The largest crypto theft in history: a trading platform lost $1.5 billion in ETH
On February 21, 2025, a well-known crypto asset trading platform suffered a major security incident in which approximately $1.5 billion in assets was stolen from its Ethereum cold wallet. The incident is considered the largest single theft in the history of crypto assets, surpassing the large-scale thefts of 2021 and 2022, and it has had a significant impact on the entire industry.
This article describes the hacking incident and the money laundering methods that followed, and warns readers that over-the-counter (OTC) trading groups and crypto asset payment companies may face a large-scale risk of account freezes in the coming months.
Theft Process
According to accounts from the trading platform's executives and a preliminary investigation by a blockchain analytics company, the theft unfolded roughly as follows:
Attack Preparation: The hacker deployed a malicious smart contract at least three days before the incident to prepare for the subsequent attack.
Infiltration of the multi-signature system: The Ethereum cold wallet of this trading platform employs a multi-signature mechanism. Hackers infiltrated the computer managing the multi-signature wallet through unknown means, possibly using a disguised interface or malware.
Camouflaged Transaction: On February 21st, the trading platform planned to transfer ETH from the cold wallet to the hot wallet. Hackers took advantage of this opportunity by disguising the trading interface as a normal operation, inducing the signers to confirm an instruction that appeared legitimate but actually altered the cold wallet's smart contract logic.
Fund transfer: After the instruction took effect, the hacker quickly took control of the cold wallet, transferring approximately $1.5 billion worth of ETH and ETH staking certificates to an unknown address. Subsequently, the funds were dispersed to multiple wallets and began the money laundering process.
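The camouflaged-transaction step succeeds when signers rely on what the interface shows them. The following is an added example, not code from the platform or from the original article: an independent check that compares the payload actually presented for signing with the planned cold-to-hot transfer. The field names, the CALL/DELEGATECALL encoding and all addresses are assumptions constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1  # assumed encoding of the wallet's call type

@dataclass(frozen=True)
class Proposal:              # what the signing device is actually asked to sign
    to: str
    value_wei: int
    data: bytes              # empty for a plain ETH transfer
    operation: int

@dataclass(frozen=True)
class Intent:                # what operations planned, agreed out of band
    hot_wallet: str
    amount_wei: int

def review(p: Proposal, intent: Intent) -> list[str]:
    """Return reasons to refuse signing; an empty list means the payload matches the plan."""
    findings = []
    if p.to.lower() != intent.hot_wallet.lower():
        findings.append("destination is not the approved hot wallet")
    if p.value_wei != intent.amount_wei:
        findings.append("amount differs from the planned transfer")
    if p.data:
        findings.append("calldata present: a contract call, not a plain transfer")
    if p.operation != CALL:
        findings.append("non-CALL operation can run foreign code against wallet storage")
    return findings

# Constructed sample values (not real addresses or real transaction data).
HOT = "0x" + "11" * 20
UNKNOWN = "0x" + "22" * 20
PLAN = Intent(hot_wallet=HOT, amount_wei=1_000 * 10**18)
ROUTINE = Proposal(HOT, 1_000 * 10**18, b"", CALL)
DISGUISED = Proposal(UNKNOWN, 0, bytes.fromhex("deadbeef") + bytes(64), DELEGATECALL)

if __name__ == "__main__":
    for name, prop in (("routine", ROUTINE), ("disguised", DISGUISED)):
        print(name, review(prop, PLAN) or "matches plan")
```

The check is only useful when it runs on a device separate from the computer that renders the signing interface, since that computer is the one the article says was infiltrated.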
Money Laundering Techniques
Money laundering generally consists of two stages:
Early capital splitting:
Fund laundering:
Blockchain analysis companies are monitoring and tracking relevant addresses to prevent users from mistakenly receiving stolen funds.
Hacker Organization Background
Analysis of the flow of funds found that this address is linked to two exchange thefts that occurred in October 2024 and January 2025, indicating that these three attacks may have been orchestrated by the same entity.
Given the highly industrialized money laundering techniques and attack methods, some blockchain security experts speculate that this may be the work of a notorious hacking organization. This organization has launched cyber attacks on the crypto asset industry multiple times over the past few years, illegally obtaining billions of dollars in crypto assets.
Potential Freezing Risks
According to past investigations, this hacker organization not only uses decentralized platforms to launder funds but also relies heavily on centralized platforms to cash out. As a result, many exchange users who unknowingly received stolen funds have had their accounts restricted by risk controls, and the business addresses of OTC merchants and payment institutions have been frozen.
For example:
In 2024, an exchange in Japan was attacked, resulting in approximately $600 million in Bitcoin being stolen. Some of the funds flowed into a Southeast Asian crypto payment institution, leading to the freezing of the institution's hot wallet address, with nearly $30 million in funds locked.
In 2023, another trading platform was attacked, resulting in over 100 million USD in assets being stolen. Some of the funds were laundered through over-the-counter trades, leading to the freezing of many OTC merchants' business addresses or risk-control restrictions on their exchange accounts, severely impacting normal operations.
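One way an OTC desk or payment institution could screen deposits for this exposure, as an added example that is not part of the original article: it measures how many transfers separate a sender from an address flagged as holding stolen funds, following only transfers made after the tainted funds arrived. The address labels, timestamps and thresholds are constructed assumptions, and the sketch ignores amounts, which a production screening tool would also weigh.

```python
def taint_hops(transfers, flagged, max_hops):
    """Map each exposed address to its hop distance from the nearest flagged address.

    transfers: iterable of (timestamp, sender, receiver, amount).
    Processing in time order means money an address sent out *before* it
    received tainted funds is not treated as tainted.
    """
    hops = {addr: 0 for addr in flagged}
    for _ts, src, dst, _amount in sorted(transfers):
        if src in hops and hops[src] < max_hops:
            candidate = hops[src] + 1
            if candidate < hops.get(dst, max_hops + 1):
                hops[dst] = candidate
    return hops

def screen_deposit(sender, hops, reject_within=1):
    """Decide how to treat a deposit from `sender` (thresholds are assumptions)."""
    if sender not in hops:
        return "accept"
    return "reject" if hops[sender] <= reject_within else "manual review"

# Constructed transfer log: (timestamp, sender, receiver, amount). Labels are placeholders.
TRANSFERS = [
    (100, "0xTHEFT", "0xSPLIT_A", 500),
    (101, "0xTHEFT", "0xSPLIT_B", 500),
    (90, "0xSPLIT_B", "0xEARLY", 5),      # sent before SPLIT_B received stolen funds
    (110, "0xSPLIT_A", "0xRELAY", 250),
    (120, "0xRELAY", "0xCUSTOMER", 100),
    (130, "0xCUSTOMER", "0xFAR", 10),     # beyond max_hops, not followed
    (125, "0xCLEAN", "0xDESK", 10),
]
HOPS = taint_hops(TRANSFERS, ["0xTHEFT"], max_hops=3)

if __name__ == "__main__":
    for sender in ("0xSPLIT_A", "0xCUSTOMER", "0xEARLY", "0xCLEAN"):
        print(sender, HOPS.get(sender), screen_deposit(sender, HOPS))
```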
Conclusion
Frequent hacker attacks have caused significant losses to the crypto asset industry, and the money laundering that follows has harmed many innocent individuals and institutions. To avoid becoming potential victims, industry participants should exercise extra caution when conducting transactions and closely monitor suspicious fund flows to protect their own interests.