group utilized swapping services and cross-chain bridges—such as Thorchain, Debridge.Finance, and Chainflip—to convert and transfer the stolen ETH into various cryptocurrencies across multiple blockchains, including BTC and TRX.
  • Connection to WazirX: Further analysis has revealed a crucial link between the Bybit Hack and the WazirX Hack through an overlapping address: 0x7a5ff09e62d953e6f79f19e1e4ecf208cd2a8dbf.
    • Bybit Hack: 0xfce75385e6b80a81f3074afcc21b19447f106503
    • WazirX Hack: 0x9bb7f2bae2e466d72050cc6c92ef197510010218
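The equal-split layering and the shared-address linkage described above, as an added example that is not Merkle Science's Tracker or any code from this post: two fund-flow heuristics run over a constructed transfer ledger. Every address and amount in the ledger is constructed for illustration, not taken from the incident.

```python
# Added example, not Merkle Science's Tracker or any code from the post: two fund-flow
# heuristics over a constructed transfer ledger. fan_out_events() flags the equal-split
# pattern described above (one sender paying many distinct recipients near-identical
# amounts inside a short window); shared_addresses() lists addresses that appear in the
# flows of two separately tagged incidents. Every address and amount here is constructed.
from collections import defaultdict

def fan_out_events(transfers, min_recipients=10, window_s=3600, tolerance=0.01):
    """transfers: iterable of (timestamp, sender, recipient, amount).
    Returns [(sender, distinct_recipients, total_amount)] for each equal-split burst."""
    by_sender = defaultdict(list)
    for ts, src, dst, amt in transfers:
        by_sender[src].append((ts, dst, amt))
    events = []
    for src, outs in by_sender.items():
        outs.sort()
        i = 0
        while i < len(outs):
            t0, _, base = outs[i]
            j = i
            # extend the burst while timing and amount stay within tolerance of the first hop
            while j < len(outs) and outs[j][0] - t0 <= window_s and abs(outs[j][2] - base) <= tolerance * base:
                j += 1
            recipients = {dst for _, dst, _ in outs[i:j]}
            if len(recipients) >= min_recipients:
                events.append((src, len(recipients), sum(amt for _, _, amt in outs[i:j])))
            i = j
    return events

def shared_addresses(flows_a, flows_b):
    """Addresses (as sender or recipient) present in both incidents' transfer sets."""
    def addrs(flows):
        return {a for _, s, r, _ in flows for a in (s, r)}
    return sorted(addrs(flows_a) & addrs(flows_b))

# Constructed ledger: a drainer splitting 400,000 ETH into 40 equal hops of 10,000 ETH
# (mirroring the pattern in the post), plus a benign payroll sender with three payments.
DRAINER, INTERMEDIARY = "0xdrainer_constructed", "0xoverlap_constructed"
INCIDENT_A = [(1000 + k, DRAINER, "0xlayer%02d" % k, 10_000) for k in range(40)]
INCIDENT_A += [(5000, "0xlayer07", INTERMEDIARY, 9_990)]
INCIDENT_A += [(2000 + k, "0xpayroll", "0xemployee%d" % k, 1_500 + 100 * k) for k in range(3)]
INCIDENT_B = [(9000, "0xother_drainer", INTERMEDIARY, 3_000), (9100, INTERMEDIARY, "0xexchange", 3_000)]

if __name__ == "__main__":
    print(fan_out_events(INCIDENT_A))                # [('0xdrainer_constructed', 40, 400000)]
    print(shared_addresses(INCIDENT_A, INCIDENT_B))  # ['0xoverlap_constructed']
```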

Interestingly, our investigation has also uncovered connections between the Bybit Hack and previous hacks on Poloniex, Phemex, and BingX, revealing a complex web of interconnected laundering activities.

Lessons from the Bybit Hack: How to Strengthen Crypto Security

The Bybit hack underscores a need for shifting security paradigms in the crypto industry. To better protect digital assets and enhance resilience to sophisticated attacks, the cryptosphere must integrate multi-layered defenses that encompass technical measures and human factors. We recommend the following actions: 

  • Adopt MPC Wallets: Transition from traditional multi-sig systems to Distributed Multi-Party Computation (MPC) wallets, which split cryptographic keys into multiple parts stored across different secure environments and reduce the risk of a single point of failure. 
  • Enhance Custody Solutions: Utilize off-exchange trading solutions—like Fireblocks’ Off Exchange Settlement and Ledger’s Tradelink—to segregate assets and minimize counterparty risk.
  • Strengthen Employee Risk Monitoring & Training: Implement continuous security awareness training and real-time risk scoring to mitigate vulnerabilities from social engineering and phishing attacks. 
  • Implement Clear Signing Protocols: Deploy clear signing technology that ensures full visibility of transaction details before approval, reducing the risk of blind signing. 
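One way to put the clear-signing recommendation into practice against the interface-masking attack described earlier, as an added example that is not Bybit's, Safe's or Merkle Science's code: decode the raw Safe `execTransaction` calldata independently of the web interface and enforce a signing policy on the fields it reveals. The selector, ABI layout, allowlisted hot wallet and value cap are assumptions made for illustration.

```python
# Added example, not code from the post, Bybit or Safe: an out-of-band "clear signing"
# check that decodes raw Safe execTransaction() calldata and applies a signing policy,
# so approvers need not trust what a possibly tampered web UI displays. Assumed: the
# execTransaction ABI layout (selector 0x6a761202); allowlist and cap are illustrative.
SELECTOR = "6a761202"  # execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)
CALL, DELEGATECALL = 0, 1  # Safe operation codes

def _u256(args: bytes, i: int) -> int:
    return int.from_bytes(args[32 * i:32 * i + 32], "big")

def decode_exec_transaction(calldata_hex: str) -> dict:
    """Decode the four fields an approver must actually see: to, value, data, operation."""
    raw = bytes.fromhex(calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex)
    if raw[:4].hex() != SELECTOR:
        raise ValueError("not an execTransaction call")
    args = raw[4:]
    off = _u256(args, 2)              # dynamic `bytes data`: offset, then length, then bytes
    length = _u256(args[off:], 0)
    return {
        "to": "0x" + args[12:32].hex(),   # address is right-aligned in word 0
        "value": _u256(args, 1),
        "data": args[off + 32:off + 32 + length].hex(),
        "operation": _u256(args, 3),
    }

def check_signing_policy(tx: dict, allowed_to: set, max_value_wei: int) -> list:
    """Return policy violations; an empty list means the transaction may be signed."""
    findings = []
    if tx["operation"] == DELEGATECALL:
        findings.append("DELEGATECALL runs foreign code in the Safe's own context")
    if tx["to"].lower() not in {a.lower() for a in allowed_to}:
        findings.append("destination %s is not an allowlisted hot wallet" % tx["to"])
    if tx["value"] > max_value_wei:
        findings.append("value %d wei exceeds the per-transaction cap" % tx["value"])
    return findings

def encode_exec_transaction(to: str, value: int, data: bytes, operation: int) -> str:
    """Minimal ABI encoder, used only to build constructed sample calldata for the check."""
    padded = data + b"\x00" * (-len(data) % 32)
    head = [int(to, 16), value, 320, operation, 0, 0, 0, 0, 0, 320 + 32 + len(padded)]
    tail = len(data).to_bytes(32, "big") + padded + (0).to_bytes(32, "big")
    return "0x" + SELECTOR + b"".join(w.to_bytes(32, "big") for w in head).hex() + tail.hex()

HOT_WALLET = "0x1111111111111111111111111111111111111111"  # constructed placeholder address
if __name__ == "__main__":
    shown = decode_exec_transaction(encode_exec_transaction(HOT_WALLET, 10**18, b"", CALL))
    print(check_signing_policy(shown, {HOT_WALLET}, 10**21))  # [] -> safe to sign
    hidden = decode_exec_transaction(encode_exec_transaction(
        "0x2222222222222222222222222222222222222222", 0, b"\x01\x02\x03", DELEGATECALL))
    print(check_signing_policy(hidden, {HOT_WALLET}, 10**21))  # two findings -> refuse
```

The check runs on the calldata bytes the signer is actually about to authorize, so a display layer that shows a different destination or operation cannot change its verdict.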

Early Warning with Blockchain Forensics

Given the evolving threat landscape, we urge industry stakeholders to integrate blockchain forensics tools like Merkle Science’s Tracker. With automated cross-chain tracing and advanced fund flow mapping, Tracker helps you stay ahead of evolving crypto crime and fortify your security posture.

The Bybit breach serves as a stark reminder of the persistent and sophisticated threats facing the crypto industry. By adopting advanced security measures, reinforcing operational protocols, and leveraging blockchain forensics tools, the industry can build a more resilient ecosystem and protect valuable digital assets from future attacks.