What We Can Learn from the $1.4 Billion Bybit Hack?

Published on: March 17, 2025 (12 minute read)

Author: QuillAudits Team

February 21, 2025 — a date that will be remembered as the day crypto witnessed the largest theft in its history, with Bybit losing $1.5 billion in a sophisticated heist.

While Bybit has survived, thanks to its massive reserves and quick response — this incident has exposed deep-rooted vulnerabilities in the way even the most "secure" crypto platforms operate.

Here’s a deep dive into what went wrong, and more importantly, what every crypto user, builder, and exchange can learn from it.

How Did the Bybit Hack Happen?

It's surprising because, on the surface, the Bybit hack occurred within an environment that looked to have strong security measures:

  • Cold wallets for the bulk of funds
  • Hot wallets topped up manually with multi-signature (multisig) protections
  • Use of Safe{Wallet} multisig solutions, with transactions signed via Ledger hardware keys

So what happened?

1. Supply Chain Attack on Safe{Wallet}

Independent researchers suggest that attackers compromised a Safe{Wallet} developer machine — likely inserting malicious code into the Safe{Wallet} web interface. But here’s the genius (and dangerous) part:

The malicious code was silent — it only activated when Bybit's contract address was involved.

So, for any normal user, Safe{Wallet} functioned perfectly. But for Bybit employees, when topping up the hot wallet with $7M, what appeared on their screens wasn’t what got signed.

2. Blind Multi-Sig Signing

Since multisig signing on Ledger does not display recipient addresses, the Bybit team unknowingly signed off a malicious transaction. What they thought was a $7M transfer became a complete drain of a cold wallet — with assets redirected to hundreds of attacker-controlled wallets.

Once the hack was done, the malicious code auto-reverted, making it extremely hard to trace or prove the initial compromise.

Who Was Behind It?

  • Lazarus Group (aka TraderTraitor, APT38, BlueNoroff, Stardust Chollima), a North Korean state-sponsored group, is officially blamed by the FBI.
  • The same group was behind Ronin Bridge’s $540M hack, DMM Bitcoin’s $300M hack, and KuCoin’s $275M hack — all known for long-term, highly targeted intrusions.

This isn’t just a "one-off". It’s part of a systematic, sophisticated global operation.

Key Lessons for the Crypto Industry

1. Even Multisig Isn't Foolproof — UX Matters

We tend to think of multisig wallets and hardware devices as the final line of defense — but what if the interface feeding them bad data is already compromised? That’s what happened here.

  • Ledger, used for Bybit’s multisig, did not show the recipient address when employees were approving transactions.
  • So, employees had no way of knowing they were signing malicious transactions — the "security" of the hardware wallet became irrelevant.

Security is only as strong as the human-readable verification layer.

  • Hardware wallets and multisig platforms must evolve to display full transaction details, including destination addresses, even for complex smart contract calls.
  • Blind signing — where users approve "blobs" of data without understanding them — needs to become a thing of the past.

If users can't clearly see what they're signing, the system is broken — no matter how "secure" it looks.
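The failure described above was a gap between what the Safe{Wallet} interface rendered and what the Ledger keys actually signed. As an added example (our code, not Bybit's or Safe{Wallet}'s), here is a second-channel check that re-derives the recipient and amount from the raw bytes a co-signer is asked to approve and compares them with the operator's stated intent, so the divergence is caught before a key touches it. The Safe transaction field names (to, value, data, operation), the operation code 0 for CALL and the ERC-20 `transfer(address,uint256)` selector are assumed from the public interfaces; all addresses and amounts are constructed.

```python
# Added example: verify a multisig payload against intent instead of trusting the UI.
ERC20_TRANSFER_SELECTOR = "a9059cbb"  # keccak256("transfer(address,uint256)")[:4]
OP_CALL = 0                           # Safe operation code for a plain CALL (assumed)


def decode_erc20_transfer(data_hex: str):
    """Return (recipient, amount) from ERC-20 transfer calldata, or None if it is not one."""
    data = data_hex.lower()
    data = data[2:] if data.startswith("0x") else data
    if len(data) != 8 + 64 + 64 or data[:8] != ERC20_TRANSFER_SELECTOR:
        return None
    recipient = "0x" + data[32:72]   # address occupies the low 20 bytes of a 32-byte word
    amount = int(data[72:], 16)
    return recipient, amount


def check_safe_tx(tx: dict, intent: dict) -> list:
    """Compare the payload presented for signing with what the operator meant to do.
    tx: {"to", "value", "data", "operation"}; intent: {"token", "recipient", "amount"}.
    Returns a list of findings; an empty list means the payload matches the intent."""
    findings = []
    if tx["operation"] != OP_CALL:
        findings.append(f"operation is {tx['operation']}, expected CALL ({OP_CALL})")
    if tx["to"].lower() != intent["token"].lower():
        findings.append(f"outer target {tx['to']} is not the expected token contract")
    if tx["value"] != 0:
        findings.append(f"unexpected native value {tx['value']} on a token transfer")
    decoded = decode_erc20_transfer(tx["data"])
    if decoded is None:
        findings.append("calldata is not an ERC-20 transfer; do not sign it blind")
        return findings
    recipient, amount = decoded
    if recipient != intent["recipient"].lower():
        findings.append(f"recipient {recipient} != intended {intent['recipient'].lower()}")
    if amount != intent["amount"]:
        findings.append(f"amount {amount} != intended {intent['amount']}")
    return findings


def encode_transfer(recipient: str, amount: int) -> str:
    """Build ERC-20 transfer calldata (used here only to construct sample payloads)."""
    return "0x" + ERC20_TRANSFER_SELECTOR + recipient[2:].rjust(64, "0") + format(amount, "064x")


# Constructed sample values; none of these are real contracts or wallets.
TOKEN, INTENDED_RECIPIENT, ATTACKER = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20
AMOUNT = 7_000_000 * 10**6   # a 7M top-up of a 6-decimal token, as in the post's scenario
INTENT = {"token": TOKEN, "recipient": INTENDED_RECIPIENT, "amount": AMOUNT}
HONEST_TX = {"to": TOKEN, "value": 0, "data": encode_transfer(INTENDED_RECIPIENT, AMOUNT), "operation": OP_CALL}
TAMPERED_TX = {**HONEST_TX, "data": encode_transfer(ATTACKER, AMOUNT)}  # UI shows the honest one

if __name__ == "__main__":
    print("honest:", check_safe_tx(HONEST_TX, INTENT))      # []
    print("tampered:", check_safe_tx(TAMPERED_TX, INTENT))  # recipient mismatch
```

The same check belongs in any signing flow a wallet or dApp builds: decode and display the real destination, amount and call type from the bytes, and refuse to proceed on a mismatch or on calldata the checker cannot decode.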

2. Supply Chain Attacks Are the New Frontline

What’s terrifying is Lazarus Group didn’t hack Bybit directly.

Instead, they compromised Safe{Wallet}, a service provider integrated into Bybit’s security stack — and used that to inject malicious code that facilitated the theft.

This is part of a broader trend: attacking the trusted vendors, SDKs, or dependencies you rely on, rather than going after the main target directly.

  • Audit every layer of your supply chain — including wallet providers, SDKs, and libraries.
  • Continuously monitor for unexpected behavior from third-party tools — assume vendors can and will be compromised.
  • Consider sandboxing or isolating critical vendor tools, especially if they touch high-value funds.

3. Social Engineering + The Long Game

This wasn’t just a clever exploit — it may have been months of setup:

  • Lazarus is infamous for long-term campaigns involving fake job offers, malware-infected PDFs, and social engineering.
  • It's very possible the Safe{Wallet} compromise itself was part of a months-long infiltration, laying dormant until the perfect moment.
  • Security is not just code — it’s people.
  • Train your teams to spot phishing attempts, social engineering, and suspicious behavior.
  • Run regular phishing simulations, red team exercises, and security drills — security awareness should be an ongoing culture, not a one-time workshop.
  • Finally, assume that vendors and partners will get compromised eventually — design your system to survive that.

What Regular Crypto Users Can Learn from This (Because You're Not Safe Either)

Sure, Bybit will probably compensate users and stay afloat. But what if this had been an exchange without deep pockets?

Think Mt. Gox, FTX, DMM Bitcoin — users might never see their funds again.

Here’s what individual investors and crypto builders should take away:

A. Self-Custody Best Practices

If you're not using self-custody — you don't own your crypto. Period.

But just holding your keys isn’t enough — you need to do it right. Here's how:

  • Use hardware wallets with screens that display transaction details.
    • Verify everything before you hit "confirm" — especially recipient addresses and amounts.
    • Never sign "blind" transactions, where you don’t fully understand what’s happening.
    • If your wallet just shows a blob of data and says "Confirm," stop and investigate.
  • Buy hardware wallets ONLY from official manufacturers.
    • Avoid Amazon, eBay, resellers, or second-hand devices — it's too easy for attackers to tamper with devices or firmware.
    • Think of it like buying a parachute — you don’t want a cheap or tampered one.
  • Manually verify recipient addresses on the hardware wallet screen.
    • Don't trust the address shown on your computer or phone, especially if you’ve clicked on a link.
    • Your hardware wallet’s display is your only trusted source.

B. Never Store Seed Phrases Digitally

If hackers get your seed phrase, they get everything — and they’re actively looking for them in your files, screenshots, cloud accounts, and notes apps.

Best practices:

  • No screenshots. No notes apps. No Google Drive or iCloud backups.
  • Seed phrases belong offline — period.
  • Store them on paper (laminated if needed) or metal backups that survive fire, water, and physical damage.
  • For extra safety, split the seed phrase into parts and store them in separate secure locations (e.g., 12 words in one location, 12 in another, if using a 24-word phrase).
  • Never share your seed phrase with anyone — not even someone claiming to be tech support.

C. Diversify Your Storage

Don’t make the mistake of putting all your eggs in one basket. Crypto is like cash — you wouldn’t walk around with your entire life savings in your wallet.

Here’s how to break it down:

  • Separate wallets for different purposes:
    • Daily use wallet for regular transactions — only small amounts you’re comfortable losing.
    • Long-term cold storage wallet — for significant holdings you rarely touch.
  • Use different wallets for different tokens or activities:
    • One for NFTs, one for DeFi, one for staking, etc. — so if one gets compromised, your whole portfolio isn’t drained.
  • Don’t keep everything on an exchange.
    • Exchanges are not banks — even if they seem safer or more convenient.
    • Withdraw to self-custody whenever possible.

D. Dedicated Devices for Crypto

Most people use the same device for browsing memes, checking emails, and moving thousands of dollars of crypto — that’s a huge risk.

Every app you download, every website you visit, every attachment you open — is a potential attack vector.

Here’s what to do:

  • If you can afford it, use a separate laptop or mobile device JUST for crypto.
    • No random apps.
    • No browsing the web.
    • Crypto only.
  • If a separate device isn’t possible:
    • Create a dedicated user account on your computer for crypto activities.
    • Set that account to low privileges, so if something goes wrong, it’s harder for malware to spread.
  • Turn off browser extensions when using wallets.
    • Especially avoid extensions like ad blockers, productivity tools, or anything unnecessary — some could be compromised.
  • Keep software updated, but from trusted sources only.
    • Malware often enters through outdated software — but also avoid downloading shady "updates."

If You’re a Developer or Building a Crypto Startup: How to Stay Ahead

A. Vet Vendors and Dependencies

  • Thoroughly audit third-party tools, SDKs, and wallet integrations.
  • Prefer open-source solutions with community visibility over closed-source.
  • Implement continuous monitoring for any signs of compromise in vendor tools.

B. Security-Focused UX

  • If you’re building wallets, dApps, or transaction signing flows:
    • Ensure users see exactly what they're signing — destination addresses, amounts, contract details.
    • Push for hardware wallet integrations that support rich transaction visualization.
  • Avoid blind signing at all costs — even if it slows UX slightly, it's better than losing funds.

C. Plan for the Worst

  • Build incident response plans for when breaches happen — because eventually, one will.
  • Set up insurance or internal reserves to cover potential user losses.
  • Launch bug bounty programs and red team testing — let friendly hackers find holes before malicious ones do.

Multi-Layered Audit Framework Is a Must

At QuillAudits, we've always advocated for a multi-layered security approach:

  • AI-powered tools to catch known vulnerabilities and patterns.
  • Human-led audits to analyze business logic and detect advanced attack vectors.
  • Ongoing monitoring to spot suspicious activities in real time.

The Bybit hack is a textbook case where AI alone couldn't have helped — it needed human scrutiny of business logic, transaction flows, and third-party dependencies.

Final Thoughts

Bybit’s hack is a wake-up call — no one is too big or too secure to be attacked.

  • For individuals, self-custody with discipline is essential.
  • For exchanges and protocols, it's time to rethink dependencies, multisig usability, and transaction visibility.
  • And for everyone in crypto — security is a journey, not a destination.

The choice is clear: Either level up security, or face the next Lazarus attack.
