The largest crypto theft in history was not a smart-contract exploit. It was a supply-chain attack on a developer laptop, a poisoned UI, and three signers who had no way of knowing what they were actually signing.
On February 21, 2025, Bybit executed what looked like a routine cold-wallet rebalancing operation. Within 47 minutes, 401,346 ETH — approximately $1.5 billion at the time — had moved from Bybit’s cold storage to wallets controlled by North Korea’s Lazarus Group. The exchange had been successfully attacked without a single line of smart-contract code being exploited. The entire operation was won at the human and infrastructure layer, long before the fateful transaction was signed.
The attack did not begin on February 21. It began months earlier, when Lazarus Group’s TraderTraitor subunit identified that Bybit used Safe (formerly Gnosis Safe) for its ETH cold-wallet management. Safe is a battle-tested multisig wallet platform, but like any software-based signing system it depends on the integrity of the client that composes and displays the transaction. That client, not the contracts, was the target.
Attackers gained access to the laptop of a developer at Safe via a social-engineering campaign. The exact vector has not been publicly confirmed, but it follows the established TraderTraitor playbook: staged recruitment conversations or technical challenges on LinkedIn or Telegram, ultimately delivering a payload to the developer’s machine. Once on the laptop, the attackers waited, using the developer’s access to stage malicious JavaScript in the hosted Safe web app, scoped so that it activated only for Bybit’s multisig.
The genius — if it can be called that — of the Bybit attack was that it exploited a trust boundary that no one at Bybit had reason to question: the Safe UI itself. The signers did not sign the wrong transaction because they were careless. They signed the wrong transaction because the interface they trusted showed them a different transaction from the one they were actually authorizing.
What the signers saw: a routine ETH transfer to familiar Bybit addresses, with matching gas parameters and expected amounts.
What the Ethereum Virtual Machine processed: a Safe transaction with its operation field set to DELEGATECALL, pointing at an attacker-controlled contract whose code rewrote the proxy’s implementation address, handing the attackers the entire cold wallet in a single, irrevocable on-chain operation.
The attack required no zero-day exploit in Safe’s contract code. It required only that an attacker-controlled piece of JavaScript run in the browser at the moment of signing: render legitimate-looking parameters to the signers while passing the real malicious payload to the hardware wallet. The hardware wallet was no backstop, because it could not decode a Safe transaction and asked the signer to confirm an opaque hash (blind signing), and the signer had nothing independent to compare that hash against.
| What Signers Saw | What Was Actually Signed |
|---|---|
| Routine ETH transfer to a Bybit warm wallet (operation = CALL) | operation = DELEGATECALL into an attacker contract that replaced the Safe’s implementation |
| Familiar recipient address in the `to` field | Attacker-controlled contract address in the `to` field |
| Expected gas fields | Gas fields left untouched, so nothing in the summary looked anomalous |
| Bybit’s internal transaction reference | A transaction granting the attacker unrestricted withdrawal from the wallet |
Within hours of the drain, the 401,346 ETH was being distributed across dozens of intermediate wallets — a fan-out technique designed to fragment the on-chain trail before aggregation. Chainalysis and TRM Labs tracked the funds through a sophisticated multi-stage laundering process that has since become Lazarus’s standard playbook:
Total recovered or frozen by the industry-wide response: approximately $42 million — less than 3% of what was stolen. The remainder is believed to be partially laundered and partially still in transit through intermediate holding wallets.
CEO Ben Zhou’s decision to announce publicly within two hours, and to commit unconditionally to absorbing the full $1.5 billion loss, is widely credited with preventing a catastrophic bank run. The exchange faced $4 billion in withdrawal requests in the first 24 hours — and met every one of them, backed by emergency loans from major crypto institutions and overnight reserve transfers from partners. Cold-wallet balances were replenished to 1:1 backing within 72 hours.
“The decision to be transparent and immediate was not obvious in the moment. The instinct in a crisis is to contain. Ben made a different call, and it’s why the exchange is still operating.”
— Industry executive, speaking on background

The Bybit hack exposed a structural weakness that exists across every multisig-based custody system that depends on a software UI for transaction visualization: the human signer cannot independently verify what they are signing if the visualization layer can be compromised.
The attack had a clear, exploitable pre-signature gap: nothing independently verified that the transaction parameters shown to signers matched the payload being handed to their devices and, from there, to the network. A pre-signature monitoring layer that evaluates the actual payload against the expected parameters before the signing ceremony proceeds would have flagged the discrepancy. Web3Firewall’s transaction simulation capability, which dry-runs a transaction’s full execution path before it is signed, is designed to catch this class of attack: the payload diverges from the display, the simulation shows an implementation change rather than an ETH transfer, and an escalation fires before any irreversible action is taken. The caveat is that such a layer only helps if it is fed the exact bytes the device will sign, obtained through a path the compromised UI cannot influence, and if a DELEGATECALL or a change to the Safe’s implementation is treated as a hard stop rather than a warning.
The Bybit attack worked because signers could not independently verify what they were signing. Web3Firewall’s pre-broadcast simulation dry-runs every transaction’s full execution path before signing — flagging any divergence between the displayed parameters and the actual on-chain outcome.