Security researchers have determined that hackers injected malicious JavaScript directly into Safe’s online infrastructure hosted on AWS. The code was specifically designed to activate only when interacting with Bybit’s contract address, allowing it to remain undetected by regular users, says Oded Vanunu of Check Point.
The recent high-profile breach of Bybit has revealed deep cracks in the security protocols of the industry, reminding us that even the most sophisticated defences can be compromised. This time, the hackers were able to breach a multisig cold wallet, stealing about $1.5 billion worth of Ethereum tokens.
“This attack proves that a prevention-first approach, securing every step of a transaction, is the only way to stop cybercriminals from carrying out similar high-impact attacks in the future. We cannot afford to rely solely on conventional cryptographic models as attacks become increasingly complex,” says Oded Vanunu, Chief Technologist and Head of Product Vulnerability Research, Check Point.
Rather, we need a comprehensive strategy that addresses social engineering tactics, user interface manipulation risks and human vulnerabilities. Crypto institutions can better safeguard their assets in an increasingly complex threat landscape by enforcing real-time threat monitoring, educating users and bolstering transaction verification.
Although no security system is entirely foolproof, staying ahead of cybercriminals will require a proactive and flexible approach. The sector needs to move toward multi-layered defence tactics that combine stringent verification procedures, education and technology.
As digital assets become more mainstream, security practices must evolve just as rapidly. Trust, transparency and protection should be at the forefront of the crypto ecosystem, because, at the end of the day, security is not just about code. It is about people.

Multi-signature wallets
What is a multisig cold wallet? According to Coinbase, a multi-signature wallet is a type of cryptocurrency wallet that requires multiple signatures, instead of just one, to execute each transaction. These signatures are associated with different cryptographic private keys, and a defined threshold of keys must sign a transaction to validate it. This feature strives to prevent the abuse of power and introduce safeguards, making it a tool for businesses, institutions and decentralized autonomous organizations.
The workflow of a multi-sig wallet remains the same irrespective of the number of signers. Any parties to a multi-sig wallet can initiate a transaction signed with their private key. However, the transaction is displayed as pending until other parties sign it.
Multi-sig wallets may implement an N-of-N setup, where all signatories must validate a transaction before it is considered valid. Alternatively, an N-of-M setting (N smaller than M) requires only a threshold of N of the M signers to approve a transaction. For example, in a 3-of-4 wallet, three out of four signers must validate the transaction for it to be executed.
When used properly, a multi-sig wallet aims to offer additional security by eliminating the single point of failure associated with one private key. It makes it difficult for hackers to steal funds from a wallet, because they must obtain several different keys to complete any action. This feature is especially desirable when the assets belong to multiple parties in a company or a decentralized autonomous organization.
While multi-sig wallets provide a level of security, they are not without their risks. High-profile breaches have occurred from compromised multi-sig wallets, where the private keys were stored improperly. It is essential to distribute multi-sig private key access among distinct entities.
A multi-sig setup where a single entity holds multiple private keys and stores them in a single location is essentially the same as a single-key wallet. A recommended scenario is distributing access to entities in a way that a single security breach does not lead to the loss of two or more keys.

Malicious JavaScript injected into Safe hosted on AWS
According to Check Point, this attack is especially troubling because it was not a conventional vulnerability that looked for a flaw in the blockchain system or a smart contract. Rather, security researchers have determined that hackers injected malicious JavaScript directly into Safe’s online infrastructure hosted on AWS. The code was specifically designed to activate only when interacting with Bybit’s contract address, allowing it to remain undetected by regular users.
Safe is governed by SafeDAO, a decentralized collective of core contributors, backers, GnosisDAO, users and ecosystem contributors, the Safe{Guardians}. Safe Multisig is a customisable crypto wallet running on Ethereum that requires a predefined number of signatures to confirm transactions, preventing unauthorized access to the stored assets.
According to Hacker News, attacks that abuse AWS-hosted infrastructure in this way do not exploit any vulnerability in AWS itself. Rather, the threat actors take advantage of misconfigurations in victims’ environments that expose their AWS access keys, and then send phishing messages by abusing Amazon Simple Email Service and WorkMail.
This modus operandi spares the threat actor from having to host or pay for their own infrastructure to carry out the malicious activity. It also lets the phishing messages sidestep email protections, since the messages originate from a known entity from which the target organization has previously received email.
According to Check Point, the JavaScript manipulation modified transaction data behind the scenes:
- When Bybit signers accessed the interface, the code identified target addresses.
- It silently modified critical transaction parameters, including the recipient address and the operation type.
- It preserved the appearance of legitimacy by displaying the original transaction details to signers.
This finding confirms that the attack sets a new precedent in crypto security: a multisig cold wallet was bypassed through sophisticated user interface manipulation, which proves that multisigs and cold wallets are not automatically secure when the interface layer can be compromised.
Attackers used social engineering and user interface deception to carefully manipulate human behaviour. The presence of human error compromises even the most robust systems.
This event highlights the pressing need for more robust security models, specifically in how transactions are authenticated and how signers verify transactions. The increasing complexity of user interface-based attacks necessitates a change of strategy, moving beyond traditional cryptographic security toward comprehensive risk mitigation.
Gold standard for crypto assets
For years, multisig wallets and cold storage have been considered the gold standard for securing crypto assets. But this breach shattered that assumption, revealing three major weaknesses:
- Multisig is not infallible: if signers can be deceived, multiple approvals do not guarantee safety.
- Cold wallets are not immune: an attacker does not need to breach the storage itself if they can manipulate what a signer sees.
- Supply chain and user interface-based attacks are evolving rapidly, making them difficult to detect with traditional security measures.
With this shift in attack strategies, crypto institutions, exchanges and custodians must rethink how they authenticate and verify transactions.
Here is what needs to change
Given the increasing complexity of attacks, securing digital assets requires a multi-layered approach that goes beyond cryptographic security.
Real-time threat monitoring
- A prevention-first approach, securing every step of a transaction.
- Developing advanced anomaly detection systems that can flag unusual transaction patterns.
- Leveraging AI and behavioural analysis to detect and prevent social engineering attempts.
Human-centric security measures
- Educating users and institutional signers on user interface-based manipulation techniques.
- Implementing multi-factor verification processes that include independent transaction confirmation.
Transaction verification protocols
- Introducing secondary verification mechanisms to confirm transaction details before execution.
- Using independent, air-gapped devices for transaction approvals to reduce user interface-based risks.
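The following simulation, added here as an illustration and not code from Check Point, Safe or Bybit, ties together the N-of-M threshold described under multi-signature wallets, the interface manipulation described above (the UI shows the original transaction while a different recipient and operation type are submitted for signature), and the secondary verification recommended here. Owner keys, addresses and the hash encoding are constructed placeholders: HMAC stands in for ECDSA and a JSON hash stands in for Safe's EIP-712 transaction hash, so only the logic is representative.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict

CALL, DELEGATECALL = 0, 1  # Safe operation types; 1 lets the target rewrite wallet logic

@dataclass(frozen=True)
class SafeTx:
    to: str
    value: int      # wei
    data: str
    operation: int
    nonce: int

def tx_hash(tx: SafeTx) -> str:
    """Canonical hash of the fields a signer approves. Stand-in for Safe's
    EIP-712 safeTxHash; a hardware wallet shows this digest, not the web UI."""
    return hashlib.sha256(json.dumps(asdict(tx), sort_keys=True).encode()).hexdigest()

def sign(key: bytes, digest: str) -> str:
    # HMAC stands in for ECDSA; only the threshold logic matters here
    return hmac.new(key, digest.encode(), "sha256").hexdigest()

def execute(tx: SafeTx, sigs: dict, owners: dict, threshold: int) -> bool:
    """N-of-M rule: executes only if >= threshold distinct owners signed
    the hash of *this* transaction."""
    digest = tx_hash(tx)
    valid = {o for o, s in sigs.items()
             if o in owners and hmac.compare_digest(sign(owners[o], digest), s)}
    return len(valid) >= threshold

def independent_check(displayed: SafeTx, requested_hash: str) -> bool:
    """Secondary verification: recompute the hash from the parameters shown
    on screen and compare with the digest the signing device presents."""
    return hmac.compare_digest(tx_hash(displayed), requested_hash)

# Constructed sample: 2-of-3 wallet with placeholder keys and addresses
OWNERS = {"alice": b"key-alice", "bob": b"key-bob", "carol": b"key-carol"}
THRESHOLD = 2
DISPLAYED = SafeTx(to="0x" + "aa" * 20, value=30_000 * 10**18,
                   data="0x", operation=CALL, nonce=7)
# What a tampered interface submits for signature while still showing DISPLAYED
HIDDEN = SafeTx(to="0x" + "bb" * 20, value=0,
                data="0x1234", operation=DELEGATECALL, nonce=7)

def approve(requested: SafeTx, signers=("alice", "bob"), check=False) -> bool:
    """Signers approve the requested hash; with check=True each one first
    verifies it against DISPLAYED and refuses to sign on a mismatch."""
    digest = tx_hash(requested)
    sigs = {s: sign(OWNERS[s], digest) for s in signers
            if not check or independent_check(DISPLAYED, digest)}
    return execute(requested, sigs, OWNERS, THRESHOLD)

def blind_signing() -> bool:      # tampered UI, no check: hidden tx executes
    return approve(HIDDEN)

def verified_signing() -> bool:   # tampered UI, check on: nobody signs
    return approve(HIDDEN, check=True)

def honest_signing() -> bool:     # untampered UI: displayed tx executes
    return approve(DISPLAYED, check=True)
```

The point of the check is that it is done on a device the web interface cannot influence, which is what the air-gapped approval recommendation above buys.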
Zero-Trust security model
- Treating every device and signer as potentially compromised.
- Implementing strict access controls and segregating signing authority across multiple verification channels.
Key takeaways
- Multisig and cold wallets are not immune to sophisticated social engineering and user interface manipulation.
- The human factor remains one of the biggest security risks in crypto transactions.
- Organisations must integrate real-time preventive threat monitoring, secondary verification and Zero-Trust security models.
- The industry needs a paradigm shift in transaction security, moving beyond cryptographic trust toward comprehensive risk mitigation frameworks.

FBI announces North Korea responsible for $1.5B Bybit hack
On 26 February, the Federal Bureau of Investigation made this statement. FBI is releasing this public service announcement to advise that the Democratic People’s Republic of Korea (North Korea) was responsible for the theft of approximately US$1.5 billion in virtual assets from cryptocurrency exchange Bybit on or about February 21, 2025. FBI refers to this specific North Korean malicious cyber activity as TraderTraitor.
TraderTraitor actors are proceeding rapidly and have converted some of the stolen assets to Bitcoin and other virtual assets dispersed across thousands of addresses on multiple blockchains. It is expected these assets will be further laundered and eventually converted to fiat currency.
FBI encourages private sector entities including RPC node operators, exchanges, bridges, blockchain analytics firms, DeFi services, and other virtual asset service providers to block transactions with or derived from addresses TraderTraitor actors are using to launder the stolen assets.
FBI maintains its commitment to protecting the virtual asset community by identifying, mitigating, and disrupting North Korea’s illicit cybercrime and virtual asset theft activities.
The following Ethereum addresses are holding or have held assets from the theft, and are operated by or closely connected to North Korean TraderTraitor actors:

Timeline of responses to the Bybit security incident
Bybit suffered a major hacking incident on Feb 21, 2025, affecting one of Bybit’s Ethereum cold wallets and resulting in almost $1.5 billion in losses. The exploit is linked to the North Korean state-backed Lazarus Group.
February 21, 2025, 13:30 UTC: Bybit conducted a routine transfer from one of its Ethereum multisig cold wallets to a warm wallet, first transferring an amount of 30,000 ETH.
February 21, 2025, 14:13 UTC: Hackers exploited the UI of the Safe multisig cold wallet through a sophisticated phishing attack that masked the actual transaction, resulting in a change to the smart contract logic of the ETH cold wallet. This allowed the hackers to transfer the funds out of the compromised cold wallet, splitting them across 39 addresses.
How much was lost in the hack?
Only a single Bybit cold wallet was compromised, resulting in the loss of $1.46 billion as follows:
- 401,347 ETH ($1.12 billion)
- 90,375 stETH ($253.16 million)
- 15,000 cmETH ($44.13 million)
- 8,000 mETH ($23 million)
February 21, 2025, 15:44 UTC: Bybit’s co-founder and CEO Ben Zhou tweeted about the evolving situation, informing the community early on that the hackers took control of the specific ETH cold wallet, and assuring users that Bybit is solvent and can cover the loss, ensuring client assets are backed 1:1.
February 21, 2025, 16:07 UTC: Ben reiterated in his X post that “Bybit is Solvent even if this hack loss is not recovered, [and] all of clients’ assets are 1 to 1 backed, [so] we can cover the loss.”
February 21, 2025, 17:15 UTC: Ben went on a livestream to explain the situation transparently to affected users.
How did the hack happen?
Through a phishing attack on the Ethereum cold wallet multisig signers, the transaction and the Safe UI were spoofed, allowing the hacker to change the smart contract logic of the multisig wallet. This allowed the hacker to gain control of the Bybit cold wallet and to transfer out the funds.
No plan to purchase ETH
Ben stated during a livestream that there are currently no plans to purchase ETH. However, he emphasized that the company is actively seeking assistance and leveraging bridge loans from partners, in order to navigate liquidity constraints during this critical period.
Other cold wallets are safe
Ben clarified that Bitcoin remains the primary reserve asset, and that other cold wallets remain unaffected.
Withdrawals as usual
Ben reassured users that all products and services are operating as usual. Withdrawals have not been halted, and continue to be processed as normal.
Normal P2P Services
Bybit’s Head of Derivatives and Institutional, Shunyet Jan, confirmed during the livestream that the platform’s P2P services are functioning normally.
February 21, 2025, 19:09 UTC: ZachXBT submitted definitive proof linking the attack to the Lazarus Group, a North Korean cybercriminal organization, and claimed the bounty from Arkham Intelligence. His analysis included test transactions, connected wallets, forensic graphs and timing details. According to ZachXBT, the cluster of addresses is also linked to the Phemex and BingX hack.
February 21, 2025, 20:09 UTC: Bitget deposited 40,000 ETH to Bybit, exhibiting the strong support demonstrated by industry partners and peers.
February 21, 2025, 21:07 UTC: Bybit reported the case to the appropriate authorities, and will provide updates as soon as further information becomes available. It actively collaborated with on-chain analytics providers in order to identify and demix the implicated addresses.
February 22, 2025, 00:54 UTC: Ben announced that 99.994% of over 350,000 withdrawal requests had been processed within 10 hours of the hack, with the Bybit team working around the clock to ensure smooth operations and address client concerns.
February 22, 2025, 01:08 UTC: Safe confirmed that there was neither any compromise of its codebase nor any malicious dependencies, and that no other Safe addresses were affected. Following the incident, Safe temporarily paused its Safe{Wallet} functionality in order to conduct a thorough review of the service.
February 22, 2025, 01:21 UTC: Hacken stated that the Bybit hack was significant, and had dealt a heavy blow to the industry. However, Bybit’s reserves still exceed its liabilities, and its user funds remain fully backed.
February 22, 2025, 02:51 UTC: Ben tweeted that all withdrawals have been processed, and that the platform has resumed normal operations, less than 12 hours after the $1.4 billion hacking incident, the largest in the industry to date.
February 22, 2025, 07:29 UTC: According to the latest monitoring data from SoSoValue and on-chain security team TenArmor, over $4 billion in funds have flowed into the Bybit trading platform in the past 12 hours. Comparative fund inflow analysis indicates that this capital influx has fully covered the shortfall caused by yesterday’s hack.
February 22, 2025, 08:52 UTC: Chainflip responded on X, stating that while they have made every effort to assist, as a decentralized protocol they’re unable to fully block, freeze or redirect any funds.
February 22, 2025, 11:00 UTC: Ben and Shunyet held a Chinese-language AMA with ETHPanda, Wu Blockchain, Bitget CEO Gracy Chen and other participants, in order to discuss the hack incident and share their insights on how to manage it.
February 22, 2025, 13:15 UTC: Tether CEO Paolo Ardoino announced that Tether had frozen $181,000 USDT linked to the hack.
February 22, 2025, 13:45 UTC: Bybit processed approximately $4 billion in withdrawals following the surge, post-exploit. Hacken confirmed that Bybit’s user funds remain fully backed, with reserves still exceeding liabilities.
February 22, 2025, 15:32 UTC: Bybit launched a Recovery Bounty Program, with a reward of 10% of the stolen funds.
February 22, 2025, 16:01 UTC: Ben went on a live AMA with Crypto Town Hall, to discuss how he was handling the situation post-hack; the industry support Bybit received from peers, such as Bitget; and the way that the Bybit team was working tirelessly to handle the crisis.
Ben also stated that rolling back Ethereum should be a community decision, rather than an individual choice, possibly through a vote.
February 23, 2025, 04:32 UTC: Ben emphasized that the issue goes beyond Bybit or any single entity, stating, “It’s about our industry’s approach to hackers.” He urged eXch to reconsider and assist in blocking the outflow of funds.
February 23, 2025, 08:55 UTC: Bybit announced that all deposits and withdrawals have resumed to normal levels.
February 23, 2025, 15:41 UTC: In total, $42.89 million of exploited funds were frozen, thanks to the coordinated efforts of industry partners, including Tether, THORchain, ChangeNOW, FixedFloat, Avalanche, CoinEx, Bitget and Circle. Additionally, mETH Protocol recovered 15,000 cmETH tokens worth nearly $43 million.
February 24, 2025, 02:35 UTC: Two days following the hack, Bybit received $1.23 billion in ETH through bridge loans, whale deposits and OTC purchases, effectively covering the ETH deficit from the exploit.
February 24, 2025, 09:12 UTC: Hacken, an independent blockchain security firm, released an updated proof-of-reserves (PoR) report. Bybit has fully closed the ETH gap in client assets within 72 hours, through strategic partnerships with Galaxy Digital, FalconX, Wintermute and others, along with support from Bitget, MEXC and DWF Labs. Key assets, such as BTC, ETH, SOL, USDT and USDC, exceed 100% collateral ratios.
February 25, 2025, 14:40 UTC: Ben announced the launch of the LazarusBounty program: the industry-first bounty platform that specifically aims to recover funds allegedly stolen by the North Korean state-backed Lazarus Group in the Bybit exploit.
February 26, 2025, 15:17 UTC: Ben shared the preliminary reports on the hack. These reports, conducted by Sygnia Labs and Verichains, both suggest that the root cause was malicious JavaScript code on Safe{Wallet}’s platform, and that no vulnerability was detected in Bybit’s infrastructure.
February 28, 2025, 13:25 UTC: Ben announced the V1.1 update to the LazarusBounty platform, which added the following:
- cross-chain hacker address analysis
- a Discord channel
- hacker address wallet balances
- a verified ranking of bounty hunters
