Key takeaways

  • The Bybit attack exploited predictable behaviors and habitual transaction approvals, proving that cybersecurity isn’t just about technology but also about human vigilance.
  • The attack bypassed Bybit’s multisig security by injecting malicious code, highlighting the importance of independent transaction verification.
  • The hacker moved funds rapidly, emphasizing the need for instant alerts, automated responses and emergency protocols in case of breaches.
  • The breach occurred through a compromised third-party wallet interface, proving that exchanges must rigorously vet and monitor external tools.

The Bybit hack shook the crypto landscape, revealing vulnerabilities beyond technology. It exposed how hackers exploit security lapses, human errors and predictable behaviors. While most discussions focus on technical flaws, the real story lies in habits, vigilance and understanding how attackers think and operate.

This article goes beyond standard security practices to uncover what went wrong, why even “secure” systems fail and how crypto exchanges and everyday traders can adopt smarter security practices

If you run an exchange or just use one, these insights could be the key to protecting your assets or falling victim to the next attack.

Why the Bybit hack happened and what It exposed

The Bybit hack involved three attack vectors: phishing and social engineering, manipulation of the multisig wallet and obfuscation of the transaction trail.

The hack stemmed from a sophisticated social engineering attack that exploited a vulnerability in the Safe multisignature (multisig) wallet interface. The attacker tricked Bybit’s signers into approving a transaction that transferred control of the Safe multisig contract. 

This was achieved by injecting malicious JavaScript into the Safe UI, obfuscating transaction details and embedding a backdoor function. The attacker gained unauthorized access and modified the Safe UI code hosted on AWS (Amazon web services). 

Once the altered transaction was approved and signed via the hardware wallets, the malicious JavaScript restored the original transaction details, concealing the manipulation. To further evade detection, the attacker replaced the compromised Safe UI code with a clean version on AWS. Despite these attempts to erase evidence, traces of the malicious code remained accessible through the Wayback Machine.

Series of events in Bybit hack

Did you know? ZachXBT provided conclusive evidence attributing the Bybit hack to the Lazarus Group, a North Korean cybercriminal organization, subsequently claiming the bounty offered by Arkham Intelligence. His detailed analysis included test transactions, interconnected wallet tracing, forensic graph visualization and precise timing records. 

How the Bybit hack exposed the misconception of cold wallet security

As the Bybit hack unfolded, it challenged the long-held belief that cold wallets are the safest way to store digital assets. Multisig cold wallets have been seen as more secure than those controlled by a single individual. However, Bybit’s incident update labeled the breach as an “Unauthorized Activity Involving ETH Cold Wallet,” inaccurately implying that the cold wallet itself was to blame.

Bybit used SafeWallet, a web-based application connected to the internet. True cold wallets are hardware devices entirely offline, making them immune to cyber threats. In this case, the SafeWallet’s user interface was hosted on an AWS S3 bucket, with credentials that had been leaked months prior. This compromised UI became the attackers’ entry point.

Cold wallets are not meant for fast transactions; they require bridging between offline storage and the internet. While they can range from paper wallets to specialized hardware, their security weakness lies in that bridging process.

Bybit likely chose Safe for its convenience, allowing executives remote access. Yet, calling it an actual cold wallet is misleading — it lacked the fundamental offline security that defines cold storage.

Bybit attack flow

Lessons learned from the Bybit hack

The Bybit hack offers some critical lessons for protecting funds on crypto exchanges, emphasizing the need for robust preventative measures.

The danger of routine in security habits

Frequent transfers from cold wallets to hot wallets for business operations can create risky security habits. When such transactions become routine, multisig participants may develop a false sense of security, treating approvals as mere formalities rather than critical security steps. This behavioral lapse played a key role in the Bybit hack.

Over time, the executives handling large fund transfers grew complacent. The hacker exploited predictable patterns in their behavior, using social engineering to bypass security measures. While technical vulnerabilities contributed, the real issue was human oversight — signers approved transactions without thorough verification.

The Bybit incident underscores the need for stricter multisig approval protocols. Industry leaders must reassess security workflows to ensure routine processes don’t become exploitable weaknesses.

Human vulnerability exploited in AWS S3 bucket security breach

The security breach of the AWS S3 bucket originated from a social engineering attack. Despite robust system defenses, the attacker exploited human vulnerability by tricking a SafeWallet developer into clicking a malicious link or opening the malware-infected file. The attacker successfully gained access by leveraging a developer’s trust. 

Crypto exchanges must prioritize employee training regarding phishing, as it is a crucial factor of cybersecurity. Staff members, particularly those with access to sensitive funds, must maintain heightened vigilance against suspicious emails and requests.

Did you know? Following the security breach, Ben Zhou, the CEO of Bybit, reported that nearly all, precisely 99.994%, of the more than 350,000 withdrawal requests were successfully processed within a 10-hour timeframe.

Supply chain attack vectors could be a key factor in breach

Bybit's cryptocurrency management relied on SafeWallet, a third-party wallet interface for transferring crypto, which brings the incident into the purview of a supply chain attack. The incident underscores the importance of vetting and continuous monitoring for external tools or code interacting with an exchange’s funds. 

Exchanges must implement robust integrity checks to detect unauthorized code modifications and strictly adhere to the principle of least privilege. Every executive should be given only limited access, depending on their role. Regular, comprehensive security audits of vendors and software dependencies are essential for mitigating such vulnerabilities.

Beyond the UI: Independent transaction verification for crypto security

Bybit’s executives getting tricked into approving multisig highlights a failure in verifying the actual transaction details. The UI displayed that the transaction was going to a safe address, but it wasn’t. This highlights the need for an independent system to verify transactions, regardless of what appears on the screen.

Secure signing devices that display the actual destination address and amount can prevent this kind of UI spoofing. Users will know the real transaction destination and value, protecting them from unexpected loss. 

Necessity of immediate response in crypto breaches

With Bybit, the hacker executed the plan quickly. Within minutes, they moved funds to dozens of wallets, and within a couple of hours, assets were swapped and moved across chains. By the time Bybit realized and reacted, a voluminous amount had disappeared.

Exchanges need real-time monitoring and alarms for unusual activity. For instance, an unexpectedly large transfer from cold storage or changes to critical smart contracts should trigger immediate red flags and even automatic halts to prevent further damage. An effective emergency response plan, such as freezing all transfers at the first sign of a breach, can limit the extent of the damage.

Also, incorporating a Risk-Based Approach (RBA) is essential for prioritizing responses based on the risk level of different activities and assets. Exchanges can use RBA to assess potential threats more effectively and implement varying levels of security measures based on transaction size, asset type or access rights. Real-time alerts combined with RBA ensure that high-priority risks are addressed first, enabling a more flexible and dynamic approach to ongoing security challenges.

Did you know? Hacken, an independent blockchain security firm, issued an updated proof-of-reserves (PoR) report, confirming that Bybit successfully rectified the ETH discrepancy in client assets within a 72-hour.

Defend against the hackers’ playbook

The Bybit hack followed a “common playbook” of North Korean hackers. Deploy social engineering to get in and complex laundering to get out. Lazarus Group, the architect of the Bybit hack, has been known for using similar methods like phishing employees, installing malware, stealing, chain-hopping and mixing to launder money.

Crypto enterprises need to thoroughly study previous attacks to strengthen defense. If hackers are known to use certain techniques, organizations should analyze them and implement specific countermeasures. For example, they can train employees to be extra cautious with any request related to wallet software. 

Crypto hacks by the Lazarus group from 2017 to 2025

Transparency and collaboration: Key to effective damage control

Bybit’s swift cooperation with blockchain analysts and law enforcement helped freeze some funds and reassure users. Bybit immediately announced it would cover customer losses and engaged experts to track the stolen crypto.

In the event of a hack, transparency and collaboration can significantly reduce the impact. Exchanges should collaborate with blockchain analysis firms, other exchanges and law enforcement to freeze stolen assets as hackers attempt to cash out. By sharing intelligence on hacker addresses and laundering patterns, the crypto community enhances the chances of recovery and makes it harder for criminals to profit.

How crypto exchanges can protect themselves from hackers

The crypto industry must adopt robust security measures:

  • Multi-layered approach to cybersecurity approach: Effective cybersecurity relies on a multi-layered approach, encompassing various key security measures and strategies.
  • Endpoint security solutions: Starting with endpoint security solutions, organizations must protect devices from malware and unauthorized access through threat detection and monitoring tools.
  • Filtering network traffic: Firewalls act as crucial barriers, filtering network traffic based on security rules, while network security safeguards infrastructure through segmentation and intrusion detection.
  • Regular software updates: Maintaining software updates and patches is essential for minimizing vulnerabilities and complementing robust antivirus software to shield against malware and ransomware.
  • Access control: Cloud security ensures data protection through encryption and access controls, and access control itself restricts sensitive information via role-based permissions.
  • Attack surface management: Attack surface management (ASM) proactively identifies and reduces potential entry points that hackers could exploit. This includes monitoring third-party integrations, securing APIs and ensuring up-to-date software patches.

Security practices for individual users to keep funds safe in a crypto exchange

Individual users must take proactive steps to safeguard their funds. From strengthening passwords to recognizing phishing attempts, these security measures can significantly help in protecting their holdings in a crypto exchange:

  • Use strong security: Protect exchange accounts with a unique password and 2FA (two-factor authentication). Never share 2FA codes or private keys. Avoid phishing by verifying URLs before logging in and ignoring suspicious links in emails or texts.
  • Use cold storage: Store large holdings in a hardware wallet or offline storage. Keep only necessary funds on exchanges to minimize risks.
  • Keep software updated: Regularly update devices, apps and browser extensions to fix security flaws. Use antivirus tools and avoid suspicious sites to prevent malware.
  • Monitor account activity: Enable email/text alerts for logins and withdrawals. Review transaction history and use withdrawal whitelisting for added security.
  • Diversify holdings: Spread crypto across multiple platforms or wallets. Choose exchanges with a strong reputation to reduce potential losses.
  • Stay informed: Follow crypto news and exchange updates to stay ahead of threats. Keep track of news related to scams.

Bybit’s wake-up call: Rethinking crypto exchange security post-hack

As the Bybit hack has shown, the security of crypto exchanges is not just a technological issue but also a human one. Even the most advanced security measures can be undermined by human error. As cybercriminals develop more sophisticated tactics, organizations must go beyond technical defenses and adopt a comprehensive security strategy.

Key measures for crypto exchanges include regular employee training to recognize phishing attempts, continuous monitoring to detect anomalies in real-time and proactive threat intelligence sharing within the industry. Exchanges and end-users must stay vigilant and adapt to emerging cybersecurity threats to better defend against this constantly evolving landscape.