Odaily News: The Beosin security team has conducted in-depth tracking and analysis of the funds stolen in the Bybit exchange hack. The analysis found that one of the deposit addresses for the stolen funds, 0x36ed3c0213565530c35115d93a80f9c04d94e4cb, transferred 5,000 ETH to the split address 0x4571bd67d14280e40bf3910bd39fbf60834f900a at 06:28:23 UTC on February 22, 2025. The funds were then split into amounts ranging from tens to hundreds of ETH, at a frequency of once every few minutes, and transferred on to multiple addresses. Notably, after multiple transfers, some of the funds attempted to cross-chain to the BTC chain address bc1qlu4a33zjspefa3tnq566xszcr0fvwz05ewhqfq through Chainflip, indicating that the hackers attempted to further conceal the flow of funds through cross-chain operations.
In addition, at 07:44:47 UTC on February 22, 2025, the split address transferred 56.68 ETH to the blacklisted address 0x33d057af74779925c4b2e720a820387cb89f8f65. This address is marked as "Hacker: Phemex Hacker" in the Beosin tag library, and the "Phemex Exchange $85 million theft" was carried out by the well-known hacker group Lazarus Group. This key discovery further confirms our previous inference, based on the similarity between the attack mode and the WazirX incident, that the Bybit exchange hack is very likely related to the Lazarus Group.
It is worth mentioning that in the Phemex incident, some of the stolen funds were transferred to mixers such as Tornado Cash to conceal their flow. For the Bybit incident, we are fully prepared. Once the relevant funds enter the Tornado Cash mixer, Beosin will immediately start the fund penetration analysis. The special working group has been equipped with the latest version of the Tornado Cash penetration algorithm, and several professional analysts who have successfully completed fund penetration in similar cases have joined, to ensure that the flow of funds can be tracked efficiently and to provide strong support for subsequent actions. At present, the Beosin security team is cooperating with the Bybit security team to track the funds.
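The trace described above (deposit address, split address, labelled address) can be reproduced as a forward taint trace over a transfer list. The following is an added example, not Beosin's tooling: the three addresses, two timestamps, amounts and the label come from the article, while the `0xCONSTRUCTED_*` rows, the function names and the split-pattern thresholds are assumptions made for illustration.

```python
from collections import deque
from datetime import datetime, timezone
from statistics import median

def utc(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

DEPOSIT = "0x36ed3c0213565530c35115d93a80f9c04d94e4cb"  # from the article
SPLIT = "0x4571bd67d14280e40bf3910bd39fbf60834f900a"    # from the article
PHEMEX = "0x33d057af74779925c4b2e720a820387cb89f8f65"   # from the article
LABELS = {PHEMEX: "Hacker: Phemex Hacker"}
# (time, sender, receiver, ETH); 0xCONSTRUCTED_* rows are made-up sample data
TRANSFERS = [
    (utc("2025-02-22 05:00:00"), SPLIT, "0xCONSTRUCTED_OLD", 10.0),  # predates the taint
    (utc("2025-02-22 06:28:23"), DEPOSIT, SPLIT, 5000.0),            # from the article
    (utc("2025-02-22 06:33:00"), SPLIT, "0xCONSTRUCTED_A", 120.0),
    (utc("2025-02-22 06:37:00"), SPLIT, "0xCONSTRUCTED_B", 80.0),
    (utc("2025-02-22 06:41:00"), SPLIT, "0xCONSTRUCTED_C", 150.0),
    (utc("2025-02-22 07:44:47"), SPLIT, PHEMEX, 56.68),              # from the article
]

def trace(transfers, source, labels, max_hops=5):
    """Forward trace; an address only passes taint on after it received tainted funds."""
    seen = {source: (datetime.min.replace(tzinfo=timezone.utc), [source])}
    queue, hits = deque([source]), []
    while queue:
        addr = queue.popleft()
        since, path = seen[addr]
        if len(path) > max_hops:
            continue
        for when, src, dst, eth in sorted(transfers):
            if src != addr or when < since:
                continue
            if dst in labels:  # stop at a labelled address and report the path
                hits.append({"label": labels[dst], "path": path + [dst], "eth": eth, "time": when})
            elif dst not in seen:
                seen[dst] = (when, path + [dst])
                queue.append(dst)
    return hits, seen

def looks_like_split(transfers, addr, since, min_out=3, max_gap_min=10.0):
    """Heuristic (thresholds assumed): several tens-to-hundreds ETH outputs, minutes apart."""
    outs = sorted(t for t in transfers if t[1] == addr and t[0] >= since)
    if len(outs) < min_out or not all(10 <= t[3] < 1000 for t in outs):
        return False
    gaps = [(b[0] - a[0]).total_seconds() / 60 for a, b in zip(outs, outs[1:])]
    return median(gaps) <= max_gap_min

if __name__ == "__main__":
    hits, seen = trace(TRANSFERS, DEPOSIT, LABELS)
    for h in hits:
        print(h["label"], h["eth"], " -> ".join(h["path"]))
    print("split pattern:", looks_like_split(TRANSFERS, SPLIT, seen[SPLIT][0]))
```

The time filter is what keeps the 05:00 transfer out of the result: funds that left the split address before the 5,000 ETH arrived cannot be part of the stolen flow.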