Bybit’s $1.4-billion heist is a stark reminder of the vulnerabilities in cryptocurrency security systems

The hackers didn’t attack Bybit’s blockchain directly. They hijacked the very process Bybit relied on to protect itself, slipping into the final approval layer where transactions are signed off — and rewriting the rules in real time.

The $1.4-billion stolen from Dubai-based exchange Bybit last month — the largest known cryptocurrency theft to date — has exposed just how vulnerable even the most secure digital vaults can be. The breach targeted Bybit’s cold wallets, the very part of its infrastructure designed to be untouchable, forcing the industry to confront a harsh truth: security technology means little when human processes can still be hijacked.

Founded in 2018, Bybit is one of the largest cryptocurrency exchanges globally, serving millions of users across multiple jurisdictions. Like most major exchanges, Bybit secures a significant portion of customer funds in cold wallets — offline storage designed to act as a firewall against online attackers. But the idea that cold storage offers ironclad protection collapsed in February when hackers managed to bypass those very safeguards.

Funds were siphoned out of Bybit’s cold wallet and pushed into a hot wallet, where they could be moved and laundered through a series of transactions designed to scramble the money trail.

The anatomy of a heist

The attack itself combined old-school cyber intrusion with blockchain-level manipulation. Oded Vanunu, chief technologist at Check Point Software, explained how the operation unfolded in an interview with Daily Maverick.

“The first phase was that the attackers were targeting what we call their target technology,” Vanunu said. “They did reconnaissance, they did intel gathering, and they understood that the person at Bybit was using some kind of platform to approve transactions and multi-sig platforms.”

That platform was Safe Global — the very system Bybit used to approve its largest transactions. Once the attackers compromised internal credentials, they injected malicious JavaScript directly into the Safe Global interface.

“What happened is that they replaced the JavaScript that was supposed to do a regular signing flow,” Vanunu said. “Once the user was submitting the UI and saying ‘Okay, I approve it,’ the JavaScript that was running was malicious.”

That injected code altered the transaction at the point of approval, redirecting the funds while keeping the interface looking normal to Bybit’s internal staff.

“The malicious JavaScript was just — think about it — doing privilege escalation,” Vanunu said. “It provided the attacker control to send a transaction on behalf of Bybit, to escalate privilege to the CEO level.”

In short, the hackers didn’t attack Bybit’s blockchain directly. They hijacked the very process Bybit relied on to protect itself, slipping into the final approval layer where transactions are signed off — and rewriting the rules in real time.
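The failure described above is an approval interface that shows the signer one transaction while handing the signing component another. The following is an added illustration of the defensive counterpart; it is not code from the article, from Bybit, Safe Global or Check Point. It assumes a signing workflow in which the approver records their intent out of band, the served signing script is pinned by hash at release time (the same idea as a Subresource Integrity digest), and an independent gate compares the recorded intent with the payload that actually reaches the signer. All scripts, addresses and field names below are constructed placeholders; the `operation` encoding (0 = CALL, 1 = DELEGATECALL) follows Safe's convention.

```python
"""
Defender-side gate for a web-based multi-sig signing flow (added example, not
the article's or any vendor's code). Two checks run before a signature is
produced:
  1. the served signing script matches a hash pinned at release time, and
  2. every field of the payload about to be signed matches the intent the
     approver recorded independently of the web UI.
All sample inputs are constructed placeholders.
"""
import hashlib
from dataclasses import dataclass

# --- Constructed sample inputs -------------------------------------------------
GOOD_SCRIPT = b"// signing-flow.js v1: builds the SafeTx payload from the form fields\n"
TAMPERED_SCRIPT = GOOD_SCRIPT + b"window.__swapRecipient = true;\n"
# Digest pinned from the reviewed script at build time; the value an SRI
# `integrity` attribute or a release manifest would carry.
PINNED_SCRIPT_SHA256 = hashlib.sha256(GOOD_SCRIPT).hexdigest()


@dataclass(frozen=True)
class TxIntent:
    """What the approver believes they are authorising, recorded out of band."""
    to: str          # destination address, hex
    value_wei: int   # native value in wei
    data: str        # calldata, hex ("0x" when empty)
    operation: int   # 0 = CALL, 1 = DELEGATECALL (Safe's encoding)


INTENT = TxIntent(to="0x" + "aa" * 20, value_wei=10**18, data="0x", operation=0)

# Payload exactly as the signing component receives it (this is what gets signed).
HONEST_PAYLOAD = {"to": "0x" + "AA" * 20, "value": 10**18, "data": "0x", "operation": 0}
TAMPERED_PAYLOAD = {"to": "0x" + "bb" * 20, "value": 10**18, "data": "0xdeadbeef", "operation": 0}


def script_is_untampered(script: bytes, pinned_sha256_hex: str) -> bool:
    """Integrity check: served signing script must match the pinned digest."""
    return hashlib.sha256(script).hexdigest() == pinned_sha256_hex


def _norm_hex(s: str) -> str:
    """Lower-case and 0x-prefix a hex string so case differences don't mask a mismatch."""
    s = s.lower()
    return s if s.startswith("0x") else "0x" + s


def diff_intent(intent: TxIntent, payload: dict) -> list[str]:
    """Names of the fields where the signing payload departs from recorded intent."""
    checks = {
        "to": _norm_hex(intent.to) == _norm_hex(payload["to"]),
        "value": intent.value_wei == int(payload["value"]),
        "data": _norm_hex(intent.data) == _norm_hex(payload["data"]),
        "operation": intent.operation == int(payload["operation"]),
    }
    return [name for name, ok in checks.items() if not ok]


def should_sign(intent: TxIntent, payload: dict, script: bytes, pinned: str) -> tuple[bool, list[str]]:
    """Gate the signature: refuse on script tampering, any field mismatch, or
    a non-CALL operation that has not been separately reviewed."""
    reasons: list[str] = []
    if not script_is_untampered(script, pinned):
        reasons.append("signing script digest does not match pinned value")
    for field in diff_intent(intent, payload):
        reasons.append(f"payload field '{field}' differs from recorded intent")
    if int(payload["operation"]) != 0:
        reasons.append("non-CALL operation requires a second reviewer")
    return (not reasons, reasons)


if __name__ == "__main__":
    for label, payload, script in (
        ("honest", HONEST_PAYLOAD, GOOD_SCRIPT),
        ("tampered", TAMPERED_PAYLOAD, TAMPERED_SCRIPT),
    ):
        ok, why = should_sign(INTENT, payload, script, PINNED_SCRIPT_SHA256)
        print(f"{label}: sign={ok} reasons={why}")
```

The point of the gate is that it never consults the web page: the intent comes from the approver's own record and the payload from the signing component, so a script that rewrites the transaction between those two points produces a field mismatch regardless of what the interface renders. In practice the same comparison belongs on the hardware signer's display, where the page cannot reach it.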

Vanunu confirmed that this was no opportunistic smash-and-grab, but rather a calculated, slow-burn campaign.

“They did reconnaissance. They did intel gathering. These wallets were obviously being monitored beforehand,” Vanunu said.

Monitoring and missed signals

The level of organisation involved reflects a broader reality that exchanges and regulators have been slow to accept: cybercrime is no longer a loose collection of opportunists. It’s an industry.

“You’ve got to understand these organisations like what they are — a business,” Vanunu said. “They’ve got a CEO, a CTO and customers.”

This particular campaign bears all the hallmarks of Lazarus Group, the North Korean state-backed APT (advanced persistent threat) responsible for some of the largest crypto thefts on record. Vanunu and his team have been tracking activity consistent with this method since mid-2024.

“In July last year, we saw campaigns that were using the same trick — tricking the Safe protocol,” Vanunu said. “We saw them spoofing sender IDs and preparing malicious smart contracts months before the Bybit attack itself.”

That raises uncomfortable questions for Bybit and for Safe Global itself. If this technique was already detected and documented, why was Bybit’s cold wallet infrastructure still exposed to it?

Cold wallets are meant to exist outside of direct online reach, but Bybit’s signing process — routed through Safe Global — created a hidden vulnerability. Every step in that process was a potential doorway for attackers, and once the attackers found one, the cold wallet was only as secure as the weakest internal login.

By Tuesday, 18 February 2025, the infrastructure for the Bybit breach was already set.

“They started to fund the attack wallets so they could be ready to execute,” Vanunu said.

The laundering machine

As at publication, more than 70% of the stolen funds have already been moved across thousands of wallets, probably passing through a combination of mixers and chained transactions to obscure their origins. This is standard Lazarus procedure — laundering money at a scale few other criminal groups can match.

It’s a well-oiled machine: hijack the transaction, spread the funds, wash them through mixers, and ultimately exit into fiat currency through a series of complicit or poorly monitored exchanges.

For Bybit, recovering the stolen assets is now secondary to understanding how its most trusted security process became a liability.

A warning for every investor

The Bybit heist reinforces what many in the industry quietly know: no exchange is unbreachable. Cold wallets and multi-sig protections create layers, but the moment an insider is compromised — or the infrastructure around those protections is weakened — the vault becomes just another door.

Vanunu’s advice for investors is blunt: minimise funds held on exchanges. Self-custody should be the default for serious holders, with hardware wallets isolated from any online processes. And every single interface between storage and transaction approval should be treated as hostile until proven otherwise.

“We would not be surprised if some state sponsor was involved,” Vanunu said. “Because once you use the exploit, once you know the vulnerability is there, if you can pull out like $1.5-billion and then do mixing and chaos on the network, then you can take out like $700-million.”

For South African investors, this is not some distant offshore event. Crypto exchanges operating locally often lean heavily on international platforms and tools — many of them tied into the very same ecosystems that Lazarus and others are now actively exploiting.

The Bybit hack is not just a crime story. It’s a systems failure — a case study in how blockchain’s decentralised promise is undermined by the very centralised platforms meant to secure it. The gap between security theory and operational reality has never been wider.

And in that gap, organised cybercrime is thriving. DM