Bybit Becomes the Largest Cryptocurrency Heist in History
In early 2025, the globally renowned exchange Bybit suffered a hacking attack, resulting in the loss of over $1.3 billion in cryptocurrency, making it the largest cryptocurrency heist in history.
The hackers exploited vulnerabilities in the exchange’s system to steal a large amount of user assets and attempted to conceal the flow of funds through complex money laundering techniques, evading detection.
On February 21, 2025, Bybit announced that its platform had been hacked, leading to the theft of a significant amount of user assets. The hackers took control of the computer of a developer associated with Bybit’s internal Safe wallet, implanted malicious code, and manipulated the exchange into signing fraudulent transactions that transferred funds to addresses controlled by the hackers. The stolen funds were then laundered across multiple wallets.
Chainvestigate’s CEO Chen Tsai-lu recalled that after the Bybit incident, their team quickly identified the hacker’s address and traced the funds to several non-custodial addresses, as well as a portion of stETH that was exchanged for Ethereum through DeFi before being redirected.
Editor’s Note: The above analysis was provided by Chen Tsai-lu during an interview on February 26 regarding the status of the case at that time.
Interestingly, during the tracking process, they discovered many transactions unrelated to the hacker’s address. Among the numerous transfers related to the wallets, several ordinary users also sent small amounts of money to the affected wallets just to leave comments, saying “Can you share some of that money with me?” Some even claimed to be white-hat hackers, offering assistance for a generous reward.
“The interesting thing about the blockchain network is that you can sign or leave messages. Most of the cash flow we observed was not records of the hacker transferring out, but rather a bunch of people sending money in,” said Chen Tsai-lu. “Their main purpose was to pay a Gas fee to leave a message saying: ‘Hey, can you share some of that money with me?’ and see if the exchange or the hacker could notice, as there have been similar cases in the past where they actually received money.”
Chen Tsai-lu pointed out that in previous hacking incidents, hackers typically dispersed large amounts of funds across multiple addresses to increase tracking difficulty. During subsequent tracking, they indeed observed that the hackers split Ethereum (ETH) into multiple transactions of 10,000 ETH each. Chen Tsai-lu stated, “This is usually done in preparation for entering a mixer later.”
The reason hackers break funds into smaller chunks is to utilize the mixer services more effectively, as most mixers require the funds of multiple users to be mixed together. Entering a large sum at once and then outputting it would lose the privacy of the mixing process.
However, before using the mixer, the hackers first exchanged part of the Ethereum into Bitcoin through an “Instant Swap Vendor” that did not require KYC verification, and then proceeded with further laundering.
How to Track Money Flow?
To help readers understand and grasp the situation on-chain through blockchain tools and tracking technologies, this article uses the Bybit hacking incident as an example to analyze tools and procedures that beginners can use.
Step 1: Track the Hacker’s Address
If you want to know what happened on the blockchain that day, the first and most important step is to find the “wallet address.”
On the day of the incident, February 21, the on-chain data tracking platform Arkham posted a warning on the social media platform X, stating that $1.4 billion in Ethereum (ETH) had flowed out of Bybit, and attached the wallet address 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2 in the tweet. (A string of seemingly random characters starting with 0x is typically an address.)
ALERT: $1B+ OUTFLOWS FROM BYBIT
$1.4B in ETH and stETH outflows from Bybit
The funds have begun to move to new addresses where they are being sold. So far $200M stETH has been sold.
Address: 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2
Arkham (@arkham), February 21, 2025
This is the simplest and fastest way to find a starting point, but you can of course also dig through other sources or look for suspicious transactions in on-chain tools.
Step 2: Input into Blockchain Tools
Input the found wallet address into on-chain tools like Etherscan, OKLink, Arkham, etc., to view all transaction records of that wallet address, including transaction time, amount, and the addresses of senders and receivers.
Since some time has passed since the incident, you can see that this wallet address has already been labeled “Hack,” and on Arkham it is even marked as “Bybit Hacker.”
The list in the bottom right corner of Arkham will show the inflows and outflows of all funds in the wallet. To quickly find related funds, you can click on the three horizontal lines next to “From” at the top of the table and input “Bybit” to filter the source of funds for the wallet.
Then you can see that a total of 401,346 ETH and 90,375 stETH were transferred from Bybit to the hacker’s wallet.
stETH refers to “Lido Staked Ether,” a cryptocurrency token representing Ethereum (ETH) staked on the Lido Finance platform. When users stake their ETH through Lido, they receive an equal amount of stETH as a reward.
Next, from the outflow column (or by clicking on the red line in the line chart), you can filter by token and see that the hacker divided the funds into multiple transactions of 10,000 ETH and gradually transferred them to 40 non-custodial wallets. Additionally, a total of 90,376 stETH was transferred to a single non-custodial wallet (0xa4b).
If using OKLink, you can also see that the first transaction time for this Ethereum wallet was February 21, 2025, and the wallet received the largest transaction of 401,346 ETH, with multiple records of transferring 10,000 ETH.
Step 3: Continue Tracking Upstream and Downstream
If you want to find more clues, the only option is to follow the flow upstream or downstream. Since on-chain assets ultimately have to be converted to fiat, following either direction will eventually lead you to the addresses of centralized exchanges. However, this part is usually the most complicated and troublesome.
For example, by clicking into the non-custodial wallet (0xa4b) where stETH was transferred, you can see that the hacker exchanged stETH for Ethereum through decentralized exchanges like DODO Exchange, Uniswap, ParaSwap, etc. However, the hackers then continued to disperse these Ethereum into multiple wallets, causing what was originally a large sum of stolen funds to now be scattered across nearly 50 different decentralized wallets.
If you choose to follow the flow downstream, although the end point on-chain will generally be a centralized exchange where withdrawals can occur, before that, hackers will certainly want to quickly make this illegal cash flow “complex.” Whether through mixers, cross-chain transfers, or decentralized exchanges that do not require KYC verification, the hackers will do everything possible to make the “originally stolen funds” continually morph, making it increasingly difficult to prove that “the traced funds are indeed the stolen funds.”
If you choose to trace upstream, you may also find records of deposits into centralized exchanges, but tracing back to “KYC’d individuals” becomes more challenging. And if the starting point is itself a centralized exchange, the cash flow most often originates from the victims, making it harder to find an effective entry point for the investigation.
The further this process stretches, and the more complex the transactions become, the harder it becomes to determine whether the involved wallets are unaware third parties, victims exploited by the hackers, or wallets created by the hackers themselves.
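The three steps above, as an added worked example in Python (not code from the article or from Etherscan, OKLink or Arkham): starting from a seed address, it totals inflows from a labelled source, flags the equal-sized split pattern, and follows outflows hop by hop until it reaches a labelled entity. The transfer log, the address names and the entity labels are all constructed sample data shaped like the article’s description.

```python
from collections import defaultdict, deque

# CONSTRUCTED sample transfer log shaped like the article's description:
# (from, to, token, amount). Addresses are short placeholders, not real ones.
TRANSFERS = [
    ("bybit_cold", "hacker", "ETH", 401346),
    ("bybit_cold", "hacker", "stETH", 90375),
    ("random_user", "hacker", "ETH", 0.001),   # "share some?" message transaction
    ("hacker", "0xa4b", "stETH", 90375),
    ("hacker", "split1", "ETH", 10000),
    ("hacker", "split2", "ETH", 10000),
    ("hacker", "split3", "ETH", 10000),
    ("0xa4b", "dex_pool", "stETH", 90375),     # stETH swapped for ETH on a DEX
    ("dex_pool", "0xa4b", "ETH", 90300),
    ("0xa4b", "wallet_b", "ETH", 45000),
    ("wallet_b", "cex_deposit", "ETH", 45000), # ends at a centralized exchange
]
# Entity labels as a block explorer would display them (constructed).
LABELS = {"bybit_cold": "Bybit", "dex_pool": "DEX", "cex_deposit": "CEX"}

def inflows_from(transfers, wallet, label):
    """Step 2: sum what a labelled source sent to the wallet, per token."""
    totals = defaultdict(float)
    for src, dst, token, amt in transfers:
        if dst == wallet and LABELS.get(src) == label:
            totals[token] += amt
    return dict(totals)

def uniform_splits(transfers, wallet, token):
    """Flag equal-sized outflows to distinct wallets (the 10,000 ETH pattern)."""
    by_amount = defaultdict(set)
    for src, dst, tok, amt in transfers:
        if src == wallet and tok == token:
            by_amount[amt].add(dst)
    return {amt: sorted(d) for amt, d in by_amount.items() if len(d) > 1}

def trace_downstream(transfers, seed, max_hops):
    """Step 3: follow outflows hop by hop; stop at labelled entities."""
    seen, endpoints, queue = {seed}, {}, deque([(seed, 0)])
    while queue:
        addr, hops = queue.popleft()
        if hops == max_hops:
            continue
        for src, dst, _, _ in transfers:
            if src == addr and dst not in seen:
                seen.add(dst)
                if dst in LABELS:
                    endpoints[dst] = (LABELS[dst], hops + 1)
                else:
                    queue.append((dst, hops + 1))
    return endpoints
```

Note that the filter by source label drops the unrelated “message” deposits described earlier, and the hop limit is what keeps a real trace from wandering into unrelated third-party wallets.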
Common Misconception: Money Flow Tracking is Not Omnipotent
In the world of cryptocurrency, being able to read transaction records on the blockchain and understand the basic flow of funds (i.e., “seeing the money flow”) is gradually becoming a fundamental skill, akin to understanding the income and expenditure details of bank accounts in traditional finance.
In recent years, with the booming development of the cryptocurrency market, blockchain technology and its applications have received widespread attention, and the term “money flow tracking” has gradually entered the public’s view. Many people, influenced by news reports, hold high expectations for tracking criminal funds through blockchain technology and recovering stolen assets, and even eagerly want to become “on-chain detectives” to catch the criminals.
However, when it comes to deeper analyses and tracking, such as clarifying complex financial networks, identifying the true intentions behind anonymous transactions, or even tracking the whereabouts of stolen funds in criminal investigations, “money flow tracking” rises to a completely different professional level. It is no longer just about interpreting information; it requires a high level of expertise, experience, and specific tools and techniques.
Tsai Meng-ling, CEO of Ruike Financial Technology, which has offered several practical blockchain investigation courses for Taiwan’s district prosecutors and investigators, points out that the two most common misconceptions people have about blockchain money flow tracking are: first, believing that money flow tracking is all-powerful; second, thinking that anyone can easily get started.
Misconception 1: Money Flow Tracking is Not Omnipotent
In reality, while money flow tracking can show the movement of funds, in cases involving money laundering, fraud, etc., the on-chain data is only part of law enforcement’s investigative process and serves as an auxiliary tool. It is more important to combine it with other investigative methods, such as reviewing surveillance footage, communication records, etc., to gain a comprehensive understanding of the case and confirm the suspect’s connection to the fraudulent group.
Tsai Meng-ling emphasizes that the focus of money flow tracking is not just on tracking funds but also on how to interpret the meaning behind these data, which requires knowledge of law and criminal investigation.
She admits that even if investigators can track the flow of funds, proving the identity of the owner in court remains a significant challenge. Since Taiwan is a civil law country, legal recognition of new forms of evidence such as blockchain data is relatively conservative. Even when funds are tracked through mixers, the legal connection is easily challenged. The existing legal system, including the applicability of search warrants, still struggles to fully address this kind of virtual crime and form of evidence.
Misconception 2: Anyone Can Get Started
Additionally, when money flow tracking escalates to the level of an actual case, it becomes a more complex professional field that often requires specialized paid tools, knowledge, and methodologies. It is not as simple as people imagine, where anyone can trace money flow at home to save themselves. Many are not familiar with concepts like on-chain smart contracts, leading to erroneous judgments and even incorrect tracking directions.
Chen Tsai-lu shares that there were previously individuals who sought his help, claiming they had already conducted on-chain investigations: “They confidently told me, ‘This is the wallet of that criminal group; I’m sure the money is all here.’ Guess what it actually was?” Chen Tsai-lu paused, “It turned out to be a stablecoin USDT smart contract, and the key point is they didn’t even know what that was.”
Chen Tsai-lu states, “If you want to trace on-chain cash flow yourself, you need to consider one thing: if it’s to ‘save yourself’ legally, how will you explain to the judge how the report was made when they ask?”
Tsai Meng-ling also believes that without relevant experience and background, simply following the on-chain data downstream can easily lead to incorrect tracking, resulting in tracing individuals unrelated to the case or victims who were exploited by criminal groups but were unaware.
Blockchain crime investigation is a complex systems-engineering task that requires combining on-chain and off-chain investigative methods, relying on legal, technical, and other professional knowledge. As criminal methods continuously evolve, even professionals in the field must keep learning to effectively combat crimes conducted using cryptocurrencies and protect the public’s property.