Bybit Faces $1.5 Billion Hack: ETH Multisig Cold Wallet Compromised


A serious security breach has been confirmed by Bybit, a top-tier cryptocurrency exchange. It resulted in a major loss of around $1.5 billion in digital assets.

The breach appears to have focused on the exchange’s Ethereum (ETH) multisig cold wallet, and it has sent shockwaves of concern throughout the cryptocurrency industry. Cybersecurity experts assessing the situation believe the attack was carried out using a highly sophisticated strategy aimed at tricking the actual wallet signers into approving a change in the smart contract logic.

Concerns about the breach’s implications have been raised, particularly regarding the security of cold wallets and the dangers of blind signing, the practice of approving a transaction without inspecting what it will actually do in the contract code. Bybit’s managers maintain that, apart from what was taken by the hackers, all other parts of the Bybit cryptocurrency system (including “hot,” “warm,” and cold wallets) are operable and secure. Despite this reassurance, it’s hard to see how confidence in the platform hasn’t taken a hit.

Deceptive Transaction Tricked Signers

When a malicious hacker wanted to get into Bybit’s ETH multisig cold wallet, they didn’t barge in like a brute-force attacker. Instead, they crept in like a cat burglar by executing a deceptive transaction. They used that transaction to try to make the contract *think* it was signing a legitimate transaction when it was not. To do this, the hacker manipulated the signing process and tricked the wallet signers into approving the transaction. As a result, the wallet appeared to receive a valid transaction, allowing the hacker to gain full control of the cold wallet.

After the contract logic was altered, the hacker could send all the ETH in the cold wallet to an address that remains unknown. The transfer took place in mere minutes and kicked off a highly surgical attack that eluded typical security measures meant to keep digital currency safe.

A Blind Signing Attack

The assault resembles prior events in the world of cryptocurrencies, such as the notorious breaches that affected WazirX and Radiant Capital. In those instances, however, never disclosed to the public before now, hackers exploited vulnerabilities in blind signing to commandeer user wallets. In Bybit’s case, the hacker took the extraordinary step of reimplementing Bybit’s multisig Safe wallet just before the hack began and redirecting calls to a malicious contract—effectively making it appear as if there were sufficient signatures authorizing the withdrawal of funds from the wallets affected.

This attack demonstrates a significant risk in the crypto space: blind signing. In this variant of social engineering, the attacker tricks people into approving a malicious contract by making them think they’re approving something harmless or even beneficial. Just how many people were impelled to act in this way? Etherscan says 100 signers were involved. That was obviously quite a few people who were convinced they were doing the right thing. Once the attacker’s contract was live and operating, they had no need of using more signing props. They just made off with the crypto and kept on rolling.

Bybit’s Response and Assurance to Users

Bybit’s leadership, including Co-Founder and CEO Ben Zhou, has provided reassurances to users, despite the weight of the situation. In a statement, Zhou affirmed the exchange’s solvency, even if the entire $1.5 billion loss is not recovered. He was clear that all of Bybit’s clients’ assets remain 1:1 backed, and the company can cover that loss while leaving user funds untouched.

Bybit’s CEO also clarified that the breach happened only to the ETH cold wallet, and that all other wallets (hot, warm, and cold) remain secure. Withdrawals and deposits on the platform are normal, and the exchange does not believe there is a threat to any other part of its infrastructure.

The incident is a stark reminder of the risks that crypto exchanges take when they deal with not-so-simple multisig wallets and cold storage. Bybit was quick to address the issue and assure users that funds weren’t at risk. Still, the breach is certainly a black mark on the crypto industry, and it speaks to the necessity of exchanges, especially those dealing with derivatives, to practice due diligence and enhance security.

Moving Forward: Enhanced Security Measures

With the continued rise in the adoption of cryptocurrencies, the security of digital asset exchanges will come under even greater scrutiny. This attack serves as a cautionary tale for other platforms, emphasizing the importance of thorough security practices and the need to ensure that wallet signers understand the risks associated with signing without first verifying the content of the transaction.
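
What verifying the content of a transaction before signing can look like for a Safe-style multisig, as an added example (not Bybit's or Safe's code, and not a reconstruction of the incident). The field names follow Safe's transaction fields; the policy lists, helper names, addresses and both proposals are constructed for illustration.

```python
# Added illustration: pre-signing review of a proposed Safe-style multisig transaction.
# All addresses and both proposals below are constructed sample data.

CALL, DELEGATECALL = 0, 1        # values of the Safe "operation" field
ERC20_TRANSFER = "a9059cbb"      # selector of transfer(address,uint256)

# Hypothetical policy: targets and recipients the signers approved in advance.
ALLOWED_TARGETS = {"0x" + "11" * 20}      # e.g. a token contract
ALLOWED_RECIPIENTS = {"0x" + "22" * 20}   # e.g. the operator's own warm wallet

def decode_transfer(data_hex):
    """Decode ERC-20 transfer calldata; return (recipient, amount) or None."""
    raw = data_hex.lower()
    raw = raw[2:] if raw.startswith("0x") else raw
    if len(raw) != 8 + 128 or raw[:8] != ERC20_TRANSFER:
        return None
    recipient = "0x" + raw[8 + 24:8 + 64]   # address is the low 20 bytes of word 1
    return recipient, int(raw[8 + 64:], 16)

def review(tx):
    """Return findings that should block signing; an empty list means policy passes."""
    findings = []
    to = tx["to"].lower()
    if tx["operation"] == DELEGATECALL:
        # The target's code would execute against the wallet's own storage.
        findings.append("operation=DELEGATECALL: target code runs in the wallet's context")
    elif tx["operation"] != CALL:
        findings.append(f"unknown operation value {tx['operation']}")
    if to not in ALLOWED_TARGETS:
        findings.append(f"target {to} is not on the approved list")
    data = tx.get("data", "0x")
    if data not in ("", "0x"):
        decoded = decode_transfer(data)
        if decoded is None:
            findings.append("calldata is not a recognised call; nothing readable to approve")
        elif decoded[0] not in ALLOWED_RECIPIENTS:
            findings.append(f"transfer recipient {decoded[0]} is not on the approved list")
    return findings

# Constructed proposals: a routine token transfer and one that must not be signed.
routine = {"to": "0x" + "11" * 20, "value": 0, "operation": CALL,
           "data": "0x" + ERC20_TRANSFER + "00" * 12 + "22" * 20 + format(5 * 10**18, "064x")}
suspicious = {"to": "0x" + "33" * 20, "value": 0, "operation": DELEGATECALL,
              "data": "0x" + ERC20_TRANSFER + "00" * 12 + "44" * 20 + "00" * 32}

if __name__ == "__main__":
    for name, tx in (("routine", routine), ("suspicious", suspicious)):
        print(name, review(tx) or "OK to sign")
```

The second proposal carries calldata that decodes like an ordinary token transfer, which is why the check reads the operation and target fields as well as the calldata.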

Bybit has said that it is working in close cooperation with cybersecurity specialists to grasp just how deep the breach goes and to ensure that similar attacks do not happen again. The exchange has promised not only to shore up its security infrastructure but also to examine its procedures and processes to ensure that its users’ assets are safe—safer than before, at any rate.

Although the incident has prompted an inquiry into the multisig cold wallet’s safety and the smart contracts it interacts with, Bybit’s rapid response and the assurances it has given concerning the other wallets it manages and the security of its users’ funds have largely calmed the waters in which the exchange found itself after the breach. Still, this story is a reminder that the cryptocurrency sector needs to keep a sharp lookout for threats and constantly work to upgrade the protective measures it offers to users and their holdings.

Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services.


About Author

Will is a News/Content Writer and SEO Expert with years of active experience. He has a good history of writing credible articles and trending topics ranging from News Articles to Constructive Writings all around the Cryptocurrency and Blockchain Industry.
