What Happened?
The attack drained roughly 401,000 ETH from Bybit's Ethereum cold wallet. Rather than breaking into Bybit's own key storage, the attackers compromised Safe{Wallet}, the third-party multi-signature wallet front end Bybit used to approve transfers, and used that position to manipulate the transactions Bybit's signers approved.
How Did the Hack Happen?
The breach involved several stages:
| Stage | Description |
| --- | --- |
| Supply-chain compromise | The attackers gained the ability to modify Safe{Wallet}'s front-end JavaScript, which was served from an AWS S3 bucket, after compromising a Safe{Wallet} developer's machine. |
| Code injection | They replaced the hosted JavaScript with a version carrying malicious code, written to activate only for Bybit's Safe address, so every user of the web interface loaded it without noticing anything. |
| Transaction hijacking | When Bybit's signers approved a transfer, the script swapped in different transaction contents during the signing flow, so the signatures they produced authorised the attackers' payload instead of the transfer shown on screen. |
| Phishing and social engineering | Initial access to the developer's credentials was likely obtained through targeted social engineering of employees. |
The malicious code lay dormant until a large transfer was initiated from Bybit's cold wallet. When the signers approved that transaction, they unknowingly signed a payload that handed control of the wallet contract to the attackers, who then drained its balance to addresses they controlled.
Why Is This Vulnerability Dangerous?
The hack showed how a third-party tool can become the weakest link in a custody setup. Despite multi-signature protections, the attackers managed to:
- Change what was being signed without changing what the signers saw.
- Obtain valid signatures from Bybit's own signers without ever stealing a private key.
- Evade detection until the funds had already left the wallet.
A multi-signature scheme is only as strong as the channel through which the signers see what they are signing; once that channel is compromised, the signatures stop being a meaningful control.
Who Is Behind the Hack?
Investigators, including the FBI, attributed the Bybit hack to the Lazarus Group, a North Korean state-sponsored hacking group. The group has a history of high-profile crypto thefts, including the roughly $85 million Phemex hack earlier in 2025.
How Did Bybit Respond?
Bybit took immediate action to protect users:
- Secured remaining funds.
- Assured users that all losses would be covered, with customer assets backed 1:1.
- Strengthened wallet security and API protections.
- Partnered with Chainalysis and Arkham to trace stolen funds.
Could This Have Been Prevented?
Experts suggest the hack could have been avoided, or caught in time, with:
- Regular security audits of third-party tools, including the integrity of the hosted front-end code.
- Independent transaction verification: checking the actual transaction fields and hash on a channel the web interface cannot control, such as a hardware wallet display or a separate verification script, before signing.
- Real-time alerts on suspicious activity, such as unusual operation types or destinations.
- Minimising reliance on external wallet infrastructure for high-value signing.
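The transaction hijacking described above and the "independent transaction verification" item in this list both come down to one check: compare what is about to be signed with what the operator intended, using data the web UI did not produce. In the Bybit case, the payload the signers actually signed was a delegatecall (operation = 1) into an attacker-controlled contract, not the ETH transfer the interface displayed. The script below is an added example, not Safe{Wallet}'s or Bybit's code. It assumes the signer can obtain the raw Safe transaction fields (to, value, data, operation, gas fields) from a channel the front end does not control, for example the Safe Transaction Service API or a hardware wallet display; the addresses, amounts and the tampered payload are constructed, shaped like the public description of the Bybit transaction.

```python
"""Independent pre-signing check for a Safe multisig transfer.

Added example (not Safe{Wallet}'s or Bybit's code). Assumes the raw Safe
transaction fields are fetched from a channel the web UI does not control
and compared with the transfer the operator meant to make. All addresses,
amounts and payloads below are constructed sample data.
"""
from dataclasses import dataclass

OPERATION_CALL = 0          # plain call: the Safe sends ETH / calls the target
OPERATION_DELEGATECALL = 1  # target code runs inside the Safe and can rewrite its storage
ZERO_ADDRESS = "0x" + "00" * 20


@dataclass(frozen=True)
class Intent:
    """What the operator actually wants: a plain ETH transfer to an allowlisted address."""
    to: str
    value_wei: int
    allowed_to: frozenset


def norm(addr: str) -> str:
    return addr.lower()


def check_safe_tx(intent: Intent, tx: dict) -> list:
    """Compare the payload about to be signed with the intent; an empty list means OK to sign."""
    findings = []
    op = int(tx.get("operation", OPERATION_CALL))
    if op != OPERATION_CALL:
        findings.append(
            f"operation={op} is not CALL (0); 1 = DELEGATECALL, which lets the "
            f"target overwrite the Safe's own storage (e.g. its implementation slot)"
        )
    to = norm(tx["to"])
    if to != norm(intent.to):
        findings.append(f"destination {tx['to']} differs from intended {intent.to}")
    if to not in {norm(a) for a in intent.allowed_to}:
        findings.append(f"destination {tx['to']} is not on the signer's allowlist")
    value = int(tx["value"])
    if value != intent.value_wei:
        findings.append(f"value {value} wei differs from intended {intent.value_wei} wei")
    data = tx.get("data") or "0x"
    if data != "0x":
        findings.append(f"{len(data) // 2 - 1} bytes of calldata on what should be a plain ETH transfer")
    if norm(tx.get("gasToken", ZERO_ADDRESS)) != ZERO_ADDRESS or \
            norm(tx.get("refundReceiver", ZERO_ADDRESS)) != ZERO_ADDRESS:
        findings.append("gas refund fields set; a refund would leave the Safe in a token or to a third party")
    return findings


def changed_fields(displayed: dict, to_sign: dict) -> dict:
    """Fields whose value in the payload handed to the signer differs from what the UI displayed."""
    keys = sorted(set(displayed) | set(to_sign))
    return {k: (displayed.get(k), to_sign.get(k)) for k in keys if displayed.get(k) != to_sign.get(k)}


# --- constructed sample data -------------------------------------------------
WARM_WALLET = "0x1111111111111111111111111111111111111111"        # constructed
ATTACKER_CONTRACT = "0x2222222222222222222222222222222222222222"  # constructed
TRANSFER_WEI = 30_000 * 10**18

INTENT = Intent(to=WARM_WALLET, value_wei=TRANSFER_WEI, allowed_to=frozenset({WARM_WALLET}))

# What the UI showed and the operator approved: a plain ETH transfer.
DISPLAYED_TX = {
    "to": WARM_WALLET, "value": str(TRANSFER_WEI), "data": "0x", "operation": 0,
    "safeTxGas": "0", "baseGas": "0", "gasPrice": "0",
    "gasToken": ZERO_ADDRESS, "refundReceiver": ZERO_ADDRESS, "nonce": 42,
}

# What a tampered front end hands to the signing flow instead: a zero-value
# delegatecall into an attacker contract (constructed, shaped like the Bybit payload).
TAMPERED_TX = {
    **DISPLAYED_TX,
    "to": ATTACKER_CONTRACT,
    "value": "0",
    "operation": 1,
    "data": "0xa9059cbb" + "00" * 12 + "33" * 20 + "00" * 31 + "01",  # transfer(address,uint256)
}


if __name__ == "__main__":
    for name, tx in (("displayed", DISPLAYED_TX), ("tampered", TAMPERED_TX)):
        findings = check_safe_tx(INTENT, tx)
        print(f"{name}: {'OK to sign' if not findings else 'REFUSE'}")
        for f in findings:
            print("  -", f)
    print("fields changed between display and signing:", list(changed_fields(DISPLAYED_TX, TAMPERED_TX)))
```

The check only means something if it runs on a machine, or a hardware wallet, that the web application cannot influence and reads its inputs from somewhere other than the compromised page; a verifier fed by the same tampered UI would happily approve the tampered payload. For a hardware signer the equivalent step is recomputing the safeTxHash from the intended fields and comparing it with the hash the device displays.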
What Does This Mean for Crypto Security?
The Bybit hack is a reminder that third-party services in the signing path are part of the attack surface, however strong the multi-signature scheme behind them. Both service providers and their customers need to demand more transparency about how front-end code is built and deployed, and independent security audits of that pipeline.