The Bybit Breach: Why Multi-Sig Alone Isn’t Enough and How Cobo Tackles the Challenges
February 22, 2025
The recent Bybit hack, which resulted in the theft of over $1.5 billion worth of assets, exposes the vulnerabilities inherent in even the most secure digital asset storage solutions.
Bybit has released a forensic review confirming that its internal security systems were not compromised. The investigation attributed the attack to a breach within Safe{Wallet}’s infrastructure. Attackers compromised a Safe{Wallet} developer’s credentials, enabling them to inject malicious JavaScript into Safe{Wallet}’s AWS S3 bucket. This allowed them to manipulate the UI and deceive Bybit’s signers into approving unauthorized transactions.
As attackers grow more advanced, traditional assumptions about cold storage, multi-signature wallets, and private key management need urgent reassessment.
The Cobo security team dissects what went wrong and, more importantly, how institutions can reinforce their custody security against such breaches.
How the Attack Happened
On February 21, 2025, Bybit's cold wallet signers were shown a transaction in the Safe{Wallet} web interface that appeared to be a routine token transfer from the cold wallet to a hot wallet address. After reviewing what the interface displayed, they signed it. The transaction they actually signed, however, was a delegatecall that replaced the implementation (master copy) contract behind Bybit's Safe{Wallet} proxy, giving the attacker control of the wallet and everything held in it.
Blockchain investigators have linked this attack to North Korea's Lazarus Group, known for its advanced cyber operations and previous exploits targeting digital asset platforms. The forensic review further revealed that the attackers used the compromised developer credentials to modify Safe{Wallet}'s infrastructure, manipulating the UI served to Bybit's operators.
The Bybit incident is part of a larger pattern of increasingly sophisticated attacks on major cryptocurrency platforms whose treasuries are held in Safe{Wallet} multi-sigs. Recent similar cases include:
$50 million hack on Radiant Capital (October 2024): A second major breach for the platform in the same year, exposing weaknesses in its security framework.
$235 million hack on WazirX (July 2024): One of the largest crypto exchange breaches in India, allegedly linked to North Korean hacking groups.
Key Vulnerabilities Exposed
1. Hot-End Device Compromise
Early reports suggested that the attackers had compromised Bybit's operators' devices; the forensic review later placed the tampering in Safe{Wallet}'s hosted UI instead. Either way, the effect on the signing flow was the same:
🔴 What operators saw on their screens was not what was actually signed.
🔴 Transaction data was manipulated before it reached the hardware wallet.
🔴 Bybit’s operators unknowingly approved a malicious transaction due to UI manipulation, reinforcing concerns around blind signing risks.
Bybit has stated that they performed normal operations on the Safe{Wallet} page and conducted all necessary reviews.
Safe{Wallet} has confirmed that its investigation found no breach of the Safe{Wallet} codebase or smart contracts. Forensic analysis did, however, find that attackers altered Safe{Wallet}'s infrastructure, injecting malicious JavaScript into the AWS S3 bucket that serves the web UI. The tampered UI deceived Bybit's operators into approving unauthorized transactions. While Bybit's internal security remained intact, the incident highlights the risk of blind signing in transaction approvals: a signer who cannot read the transaction from the signing device itself has no defence against a compromised front end.
2. Blind Signing on Hardware Wallets
Many hardware wallets cannot parse a Safe{Wallet} transaction into its fields (destination, value, calldata, operation type). For such a transaction the device typically displays only the EIP-712 hash, a 32-byte value that cannot be checked by eye against the intended transfer. This forces operators into blind signing: approving a transaction without verifying its contents on the device itself. Bybit's operators were shown a counterfeit interface with legitimate-looking details, while the hash they approved on the device belonged to a malicious transaction.
3. Lack of Risk Control Measures
Bybit's security could have been significantly strengthened by basic yet effective risk controls tailored to cold wallet use cases, such as address whitelisting to restrict transfers to pre-approved destinations and limits on which contracts and operation types a cold wallet may interact with at all.
Cobo’s Perspective: A Multi-Pronged, Multi-Layered Security Approach
Security enhancements must be implemented from multiple angles and at multiple levels to create a truly resilient system:
Horizontal Enhancements (Distributed Control):
Increasing the number of Safe{Wallet} signers or introducing an MPC signer to eliminate single points of failure.
Ensuring operational independence of signers using different hardware wallets, UI portals, and even geographic distribution.
While Bybit had multiple signers, their entire security stack relied on Safe{Wallet}’s solution. In this case, once the UI was compromised, the multi-signature mechanism was effectively bypassed.
Vertical Enhancements (Strengthening Each Signer’s Security):
Using independent front-end UIs.
Deploying separate risk control systems.
Strengthening hardware wallet firmware to better parse transaction details.
Adding manual verification or even AI-based risk assessments.
Cobo's Solution to Enhance Safe{Wallet}-based Multi-Sig Security
1. Co-Signing for Safe{Wallet} – The Missing Layer of Security
The Bybit hack exposed a fundamental flaw in traditional multi-signature security—without an independent layer of transaction validation, attackers can manipulate UI interfaces, contract logic, and transaction data to deceive signers.
An institutional-grade co-signing service for Safe{Wallet} provides an independent layer of security, acting as a crucial last line of defence by:
Enabling multi-party approval workflows with robust, independent risk controls.
Enforcing strict transaction review rules, including:
Blacklists/whitelists for transfer addresses.
Smart contract interaction address controls.
Granular parameter restrictions on transactions.
Importantly, these security enhancements do not interfere with customer asset ownership. The co-signing entity holds only one signer key, meaning institutions retain full control over their Safe{Wallet}; the safeguard is only effective, however, if the Safe's threshold is set so that no transaction can execute without the co-signer's approval. This missing safeguard layer could have stopped the Bybit hack.
2. Closing the Security Gap: Pre-Signing Verification for Hardware Wallets
Traditional hardware wallets cannot display the full contents of a Safe{Wallet} transaction, exposing users to UI manipulation, phishing attacks, and blind signing. To address these challenges, the industry can introduce:
Safe{Wallet} EIP-712 message decoding for full transaction visibility.
Real-time risk assessments without requiring frequent firmware updates.
Cobo is advocating for this transformation by collaborating with hardware wallet providers to establish an independent third-party verification layer, ensuring transactions are validated before they are signed.
The Future of Digital Asset Security
The Bybit hack highlights the need for enhanced security in multi-signature setups and transaction validation. While the forensic review indicates that Safe{Wallet}'s smart contracts were unaffected, the attack underscores the importance of securing developer access credentials and reducing reliance on blind signing.
Institutions must:
Implement both horizontal and vertical security measures.
Strengthen transaction verification and risk assessment mechanisms.
Reduce reliance on a single UI or transaction pipeline.
The digital asset industry must adopt a security-first approach, where multi-layered defenses, independent verification mechanisms, and cutting-edge transaction analysis become the standard.
True security means every transaction is intentional, transparent, and resistant to manipulation.
Institutions must act before the next major attack—not after.