
ByBit Billion Dollar Hack - Part 1: Smart Contracts Forensics Timeline

February 28, 2025

Victor Fang, Philip Werlau - AnChain.AI 

Key Takeaways:

  • AnChain.AI has conducted in-depth smart contract forensics, revealing the Bybit hackers’ attack vector and timeline. 
  • DeFi hack prevention and investigation require new tooling for smart contract and bytecode analysis. 
  • The hacker deployed the malicious smart contract 3 days before the Feb 21 exploit. 
  • Web3 security requires protection of the full attack surface. The root cause was the AWS cloud compromise that allowed the hackers to deploy malicious JavaScript code that altered the DeFi transaction. 
  • The Safe{Wallet} smart contract delegate call is “a feature, not a bug”, but there is room for improvement. 

The Largest Hack in Crypto History

Days ago, the world was shocked by the $1.5 Billion Bybit hack. Subsequently, the AnChain.AI team has been hard at work with our partners in both the public and private sectors to debrief the situation, and take preventative action.

As we continue to closely monitor the incident and subsequent money flows, the underlying factors behind this attack have become clear:

1.  Bybit’s press statement confirmed the compromise of its Safe{Wallet} JavaScript front end.

2.  The FBI refers to this specific North Korean malicious cyber activity as "TraderTraitor":
    https://www.ic3.gov/PSA/2025/PSA250226

Web3 Attack Surface Analysis 

The AnChain.AI team started by taking a detailed look at the Web3 attack surface, developing the timeline below.

Bybit Safe{Wallet} Exploit Timeline

  • Tuesday, February 18, 2025: The attacker deployed a malicious smart contract in preparation for the exploit.
  • Friday, February 21, 2025: The attacker successfully executed a phishing attack against Bybit’s cold wallet multisig signers (including the Bybit CEO). This deception led them to unknowingly approve a transaction that replaced the Gnosis Safe smart contract wallet implementation with the attacker’s malicious smart contract. The exploit combines attack vectors from the blockchain smart contract, cloud infrastructure, JavaScript frontend, hardware multisig wallets and more. 
  • Sunday, February 23, 2025: The attacker started laundering the stolen cryptocurrency. 

Detailed Attack Vector Analysis and Timeline 

Subsequently, the AnChain.AI investigation team homed in on the period following the Bybit 400K ETH transfer. Here is the attack vector analysis and timeline, with highlights of the attack surface. 

Pre-Exploit - (Attack surface: Blockchain)

Tuesday, February 18, 2025: The attacker deployed a malicious smart contract bytecode on Ethereum mainnet, in preparation for the exploit.

Exploit: 

Friday, February 21, 2025: The attacker successfully executed a phishing attack against Bybit’s cold wallet multisig signers (including Bybit CEO). This deception led them to unknowingly approve a transaction that replaced the Safe{Wallet} Gnosis smart contract wallet implementation with the attacker’s malicious smart contract. 

Based on AnChain.AI’s analysis, the exploit has two main angles:

1. JavaScript-Based Attack (Cloud Compromise)

  • Malicious Injection: The attacker injected malicious JavaScript into a resource hosted on Safe{Wallet}’s AWS S3 bucket.

  • Transaction Manipulation: When Bybit users initiated transactions via Safe{Wallet}, the injected script altered the transaction content during signing, enabling unauthorized modifications.

  • Targeted Execution: The JavaScript executed only when transactions originated from Bybit’s smart contract address or an unidentified contract controlled by the attacker.

  • Rapid Cover-Up: Within two minutes of the exploit, a clean version of the JavaScript was uploaded to Safe{Wallet}’s AWS S3 bucket, erasing evidence of the attack.

2. Blockchain-Based Exploit (Smart Contract Manipulation)

  • Malicious Smart Contract Deployment: The attacker pre-deployed a malicious smart contract on Ethereum three days before the attack (February 18, 2025).

  • Phishing & Unauthorized Approval: On February 21, 2025, the attacker tricked Bybit’s cold wallet multisig signers, including CEO Ben Zhou, into approving a fraudulent transaction via Ledger hardware wallets.

  • Gnosis Safe Exploit: The attacker used the execTransaction function in Gnosis Safe, exploiting operator = 1 to delegate execution to the malicious contract, effectively replacing the cold wallet’s smart contract implementation.

  • Asset Drainage: The malicious contract introduced sweepETH and sweepERC20 functions, allowing the attacker to transfer 400,000+ ETH (~$1.5 billion) from Bybit’s cold wallet without requiring multisig approval.


DeFi investigation, such as of the Safe{Wallet} smart contracts, presents a challenge entirely distinct from tracing Bitcoin UTXOs or stablecoin tokens. 

To address the unique obstacles that arise in DeFi forensics, our investigators use the SCREEN engine, a tool developed by AnChain.AI to empower frontline investigators, which has played pivotal roles in the Tornado Cash, Crema Finance, and other high-profile cases.

Decoding the Exploit: Smart Contract Internal Transaction

To set the stage, these are the key wallet addresses and smart contract exploit transactions that AnChain.AI identified. 

Exploiter Wallet: 0x0fa09C3A328792253f8dee7116848723b72a6d2e

Exploit Contract: 0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516

Exploit Contract Creation: 0xc47ac9038127cef763a1c9a33309a645c5a4fa9df1b4858634ae596ccc2aee5e

Bybit Cold Wallet: 0x1Db92e2EeBC8E0c075a02BeA49a2935BcD2dFCF4

Cold Wallet Exploit Transaction: 0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882

Exploit Input Data in Gnosis Safe Data Payload:

The attacker altered this data field in the Safe{Wallet} Gnosis data payload:

0xa9059cbb000000000000000000000000bdd077f651ebe7f7b3ce16fe5f2b025be296951600000000000...

The AnChain.AI team was able to decode this into 2 pieces: 

  • Gnosis Safe Exploit: The attacker used the execTransaction function in Gnosis Safe, exploiting operator = 1 to delegate execution to the malicious contract, effectively replacing the cold wallet’s smart contract implementation.

  • Asset Drainage: The malicious contract introduced sweepETH and sweepERC20 functions, allowing the attacker to transfer 400,000+ ETH (~$1.5 billion) from Bybit’s cold wallet without requiring multisig approval.
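The two bullets above and the data payload quoted earlier describe what a signer was really approving: an execTransaction whose `operation` is 1 (DELEGATECALL in Safe's Enum.Operation; the post calls it "operator = 1") and whose inner calldata starts with the ERC-20 `transfer(address,uint256)` selector `0xa9059cbb` followed by the exploit contract's address. The following decoder is an added example, not AnChain.AI SCREEN code and not Safe code. It assumes the Safe execTransaction parameter layout (to, value, data, operation), recognises only the two ERC-20 selectors in its table, and completes the truncated payload from the post with a constructed zero amount word; the delegatecall target is set to the exploit contract address the post lists, following the post's description of the attack.

```python
"""Decode a Safe execTransaction intent and its inner calldata (added example)."""
from dataclasses import dataclass
from typing import Optional

CALL, DELEGATECALL = 0, 1          # Safe's Enum.Operation values

# keccak256(signature)[:4] for the two ERC-20 functions this example recognises
KNOWN_SELECTORS = {
    "a9059cbb": "transfer(address,uint256)",
    "70a08231": "balanceOf(address)",
}

EXPLOIT_CONTRACT = "0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516"  # address from the post
# Constructed sample: the post's prefix "0xa9059cbb 000...bdd077...2969516 000..."
# completed with a 32-byte zero amount word (placeholder, not the on-chain value).
SAMPLE_DATA = "0xa9059cbb" + EXPLOIT_CONTRACT[2:].rjust(64, "0") + "00" * 32


@dataclass(frozen=True)
class DecodedCall:
    selector: str
    signature: Optional[str]
    recipient: Optional[str]
    amount: Optional[int]


def decode_calldata(data_hex: str) -> DecodedCall:
    """Split calldata into a 4-byte selector and 32-byte ABI words."""
    raw = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    if len(raw) < 4:
        raise ValueError("calldata shorter than a selector")
    selector, words = raw[:4].hex(), raw[4:]
    if len(words) % 32:
        raise ValueError("arguments are not 32-byte aligned: truncated calldata?")
    signature = KNOWN_SELECTORS.get(selector)
    if signature == "transfer(address,uint256)" and len(words) == 64:
        # an address occupies the low 20 bytes of word 0; the amount is word 1
        recipient = "0x" + words[12:32].hex()
        amount = int.from_bytes(words[32:64], "big")
        return DecodedCall(selector, signature, recipient, amount)
    return DecodedCall(selector, signature, None, None)


def explain_exec_transaction(to: str, value: int, data_hex: str, operation: int) -> list:
    """Describe what a signer is actually approving, independent of any UI."""
    notes = []
    inner = decode_calldata(data_hex)
    label = inner.signature or f"unknown selector 0x{inner.selector}"
    if operation == DELEGATECALL:
        notes.append(
            f"DELEGATECALL to {to}: that contract's {label} code runs with the Safe's own "
            "storage, balance and address; a write to storage slot 0 overwrites the "
            "proxy's singleton (implementation) pointer"
        )
    elif operation == CALL:
        notes.append(f"CALL to {to} invoking {label} with {value} wei")
    else:
        notes.append(f"unknown operation {operation}")
    if inner.recipient is not None:
        notes.append(f"inner arguments: address={inner.recipient}, amount={inner.amount}")
        if inner.amount == 0:
            # heuristic: a zero-amount transfer moves nothing, so its arguments serve another purpose
            notes.append("zero-amount transfer: arguments likely carry meaning other than a token transfer")
        if inner.recipient.lower() == to.lower():
            notes.append("the address argument is the delegatecall target itself (self-referential payload)")
    return notes


if __name__ == "__main__":
    for line in explain_exec_transaction(EXPLOIT_CONTRACT, 0, SAMPLE_DATA, DELEGATECALL):
        print("-", line)
```

The point of the check is that it works from the raw fields a hardware wallet signs over, so a tampered frontend cannot influence it; a signer who compares its output with what the UI shows would see a delegatecall where a token transfer was expected.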

This is visualized below in the SCREEN platform, which directly highlights how the internal transaction transferred 401K ETH to the hacker. 

Figure: the Bybit multisig exploit transaction that sent 401K ETH to the hacker. 

This examination within the SCREEN platform also revealed additional exploit transactions worthy of note, as listed below.

  1. 0x25800d105db4f21908d646a7a3db849343737c5fba0bc5701f782bf0e75217c9: 90 USDT ($90)
  2. 0xb61413c495fdad6114a7aa863a00b2e3c28945979a10885b12b30316ea9f072c: 401,346.768858404671846374 ETH ($1,066,920,182.99 @ $2,658.35)
  3. 0xbcf316f5835362b7f1586215173cc8b294f5499c60c029a3de6318bf25ca7b20: 8,000 mETH ($22,380,480.00 @ $2,797.56)
  4. 0xa284a1bc4c7e0379c924c73fcea1067068635507254b03ebbbd3f4e222c1fae0: 90,375.547907685258392043 stETH ($239,938,042.14 @ $2,654.90)
  5. 0x847b8403e8a4816a4de1e63db321705cdb6f998fb01ab58f653b863fda988647: 15,000 cmETH ($42,038,400.00 @ $2,802.56)

      Total: $1,371,277,195.13 (all dollar values calculated using the asset’s day close price) 

Bytecode Analysis

However, not all smart contracts deployed on the Ethereum blockchain come with Solidity source code. Ordinarily this presents an immediate roadblock, but by utilizing the SCREEN platform we are able to circumvent this obstacle by taking advantage of a smart contract’s deployed bytecode.

The exploit contract 0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516 has no Solidity source code, which makes it nearly impossible for DeFi investigators to understand the malicious business logic that may or may not be contained within it.

However, using AI and machine learning, especially GPT embedding models, SCREEN can decode the bytecode, uncovering the key logic: 

  • Transfer
  • SweepETH
  • SweepERC20 
  • BalanceOf

These are confirmed in further transaction analysis. 

Figure: We reverse engineered the Bybit exploit bytecode, leading to 4 smart contract functions, and 50 other similar smart contracts, based on embedding. 
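Even without source code, deployed bytecode gives away the function selectors a contract dispatches on: Solidity's entry point loads the first four bytes of calldata and compares them against each selector with a PUSH4/EQ/JUMPI chain. The script below is an added example of that first step, not AnChain.AI's SCREEN or its embedding method. It walks the bytecode opcode by opcode so that PUSH immediates are never misread as instructions, collects every PUSH4 that is immediately compared with EQ, and labels the ones in a small known-selector table. The bytecode is constructed for this example: the only real selectors in it are `transfer(address,uint256)` and `balanceOf(address)`; the two others are placeholders standing in for functions such as sweepETH and sweepERC20, whose signatures the post does not give and which would be looked up in a selector database.

```python
"""Recover function selectors from EVM bytecode without source (added example)."""

PUSH1, PUSH4, PUSH32 = 0x60, 0x63, 0x7F
EQ, JUMPI, STOP, POP = 0x14, 0x57, 0x00, 0x50

KNOWN_SELECTORS = {
    "a9059cbb": "transfer(address,uint256)",
    "70a08231": "balanceOf(address)",
}


def disassemble(code: bytes):
    """Yield (offset, opcode, immediate); PUSHn consumes its n data bytes."""
    pc, n = 0, len(code)
    while pc < n:
        op = code[pc]
        if PUSH1 <= op <= PUSH32:
            width = op - PUSH1 + 1
            yield pc, op, code[pc + 1 : pc + 1 + width]
            pc += 1 + width
        else:
            yield pc, op, b""
            pc += 1


def extract_selectors(code: bytes) -> list:
    """Selectors for which the dispatcher contains a `PUSH4 <sel> EQ` comparison."""
    insns = list(disassemble(code))
    found = []
    for i in range(len(insns) - 1):
        _, op, imm = insns[i]
        if op == PUSH4 and len(imm) == 4 and insns[i + 1][1] == EQ:
            sel = imm.hex()
            if sel not in found:
                found.append(sel)
    return found


def naive_scan(code: bytes) -> list:
    """Byte-level grep for 63 xx xx xx xx 14, for comparison: it also matches PUSH data."""
    found = []
    for i in range(len(code) - 5):
        if code[i] == PUSH4 and code[i + 5] == EQ:
            sel = code[i + 1 : i + 5].hex()
            if sel not in found:
                found.append(sel)
    return found


def label_selectors(code: bytes) -> dict:
    """Map each recovered selector to a known signature or 'unknown'."""
    return {sel: KNOWN_SELECTORS.get(sel, "unknown") for sel in extract_selectors(code)}


def _dispatcher_stub(selectors: list) -> bytes:
    """Constructed Solidity-style dispatcher: calldataload(0) >> 0xe0, then PUSH4/EQ/PUSH2/JUMPI per selector."""
    code = bytes.fromhex("6000" "35" "60e0" "1c")   # PUSH1 0 CALLDATALOAD PUSH1 0xe0 SHR
    for i, sel in enumerate(selectors):
        target = (0x100 + 0x10 * i).to_bytes(2, "big")  # placeholder jump destinations
        code += b"\x80\x63" + bytes.fromhex(sel) + bytes([EQ]) + b"\x61" + target + bytes([JUMPI])
    return code + bytes([STOP])


# Constructed sample: two real ERC-20 selectors, two placeholder selectors, and a
# PUSH32 constant whose data happens to contain the byte pattern 63 deadbeef 14.
SAMPLE_BYTECODE = (
    _dispatcher_stub(["a9059cbb", "70a08231", "11223344", "55667788"])
    + bytes([PUSH32]) + bytes.fromhex("63deadbeef14".ljust(64, "0")) + bytes([POP])
)

if __name__ == "__main__":
    print("opcode-aware:", label_selectors(SAMPLE_BYTECODE))
    print("naive scan:  ", naive_scan(SAMPLE_BYTECODE))
```

The naive scan reports a phantom `deadbeef` selector that only exists inside a constant, which is why any bytecode triage should be driven by a real disassembly; selector recovery is also only the start, since an attacker is free to name functions anything or to use selectors that collide with benign signatures.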

Myth: Is the Safe{Wallet} delegate call a bug or a feature? 

This leads to a natural question, one which arose frequently in discussion with our customers and law enforcement partners: “Is the Safe{Wallet} smart contract delegate call a bug or a feature?”

Based on our in-depth analysis at AnChain.AI, we conclude that this functionality is a legitimate design choice within the Gnosis Safe smart contract architecture. The delegate call mechanism allows the contract to execute logic from an external smart contract while maintaining the context of the original contract. This is a commonly used feature in upgradable and modular smart contract systems, enabling flexibility and extensibility.

However, in this case, the attacker exploited this feature to replace the contract’s implementation with a malicious version, as AnChain.AI SCREEN reveals, effectively hijacking control over Bybit’s cold wallet. This underscores the inherent risks of delegate calls, particularly when proper security measures, such as strict access controls and validation mechanisms, are not in place. 

Gnosis Safe Contract

https://github.com/destenson/gnosis--gnosis-safe-contracts/blob/master/contracts/GnosisSafe.sol

The function is operating as intended, but the failure of other security measures has exposed it to exploitation at an unprecedented level.

How can Safe{Wallet} improve security? 

Although we agree that the Safe{Wallet} delegate call is a feature by design, we must recognize the lack of on-chain restrictions and the over-reliance on the frontend. 

  • The security model of Safe{Wallet} relies heavily on frontend safeguards to prevent unauthorized contract upgrades or delegate call exploits.
  • This means that while the UI may enforce restrictions on contract interactions, such as preventing unauthorized changes to the smart contract implementation, these restrictions exist only at the application layer and not at the smart contract level.
  • As a result, attackers can bypass the frontend entirely and directly interact with the blockchain, executing delegate calls on the smart contract through custom scripts or blockchain explorers like Etherscan.

Recommendations: 

  • Frontend-based security is insufficient: Relying on UI restrictions is ineffective against direct blockchain interactions by malicious actors.
  • Delegate calls need stricter controls: The smart contract should have explicit restrictions to prevent arbitrary upgrades or modifications without stringent validation.
  • Access control mechanisms should be on-chain: Instead of depending on frontend logic, security measures such as whitelisting trusted upgrade paths, requiring extra approval layers, or restricting certain delegate call operations should be enforced at the smart contract level.
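As an added example of the three recommendations, here is a reference model of the checks a contract-level control would apply before a Safe transaction executes. It is not Safe{Wallet} or AnChain.AI code: current Safe contracts support a transaction Guard whose `checkTransaction` hook runs inside `execTransaction` and can revert it, and the rules below express in Python what such a Guard would enforce (a deployed Guard is written in Solidity). The allowlist, thresholds, addresses and sample transactions are all constructed for this example.

```python
"""Reference model of on-chain delegate-call controls for a multisig (added example)."""
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1   # Safe's Enum.Operation values


@dataclass(frozen=True)
class GuardPolicy:
    delegate_allowlist: frozenset   # lowercase addresses whose code may be delegatecalled
    base_threshold: int             # the Safe's ordinary signature threshold
    delegate_extra_approvals: int   # additional signatures required for any delegatecall
    max_value_wei: int              # ceiling on value for an ordinary CALL


@dataclass(frozen=True)
class SafeTx:
    to: str
    value: int
    data: bytes
    operation: int
    signatures: int                 # valid owner signatures presented with the transaction


def check_transaction(tx: SafeTx, policy: GuardPolicy) -> tuple:
    """Return (allowed, reason); an on-chain Guard would revert on any False."""
    if tx.signatures < policy.base_threshold:
        return False, "fewer signatures than the multisig threshold"
    if tx.operation == DELEGATECALL:
        # Rule 1 (whitelisted upgrade paths): only pre-approved code may run in the Safe's context
        if tx.to.lower() not in policy.delegate_allowlist:
            return False, f"delegatecall target {tx.to} is not allowlisted"
        # Rule 2 (extra approval layer): delegatecalls need more signers than the normal quorum
        needed = policy.base_threshold + policy.delegate_extra_approvals
        if tx.signatures < needed:
            return False, f"delegatecall requires {needed} signatures, got {tx.signatures}"
        return True, "delegatecall to allowlisted module with elevated quorum"
    if tx.operation != CALL:
        return False, f"unsupported operation {tx.operation}"
    # Rule 3 (restricted operations): bound ordinary calls so one approval cannot drain the wallet
    if tx.value > policy.max_value_wei:
        return False, "value exceeds the per-transaction ceiling"
    return True, "ordinary call within policy"


# Constructed policy and transactions (placeholder addresses)
TRUSTED_MODULE = "0x" + "11" * 20
OTHER_CONTRACT = "0x" + "22" * 20
SAMPLE_POLICY = GuardPolicy(
    delegate_allowlist=frozenset({TRUSTED_MODULE}),
    base_threshold=3,
    delegate_extra_approvals=2,
    max_value_wei=10**21,
)


def sample_results() -> list:
    """Evaluate a few constructed transactions against SAMPLE_POLICY."""
    cases = [
        ("routine transfer", SafeTx(OTHER_CONTRACT, 10**18, b"", CALL, 3)),
        ("delegatecall to unknown contract", SafeTx(OTHER_CONTRACT, 0, b"", DELEGATECALL, 3)),
        ("delegatecall to allowlisted module, normal quorum", SafeTx(TRUSTED_MODULE, 0, b"", DELEGATECALL, 3)),
        ("delegatecall to allowlisted module, elevated quorum", SafeTx(TRUSTED_MODULE, 0, b"", DELEGATECALL, 5)),
        ("oversized value", SafeTx(OTHER_CONTRACT, 10**22, b"", CALL, 3)),
    ]
    return [(name, *check_transaction(tx, SAMPLE_POLICY)) for name, tx in cases]


if __name__ == "__main__":
    for name, allowed, reason in sample_results():
        print(f"{'ALLOW' if allowed else 'REJECT':6} {name}: {reason}")
```

Two points matter when this is moved on-chain. The Guard must itself be changeable only through the multisig (in Safe, `setGuard` is callable only by the Safe itself), otherwise the frontend compromise the post describes would simply swap the Guard out; and a Guard that reverts unconditionally can lock the Safe, so its allowlist and thresholds deserve the same review as the wallet's owner set.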

Conclusion: 

The billion-dollar Bybit hack is a stark reminder that what we've witnessed in DeFi hacks is just the tip of the iceberg. As the severity and sophistication of these attacks escalate, it's crucial to critically reassess and enhance our investigative toolsets. AnChain.AI’s SCREEN engine is designed from the ground up to tackle these DeFi threats, and has already spearheaded groundbreaking investigations in both the public and private sectors.

For any VASPs or financial institutions with DeFi exposure such as Safe{Wallet}, we recommend a thorough Web3 security pentest and vulnerability assessment. Contact our experts today to get started.

Looking to equip your business with the tools and skills to protect against DeFi threats? Schedule a live training session with AnChain.AI, trusted by the world’s leading regulators.