Bybit Incident Investigation Preliminary Report
2025-02-27 • Verichains
Verichains' preliminary Bybit report says the February 21, 2025 breach drained more than $1.4 billion from Bybit's Ether multisignature cold wallet, including 401,347 ETH plus stETH, mETH, and cmETH. The attacker first deployed malicious contracts, then used a multisig transaction involving three signers to upgrade Bybit's Safe.Global cold-wallet contract to a malicious implementation with sweepETH and sweepERC20 backdoor functions. The report ties the signing window to cached Safe.Global JavaScript files, Wayback snapshots containing malicious code, and later file updates roughly two minutes after the theft. It is useful for tracking the incident mechanics, but the provided source excerpt does not itself make a DPRK attribution.