Bitrace: Bybit Hack of $1.5 Billion, OTC Groups Face an Upcoming Freeze Wave

On February 21, 2025, the cryptocurrency exchange Bybit suffered a large-scale security breach in which approximately $1.5 billion in assets was stolen from its Ethereum cold wallet. It is the largest single theft in cryptocurrency history, surpassing the Poly Network hack ($611 million, 2021) and the Ronin Network hack ($620 million, 2022), and its impact on the industry has been significant.

This article outlines the incident and the laundering methods used, and warns of an impending wave of freezes that will hit OTC groups and crypto payment companies in the coming months.

The Theft Process

According to Bybit CEO Ben Zhou and Bitrace's preliminary investigation, the theft unfolded as follows:

  1. Attack Preparation: The attackers deployed a malicious smart contract (address: 0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516) on February 19, two days before the theft, laying the groundwork for the attack.
  2. Compromising the Multi-Signature Setup: Bybit’s Ethereum cold wallet is a multi-signature wallet, so a transaction executes only after several authorized signers approve it. The attackers compromised the environment the signers used to review and approve transactions, most likely through a tampered signing interface or malware, so that what the signers saw no longer matched what they were signing.
  3. Fake Transaction: On February 21, Bybit planned a routine transfer of ETH from the cold wallet to a hot wallet to cover daily trading needs. The attackers used this opportunity: the signing interface displayed what looked like that normal transfer, and the signers approved it. The payload they actually signed, however, was an instruction that changed the cold wallet contract’s logic, handing control of the wallet to the attackers.
  4. Fund Transfer: Once the instruction executed, the attackers took control of the cold wallet and moved ETH and liquid staking tokens (ETH staking certificates) worth approximately $1.5 billion to an address under their control (initial tracking address: 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2). The funds were then spread across multiple wallets and the laundering process began.
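The failure in steps 2 and 3 is that the signers trusted what a compromised interface displayed instead of what the raw transaction said. Below is an added example, not code from Bitrace or Bybit, of the check an independent signing device can run over the raw calldata before anyone signs: it decodes a Safe-style `execTransaction` call (the article does not name the wallet implementation, so the Safe ABI is an assumption here) and flags a delegatecall, a target outside the treasury allow-list, attached calldata, or an oversized value. The hot-wallet address and the 4-byte `deadbeef` payload in the sample are placeholders; the malicious contract address is the one named above.

```python
# Added example, not code from Bitrace or Bybit. Assumes a Safe-style multisig
# whose signers approve an ABI-encoded execTransaction(...) call. HOT_WALLET and
# the "deadbeef" payload are placeholders; MALICIOUS_IMPL is the contract the
# article names.
from dataclasses import dataclass

# First four bytes of keccak256 of the execTransaction signature:
# execTransaction(address to, uint256 value, bytes data, uint8 operation,
#   uint256 safeTxGas, uint256 baseGas, uint256 gasPrice, address gasToken,
#   address refundReceiver, bytes signatures)
EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")
HEAD_WORDS = 10                      # ten parameters, two of them dynamic (data, signatures)
OP_CALL, OP_DELEGATECALL = 0, 1
ZERO_ADDRESS = "0x" + "00" * 20

HOT_WALLET = "0x" + "11" * 20        # placeholder treasury destination
MALICIOUS_IMPL = "0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516"


@dataclass
class SafeTx:
    to: str
    value: int
    data: bytes
    operation: int
    safe_tx_gas: int = 0
    base_gas: int = 0
    gas_price: int = 0
    gas_token: str = ZERO_ADDRESS
    refund_receiver: str = ZERO_ADDRESS
    signatures: bytes = b""


def _word(n: int) -> bytes:
    return n.to_bytes(32, "big")


def _addr_word(addr: str) -> bytes:
    return _word(int(addr, 16))


def _dyn(b: bytes) -> bytes:
    """ABI tail for a `bytes` value: length word, then the data padded to 32 bytes."""
    return _word(len(b)) + b + b"\x00" * (-len(b) % 32)


def encode_exec_transaction(tx: SafeTx) -> bytes:
    """Build the calldata a wallet frontend hands to the signers."""
    data_tail = _dyn(tx.data)
    data_offset = HEAD_WORDS * 32
    sig_offset = data_offset + len(data_tail)
    head = (_addr_word(tx.to) + _word(tx.value) + _word(data_offset) + _word(tx.operation)
            + _word(tx.safe_tx_gas) + _word(tx.base_gas) + _word(tx.gas_price)
            + _addr_word(tx.gas_token) + _addr_word(tx.refund_receiver) + _word(sig_offset))
    return EXEC_TRANSACTION_SELECTOR + head + data_tail + _dyn(tx.signatures)


def _read_dyn(params: bytes, offset: int) -> bytes:
    length = int.from_bytes(params[offset:offset + 32], "big")
    return params[offset + 32:offset + 32 + length]


def decode_exec_transaction(calldata: bytes) -> SafeTx:
    """Recover the real parameters from the raw calldata, ignoring whatever the UI displayed."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction call")
    p = calldata[4:]
    words = [p[i * 32:(i + 1) * 32] for i in range(HEAD_WORDS)]
    ints = [int.from_bytes(w, "big") for w in words]

    def addr(w: bytes) -> str:
        return "0x" + w[-20:].hex()

    return SafeTx(to=addr(words[0]), value=ints[1], data=_read_dyn(p, ints[2]), operation=ints[3],
                  safe_tx_gas=ints[4], base_gas=ints[5], gas_price=ints[6],
                  gas_token=addr(words[7]), refund_receiver=addr(words[8]),
                  signatures=_read_dyn(p, ints[9]))


def review_before_signing(calldata: bytes, allowed_targets: set, max_value_wei: int) -> list:
    """Red flags a signer should see on an independent device; an empty list means a plain transfer."""
    tx = decode_exec_transaction(calldata)
    allowed = {a.lower() for a in allowed_targets}
    findings = []
    if tx.operation == OP_DELEGATECALL:
        findings.append("operation=1 (DELEGATECALL): the target's code runs with the wallet's own storage "
                        "and can rewrite the wallet's logic; a plain ETH transfer never needs this")
    elif tx.operation != OP_CALL:
        findings.append(f"unknown operation {tx.operation}")
    if tx.to.lower() not in allowed:
        findings.append(f"target {tx.to} is not an allow-listed treasury address")
    if tx.data:
        findings.append(f"{len(tx.data)} bytes of calldata attached; a native ETH transfer carries none")
    if tx.value > max_value_wei:
        findings.append(f"value {tx.value} wei exceeds the approved limit")
    return findings


def demo():
    """What the UI claimed (a 1 ETH cold-to-hot transfer) versus a logic-swapping delegatecall."""
    benign = encode_exec_transaction(SafeTx(HOT_WALLET, 10**18, b"", OP_CALL))
    hostile = encode_exec_transaction(SafeTx(MALICIOUS_IMPL, 0, bytes.fromhex("deadbeef"), OP_DELEGATECALL))
    policy = ({HOT_WALLET}, 10**21)
    return review_before_signing(benign, *policy), review_before_signing(hostile, *policy)


if __name__ == "__main__":
    for name, flags in zip(("benign", "hostile"), demo()):
        print(name, flags or "OK")
```

The decisive field is `operation`: a routine cold-to-hot transfer is operation 0 (CALL) with empty data, so a 1 (DELEGATECALL), which executes the target's code in the wallet's own storage context, is exactly the kind of logic change step 3 describes and should stop the signing regardless of what the screen shows. The check only helps if it runs on a device the attacker has not compromised, which is why it decodes the bytes itself rather than trusting any frontend.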

Money Laundering Methods

The money laundering process can be broken down into two stages:

1. Early Fund Splitting: The attackers quickly swapped the liquid staking tokens for ETH, avoiding stablecoins, whose issuers can freeze them, and then split the ETH across subordinate addresses in preparation for laundering. During this phase an attempt to convert 15,000 mETH to ETH was blocked, and that portion of the loss was recovered.

2. Money Laundering Operations: The attackers moved the stolen ETH through both centralized and decentralized industry infrastructure, including Chainflip, Thorchain, Uniswap and eXch. Some of these were used to swap assets, others for cross-chain transfers.

As of this writing, a large share of the stolen funds has been converted into BTC, DOGE, SOL and other layer-1 tokens and moved across several networks. Memecoins were even issued with the proceeds, and some funds were sent to exchange deposit addresses, all to obscure their origin.
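To make the splitting described above and the resulting exposure concrete, here is an added example, not Bitrace's tooling, of haircut taint propagation over a constructed transfer log that uses symbolic labels rather than real addresses or real flows. Each outgoing transfer carries the sender's current tainted fraction with it, so splitting funds across sub-addresses never dilutes exposure, while mixing with genuinely clean funds does; the hop count records how far an address sits from the seed. The screening thresholds are illustrative assumptions, not a standard.

```python
# Added example, not Bitrace's tooling. Sample transfers are constructed and use
# symbolic labels; the haircut rule is one common taint convention, and the
# review/block thresholds are illustrative assumptions.
from collections import defaultdict
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Transfer:
    block: int   # replay order
    src: str
    dst: str
    amount: int  # integer units (e.g. wei)


# Constructed sample: symbolic labels, not real addresses or real flows.
SEED_BALANCES = {"attacker": 1000}     # known stolen funds
CLEAN_BALANCES = {"retail_user": 300}  # unrelated, legitimate funds
TRANSFERS = [
    Transfer(1, "attacker", "split_a", 400),
    Transfer(1, "attacker", "split_b", 600),
    Transfer(2, "split_a", "otc_merchant", 100),      # merchant is paid from a split address
    Transfer(2, "retail_user", "otc_merchant", 100),  # ... and also by a clean customer
    Transfer(3, "otc_merchant", "exchange_deposit", 50),
    Transfer(3, "split_b", "bridge_contract", 600),
    Transfer(4, "retail_user", "exchange_deposit", 150),
]


def propagate_taint(transfers, seed_balances, clean_balances):
    """Replay transfers in chain order; return {address: (tainted_fraction, hops_from_seed)}.

    Haircut rule: an outgoing transfer carries the sender's current tainted
    fraction, so exact fractions are kept with Fraction rather than floats.
    """
    balance = defaultdict(int)
    tainted = defaultdict(Fraction)
    hops = {}
    for a, amt in seed_balances.items():
        balance[a] += amt
        tainted[a] += amt
        hops[a] = 0
    for a, amt in clean_balances.items():
        balance[a] += amt
    for t in sorted(transfers, key=lambda t: t.block):
        if t.amount <= 0 or t.amount > balance[t.src]:
            raise ValueError(f"{t.src} cannot send {t.amount} at block {t.block}")
        moved = Fraction(t.amount) * tainted[t.src] / balance[t.src]
        balance[t.src] -= t.amount
        tainted[t.src] -= moved
        balance[t.dst] += t.amount
        tainted[t.dst] += moved
        if moved > 0:  # only tainted value extends the hop graph
            hops[t.dst] = min(hops.get(t.dst, hops[t.src] + 1), hops[t.src] + 1)
    return {a: (tainted[a] / balance[a], hops.get(a)) for a in balance if balance[a] > 0}


def screen_deposit(report, address, review_at=Fraction(1, 20), block_at=Fraction(1, 2)):
    """KYT-style decision for a counterparty address: 'block', 'review' or 'accept'."""
    fraction, hops = report.get(address, (Fraction(0), None))
    if fraction >= block_at or (hops is not None and hops <= 1):
        return "block"    # mostly stolen value, or received straight from the seed
    if fraction >= review_at:
        return "review"   # diluted but still exposed; expect freeze requests
    return "accept"


def demo():
    report = propagate_taint(TRANSFERS, SEED_BALANCES, CLEAN_BALANCES)
    watched = ("otc_merchant", "exchange_deposit", "retail_user")
    return report, {a: screen_deposit(report, a) for a in watched}


if __name__ == "__main__":
    report, decisions = demo()
    for addr, (fraction, hops) in sorted(report.items()):
        print(f"{addr:18} taint={float(fraction):.3f} hops={hops}")
    print(decisions)
```

In the sample the OTC merchant is half tainted after taking one payment from a split address and one from a clean customer, and the exchange deposit address it later pays into inherits an eighth of its balance as tainted at three hops; under the illustrative thresholds the merchant is blocked and the deposit address goes to review, which is the freeze pattern the later sections describe. Addresses that have emptied out, such as the attacker address after splitting, drop out of the report because they hold nothing to screen.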

Bitrace is actively monitoring and tracking the addresses associated with the stolen funds. Threat intelligence updates are pushed in real time via BitracePro and Detrust so that users do not unknowingly receive stolen funds.

Historical Analysis

Analysis of the address 0x457 in the fund chain revealed links to earlier attacks: the BingX exchange hack in September 2024 and the Phemex exchange hack in January 2025. This suggests that the same entity is behind all three attacks.

Given the highly industrialized laundering tactics and attack methods, some blockchain security experts attribute the incident to the notorious Lazarus group, which has carried out multiple cyberattacks on crypto industry organizations and infrastructure over the years and has illegally seized billions of dollars’ worth of cryptocurrency.

Freeze Crisis

Through years of investigation, Bitrace has found that the group not only launders through unlicensed industry infrastructure but also relies heavily on centralized platforms to cash out stolen funds. The result has been the freezing of many exchange accounts, whether by mistake or by design, and of the business addresses of OTC merchants and payment institutions, frozen by Tether.

In 2024, the Japanese cryptocurrency exchange DMM Bitcoin was attacked by Lazarus and roughly $300 million worth of Bitcoin (4,502.9 BTC) was illegally transferred. The attackers routed part of the funds to the Southeast Asian crypto payment platform HuionePay, whose hot wallet address was then frozen by Tether, locking up over $29 million.

In 2023, Poloniex was attacked, again with Lazarus suspected, and over $100 million worth of funds was illegally transferred. Part of the funds was laundered through OTC trades, which led to the freezing of several OTC merchants’ business addresses and to risk-control measures on exchange accounts holding their business funds, causing major disruption to their operations.

Conclusion

Frequent hacking incidents have already caused heavy losses across the industry, and the laundering that follows contaminates many more individual and institutional addresses. Innocent parties and potential victims must watch for these tainted funds in the course of their business to avoid being caught up in the response.

This is a wake-up call: it is time to take cryptocurrency anti-money-laundering awareness and KYT (Know Your Transaction) procedures seriously.

With Detrust and Bitrace Pro, cryptocurrency businesses get a full picture of the funding risk attached to their business addresses. Real-time risk alerts let them quickly initiate or respond to cooperation requests, minimizing the impact of risky funds on business addresses and helping crypto enterprises comply with anti-money-laundering regulations in different jurisdictions.

Detrust has been operational for over a year, serving cryptocurrency exchanges, VAOTC merchants, payment platforms and other enterprises. Any crypto company can reach us through the following channels:

Email: bd@bitrace.io

Twitter: @Bitrace_team

LinkedIn: @bitrace tech