Event chronology

On 2025-02-21 at 14:16:11 (UTC), the Bybit cryptocurrency exchange faced a major hacker attack. The attackers gained access to one of the platform's cold wallets and withdrew 401,346 ETH, as well as 113,375.548 synthetic ETH (including 15,000 cmETH, 90,375 stETH, 8,000 mETH) and 90 USDT. At the time of the theft, the total equivalent of the stolen funds exceeded 1.4 billion US dollars.

Bybit exchange address: 0x1Db92e2EeBC8E0c075a02BeA49a2935BcD2dFCF4
Exploiter address: 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2

Theft transactions:
0xb61413c495fdad6114a7aa863a00b2e3c28945979a10885b12b30316ea9f072c (401,346 ETH)
0xa284a1bc4c7e0379c924c73fcea1067068635507254b03ebbbd3f4e222c1fae0 (90,375 stETH)
0x847b8403e8a4816a4de1e63db321705cdb6f998fb01ab58f653b863fda988647 (15,000 cmETH)
0xbcf316f5835362b7f1586215173cc8b294f5499c60c029a3de6318bf25ca7b20 (8,000 mETH)
0x25800d105db4f21908d646a7a3db849343737c5fba0bc5701f782bf0e75217c9 (90 USDT)

Number of attacker addresses at a given time: 1

P.S. The attacker didn't even leave the 90 USDT that were at the address. As they say, 90 dollars are never too much 🙂

Bybit is one of the largest cryptocurrency exchanges, founded in 2018, operating in more than 195 countries. As of 2025, the number of users of the platform has exceeded 60 million, making it the second largest crypto exchange in the world. Bybit's average daily trading volume exceeds $36 billion, and the total amount of reserves is estimated in the range of $10.95-20 billion according to various estimates.
Bybit Hack: Inside the $1.4B Theft
Bybit uses several types of wallets, including hot and cold wallets, and its employees periodically rebalance funds between them. On 2025-02-21 they performed such a rebalancing, but as a result all funds were withdrawn from the Bybit cold wallet without authorization.

This address is a multi-signature wallet: several keys must sign before a transaction can be executed. In Bybit's case the keys were held by different people for security reasons. The wallet is managed through the Safe interface.

Gnosis Safe (now Safe) is a multisig wallet for secure storage and management of crypto assets.

To execute a transaction from this address, signatures from 3 of the 6 signatories were required. A routine transaction to transfer funds from the cold wallet was initiated, signed by all three participants in the site interface and confirmed by each of them on their own device.

However, a different transaction was sent to the network, not the one shown in the safe.global site interface. This unauthorized transaction gave the attackers control over the cold wallet.

There was probably a visual substitution of the transaction data in the web interface at the moment of signing: the signers approved what they saw, while the data actually signed was different.
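As an added example, not code from the article or from Safe, the following Python recomputes the EIP-712 safeTxHash of the transaction a signer intends to approve and compares it with the hash displayed on the hardware device: a front-end substitution of the kind described above produces a different hash, which is what a signer can verify before confirming. The Safe type strings are the public ones from the Safe contracts; the chain id, hot-wallet address, nonce and calldata in the scenario are constructed values.

```python
"""Independently recompute a Safe transaction hash before approving it on a device.

Added example (not from the article or the Safe project). Keccak-256 is implemented in
pure Python so the script runs with no third-party packages.
"""

MASK64 = (1 << 64) - 1
# Keccak-f[1600] round constants and rotation offsets (standard values).
RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]


def _rol(v, n):
    n %= 64
    return ((v << n) | (v >> (64 - n))) & MASK64 if n else v


def _keccak_f(a):
    for rnd in range(24):
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]   # theta
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        b = [[0] * 5 for _ in range(5)]
        for x in range(5):                                                          # rho + pi
            for y in range(5):
                b[y][(2 * x + 3 * y) % 5] = _rol(a[x][y], ROT[x][y])
        a = [[b[x][y] ^ (~b[(x + 1) % 5][y] & b[(x + 2) % 5][y])                   # chi
              for y in range(5)] for x in range(5)]
        a[0][0] ^= RC[rnd]                                                          # iota
    return a


def keccak256(data: bytes) -> bytes:
    """Original Keccak-256 as used by Ethereum (0x01 padding, not SHA3-256)."""
    rate = 136
    q = rate - len(data) % rate
    padded = data + (b"\x81" if q == 1 else b"\x01" + b"\x00" * (q - 2) + b"\x80")
    a = [[0] * 5 for _ in range(5)]
    for off in range(0, len(padded), rate):
        for i in range(rate // 8):
            a[i % 5][i // 5] ^= int.from_bytes(padded[off + 8 * i:off + 8 * i + 8], "little")
        a = _keccak_f(a)
    return b"".join(a[i % 5][i // 5].to_bytes(8, "little") for i in range(4))


# EIP-712 type strings used by the Safe contracts (v1.3.0 layout with chainId).
SAFE_TX_TYPEHASH = keccak256(
    b"SafeTx(address to,uint256 value,bytes data,uint8 operation,uint256 safeTxGas,"
    b"uint256 baseGas,uint256 gasPrice,address gasToken,address refundReceiver,uint256 nonce)")
DOMAIN_TYPEHASH = keccak256(b"EIP712Domain(uint256 chainId,address verifyingContract)")
ZERO = "0x0000000000000000000000000000000000000000"


def _word(v) -> bytes:
    """ABI-encode an int or a hex address as one 32-byte word."""
    return (int(v, 16) if isinstance(v, str) else int(v)).to_bytes(32, "big")


def safe_tx_hash(chain_id, safe, to, value, data, operation, nonce,
                 safe_tx_gas=0, base_gas=0, gas_price=0, gas_token=ZERO, refund_receiver=ZERO):
    """Recompute what the Safe contract hashes (and what the signing device displays)."""
    domain = keccak256(DOMAIN_TYPEHASH + _word(chain_id) + _word(safe))
    struct = keccak256(SAFE_TX_TYPEHASH + _word(to) + _word(value) + keccak256(data)
                       + _word(operation) + _word(safe_tx_gas) + _word(base_gas)
                       + _word(gas_price) + _word(gas_token) + _word(refund_receiver)
                       + _word(nonce))
    return keccak256(b"\x19\x01" + domain + struct)


def matches_device_display(expected: bytes, displayed_hex: str) -> bool:
    """Compare the locally computed hash with the one shown on the signing device."""
    return expected.hex() == displayed_hex.lower().removeprefix("0x")


def self_check() -> bool:
    """Sanity check of the local Keccak against the typehash constants in the Safe source."""
    return (SAFE_TX_TYPEHASH.hex() == "bb8310d486368db6bd6f849402fdd73ad53d316b5a4b2644ad6efe0f941286d8"
            and DOMAIN_TYPEHASH.hex() == "47e79534a245952e8b16893a336b85a3d9ea9fa8c573f3d803afb92a79469218")


# Constructed scenario: the Safe is the cold wallet from the article; destination, nonce
# and calldata are made up for illustration.
SAFE = "0x1Db92e2EeBC8E0c075a02BeA49a2935BcD2dFCF4"
HOT_WALLET = "0x00000000000000000000000000000000000000AA"   # hypothetical destination
INTENDED = dict(chain_id=1, safe=SAFE, to=HOT_WALLET, value=10**18, data=b"", operation=0, nonce=1)
# A swapped transaction the front end might submit instead: other recipient and calldata.
SUBSTITUTED = dict(INTENDED, to="0x00000000000000000000000000000000000000BB", data=b"\xde\xad\xbe\xef")


def demo() -> bool:
    """True when the hash comparison catches the substituted transaction."""
    expected = safe_tx_hash(**INTENDED)                    # computed offline from the intent
    shown_on_device = safe_tx_hash(**SUBSTITUTED).hex()    # what the device would display
    return not matches_device_display(expected, shown_on_device)


if __name__ == "__main__":
    print("keccak self-check:", self_check())
    print("intended safeTxHash:", safe_tx_hash(**INTENDED).hex())
    print("substitution detected:", demo())
```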
How did the hack happen?
2025-02-21 at 15:20 ZachXBT publishes information on his Telegram channel about suspicious outgoing transactions worth over $1.46 billion from addresses belonging to Bybit.

Number of attacker addresses at a given time: 4
Detection of a suspicious event by blockchain researcher Zach
2025-02-21 15:44 (UTC) In his post on Platform X, Bybit CEO Ben Zhou reports an unauthorized transfer of funds. Calls on analytics teams to help track the funds.

Number of attacker addresses at a given time: 4
Bybit CEO Ben Zhou’s reaction
2025-02-21 14:43 (UTC) the attacker starts withdrawing USDT, mETH, stETH and cmETH tokens to a separate blockchain address and then exchanges them for ETH. For the exchange he uses the DEXs Uniswap, ParaSwap and Dodo.

Number of attacker addresses at a given time: 4

API to get blacklist: https://btrace.amlcrypto.io/api/v2/bybit_blacklist

Summary of services:
- ParaSwap is a liquidity aggregator that searches for the best token swap rates by routing orders between different DEXs.
- Uniswap is the largest decentralized exchange (DEX) that uses an automated market maker (AMM) to swap tokens without intermediaries.
- Dodo is a DEX powered by a Proactive Market Maker (PMM) mechanism, which provides lower slippage and optimized pricing compared to classic AMMs.
Swaps of stolen synthetic tokens and USDT via DEX
2025-02-21 15:48 the attacker starts to scatter the funds across multiple addresses.

Number of attacker addresses at a given time: 44

API to get blacklist: https://btrace.amlcrypto.io/api/v2/bybit_blacklist
Initial distribution of stolen funds
2025-02-21 at 17:15 A post with a live broadcast was published on the official Bybit X page, in which Bybit CEO Ben Zhou comments on the situation.

Introduction and Overview:
Ben Zhou started the live stream by explaining the current situation and thanking the viewers for tuning in. He mentioned that ByBit is going through a very challenging time after the hack of their Ethereum wallet. The incident occurred about two hours ago. Ben stated that the live stream would provide updates and answer questions from the community.

How the Incident Happened:
- ByBit uses a cold and hot wallet system for managing funds. When the balance in the hot wallet reaches a certain threshold, funds are transferred from the cold wallet to the hot wallet.
- During a routine transfer from the cold wallet to the hot wallet, the transaction was carried out using a multisig (multi-signature) system through the Safe service. This system requires multiple signers to approve the transaction.
- At the time of signing, Ben, being the last signer, verified the URL and destination address using the official Safe website. He also used a Ledger device to sign the transaction.
- About 30 minutes after signing, Ben received an emergency call that the wallet had been drained — the funds were stolen.

Details of the Hack:
- Hackers managed to manipulate the signing interface, possibly by compromising the computers of all the signers or exploiting a vulnerability in the Safe service. While Ben was confident they were using the correct URL and destination address, it’s possible that the hackers altered the transaction data at the smart contract level.
- Ben emphasized that Ethereum uses smart contracts, which can be more vulnerable to manipulation, and this vulnerability was likely exploited in the hack of ByBit’s Ethereum wallet.

Size of the Damage:
- Around 401,000 ETH was stolen. This affected only the Ethereum wallet, and no other assets or wallets were compromised.
- According to Ben, other wallets holding assets like Bitcoin or USDT were not affected by this incident.
- Despite the loss, the company is actively working to mitigate the consequences and recover the stolen funds.

Current Situation with Withdrawals:
- ByBit continues to process withdrawal requests, but the number of requests has increased significantly over the past few hours, causing delays.
- At the moment, withdrawals remain open, but some large requests require additional verification from the security team.
- Importantly, despite the high load, the company is still paying out funds and overall 70% of withdrawal requests have already been processed.

Answers to Client Questions:
- Ben guaranteed that customer funds are safe, as ByBit adheres to a 1:1 principle on reserves.
- Ben noted that despite the theft of funds from the Ethereum wallet, the company has enough reserves to cover losses from its coffers if needed.
- Question about possible compensation for the stolen funds: ByBit plans to reach out to partners and use its reserve fund to cover losses if the funds cannot be recovered.

Investigation and Security Measures:
- ByBit is working with the security team and law enforcement to recover the stolen funds and find out the details of the hack.
- An investigation is currently underway and the team is working with external specialists to trace the stolen funds and possibly recover them through centralised exchanges or other channels.
- Ben said ByBit's security team is scrutinising all other wallets to make sure there are no other vulnerabilities. So far, only the Ethereum wallet has been compromised.

Recovery Efforts and Security Enhancements:
- To address the liquidity issue with Ethereum, ByBit is securing a bridge loan from partners to cover the deficit and ensure the continuation of withdrawals.
- Ben clarified that ByBit is not buying Ethereum on the market but is relying on bridge loans to resolve the liquidity crunch.
- Additionally, ByBit is working with the Safe team to understand what happened and identify any weaknesses in their security protocols.

Follow-up on Client Questions:
- Ben responded to concerns about whether ByBit would be able to recover the stolen Ethereum. He confirmed that the company is actively working with partners and authorities to track and recover the stolen funds. However, the amount is large, and the recovery may take time.
- Withdrawals for tokens other than Ethereum are unaffected, and all other services are functioning as usual.

Conclusion:
- Despite the hack, Ben Zhou reassured the community that ByBit will continue operating, and clients’ funds will be protected. He thanked partners and clients for their support and assured everyone that ByBit is committed to transparency and restoring trust.
- The company is investigating the incident, and more updates will be provided as the situation unfolds.
- ByBit plans to conduct a thorough review of its security procedures and implement necessary improvements to prevent such incidents in the future.

Number of attacker addresses at the moment: 44

API to get blacklist: https://btrace.amlcrypto.io/api/v2/bybit_blacklist
Ben Zhou Live Stream
2025-02-21 19:09 Arkham stated that ZachXBT provided it with the evidence he had collected showing that Lazarus Group is behind the incident. The data has been forwarded to Bybit.

Number of attacker addresses at the moment: 44

API for getting the blacklist: https://btrace.amlcrypto.io/api/v2/bybit_blacklist
Lazarus Group is behind Bybit Hack incident, according to ZachXBT
2025-02-21 23:59 UTC Summing up the first day, AMLcrypto.io published an analysis of the movement of the stolen assets through transit addresses and of the swaps made via Uniswap, ParaSwap and Dodo.

🟣 - Bybit exchange address hacked [13], decentralized exchange addresses [23-26]
⚫️ - Exploiter addresses

Number of attacker addresses at the time: 44

API for getting blacklist: https://btrace.amlcrypto.io/api/v2/bybit_blacklist
Results of blockchain transaction analysis from AMLcrypto team
2025-02-22 at 06:22:31 on the Bitcointalk forum, a Bybit employee publishes a screenshot of the correspondence with a Bybit representative regarding this incident. The screenshot shows a letter from Bybit asking eXch to assist in this incident, since part of the funds had been transferred to the eXch crypto exchanger.

In response to Bybit's message, eXch points to a problem it had previously encountered, when funds of its users were blocked on the eXch exchange, and asks why Bybit believes that eXch will help.

eXch is an automatic cryptocurrency exchanger that lets users exchange various cryptocurrencies without registration. The platform supports fast exchanges and provides an API for integration.

Number of attacker addresses at the time: 44

API for getting blacklist: https://btrace.amlcrypto.io/api/v2/bybit_blacklist
Details of Exch's refusal to help Bybit
2022-02-22 07:04:11 (UTC) the attacker transferred funds to deposit addresses of the ChainFlip service. According to the service explorer data, the funds were sent to the address bc1qlu4a33zjspefa3tnq566xszcr0fvwz05ewhqfq on the Bitcoin network.

Chainflip is a decentralized cross-chain protocol that allows users to exchange native crypto assets between different blockchains (e.g. Bitcoin, Ethereum, Solana) without wrapped tokens and centralized intermediaries.

Data source in screenshot 1: https://scan.chainflip.io/swaps

The designations on the transaction graph are:
🟣 - Bybit exchange address subjected to hacking [1], Chainflip addresses [7-10]
⚫️ - Ethereum network exploiter addresses [2-6], Bitcoin network exploiter addresses [11-15].

Number of attacker addresses at the time: 58

API for getting blacklist: https://btrace.amlcrypto.io/api/v2/bybit_blacklist
Withdrawal of part of funds via ChainFlip
2025-02-22 15:10 UTC Arkham reported that it has found a link between the blockchain addresses used in the Bybit and Phemex hacks, which may indicate that the same attacker was involved in both incidents.

This confirms the involvement of Lazarus Group, as this hacker group has previously used similar attack methods and money laundering schemes to those seen in the ByBit and Phemex hacks.

Number of attacker addresses at the time: 557

API for getting blacklist: https://btrace.amlcrypto.io/api/v2/bybit_blacklist
Arkham Confirms Lazarus Group Tie-in
2025-02-22 at 15:22 mETH Protocol reports the successful locking and return of 15,000 cmETH, as announced in a post on Platform X.

mETH Protocol is a liquid Ethereum staking platform created by the Mantle community. Users can stake ETH and receive $mETH in return, which generates income and can be used in DeFi applications. If necessary, it can be exchanged back for ETH, taking into account the accumulated rewards.

Number of attacker addresses at a given time: 573

API to get blacklist: https://btrace.amlcrypto.io/api/v2/bybit_blacklist
Blocking and returning stolen 15,000 cmETH thanks to mETH Protocol
2025-02-22 at 16:43 SlowMist published an article in which it claimed to have found evidence of possible involvement of Lazarus Group in the Bybit hack. SlowMist found identical addresses and other evidence pointing to similar attack patterns.

In September 2024, Singapore-based cryptocurrency exchange BingX was hacked, resulting in over $43 million being stolen from hot wallets. The stolen assets included Ethereum (ETH), Binance Coin (BNB), and Tether (USDT).

In January 2025, Singapore-based cryptocurrency exchange Phemex was hacked, resulting in approximately $85 million being stolen from hot wallets.

Some security experts have suggested that the North Korean-linked hacking group Lazarus may be behind both attacks, based on the tactics used.

Number of attacker addresses at a given time: 751

API to get blacklist: https://btrace.amlcrypto.io/api/v2/bybit_blacklist
SlowMist Confirms Link to Lazarus Group
Cryptocurrency exchange Bybit has launched a recovery bounty program for the recovery of stolen funds following a recent hack. The initiative offers rewards of up to 10% of the recovered amount to cybersecurity specialists and blockchain analysts who help track down and recover the stolen assets. In the event of a full recovery of funds, the total reward amount could reach $140 million. Bybit emphasizes that this move is aimed at enhancing security and protecting users of the platform.

Number of attacker addresses at the time: 607

API for getting the blacklist: https://btrace.amlcrypto.io/api/v2/bybit_blacklist
Bybit Offers Rewards Up to $140 Million for Help in Recovering Stolen Funds
ChangeNOW is a non-custodial, instant cryptocurrency exchange service that supports over 850 digital assets and operates without registration. The platform allows users to exchange cryptocurrency without limits and storage, providing fast and anonymous transactions.

THORChain is a decentralized liquidity protocol that allows users to exchange crypto assets between different blockchains without the need for centralized exchanges or wrapped tokens.

Number of attacker addresses at the time: 884

API for getting the blacklist: https://btrace.amlcrypto.io/api/v2/bybit_blacklist
AMLcrypto.io published an investigation summary with 884 attacker blockchain addresses. Interactions with ChangeNow, ThorChain were identified.
2025-02-23 at 4:32 UTC In the post, Ben Zhou called on eXch to provide assistance, since this is not about the relationship between the two companies, but a common confrontation with the attackers. He also emphasized that Interpol and other international regulatory bodies are handling the case.

Number of attacker addresses at the time: 995

API for getting the blacklist: https://btrace.amlcrypto.io/api/v2/bybit_blacklist
Bybit CEO Ben Zhou responded to the published correspondence between Bybit and eXch
Tether. Tether Limited is the issuer of the USDT stablecoin, pegged to the US dollar. Founded in 2014, Tether provides users with the ability to transact in digital assets while minimizing the volatility associated with other cryptocurrencies.

FixedFloat is a non-custodial automated service for instant cryptocurrency exchange, launched in 2018. The platform supports over 60 digital assets, including Bitcoin, Ethereum, Tether, and Monero, and allows users to exchange them without registration and KYC procedures.

Avax. Avalanche is a smart contract platform for decentralized applications and its native token AVAX. Launched in September 2020 by Ava Labs, a Cornell alumni company, Avalanche enables the creation of feature-rich blockchains and dApps while ensuring high scalability and cross-chain compatibility.

Coinex. CoinEx is an international cryptocurrency exchange founded in 2017, providing users in over 200 countries with convenient access to digital asset trading.

Bitget. Bitget is a centralized cryptocurrency exchange founded in 2018 and registered in the Seychelles.

Circle. Circle Internet Financial Limited is a financial technology company founded in October 2013 by Jeremy Allaire and Sean Neville. The company operates the USDC stablecoin, whose value is pegged to the US dollar. Circle is headquartered in Boston, Massachusetts.

Number of attacker addresses at the time: 1,450

API for getting the blacklist: https://btrace.amlcrypto.io/api/v2/bybit_blacklist
2025-02-23 at 15:41 Bybit reported successfully freezing $42.89 million in a day.
Number of attacker addresses at the time: 2,291

API for getting the blacklist: https://btrace.amlcrypto.io/api/v2/bybit_blacklist
2025-02-24 13:00 UTC. Elliptic published an article claiming that the attackers have already laundered 14.5% of the stolen assets, which currently amounts to $195 million. Elliptic suggests that they may have used mixers to do this. The report also notes that eXch has refused to cooperate with the investigation.
2025-02-25 2:07 Ben Zhou announced that in the next few days something will be introduced that will allow the entire industry to fight hackers and solve the problem of recovering stolen funds.

Number of attacker addresses at the time: 4,153

API for getting the blacklist: https://btrace.amlcrypto.io/api/v2/bybit_blacklist
Ben Zhou: Let's introduce something to protect against hackers and solve the problem of recovering stolen assets
Chainalysis analyzes the attack methods in a blog post, pointing out similarities to tactics previously used by hackers linked to North Korea. The article highlights the importance of transparency and cooperation in the crypto industry to track and recover stolen funds, as well as to strengthen collective security against such threats.

Number of attacker addresses at the time: 4,181

API for getting the blacklist: https://btrace.amlcrypto.io/api/v2/bybit_blacklist
Chainalysis and Bybit Collaboration
Lazarus Group is one of the most notorious and dangerous hacker groups in the world, believed to be linked to the North Korean government (DPRK). The group specializes in cyber espionage, cyberattacks on financial institutions, and the development of malicious software.

Group Objectives:
- Funding the DPRK regime through cybercrime.
- Sabotaging and disrupting enemy infrastructure.
- Conducting industrial and military espionage operations.

Key Attacks:
- Sony Pictures Attack (2014)
Lazarus Group is attributed with the cyberattack on Sony Pictures Entertainment in response to the release of The Interview, a film satirizing the assassination of North Korean leader Kim Jong-un.
- WannaCry Campaign (2017)
The spread of the WannaCry ransomware worm, which infected over 200,000 computers across 150 countries.
- Bank Heists via SWIFT (2016 – Present)
In 2016, hackers targeted the Central Bank of Bangladesh, attempting to steal $1 billion through the SWIFT system but managed to withdraw "only" $81 million.
- Cryptocurrency Theft (2018 – Present)
One of the most high-profile attacks was the 2022 hack of the Ronin Network bridge, resulting in the theft of $600 million.

Attack Methods:
- Phishing and Social Engineering (e.g., attacks through fake job offers targeting IT specialists).
- Use of Malicious Software (e.g., Remote Access Trojans – RATs).
- Exploitation of Software Vulnerabilities.

Record-Breaking Thefts and Increased Activity in 2024–2025
Hackers affiliated with North Korea stole approximately $660.5 million across 20 incidents in 2023. In 2024, this amount surged to $1.34 billion across 47 incidents—a 102.88% increase compared to the previous year. The Bybit hack alone resulted in a stolen sum that exceeded the total amount stolen by North Korea throughout 2024 by nearly $160 million.

Number of attacker addresses at the time: 4,876 (2025-02-25 12:35)

API for getting the blacklist: https://btrace.amlcrypto.io/api/v2/bybit_blacklist
Lazarus Group: North Korean Hacker Group
*on the graph of connections:
⚫️ - addresses that ZachXBT marked as Bybit Exploiter
Linking addresses are marked in red

2025-02-25 13:30 UTC The AML crypto team is conducting its own investigation and is also closely monitoring the publications of other blockchain specialists on the topic of Bybit Exploit. This is important, as it allows for collective cross-checking of the conclusions made.

ZachXBT on the Chainabuse portal publishes data on addresses associated with Bybit Exploit. AML crypto has drawn attention to a number of marked addresses:

While the AMLcrypto team wonders how ZachXBT arrived at these addresses, if there is reason to believe they were involved in the incident, then the following addresses should also be marked:
Data Verification “The Key to Success”
Transaction hash: 0x0a1c34806d862ad82936a38ce24c406120e236cf036e06e2e72a835e348aa233

Bybit exploiter address: 0x81eFb9709D403493DCdCA0f1e27aD4D82A4168a5

Gate IO deposit address: 0x60b30037aD28b63BBbC29155c4eC876E472EeC86

API for getting the blacklist: https://btrace.amlcrypto.io/api/v2/bybit_blacklist
2025-02-25 3:22:11 a portion of the stolen funds in the amount of 1.1242264 ETH was deposited to the Gate IO exchange deposit address.
*Legend on the transaction graph:
[1] - Bybit exploiter addresses cluster
[2,3,4,5,6,7,8,9] - Bybit exploiter addresses
[10,11,12,13,14,15,16] - HitBTC deposit addresses


API for getting the blacklist: https://btrace.amlcrypto.io/api/v2/bybit_blacklist
2025-02-25 from 5:14:11 to 5:51:59, part of the funds stolen during the Bybit exploit in the total amount of 17.84984 ETH was transferred in seven transactions to the deposit address of the HitBTC exchange.
Ben Zhou announced the launch of lazarusbounty.com, a website that provides full transparency into Lazarus money laundering. The platform allows you to connect your wallet, help track funds, and receive an instant reward if your data leads to the freezing of funds. The entire chain of participants, including exchanges and mixers, receives a share of the reward. The site also provides a rating of honest and dishonest participants, which motivates companies to avoid being blacklisted.

More features are planned for the future, such as real-time wallet balance updates, tools for regulators, and expanded support for other Lazarus victims.

Number of attacker addresses at the time: 6,469

API for getting the blacklist: https://btrace.amlcrypto.io/api/v2/bybit_blacklist
Ben Zhou declares hunting season on Lazarus Hacker group
AML Crypto team has identified the flow of ETH from address 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2 through the Solana and Binance Smart Chain networks into Bitcoin. The conversion was carried out using the Debridge and Bridgers bridges.

Number of attacker addresses at the time: 6,527

API for getting the blacklist: https://btrace.amlcrypto.io/api/v2/bybit_blacklist
Elliptic launches a free data feed of illicit addresses linked to the Bybit exploit

Number of attacker addresses at the time: 6,527

API for getting the blacklist: https://btrace.amlcrypto.io/api/v2/bybit_blacklist
Bybit Hack Details via Elliptic API
AML Crypto conducted an express analysis of the data from the API presented the day before by Elliptic and identified a number of addresses that should be re-checked for involvement in the incident.

According to AML Crypto, a number of addresses belong to users, as well as various services.

AML Crypto also shared its API with data on Bybit Exploit for joint data verification and markup refinement.

Number of attacker addresses at the time: 6,527

API for getting blacklist: https://btrace.amlcrypto.io/api/v2/bybit_blacklist
AML Crypto Calls on Elliptic to Collaborate on Bybit Exploit Data Sharing