Tamás Kelemen

Bybit Breach: A Deep Dive into the $1.46 Billion Exploit

Key Takeaways

On February 21, 2025, Bybit suffered one of the largest crypto security breaches in history, losing approximately $1.46 billion due to a sophisticated smart contract attack.

What Happened?

  • Attackers tricked Bybit’s Ethereum multisig signers into unknowingly approving a malicious contract upgrade.
  • This allowed the attacker to modify Bybit’s wallet logic, granting them full control over funds.
  • The attack bears similarities to the WazirX hack, suggesting a potential common attacker.
  • All stolen assets were drained within minutes via a series of transactions.

This incident underscores the growing risks of smart contract governance manipulation—highlighting the need for advanced security layers to protect against such sophisticated threats.

Now, let’s break down the technical details.

Bybit Hack: How It Happened

Step 1: Exploiting the Multisig Approval

The attacker’s first goal was to craft a signed transaction, which required obtaining signatures from three of Bybit’s cold wallets.

How they did it:

  • The attacker crafted a fake transaction that appeared legitimate to the signers.
  • Bybit’s signing interface was manipulated—while the signers saw the correct addresses, the underlying smart contract logic was altered.
  • This deception tricked the signers into approving a transaction that granted control to the attacker.

Signers involved:

  • 0x1f4eb0a903619ac168b19a82f1a6e2e426522211
  • 0x3cc3a225769900e003e264dd4cb43e90896bc21a
  • 0xe3df2cceac61b1afa311372ecc5b40a3a6585a9e

Step 2: Upgrading the Proxy to a Malicious Implementation

Once the attacker obtained valid signatures, they used them to upgrade Bybit’s hot wallet proxy contract.

  • The signed transaction was sent to Bybit’s hot wallet, where it performed a delegate call to execute the exploit contract’s transfer function.
  • Instead of a normal transfer, the function updated the masterCopy variable—changing it to point to the attacker’s malicious contract at:
    0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516

This step reprogrammed Bybit’s proxy wallet, giving the attacker full control.

Transaction hash:
0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882

Step 3: Draining the Funds

With complete control over Bybit’s proxy wallet, the attacker executed five major transactions to drain all ETH and ERC-20 tokens.

Key transactions involved in the theft:

  • 0x25800d105db4f21908d646a7a3db849343737c5fba0bc5701f782bf0e75217c9
  • 0xb61413c495fdad6114a7aa863a00b2e3c28945979a10885b12b30316ea9f072c
  • 0xbcf316f5835362b7f1586215173cc8b294f5499c60c029a3de6318bf25ca7b20
  • 0xa284a1bc4c7e0379c924c73fcea1067068635507254b03ebbbd3f4e222c1fae0
  • 0x847b8403e8a4816a4de1e63db321705cdb6f998fb01ab58f653b863fda988647

The attacker used “sweepETH” and “sweepERC20” functions to move the stolen assets to external wallets.
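
In a multisig whose proposals carry an explicit operation field, the delegate call from Steps 1 and 2 can be caught before signing by checking the raw fields on a path independent of the signing UI. The Python check below is an added example, not code from Bybit or from the wallet software. The Proposal shape, the 0/1 operation encoding (modelled on Safe-style wallets), the allowlist and the sample calldata are assumptions; only the target address of the suspicious sample comes from this page.

```python
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1          # assumed Safe-style operation encoding
ERC20_TRANSFER = "a9059cbb"        # selector of transfer(address,uint256)
# Constructed placeholder: the only contract this wallet may delegatecall into.
DELEGATECALL_ALLOWLIST = {"0x" + "11" * 20}

@dataclass
class Proposal:                    # hypothetical shape of what signers are shown
    to: str
    value: int
    data: str                      # hex calldata, with or without 0x
    operation: int

def transfer_calldata(recipient: str, amount: int) -> str:
    """Build transfer(address,uint256) calldata (used for the samples below)."""
    addr = recipient.lower().removeprefix("0x")
    return "0x" + ERC20_TRANSFER + addr.rjust(64, "0") + f"{amount:064x}"

def review(p: Proposal) -> list[str]:
    """Return the reasons to refuse signing; an empty list means no finding."""
    findings = []
    selector = p.data.lower().removeprefix("0x")[:8]
    if p.operation not in (CALL, DELEGATECALL):
        findings.append(f"unknown operation {p.operation}")
    elif p.operation == DELEGATECALL:
        # A delegatecall runs the target's code against the wallet's own
        # storage, so it can overwrite masterCopy regardless of function name.
        if p.to.lower() not in DELEGATECALL_ALLOWLIST:
            findings.append("delegatecall to non-allowlisted contract")
        if selector == ERC20_TRANSFER:
            findings.append("transfer() selector combined with delegatecall")
    return findings

# Constructed samples; only the `to` of SUSPICIOUS is taken from the page
# (the malicious implementation address), the arguments are made up.
RECIPIENT = "0x" + "22" * 20
ROUTINE = Proposal("0x" + "33" * 20, 0, transfer_calldata(RECIPIENT, 10**18), CALL)
SUSPICIOUS = Proposal("0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516", 0,
                      transfer_calldata(RECIPIENT, 0), DELEGATECALL)

if __name__ == "__main__":
    for name, p in (("routine", ROUTINE), ("suspicious", SUSPICIOUS)):
        print(name, review(p) or "no findings")
```

The check only helps if it runs on a device and code path separate from the interface the signers normally use, since that interface is what was manipulated here.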

Addresses Involved in the Exploit

Compromised Bybit Wallets

  • Victim contract (Bybit’s proxy hot wallet)
    • 0x1db92e2eebc8e0c075a02bea49a2935bcd2dfcf4

Attacker addresses

  • Malicious implementation (Attacker’s exploit contract)
    • 0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516
  • Attacker’s wallet (Deployed exploit & triggered upgrade)
    • 0x0fa09c3a328792253f8dee7116848723b72a6d2e

Funding Addresses

  • Funding address 1 (Tested the exploit on a practice proxy before the hack):
    • 0xe8b36709dd86893bf7bb78a7f9746b826f0e8c84

  • Funding address 2 (Only used to forward funds to Funding address 1):
    • 0x3b48fa59c2bbdf8d00d70ac40b2cda576fc519e3

Bybit’s Response & Next Steps

Official statement from Bybit:
“Bybit detected unauthorized activity involving one of our ETH cold wallets. The incident occurred when our ETH multisig cold wallet executed a transfer to our warm wallet. Unfortunately, this transaction was manipulated through a sophisticated attack that masked the signing interface, displaying the correct address while altering the underlying smart contract logic.”

Source: Bybit X Official Statement

Users are advised to beware of scam URLs and phishing attempts that may arise from this incident.

Key Lessons from the Attack

  1. Multisig alone is not enough – The UI-level deception used in this attack shows that even multiple signers can be tricked.
  2. Other attacks show similar patterns – This type of contract manipulation has been seen before, reinforcing the need for cross-exchange threat intelligence sharing.
  3. Need for real-time anomaly detection – AI-powered fraud detection systems should be monitoring approval patterns for suspicious transactions.

Closing Thoughts

The Bybit exploit highlights the growing sophistication of crypto-related attacks, where technical vulnerabilities and social engineering are combined to bypass even the most secure setups. This breach reinforces that no system is immune when attackers can manipulate trust at the transaction level—whether through deceptive UI tactics, proxy upgrades, or governance manipulation.

For businesses handling digital assets—exchanges, financial institutions, and payment providers—this attack is a reminder that traditional security measures like multisig alone are not enough. Attackers are moving faster than detection models, and real-time fraud prevention is becoming a necessity, not a luxury.

This incident underscores the need for continuous monitoring, proactive risk detection, and security measures that go beyond on-chain validation. Companies must be able to identify threats before approvals happen, ensuring that attackers cannot exploit human oversight or contract logic to gain control.

The industry’s ability to prevent fraud and exploits before they happen will define the next era of digital asset security.


Tamás Kelemen

CUBE3.AI Security Researcher

