Crimson7

The Bybit attack is set to be one of the most significant cybersecurity events of the year. Beyond ranking among the most profitable hacks in history, with more than 400,000 ETH stolen—amounting to approximately $1.5 billion—it also marks a milestone in the maturity, strategic planning, and execution of sophisticated cyber tradecraft.

We have been following intelligence on this attack from the very beginning. Here I am using only publicly available (TLP-public) information and leaked forensic reports, though one might question whether those reports can now be considered public.

For those who missed key details, here’s a high-level summary of the attack executed on February 19, 2025. The Bybit hack leveraged multiple complex tradecrafts, including:

- Supply Chain Compromise: The attackers gained control over an S3 bucket belonging to a Bybit supplier, Safe[wallet].

- Targeted Social Engineering: Attackers manipulated individuals with signing rights on the Safe multisig wallet using UI phishing injected into the browser.

- Malicious Smart Contracts: The hackers reverse- and re-engineered Bybit’s execTransaction/delegate functions, allowing unauthorized movement of funds.

- Fund Transfer & Laundering: The stolen funds were first moved from a cold wallet to a warm wallet, and then quickly spread across multiple addresses and DeFi derivatives.

Attribution and State-Sponsored Connections

Crypto investigator ZachXBT linked the attack to Lazarus Group, a well-known North Korean cybercrime syndicate specializing in financial cyberattacks. This attribution suggests the hack was state-sponsored, likely funding military programs. Given Lazarus' track record, the attack aligns with past high-profile crypto heists linked to North Korea’s intelligence operations.

Financial Market Impact

The attack triggered a significant drop in ETH prices, reinforcing broader concerns about security in the crypto industry. With this latest breach, total crypto-related thefts in 2024-2025 have now surpassed $2.2 billion. A bank run followed, with more than 5 billion in withdrawals from the Bybit platform.

Critical Security Questions Raised

This incident inevitably raises "how was this possible?" questions:

1. Why wasn’t Bybit’s cold storage truly “cold”?

- The reality is that many exchanges operate with warm gap systems to facilitate business operations. I previously wrote about this when working in the crypto security space.

2. How was a well-developed, highly secure multisig wallet compromised?

- Attackers didn’t break the cryptography—they targeted the signers. This is reminiscent of the classic “three keys to launch a missile” scenario in spy movies. Safe[wallet] likely had security controls, but the attack was carefully designed.

3. Why do browser-based attacks keep succeeding?

- Once again, man-in-the-browser (MitB) attacks prove to be a critical security risk, underscoring the need for better browser and session integrity protections.
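One defensive response to the UI-phishing and execTransaction/delegate points above, added here as an example and not Crimson7's or Safe's code: decode the raw execTransaction calldata out of band and flag a DELEGATECALL or an unlisted destination before any signer approves what the browser UI shows. It assumes the standard Safe execTransaction ABI and selector; the encoder exists only to build sample input, and every address used with it is constructed.

```python
# Added example, not Crimson7's or Safe's code. Assumes the standard Safe ABI for
# execTransaction; all addresses used with it are constructed for illustration.
from typing import Dict, Iterable, List, Tuple

# selector of execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)
EXEC_TRANSACTION_SELECTOR = "6a761202"
OPERATIONS = {0: "CALL", 1: "DELEGATECALL"}

def _word(buf: bytes, i: int) -> int:
    """Return the i-th 32-byte ABI head word as an integer."""
    return int.from_bytes(buf[32 * i:32 * (i + 1)], "big")

def _dyn_bytes(buf: bytes, offset: int) -> bytes:
    """Read an ABI `bytes` value: 32-byte length, then the right-padded payload."""
    length = int.from_bytes(buf[offset:offset + 32], "big")
    return buf[offset + 32:offset + 32 + length]

def encode_exec_transaction(to: str, value: int, data: bytes, operation: int) -> str:
    """ABI-encode execTransaction (zero gas params, empty signatures) to build sample input."""
    word = lambda n: n.to_bytes(32, "big")
    addr = lambda a: bytes.fromhex(a.removeprefix("0x")).rjust(32, b"\0")
    dyn = lambda b: word(len(b)) + b.ljust(-(-len(b) // 32) * 32, b"\0")
    data_off = 10 * 32                        # dynamic area begins after the 10 head words
    sigs_off = data_off + len(dyn(data))
    head = (addr(to) + word(value) + word(data_off) + word(operation)
            + word(0) * 5 + word(sigs_off))   # safeTxGas, baseGas, gasPrice, gasToken, refundReceiver
    return "0x" + EXEC_TRANSACTION_SELECTOR + (head + dyn(data) + dyn(b"")).hex()

def decode_exec_transaction(calldata_hex: str) -> Dict:
    """Extract the fields a signer must verify: to, value, data, operation."""
    raw = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if raw[:4].hex() != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not a Safe execTransaction call")
    args = raw[4:]
    return {
        "to": "0x" + args[12:32].hex(),       # address is the low 20 bytes of word 0
        "value": _word(args, 1),
        "data": _dyn_bytes(args, _word(args, 2)).hex(),
        "operation": OPERATIONS.get(_word(args, 3), "UNKNOWN"),
    }

def review(calldata_hex: str, allowed_to: Iterable[str]) -> Tuple[Dict, List[str]]:
    """Policy check on the raw payload, independent of what the (possibly spoofed) web UI shows."""
    tx = decode_exec_transaction(calldata_hex)
    findings = []
    if tx["operation"] != "CALL":             # DELEGATECALL runs `to`'s code with the Safe's storage
        findings.append(f"operation is {tx['operation']}, not CALL")
    if tx["to"] not in {a.lower() for a in allowed_to}:
        findings.append(f"destination {tx['to']} is not on the signer allowlist")
    return tx, findings
```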

Key Takeaways & Security Lessons

This hack reinforces the urgent need to improve:

- Third-party and supply chain security through better software component analysis.

- Browser security to prevent phishing and UI-based exploits.

- Human factor risk mitigation—yes, I am totally sad to say that social engineering remains an attack vector.

The Path Forward

While using custodians to store crypto assets remains, for me, the safest option, the current state of security in supply chain risk management is far from sufficient. Rating the security level of a supplier based on some 'external indicators' might be something to re-think. Our industry must work harder and smarter to close these gaps. I am also convinced that the security industry's current state of the art in third-party risk management and software component analysis for supply chain risk is definitely not enough to control and mitigate attacks of this type.

While these questions will persist, at Crimson7, we are committed to uncovering answers—especially those that lie within the inner technical space.
