Bybit Faces $1.5 Billion Hack: ETH Multisig Cold Wallet Compromised

Bybit, a top-tier cryptocurrency exchange, has confirmed a serious security breach that resulted in a loss of around $1.5 billion in digital assets.

The breach appears to have focused on the exchange’s Ethereum (ETH) multisig cold wallet, and it has sent shockwaves of concern throughout the cryptocurrency industry. Cybersecurity experts assessing the situation believe the attack was carried out using a highly sophisticated strategy aimed at tricking the actual wallet signers into approving a change in the smart contract logic.

🚨ALERT🚨Our system has detected abnormal activity, including suspicious behavior involving the @Bybit_Official wallet!
Several wallets are exhibiting highly suspicious patterns, and we are actively reaching out to the exchange to warn them. The total affected assets are… pic.twitter.com/iAQqlgU4Rf

— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) February 21, 2025

The breach has raised concerns about the security of cold wallets and the dangers of blind signing, the practice of approving transactions without examining the fine print of the contract code. Bybit’s managers maintain that, apart from what was taken by the hackers, all other parts of the Bybit cryptocurrency system (including “hot,” “warm,” and cold wallets) are operable and secure. Despite this reassurance, it’s hard to see how confidence in the platform hasn’t taken a hit.

Deceptive Transaction Tricked Signers

The attacker did not break into Bybit’s ETH multisig cold wallet by brute force. Instead, they crept in like a cat burglar by executing a deceptive transaction, one built to pass as legitimate when it was not. To do this, the hacker manipulated the signing process and tricked the wallet signers into approving the transaction. As a result, the wallet received what appeared to be a valid transaction, allowing the hacker to gain full control of the cold wallet.

🚨UPDATE🚨It seems that @Bybit_Official‘s #ETH multisig cold wallet was compromised through a deceptive transaction that tricked signers into unknowingly approving a malicious smart contract logic change.

UI deception: Signers saw the correct address and a trusted @safe URL,… https://t.co/7ybpM7MOnR

— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) February 21, 2025

After the contract logic was altered, the hacker could send all the ETH in the cold wallet to an address that remains unknown. The transfer took place in mere minutes and kicked off a highly surgical attack that eluded typical security measures meant to keep digital currency safe.

A Blind Signing Attack

The assault resembles prior events in the world of cryptocurrencies, such as the notorious breaches that affected WazirX and Radiant Capital. In those instances, which had not been disclosed to the public before now, hackers exploited vulnerabilities in blind signing to commandeer user wallets. In Bybit’s case, the hacker took the extraordinary step of reimplementing Bybit’s multisig Safe wallet just before the hack began and redirecting calls to a malicious contract, effectively making it appear as if there were sufficient signatures authorizing the withdrawal of funds from the affected wallets.

This attack demonstrates a significant risk in the crypto space: blind signing. In this variant of social engineering, the attacker tricks people into approving a malicious contract by making them think they’re approving something harmless or even beneficial. How many people were led to act this way? Etherscan says 100 signers were involved, quite a few people who were convinced they were doing the right thing. Once the attacker’s contract was live and operating, they had no need for any further signing tricks. They simply made off with the crypto.
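A signer-side check for the blind-signing risk described above, as an added example that is not part of the original article and is not Bybit's or Safe's code: it reviews the raw fields of a Safe-style transaction (to, value, data, operation) instead of trusting what the interface displays. The field layout with operation 1 meaning delegatecall is assumed from the Safe transaction format; the allowlist, addresses and payloads are constructed sample values.

```python
# Added example: review the raw fields of a Safe-style transaction before signing.
# Addresses, allowlist and payloads are constructed sample values.
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1       # values of the Safe "operation" field
ERC20_TRANSFER = "a9059cbb"     # selector of transfer(address,uint256)

@dataclass
class SafeTx:
    to: str         # contract or account the wallet will call
    value: int      # wei sent with the call
    data: str       # calldata as hex, without the 0x prefix
    operation: int  # 0 = call, 1 = delegatecall

def effective_transfer(tx):
    """Return (recipient, amount) for a plain ETH or ERC-20 transfer, else None."""
    data = tx.data.lower()
    if not data:
        return tx.to.lower(), tx.value
    if len(data) == 136 and data[:8] == ERC20_TRANSFER:
        return "0x" + data[32:72], int(data[72:], 16)
    return None

def review(tx, shown_to, shown_amount, allowlist):
    """Compare what will be signed with what the interface displayed."""
    findings = []
    if tx.operation != CALL:
        findings.append("delegatecall: target code runs against the wallet's own storage")
    if tx.to.lower() not in allowlist:
        findings.append("target %s is not on the allowlist" % tx.to)
    moved = effective_transfer(tx)
    if moved is None:
        findings.append("calldata is not a plain transfer; decode it before signing")
    elif moved != (shown_to.lower(), shown_amount):
        findings.append("payload moves %s to %s, not what was displayed" % (moved[1], moved[0]))
    return findings

WARM = "0x" + "11" * 20         # constructed: the exchange's own warm wallet
UNKNOWN = "0x" + "ee" * 20      # constructed: a contract nobody has reviewed
ALLOWLIST = {WARM}
ONE_ETH = 10 ** 18

routine = SafeTx(WARM, ONE_ETH, "", CALL)
masked = SafeTx(UNKNOWN, 0, "deadbeef", DELEGATECALL)

if __name__ == "__main__":
    for name, tx in (("routine", routine), ("masked", masked)):
        print(name, review(tx, WARM, ONE_ETH, ALLOWLIST) or "matches display")
```

The check only helps when it runs on a device and code path independent of the interface that rendered the transaction, since a compromised interface can display anything.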

Bybit ETH multisig cold wallet just made a transfer to our warm wallet about 1 hr ago. It appears that this specific transaction was masked, all the signers saw the masked UI which showed the correct address and the URL was from @safe. However the signing message was to change…

— Ben Zhou (@benbybit) February 21, 2025

Bybit’s Response and Assurance to Users

Bybit’s leadership, including Co-Founder and CEO Ben Zhou, has provided reassurances to users, despite the weight of the situation. In a statement, Zhou affirmed the exchange’s solvency, even if the entire $1.5 billion loss is not made up. He was clear that all of Bybit’s clients’ assets remain 1:1 backed, and the company can cover that loss while leaving user funds untouched.

Bybit is Solvent even if this hack loss is not recovered, all of clients assets are 1 to 1 backed,
