Bybit, a leading cryptocurrency exchange, has confirmed an attack that resulted in the unauthorized diversion of funds. The exchange explained that the attack occurred while it was conducting a routine operation to transfer assets between its cold wallet and hot wallet. During this process, the attackers managed to manipulate the destination address, effectively redirecting funds to their own wallets.
Blockchain security researcher ZachXBT has been actively tracking the movements of the stolen funds. His analysis identified five flagged wallets that received the illicit transfers. He has urged other exchanges and services to blacklist these addresses in an effort to prevent the attackers from laundering or cashing out the stolen assets.
Bybit has not yet disclosed the exact amount lost in the attack but has assured its users that investigations are underway, and necessary measures are being taken to secure its infrastructure. The exchange is collaborating with blockchain security firms and law enforcement agencies to track the stolen funds and identify the perpetrators.
This incident highlights the persistent risks associated with crypto transactions and the need for enhanced security measures when handling large fund transfers. It also raises concerns about the evolving tactics of hackers, who continue to exploit vulnerabilities in exchange operations.
The cryptocurrency community is closely monitoring the situation, with many urging exchanges to implement additional verification layers and wallet security enhancements to prevent similar attacks in the future.
Bybit has reassured its users that it remains financially stable and that customer funds are secure. The exchange has also pledged to strengthen its security framework to mitigate future threats.
The attack on Bybit’s Ethereum multisig cold wallet involved a sophisticated manipulation of the multisig signing process. Below is a detailed breakdown of how the attacker could have technically executed the exploit.
Bybit’s cold wallet likely used a Gnosis Safe (or similar Ethereum multisig setup), which requires multiple private keys to sign transactions before they are executed. The attack targeted this multisig system, tricking authorized signers into approving a transaction that they did not intend to sign.
Multisig Wallet (Gnosis Safe or custom implementation) – Requires multiple signatures to authorize transactions.
Signing Interface – A UI that presents transaction details for approval.
Warm Wallet – A wallet connected to an online environment, used for frequent transactions.
A cold wallet is a cryptocurrency wallet that is not connected to the internet, making it significantly more secure against hacking, phishing, and malware attacks. Cold wallets are used for long-term storage of digital assets, especially by exchanges, institutions, and individuals holding large amounts of cryptocurrency.
Offline Storage – Private keys are generated and stored in an air-gapped environment.
Highly Secure – Since it is not exposed to online threats, it is resistant to hacking and unauthorized access.
Manual Transaction Signing – Transactions must be signed offline and then broadcasted to the blockchain via an online device.
Used for Large Holdings – Ideal for securing large amounts of crypto that don’t require frequent transfers.
Hardware Wallets – Physical devices like Ledger, Trezor, and Keystone that store private keys offline.
Paper Wallets – Private keys written on paper or stored as QR codes, requiring manual entry for transactions.
Air-Gapped Devices – Computers or smartphones completely disconnected from the internet, used solely for signing transactions offline.
The attacker masked the signing interface, making it display the expected transaction details (correct destination address) while actually signing a different transaction with altered smart contract logic.
Front-End Injection or UI Manipulation:
The attacker could have injected malicious JavaScript or manipulated the transaction display interface, ensuring signers saw a "legitimate" transaction.
Example Attack Method: Injecting JavaScript via a compromised admin panel or browser extension.
Middle-Layer Hooking:
If Bybit used a backend API to fetch transaction details, the attacker could have intercepted and modified API responses, ensuring signers saw a falsified request.
Example: A compromised or exploited backend service that fetches and displays transaction details before signature.
Modifying the data Field in the Transaction:
In Ethereum transactions, a data field can contain smart contract interactions.
The attacker likely crafted a malicious data payload that:
Looked harmless in the UI (e.g., a simple ETH transfer to a warm wallet).
Actually altered wallet permissions or redirected funds via a hidden smart contract call.
The key part of this attack was modifying the underlying smart contract logic, allowing the attacker to gain control of the multisig wallet.
If the cold wallet was based on an Upgradeable Proxy Contract, the attacker may have:
Executed a transaction that upgraded the implementation contract to one under their control.
Modified function behavior to redirect funds to their address while displaying an expected transaction.
delegatecall
Many multisig wallets allow contract interactions.
The attacker could have:
Embedded a malicious delegatecall within the transaction.
delegatecall executes the target contract's code in the context of the caller, allowing modification of the multisig wallet’s storage.
This could be used to change the ownership of the wallet or modify approval mechanisms.
Example Attack Code:
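```solidity
pragma solidity ^0.8.0;

contract MaliciousContract {
    address public multisig;

    constructor(address _multisig) {
        multisig = _multisig;
    }

    // Illustrative only: asks the multisig to run setOwner(address) with the
    // caller of exploit() as the new owner. This is a plain call, so it only
    // succeeds if the wallet exposes such a function without access control.
    function exploit() public {
        (bool success, ) = multisig.call(abi.encodeWithSignature("setOwner(address)", msg.sender));
        require(success, "Exploit failed");
    }
}
```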
This payload could be hidden within an innocuous-looking transfer.
If the contract had an addOwner() or replaceOwner() function, the attacker could have:
Embedded a malicious call inside a seemingly regular transaction.
Tricked signers into signing an owner update transaction that handed control to the attacker.
Once the multisig executed the manipulated transaction, the attacker had full control of the cold wallet. They then:
Drained funds to unidentified addresses.
Sent funds to DEXs (decentralised exchanges) to launder them.
Possibly bridged funds to another blockchain to evade tracking.
To mitigate such attacks:
Harden Signing Processes:
Implement off-chain verification of transaction data before signing.
Use hardware security modules (HSMs) or air-gapped signing that cannot be manipulated.
Verify Smart Contract Calls:
Require human-readable decoding of all smart contract interactions.
Restrict transactions to whitelisted contract addresses.
Enhance UI & Backend Security:
Implement end-to-end transaction validation (signers verify raw transaction hex).
Prevent UI injection attacks via strict content security policies (CSP).
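The first two groups of mitigations above (off-chain verification, human-readable decoding, allowlisted targets) can be combined into one check that runs on the raw transaction fields, independently of the signing UI. This is an added example, not code from Bybit or any wallet vendor; it assumes a Safe-style transaction with `to`, `data` and `operation` fields, and the policy, addresses and function names are constructed placeholders.

```python
# Added example; every address and the policy are constructed placeholders.
ERC20_TRANSFER = "a9059cbb"  # selector of transfer(address,uint256)
CALL, DELEGATECALL = 0, 1    # Safe-style operation field (assumed wallet type)
TOKEN, WARM, UNKNOWN = ("0x" + b * 20 for b in ("11", "22", "33"))
POLICY = {"contracts": {TOKEN: {ERC20_TRANSFER}}, "recipients": {WARM}}

def decode_call(data_hex):
    """Split raw calldata into (selector, 32-byte words); no UI involved."""
    raw = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    if not raw:
        return None, []
    if len(raw) < 4 or (len(raw) - 4) % 32:
        raise ValueError("malformed calldata")
    return raw[:4].hex(), [raw[i:i + 32] for i in range(4, len(raw), 32)]

def review(tx, policy=POLICY):
    """Return reasons to refuse signing; an empty list means the policy passes."""
    findings, to = [], tx["to"].lower()
    if tx["operation"] != CALL:
        findings.append("operation is not a plain CALL (1 = DELEGATECALL, runs in wallet storage)")
    try:
        selector, words = decode_call(tx["data"])
    except ValueError as exc:
        return findings + [f"calldata rejected: {exc}"]
    if selector is None:  # empty data: plain ETH transfer
        if to not in policy["recipients"]:
            findings.append(f"ETH recipient {to} is not allowlisted")
        return findings
    allowed = policy["contracts"].get(to)
    if allowed is None:
        findings.append(f"target contract {to} is not allowlisted")
    elif selector not in allowed:
        findings.append(f"selector 0x{selector} is not allowed on {to}")
    if selector == ERC20_TRANSFER:
        if len(words) != 2:
            findings.append("transfer() with unexpected argument count")
        elif "0x" + words[0][12:].hex() not in policy["recipients"]:
            findings.append(f"token recipient 0x{words[0][12:].hex()} is not allowlisted")
    return findings

def transfer_calldata(recipient, amount):
    """Build constructed sample calldata for transfer(recipient, amount)."""
    return "0x" + ERC20_TRANSFER + recipient[2:].rjust(64, "0") + f"{amount:064x}"

if __name__ == "__main__":
    samples = [  # constructed transactions, not taken from the incident
        {"to": TOKEN, "operation": CALL, "data": transfer_calldata(WARM, 10**18)},
        {"to": UNKNOWN, "operation": DELEGATECALL, "data": transfer_calldata(WARM, 0)},
    ]
    for tx in samples:
        print(tx["to"], review(tx) or "OK to sign")
```

The policy is default-deny: a transaction passes only if its target, selector and decoded recipient are all on the allowlist, so an unfamiliar call is refused rather than displayed and trusted.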
The attacker exploited a combination of UI spoofing and smart contract manipulation to trick signers into authorizing a transaction that gave them control of the cold wallet. This sophisticated attack highlights the importance of secure signing interfaces, contract audit processes, and multi-layer validation to prevent unauthorized access to high-value wallets. This is one possible scenario; more will be uncovered as the investigations proceed and systems are updated or strengthened.
Fabian Owuor