Attackers infiltrated Bybit Exchange’s Ethereum cold wallet infrastructure to steal $1.46 billion in digital assets through sophisticated interface manipulation and social engineering tactics.
The incident is the largest theft from a centralized crypto exchange since Mt. Gox's 2014 collapse, and it exposed critical weaknesses in institutional-grade multisignature (multisig) setups that had been widely treated as a near-impregnable control.
Security firm TRM Labs attributes the attack with “high confidence” to North Korean state-sponsored hacking collective Lazarus Group, known for stealing over $3 billion in crypto assets since 2018.
Next-Generation Interface Manipulation
The breach occurred through a precisely planned attack on Bybit’s Ethereum multisig cold wallet during a routine transfer to operational warm wallets.
Attackers used an interface-spoofing technique: the signing interface showed the authorized signers the expected transfer details, while the transaction data actually submitted for signature encoded a different, malicious call.
Because every signer saw the same spoofed view, the approvals required under Bybit's 3-of-5 multisig were collected without breaking the signature scheme itself, in what investigators describe as a "supply chain attack with social engineering components".
Blockchain forensic analysts identified the malicious transaction as a call to Safe Protocol's execTransaction function, the same entry point that Check Point researchers had flagged in July 2024 as a vector for interface-manipulation attacks. Routing the payload through the legitimate function kept the transaction looking like a standard flow while its parameters quietly redirected control of the wallet.
Bybit’s security team detected anomalous activity within 47 minutes of the unauthorized transfer, immediately isolating affected systems and initiating protocol-wide security audits. The exchange confirmed that only one ETH cold wallet cluster was compromised, with all other cold storage vaults and user funds remaining secure.
The exchange has partnered with Chainalysis, TRM Labs, and three unnamed blockchain analytics firms to trace the stolen funds across 12,438 wallet addresses. Preliminary analysis shows the attackers employing advanced obfuscation tactics including:
- Cyclic transactions through privacy mixer Tornado Cash
- Cross-chain swaps to Monero and Zcash
- Layered routing through decentralized exchanges
North Korean Lazarus Group
TRM Labs’ attribution to North Korean operatives stems from three key factors:
- Code Similarity: 78% match between the attack's smart contract logic and Lazarus Group's 2022 Harmony Bridge exploit
- Infrastructure Patterns: Use of Russian bulletproof hosting services historically favored by DPRK cyber units
- Funds Movement: Early test transactions mirroring 2022 Ronin Bridge heist patterns

The United Nations Office on Drugs and Crime estimates North Korea has stolen $1.7 billion in crypto assets since 2022, primarily financing its nuclear weapons program.
How the Attackers Abused the Safe Protocol
Attackers abused Gnosis Safe's execTransaction function in an attack pattern Check Point researchers had previously described. The manipulated interface:
- Presented legitimate-looking transfer details to signers
- Embedded, in the transaction actually signed, logic that handed the attackers control of the wallet contract
- Produced valid EIP-712 signatures over those malicious parameters, because the signers approved a transaction hash that did not correspond to the details shown to them
A single round of approvals thereby authorized the hidden takeover of the wallet contract in place of the routine warm-wallet transfer.
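The practical defense against this class of attack is to check what is actually being signed rather than what a web interface renders. The following is an added example, not code from this article, Safe, or Bybit: a pure-Python pre-signing check that ABI-decodes raw execTransaction calldata and compares the target, value, operation type and payload with the signer's stated intent (a plain ETH transfer to a known warm wallet). The selector 0x6a761202 and the execTransaction parameter layout are Safe's real ones; the warm-wallet and attacker addresses, the amount and the calldata are constructed for illustration and are not from the incident. It flags operation=1 (delegatecall) because a delegatecall runs the callee's code inside the Safe's own storage context, which is what lets a malicious callee rewrite the proxy's implementation slot and take over the wallet.

```python
"""Independent pre-signing check for a Safe execTransaction call.

Added example, not Safe's or Bybit's code. It ABI-decodes the calldata that
is actually about to be signed and compares the on-chain facts (target,
value, operation, payload) with what the signer believes they are approving.
Sample addresses and calldata below are constructed, not from the incident.
"""

# 4-byte selector of Safe's
# execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)
EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")
OP_CALL, OP_DELEGATECALL = 0, 1
ZERO_ADDRESS = "0x" + "00" * 20


def _word(n: int) -> bytes:
    """Encode an unsigned integer as a 32-byte big-endian ABI word."""
    return n.to_bytes(32, "big")


def _addr_word(addr: str) -> bytes:
    """Left-pad a 20-byte hex address to a 32-byte ABI word."""
    return bytes(12) + bytes.fromhex(addr[2:])


def _pad32(b: bytes) -> bytes:
    """Right-pad bytes to a multiple of 32 (ABI dynamic-type tail padding)."""
    return b + bytes(-len(b) % 32)


def encode_exec_transaction(to: str, value: int, data: bytes, operation: int,
                            signatures: bytes = b"") -> bytes:
    """ABI-encode execTransaction calldata (gas/refund fields zeroed) as test input."""
    head_words = 10                                 # ten static head slots
    data_off = 32 * head_words                      # byte offset of the `data` tail
    sig_off = data_off + 32 + len(_pad32(data))     # `signatures` tail follows `data`
    head = (_addr_word(to) + _word(value) + _word(data_off) + _word(operation)
            + _word(0) * 3                          # safeTxGas, baseGas, gasPrice
            + _addr_word(ZERO_ADDRESS) * 2          # gasToken, refundReceiver
            + _word(sig_off))
    tail = _word(len(data)) + _pad32(data) + _word(len(signatures)) + _pad32(signatures)
    return EXEC_TRANSACTION_SELECTOR + head + tail


def decode_exec_transaction(calldata: bytes) -> dict:
    """Pull to / value / operation / data out of execTransaction calldata."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction call")
    body = calldata[4:]
    word = lambda i: body[32 * i:32 * (i + 1)]
    data_off = int.from_bytes(word(2), "big")
    data_len = int.from_bytes(body[data_off:data_off + 32], "big")
    return {
        "to": "0x" + word(0)[12:].hex(),
        "value": int.from_bytes(word(1), "big"),
        "operation": int.from_bytes(word(3), "big"),
        "data": body[data_off + 32:data_off + 32 + data_len],
    }


def check_plain_eth_transfer(calldata: bytes, expected_to: str, expected_value: int) -> list:
    """Return findings for calldata that should be a plain ETH transfer; [] means it matches."""
    tx = decode_exec_transaction(calldata)
    findings = []
    if tx["operation"] == OP_DELEGATECALL:
        # delegatecall executes the callee in the Safe's own storage context, so the
        # callee can overwrite the proxy's implementation slot and take over the wallet
        findings.append("operation=1 (delegatecall) in what should be a plain transfer")
    if tx["to"].lower() != expected_to.lower():
        findings.append(f"target {tx['to']} != expected {expected_to}")
    if tx["value"] != expected_value:
        findings.append(f"value {tx['value']} != expected {expected_value}")
    if tx["data"]:
        findings.append(f"unexpected {len(tx['data'])} bytes of calldata on an ETH transfer")
    return findings


# Constructed sample: a routine 1,000 ETH sweep to a warm wallet versus a
# delegatecall into an attacker contract that a spoofed UI would render identically.
WARM_WALLET = "0x" + "11" * 20
ATTACKER_CONTRACT = "0x" + "ee" * 20
ONE_THOUSAND_ETH = 1000 * 10**18
BENIGN_CALLDATA = encode_exec_transaction(WARM_WALLET, ONE_THOUSAND_ETH, b"", OP_CALL)
MALICIOUS_CALLDATA = encode_exec_transaction(
    ATTACKER_CONTRACT, 0, bytes.fromhex("deadbeef") + _word(0), OP_DELEGATECALL)

if __name__ == "__main__":
    for label, cd in (("benign", BENIGN_CALLDATA), ("malicious", MALICIOUS_CALLDATA)):
        print(label, check_plain_eth_transfer(cd, WARM_WALLET, ONE_THOUSAND_ETH) or "OK")
```

The check is only as good as its input source: feed it the raw calldata (or the hash) shown on the hardware wallet's own screen or pulled from the signing request, not values copied from the same web page that may have been tampered with. A routine transfer that decodes to operation=1, a different target, or unexpected payload bytes should block signing regardless of what the interface displays.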
As investigations continue, this breach marks a turning point for digital asset security, showing that even robust technical safeguards remain vulnerable when the interface between the signer and the data being signed can be subverted.