Mar 10, 2025
The cryptocurrency industry was recently rocked by one of the largest exchange breaches in history. ByBit, a major trading platform, fell victim to a staggering $1.38 billion exploit, reinforcing a crucial lesson for crypto users: not your keys, not your coins.
At Unity Wallet, we prioritize security, and our partnership with Lukka (formerly Coinfirm) powers our Know Your Transaction (KYT) risk assessment feature to help users navigate the risks of illicit activity. Lukka’s investigative team has been closely monitoring this attack, and here’s what we know so far (based on their own publicly available reporting).
How the ByBit Hack Unfolded: Step-by-Step Breakdown
The attacker(s) took advantage of pre-existing smart contract vulnerabilities, enabling them to gain unauthorized access to ByBit’s cold wallet and systematically drain its funds.
Operating from 0x0fa09C3A328792253f8dee7116848723b72a6d2e, the hacker deployed two smart contracts designed to manipulate ByBit’s wallet infrastructure.
The breach escalated when the attacker executed a transaction (0x46de…7882), injecting malicious smart contract code into ByBit’s proxy contract. This altered the contract’s storage state, effectively compromising its integrity.
As a result of this manipulation, the hacker replaced ByBit’s legitimate implementation contract (0x34Cf…3F5F) with their own fraudulent contract (0xbDd0…9516). This critical change granted the attacker full control over ByBit’s wallet, paving the way for the systematic extraction of funds.

The breach unfolded in several key steps:
Injection of Malicious Code
The attacker executed a transaction (0x46de…7882) that modified the storage of ByBit’s proxy contract, replacing the legitimate contract (0x34Cf…3F5F) with a fraudulent one (0xbDd0…9516).
Taking Control of Funds
Once in control, the hacker called two key functions:
• sweepERC20(address token, address to): Allowed unauthorized transfers of ERC-20 tokens.
• sweepETH(address receiver): Enabled the direct transfer of ETH.
Draining Assets
The breach led to the theft of:
• 401,346 ETH (~$1.08 billion)
• 90,375 stETH (~$242 million)
• 8,000 mETH (~$22.5 million)
• 15,000 cmETH (~$42 million)
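The step that made the theft possible was a silent change to the proxy's implementation address. As an added example (not code from the original post, ByBit or Lukka), the monitor below replays a constructed storage history and raises an alert the moment the implementation slot points anywhere outside the owners' approved set; the slot number, the addresses and the eth_getStorageAt stand-in are all assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Placeholder addresses (constructed; not the real ones from the incident).
LEGIT_IMPL = "0x" + "a1" * 20
ROGUE_IMPL = "0x" + "bd" * 20
PROXY = "0x" + "c0" * 20
IMPL_SLOT = "0x0"  # assumed slot holding the implementation address

# Constructed storage history: the legitimate implementation until the slot is
# overwritten at block 102 with an attacker-controlled address.
HISTORY = {100: LEGIT_IMPL, 101: LEGIT_IMPL, 102: ROGUE_IMPL, 103: ROGUE_IMPL}

def storage_reader(history: dict[int, str]):
    """Stand-in for an eth_getStorageAt call: returns the 32-byte word as hex."""
    return lambda proxy, slot, block: "0x" + history[block].removeprefix("0x").rjust(64, "0")

def word_to_address(word: str) -> str:
    """An address occupies the low 20 bytes of a 32-byte storage word."""
    return "0x" + word.lower().removeprefix("0x").rjust(64, "0")[-40:]

@dataclass
class ProxyWatch:
    proxy: str
    slot: str
    approved: set[str]            # implementations approved by the wallet's owners
    last_seen: str | None = None
    alerts: list[str] = field(default_factory=list)

def check(watch: ProxyWatch, get_storage, block: int) -> list[str]:
    """Read the implementation slot at `block`; alert when it points outside the
    approved set or differs from the previous reading. Returns this block's alerts."""
    impl = word_to_address(get_storage(watch.proxy, watch.slot, block))
    new = []
    if impl not in watch.approved:
        new.append(f"block {block}: CRITICAL implementation {impl} is not approved")
    if watch.last_seen is not None and impl != watch.last_seen:
        new.append(f"block {block}: implementation changed {watch.last_seen} -> {impl}")
    watch.last_seen = impl
    watch.alerts.extend(new)
    return new

def run(history: dict[int, str] = HISTORY) -> list[str]:
    """Replay the history block by block and return every alert raised."""
    watch = ProxyWatch(proxy=PROXY, slot=IMPL_SLOT, approved={LEGIT_IMPL})
    reader = storage_reader(history)
    for block in sorted(history):
        check(watch, reader, block)
    return watch.alerts

if __name__ == "__main__":
    print("\n".join(run()))
```

Against a live node the same check would poll the slot every block, so an unapproved implementation is caught before the first sweep call rather than after the funds are gone.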
Laundering the Stolen Funds
Following the heist, the hacker consolidated the assets into 0x4766…e2 and began an elaborate laundering process. Their strategy included:
• Swapping stolen stETH and mETH for ETH at 0xa4b2…449e to increase liquidity.
• Attempting to offload cmETH at 0x1542…4443, though this was partially unsuccessful.
• Dispersing ETH in 10,000 ETH increments across multiple addresses to obfuscate tracking.
• Using the wallet 0xdd90…f92 as a key distribution hub, sending 98,048 ETH before fragmenting the funds across additional wallets.
• Leveraging decentralized exchanges (DEXes), cross-chain bridges, and mixers to evade detection.
This methodical approach aligns with tactics seen in previous high-profile hacks, where stolen funds are funneled through multiple layers before being off-ramped into fiat.
North Korea’s Lazarus Group Suspected
Ongoing investigations suggest that North Korea’s Lazarus Group is behind the attack. On February 26, 2025, the FBI issued a Public Service Announcement confirming North Korea’s involvement in stealing approximately $1.5 billion in virtual assets. The advisory urged crypto exchanges and DeFi services to block transactions associated with the stolen funds.
For those interested in the FBI’s findings, the full announcement is available here.
Lukka’s Real-Time Investigations
Lukka’s forensic tools and blockchain analytics have been actively tracking the stolen funds. Their focus includes:
• Live monitoring of wallet movements to pinpoint liquidation attempts.
• Transaction pattern analysis to connect stolen assets to known threat actors.
• Cross-chain tracking to detect laundering activities across networks.
With over 20 known entities involved in fund layering, Lukka continues to collaborate with exchanges and regulatory bodies to freeze illicit funds before they disappear.
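The laundering pattern described above (consolidation, a hub wallet, then equal 10,000 ETH hops) is what transaction pattern analysis looks for. As an added example, not Lukka's tooling or any code from the original post, the script below forward-traces taint from a seed address over a constructed transfer list and flags hubs that fan out in equal round-number increments; the addresses and amounts are constructed placeholders.

```python
from collections import defaultdict

# Constructed (from, to, amount_eth) transfers: consolidation wallet -> hub ->
# nine equal 10,000 ETH hops plus a remainder, one hop onward to a DEX, and an
# unrelated inbound transfer from a clean wallet that must not become tainted.
SEED = "0xSEED"
TRANSFERS = [
    ("0xSEED", "0xHUB", 98_048.0),
    *[("0xHUB", f"0xOUT{i:02d}", 10_000.0) for i in range(9)],
    ("0xHUB", "0xOUT09", 8_048.0),
    ("0xOUT03", "0xDEX", 10_000.0),
    ("0xCLEAN", "0xOUT05", 50.0),
]

def trace(seed: str, transfers) -> dict[str, int]:
    """Breadth-first forward trace: every recipient of a tainted address becomes
    tainted. Returns {address: hop distance from the seed}."""
    outgoing = defaultdict(list)
    for src, dst, amt in transfers:
        outgoing[src].append((dst, amt))
    hops = {seed: 0}
    queue = [seed]
    while queue:
        cur = queue.pop(0)
        for dst, _ in outgoing[cur]:
            if dst not in hops:
                hops[dst] = hops[cur] + 1
                queue.append(dst)
    return hops

def fanout_hubs(transfers, tainted, min_outs: int = 5, round_to: int = 1_000):
    """Flag tainted addresses that split funds into at least `min_outs` transfers of
    one identical round amount (a multiple of `round_to`) to distinct recipients.
    Returns {hub: (amount, recipient_count)}."""
    by_src = defaultdict(lambda: defaultdict(set))
    for src, dst, amt in transfers:
        if src in tainted and amt % round_to == 0:
            by_src[src][amt].add(dst)
    return {src: (amt, len(dsts)) for src, amts in by_src.items()
            for amt, dsts in amts.items() if len(dsts) >= min_outs}

if __name__ == "__main__":
    tainted = trace(SEED, TRANSFERS)
    print(sorted(tainted.items(), key=lambda kv: kv[1]))
    print(fanout_hubs(TRANSFERS, set(tainted)))
```

The tainted set is what an exchange would screen deposits against, and the hub list is where freeze requests are worth directing first.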
The Takeaway: Keep Your Assets Secure
This attack underscores the dangers of storing assets on centralized exchanges (CEXs). While ByBit is actively responding to the breach, history shows that funds lost in exchange hacks are rarely recovered. The best protection? Self-custody.
At Unity Wallet, we believe security should be in your hands, not an exchange’s. Our self-custodial wallet ensures you maintain full control over your private keys and digital assets, reducing the risks associated with CEX vulnerabilities.
Lessons for Crypto Users:
✅ Use a self-custodial wallet to retain control of your funds.
✅ Stay vigilant and use KYT tools (like those powered by Lukka) to assess risk.
✅ Avoid keeping assets on exchanges for extended periods—only use them for trading.
✅ Monitor security alerts and suspicious transactions in the industry.
The ByBit hack is a harsh reminder that security isn’t optional—it’s essential. Stay informed, take control, and make self-custody your priority.