ByBit Hack: Exploiting Smart Contracts to Drain Funds – A Deep Dive on How it Happened 

ByBit, one of the leading cryptocurrency exchanges globally, recently suffered a $1.38 billion security breach, becoming one of the largest (if not the largest) exchange hacks in recent history.

After the breach, much of the cryptocurrency community consolidated their efforts to track the stolen funds and to prevent any attempts at laundering or legitimizing them.

Consistent with our mission to make the crypto world a safer place, we at Lukka support these efforts and strive to actively participate in them.

In this publication we want to focus on how the attack was initially made possible and how it was carried out. We believe that sharing this information will help the crypto community protect itself against similar incidents.

How the ByBit Hack Happened - step-by-step analysis

The attacker(s) exploited existing smart contract vulnerabilities, allowing them to take control of ByBit’s cold wallet and systematically drain funds.

The attack was executed by 0x0fa09C3A328792253f8dee7116848723b72a6d2e, who deployed two smart contracts that were later used to manipulate ByBit’s wallet structure.

Following this, the hacker submitted a transaction (0x46de…7882) that injected malicious smart contract code, altering the storage state of ByBit’s proxy contract.

This modification replaced ByBit’s legitimate implementation contract (0x34Cf…3F5F) with the hacker’s own contract (0xbDd0…9516), granting them control over the wallet.

Once the hacker successfully altered the contract logic, they executed functions to siphon ETH and ERC-20 tokens from ByBit’s cold wallet. The contract contained two functions:

  • sweepERC20(address token, address to): Allowed the transfer of ERC-20 tokens.
  • sweepETH(address receiver): Allowed the direct transfer of ETH.

This exploit effectively gave the hacker complete control over ByBit’s wallet, enabling them to drain all funds in a structured manner.
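As an added illustration (not code from the original post or from Lukka), the following Python check flags the kind of storage change described above: it diffs a proxy contract's implementation slot before and after a transaction and raises a critical alert when the new implementation address is not on an allowlist. The EIP-1967 slot constant is the standard one; the slot-0 layout, the proxy and implementation addresses and the storage snapshots are constructed stand-ins, since the page only gives truncated addresses.

```python
"""Detect an implementation swap in a proxy contract by diffing its storage (added example)."""
from dataclasses import dataclass

# EIP-1967 implementation slot: keccak256("eip1967.proxy.implementation") - 1.
EIP1967_IMPL_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc
# Older wallet proxies commonly keep the implementation address in slot 0 (assumption for this demo).
LEGACY_IMPL_SLOT = 0
WATCHED_SLOTS = (EIP1967_IMPL_SLOT, LEGACY_IMPL_SLOT)

@dataclass(frozen=True)
class Alert:
    proxy: str
    slot: int
    old_impl: str
    new_impl: str
    severity: str  # "info" for an allow-listed upgrade, "critical" for anything else

def word_to_address(word: int) -> str:
    """Lower 160 bits of a 256-bit storage word as a lowercase hex address."""
    return "0x" + format(word & ((1 << 160) - 1), "040x")

def check_implementation_slots(proxy, pre, post, allowlist):
    """pre/post: {slot: 256-bit word} for `proxy`, e.g. from a prestateTracer diff or two
    eth_getStorageAt snapshots around a transaction. allowlist: known-good implementations."""
    allowed = {a.lower() for a in allowlist}
    alerts = []
    for slot in WATCHED_SLOTS:
        before, after = pre.get(slot, 0), post.get(slot, 0)
        if before == after:
            continue  # implementation pointer untouched by this transaction
        old_impl, new_impl = word_to_address(before), word_to_address(after)
        severity = "info" if new_impl in allowed else "critical"
        alerts.append(Alert(proxy, slot, old_impl, new_impl, severity))
    return alerts

# Constructed demo values, not the real ByBit addresses.
PROXY = "0x" + "aa" * 20
GOOD_IMPL = "0x" + "34" * 20
EVIL_IMPL = "0x" + "bd" * 20

def demo():
    pre = {LEGACY_IMPL_SLOT: int(GOOD_IMPL, 16)}
    post = {LEGACY_IMPL_SLOT: int(EVIL_IMPL, 16)}  # storage after a malicious delegatecall write
    return check_implementation_slots(PROXY, pre, post, allowlist={GOOD_IMPL})

if __name__ == "__main__":
    for a in demo():
        print(f"[{a.severity.upper()}] {a.proxy} slot {a.slot}: {a.old_impl} -> {a.new_impl}")
```

Running the same check on every block for a custodial proxy's implementation slot gives an alert the moment the pointer moves, which is the earliest observable sign of the takeover described above.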

The results of the ByBit Hack: Key Stolen Assets

As a result, the following funds were drained from ByBit’s wallet:

  • 401,346 ETH (~$1.08 billion)
  • 90,375 stETH (~$242 million)
  • 8,000 mETH (~$22.5 million)
  • 15,000 cmETH (~$42 million)

Fund Movement and Laundering Attempts

Once the hacker consolidated the stolen funds into 0x4766…e2, they quickly began obfuscating fund movements through a multi-step laundering process.

The first step involved converting stETH and mETH into ETH, which was done at 0xa4b2…449e. This conversion increased liquidity and allowed the attacker to distribute funds more efficiently. However, an attempt to exchange cmETH at 0x1542…4443 was left incomplete, possibly due to liquidity constraints or security countermeasures.

With the majority of the stolen assets now in ETH, the hacker initiated a systematic dispersal operation. ETH was distributed in 10,000 ETH increments across multiple addresses, making tracking and recovery efforts more challenging.

One of the key laundering hubs was 0xdd90…f92, which received 98,048 ETH before further distributing 90,000 ETH across multiple wallets. That suggested an intentional multi-layered laundering approach, possibly involving bridges, decentralized exchanges, and mixers to further obscure the origin of the funds.

The attackers’ subsequent actions reinforced this hypothesis. They began strategically layering the stolen funds through decentralized exchanges (DEXes), cross-chain bridges and well-known mixers (over 20 entities in total, and growing). At this stage they deliberately avoided centralized exchanges, likely to escape the heightened scrutiny and tracking mechanisms associated with centralized platforms. DEXes, by their nature, offer a greater degree of anonymity and control over the transaction process, making them attractive for illicit activity. Cross-chain bridges, in turn, move assets between different blockchain networks, further obscuring the trail of stolen funds. This calculated use of DEXes and cross-chain bridges highlights the attackers’ sophistication and their intent to maximize their chances of laundering and retaining the stolen assets.

Complete transaction flow from addresses related to the Bybit Hack (on the left) to the identified destinations (on the right) on the Ethereum blockchain.

The use of multiple hops, smart contract interactions, and fragmented transfers suggests a well-planned laundering strategy. If the pattern follows previous high-profile exchange hacks, the next stages will likely involve further cross-chain transfers, liquidity pool interactions, and eventual fiat off-ramping.

The suspects: North Korea / The Lazarus Group

While the investigation is still developing, the findings so far point to North Korea’s Lazarus Group as the party behind this event.

On 26 February 2025 the Federal Bureau of Investigation (FBI) released a PSA (Public Service Announcement) stating that North Korea was responsible for stealing approximately $1.5 billion in virtual assets from a cryptocurrency exchange, including a list of linked addresses. The FBI urged private sector entities—such as exchanges, node operators, and DeFi services—to block any transactions tied to them.

Source: https://www.ic3.gov/PSA/2025/PSA250226 

Lukka Investigations Team Monitoring On-Chain Movements

Given the scale and complexity of this breach, Lukka’s Investigations team is actively tracking the movement of stolen funds in real time. Using automated tracing methodologies, forensic tools, and advanced de-mixing techniques, the team is mapping out fund flows across multiple wallets to detect further laundering attempts.

Key tracking efforts include:

  • Live monitoring of wallet activities to identify potential liquidation points.
  • Transaction pattern analysis to detect links to known threat actors.
  • Cross-chain tracking to assess movement through bridges and mixing services.

With large sums already dispersed across multiple chains, collaboration with exchanges, custodians, and compliance teams will be critical in freezing illicit funds before they are fully laundered.
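As an added example (not code from the original post or from Lukka), here is a Python heuristic for the dispersal pattern described in the fund-movement section and for the "transaction pattern analysis" item in the tracking list: it flags a wallet that is funded and then promptly fans out round, equal-sized chunks (10,000 ETH by default) to many distinct addresses. All addresses, block numbers and transfers are constructed sample data mirroring the figures quoted above.

```python
"""Heuristic for a fan-out dispersal hub: large inflow, then many round-sized outflows (added example)."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    block: int
    sender: str
    receiver: str
    eth: float  # value in ETH; a production tracer would use integer wei

def is_chunk_multiple(amount: float, chunk: float) -> bool:
    """True when amount is a positive whole multiple of chunk (10,000, 20,000, ...)."""
    if amount < chunk:
        return False
    ratio = amount / chunk
    return abs(ratio - round(ratio)) < 1e-9

def find_fanout_hubs(transfers, chunk=10_000.0, min_receivers=3, window_blocks=2_000, min_round_share=0.8):
    """Return {hub: [round-sized outgoing transfers]} for addresses whose outflow within
    window_blocks of their first inflow is mostly chunk-sized payments to >= min_receivers addresses."""
    first_inflow = {}
    outgoing = defaultdict(list)
    for t in sorted(transfers, key=lambda t: t.block):
        first_inflow.setdefault(t.receiver, t.block)
        outgoing[t.sender].append(t)
    hubs = {}
    for addr, sent in outgoing.items():
        if addr not in first_inflow:  # never funded within this dataset, so not a pass-through hub
            continue
        recent = [t for t in sent if 0 <= t.block - first_inflow[addr] <= window_blocks]
        round_sized = [t for t in recent if is_chunk_multiple(t.eth, chunk)]
        receivers = {t.receiver for t in round_sized}
        if recent and len(receivers) >= min_receivers and len(round_sized) / len(recent) >= min_round_share:
            hubs[addr] = round_sized
    return hubs

# Constructed sample: 98,048 ETH into a hub, then 9 x 10,000 ETH out, plus a small gas top-up.
SAMPLE_TRANSFERS = [Transfer(100, "0xconsolidation", "0xhub", 98_048.0)]
SAMPLE_TRANSFERS += [Transfer(110 + i, "0xhub", f"0xlayer{i}", 10_000.0) for i in range(9)]
SAMPLE_TRANSFERS += [Transfer(120, "0xhub", "0xgasrefill", 3.2)]
# Benign account: funded once, then makes ordinary non-round payments (should not be flagged).
SAMPLE_TRANSFERS += [Transfer(100, "0xpayroll", "0xemployee", 12_345.0),
                     Transfer(105, "0xemployee", "0xshop", 1.75),
                     Transfer(106, "0xemployee", "0xrent", 420.0)]

if __name__ == "__main__":
    for hub, outs in find_fanout_hubs(SAMPLE_TRANSFERS).items():
        print(f"{hub}: {len(outs)} round-sized transfers totalling {sum(t.eth for t in outs):,.0f} ETH")
```

The thresholds are deliberately parameters: tuning chunk size, window and share against a chain's normal exchange and payroll traffic is what keeps this from flooding analysts with false positives.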

Implications for the Industry

This attack highlights critical vulnerabilities in smart contract security and the importance of continuous blockchain monitoring. The ability to replace smart contract implementations poses a serious risk to custodial wallets, underscoring the need for strict security controls and real-time monitoring.

With billions in digital assets at stake, exchanges, custodians, and financial institutions must implement institutional-grade blockchain analytics to mitigate risks and detect threats before funds are moved beyond traceability.

The Lukka Investigations team will continue real-time surveillance of these assets, working with industry stakeholders to trace and recover stolen funds where possible.

Lukka Blockchain Analytics

Uncover hidden threats and ensure compliance with Lukka Blockchain Analytics—your all-in-one solution for blockchain analytics and transaction monitoring. Detect suspicious activity, perform real-time AML screening, and conduct forensic investigations with precision.

Explore Lukka Blockchain Analytics today and strengthen your crypto security.


Legal Disclaimer
This content is provided for informational purposes only and in no event shall be construed as the rendering of professional advice or services. As such, the information provided in this content should not be used as a substitute for consultation with professional advisors. By reading this content, you expressly agree that any opinions, valuations, quotes, statistical, quantitative and other information contained in this content is, and will be construed solely as, statements of opinion and not statements of fact. No representations or warranties, express or implied are given in, or in respect of, this content. All information in this content is provided “AS IS,” with no guarantee of completeness, accuracy, and timeliness or of the results obtained from the use of this information. To the fullest extent permitted by law, in no circumstances will Lukka, any of its related entities, or the owners, agents, officers, directors or employees thereof be responsible or liable to you or anyone else for any decision made or action taken in reliance on the information contained in this content.
