| Americas | Articles
In February, the crypto world witnessed one of its largest ever breaches, a staggering $1.5 billion theft from Bybit’s cold wallet infrastructure. In an industry that prides itself on innovation and security, this attack was a stark reminder that even the most sophisticated platforms remain vulnerable to unaddressed security flaws.
At the center of this breach was a multi-layered exploit that blended supply chain compromise, user interface manipulation, and smart contract abuse. While the impact was devastating, the lessons learned could help shape stronger, more resilient safeguards for the future of crypto security.
Inside the Bybit hack: How did it happen?
This was not a brute force attack or a simple phishing scheme. It was an intricate, multi-stage exploit that methodically dismantled Bybit’s defenses.
The attackers, believed to be North Korea’s Lazarus Group, first compromised Safe {Wallet}, a multi-signature (multisig) wallet provider used by Bybit. This was not a direct attack on Bybit itself, but rather an infiltration of Safe’s development and cloud infrastructure.
How was Safe compromised?
Given Lazarus Group’s past exploits, it’s probable the attackers targeted a Safe {Wallet} developer by getting them to download a trojanized file, granting unrestricted access to their system.
Once inside, the attackers used stolen AWS credentials to access Safe {Wallet}’s cloud storage (S3 bucket), which hosted the JavaScript for Bybit’s wallet management application. They then injected malicious JavaScript designed to alter transaction requests only when Bybit’s wallet was accessed; a targeted approach that went unnoticed by other users.
Why did no one notice the change?
Safe {Wallet} didn’t implement Subresource Integrity (SRI) hashing to detect modified front-end code, and there was no real-time alerting mechanism in place to flag unauthorized edits to the application. In addition, stronger login security measures, such as multi-factor authentication or IP allowlisting, were absent.
How was the UI manipulated to allow attackers access to the wallet?
When Bybit’s cold wallet operators logged into the Safe {Wallet} interface to approve what they thought was a routine transaction, the compromised Safe {Wallet} UI altered the data in real time. This meant that, while the team believed they were transferring funds internally, they were unknowingly executing a smart contract that handed full control of their cold wallet to the attackers.
The key vulnerability was a “delegatecall” exploit, a function in Ethereum that allows a smart contract to execute another contract’s code within its own storage context, modifying the critical storage variables of the original contract. The attackers tricked Bybit’s signers into changing their wallet’s contract logic to a malicious version, effectively granting full control.
What could have prevented this?
Hacks of this scale rarely stem from a single point of failure; they exploit openings across multiple security layers. Bybit’s breach highlights several key weaknesses in crypto custody practices, and more importantly, the critical steps that could have prevented it.
Step 1: Strengthen software supply chains
During due diligence periods, ensure multisig wallet providers:
- use cryptographic code signing to prevent tampering
- deploy SRI so front-end modifications trigger alerts
- require multi-party code review for all wallet UI updates
- implement Cloud Security Posture Management (CSPM) tools to detect unauthorized AWS key usage.
Step 2: Conduct independent transaction verification
Make sure you do the following before signing Ethereum transactions:
- Always decode transaction data using blockchain explorers like Etherscan to verify there are no unauthorized contract interactions.
- Set up mempool monitoring to flag transactions containing delegatecall operations.
- Use an air gapped device to confirm transaction payloads outside a potentially compromised UI.
Step 3: Harden smart contract permissions
Implement additional verification layers to avoid malicious smart contract upgrades:
- Disable delegatecall functionality unless absolutely necessary.
- Implement whitelisted contract upgrades so only authorized replacements are allowed.
Step 4: Detect anomalies in real time
Set up a proactive monitoring system to flag any unusual uses of delegatecall or to detect an unauthorized contract upgrade to give you time to intervene before it’s too late.
Approve cold wallet transactions using a dedicated, offline signing device that independently verifies transaction data before signing. This ensures that transaction details match the intended request and can’t be altered by a compromised UI.
Why are Ethereum multisig wallets more vulnerable than Bitcoin multisig?
Investors and institutions should recognize that not all blockchains and wallets provide the same level of security. Although Ethereum’s multisig wallets offer more flexibility for advanced financial applications, they are also more vulnerable compared to Bitcoin’s simpler, script based multisig system.
Ethereum multisig solutions, such as Safe{Wallet}, operate through smart contracts, which means they can be upgraded, modified, and interact with other contracts. Despite being more flexible, it introduces attack vectors like contract upgrades, UI-based transaction manipulation, and permission delegation; none of which exist in Bitcoin’s native multisig. If that interface is compromised, hackers can manipulate transaction data before it’s signed to make a malicious transaction appear legitimate.
Bitcoin’s multisig system is built directly into the protocol and operates purely at the script level, eliminating the risks associated with upgradable software. It also follows fixed rules that can’t be altered once a wallet is created, avoiding unauthorized changes.
What does a future-proof approach to crypto custody look like?
The Bybit hack proves that relying on smart contract multisig UI alone is insufficient. When a user interface or infrastructure is compromised, even robust cryptographic safeguards can be bypassed.
Exchanges and custodians must implement a layered, zero trust approach to security:
- Assume that trusted platforms can be breached and implement cross checking mechanisms.
- Use off chain transaction validation so signers do not inadvertently approve malicious transactions.
- Restrict high level smart contract functions to prevent unauthorized contract upgrades.
With smarter, multi-layered security, the next billion-dollar heist can be stopped before it begins. Don’t trust, verify.
How can Bovill Newgate help you strengthen your custody security?
As the crypto and digital asset landscape rapidly evolves under the new administration, we’re here to help you seize opportunities while minimizing risks. Our expert team ensures that your RIA remains compliant, competitive, and confident in navigating the shifting regulatory currents of crypto and digital assets.
Get in touch if you need support in strengthening your digital asset security systems and processes.
Get in touch
Send a message:
