
Bybit Hack Forensic Reports Reveal How Lazarus Group Exploited Multisig Wallet UI Manipulation

The cryptocurrency industry is still reeling from the largest digital asset heist in history, and on February 26, 2025, the picture of exactly how North Korean hackers pulled off the $1.5 billion Bybit exploit became significantly clearer. Two independent forensic reports—commissioned by Bybit and conducted by Sygnia Labs and Verichains—were released, providing granular detail on the attack vector that compromised one of the world’s largest exchanges.

The Exploit Mechanics

According to the preliminary findings published on February 26, the Lazarus Group executed a sophisticated supply chain attack targeting Safe{Wallet} (formerly Gnosis Safe), the smart contract infrastructure underlying Bybit’s Ethereum cold wallet. The attackers compromised a developer machine belonging to a Safe{Wallet} developer, injecting malicious code into the transaction interface. When Bybit’s multisig signers initiated what appeared to be a routine cold-to-warm wallet transfer, the manipulated UI displayed a legitimate-looking transaction. In reality, the underlying smart contract logic had been altered to redirect 499,000 ETH—worth approximately $1.5 billion at the time—to attacker-controlled addresses. This was not a brute-force breach of cryptography but a calculated social engineering and supply chain operation that exploited the human interface layer of multisig authentication.

Affected Systems

The primary target was Bybit’s Ethereum cold wallet, which used a Safe{Wallet} smart contract with multiple signers. The attack cascaded across several interconnected systems: the Safe{Wallet} development environment was compromised, the transaction signing interface was manipulated, and the resulting malicious transfer drained ETH along with liquid staking derivatives including stETH and mETH. The broader Ethereum ecosystem felt the shockwaves immediately. Ethereum’s price began falling within hours of the February 21 breach and stood at $2,331 by February 26, down from roughly $2,700, a 13.5% decline amid panic selling and massive withdrawal requests from Bybit users. Bitcoin also slid to $84,076, down over 13% on the week, as the broader crypto market recoiled from the security breach.

The Mitigation Strategy

Bybit CEO Ben Zhou confirmed that the exchange processed over 70% of withdrawal requests within 48 hours, aided by bridge loans and the company’s reserves exceeding $20 billion. The forensic reports recommended several immediate mitigations for exchanges using multisig wallets: implementing hardware-based transaction verification independent of the web interface, adopting multi-layer code review for all smart contract interactions, and deploying real-time anomaly detection on transaction parameters. The reports also highlighted the need for the industry to move beyond UI-based transaction approval toward cryptographic proof verification, where signers can independently validate the actual on-chain effect of any transaction before signing.

Lessons Learned

The Bybit exploit underscores a fundamental truth in crypto security: the strongest cryptography is meaningless if the interface layer between humans and smart contracts can be compromised. Supply chain attacks targeting developer infrastructure represent a new frontier in threats against decentralized finance. The Lazarus Group, which has stolen over $6 billion in crypto since 2017, continues to evolve its tactics, moving beyond exchange breaches toward attacking the foundational tools that the entire ecosystem relies upon. For projects building wallet infrastructure, the message is clear—security audits of smart contracts alone are insufficient. The entire development pipeline, from developer machines to CI/CD systems to deployment mechanisms, must be treated as a potential attack surface.

User Action Required

For users of Bybit and other exchanges, the immediate actions are straightforward. Monitor withdrawal processing times and ensure funds are accounted for. For those using self-custody wallets with multisig setups, verify that your wallet provider has implemented additional verification layers beyond the UI display. Consider using hardware security modules for transaction signing, and always cross-reference the actual transaction data on a blockchain explorer before approving any significant transfer. The era of trusting what you see on screen is over—verification must extend to the code beneath the interface.
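The mitigation and user-action sections above both come down to one practice: check the fields that will actually be signed against what you intend, using a source other than the rendered UI. The following is an added example (not code from the article, Bybit, or Safe{Wallet}) that compares the `message` part of a Safe EIP-712 `SafeTx` typed-data payload with a signer's independently recorded intent and reports every discrepancy; the field names follow the Safe `SafeTx` struct, and both sample payloads are constructed for illustration.

```python
# Added example: out-of-band check of the SafeTx fields a signer is asked to sign.
# The sample intent and payloads below are constructed; addresses are placeholders.
ZERO_ADDRESS = "0x" + "00" * 20
CALL, DELEGATECALL = 0, 1  # values of the Safe 'operation' field


def verify_safe_tx(message, intent):
    """Return a list of findings; an empty list means the signed fields match the intent.

    message: the 'message' object of the EIP-712 typed data (what is actually signed).
    intent:  what the signer believes they are approving, recorded independently of
             the web UI (for example from a ticket or a second communication channel).
    """
    findings = []
    norm = lambda addr: addr.lower()
    if norm(message["to"]) != norm(intent["to"]):
        findings.append(f"recipient mismatch: signing {message['to']}, intended {intent['to']}")
    if int(message["value"]) != int(intent["value_wei"]):
        findings.append(f"value mismatch: signing {message['value']} wei, intended {intent['value_wei']}")
    if int(message["operation"]) == DELEGATECALL:
        findings.append("operation is DELEGATECALL: target code would run in the Safe's own storage context")
    elif int(message["operation"]) != CALL:
        findings.append(f"unknown operation value {message['operation']}")
    if intent.get("plain_transfer", True) and message["data"] not in ("0x", ""):
        findings.append(f"unexpected calldata for a plain transfer: {message['data'][:18]}...")
    if norm(message["refundReceiver"]) != ZERO_ADDRESS or int(message["gasPrice"]) != 0:
        findings.append("gas refund fields are set: a relayer could be paid out of the Safe")
    if int(message["nonce"]) != int(intent["nonce"]):
        findings.append(f"nonce mismatch: signing {message['nonce']}, expected {intent['nonce']}")
    return findings


# Constructed intent: a plain 1 ETH transfer to a known warm-wallet address at nonce 42.
INTENT = {"to": "0x" + "aa" * 20, "value_wei": 10**18, "nonce": 42, "plain_transfer": True}


def _safe_tx(**overrides):
    """Build a constructed SafeTx message; EIP-712 JSON carries uint256 values as strings."""
    base = {"to": INTENT["to"], "value": str(10**18), "data": "0x", "operation": CALL,
            "safeTxGas": "0", "baseGas": "0", "gasPrice": "0", "gasToken": ZERO_ADDRESS,
            "refundReceiver": ZERO_ADDRESS, "nonce": "42"}
    base.update(overrides)
    return base


HONEST_TX = _safe_tx()                                      # matches the intent on every field
TAMPERED_TX = _safe_tx(to="0x" + "bb" * 20, value="0",      # constructed: a UI could still render
                       data="0xdeadbeef", operation=DELEGATECALL)  # this as the intended transfer
```

Run the check against the typed data shown by the signing device rather than against what the browser renders; any non-empty result is a reason to stop and reconcile before the first signature is produced.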

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research before making investment decisions.


13 thoughts on “Bybit Hack Forensic Reports Reveal How Lazarus Group Exploited Multisig Wallet UI Manipulation”

  1. supply chain attack on the dev machine is the scariest part. you can audit the smart contract all day but if the signing interface is compromised you are toast

    1. the fact that two independent forensics teams confirmed the same attack vector tells you Lazarus has been planning this for months. probably since the Safe rebrand

    2. segfault_ exactly. you can verify the contract on etherscan, audit it 10 times, run formal proofs. none of it matters if the HTML your signers see is lying

    3. dev machine compromise means someone clicked a phishing link or had malware on their laptop. years of planning reduced to one bad click

      1. one bad click on a dev laptop and 1.5 billion gone. the opsec gap between what crypto promises and what teams actually practice is terrifying

      2. Noel B. it's always one bad click. the gap between billion dollar security budgets and human opsec will never close

    4. segfault_ this is why people say don't trust, verify. except you literally can't verify the HTML that your multisig interface shows you. fundamental problem

  2. 499,000 ETH moved in a single transaction because the UI lied to the signers. This is a fundamental trust problem with multisig setups that nobody wants to address.

    1. the UI showed a legitimate transaction hash and address. even experienced multisig signers couldn’t tell the difference. this is a trust crisis for hardware wallets too

  3. North Korean state hackers with a $1.5B payout. That is straight up a sovereign-grade cyberattack on a private company. Insane.

  4. the multisig signers did everything right. verified addresses, checked amounts. but the UI was showing them a different transaction than what actually executed on chain. you can't defend against that with human review alone

    1. human review can't catch what the UI is actively hiding from you. the only real fix is signing raw transaction data not rendered interfaces

  5. safe wallet rebranded from gnosis safe shortly before this attack. makes you wonder if the rebrand introduced new attack surface during the transition period
