In a recent video, Cyfrin CEO and security researcher Patrick Collins reverse-engineered the record-breaking $1.4 billion Bybit exchange hack. What started as a seemingly normal transaction became the largest cryptocurrency theft in history. The attack methodology reveals alarming trends concerning exchange and infrastructure security, and new information has since come to light that changes our understanding of how this attack was executed.
Let’s explore the main insights from the video.
Initially, it was believed that the Bybit exchange users' computers were compromised. However, recent information from the Safe team reveals a different attack vector: a developer machine at Safe was compromised, allowing attackers to inject malicious JavaScript into the Safe UI itself.
This changes our understanding of the attack flow:
Looking at the on-chain data, the attackers executed six transactions:
An analysis of the actual transaction that Bybit co-founder Ben Zhou linked reveals that it was just one of several malicious calls. Despite its devastating impact, the technical aspects of the transaction weren't particularly sophisticated.
The attackers used a DelegateCall to a malicious contract, with several critical warning signs that went unnoticed:
What makes this attack particularly concerning is that it targeted the development infrastructure of Safe itself. According to the latest information (as of writing), attackers:
This represents a sophisticated supply chain attack rather than a direct compromise of end-user devices.
This attack followed an almost identical pattern to recent attacks on WazirX Exchange and Radiant Capital. This suggests that the same threat actors are repeatedly using this technique successfully.
It's now believed that the Safe UI was the compromise point in all these cases rather than end-user machines, which explains the similar attack patterns.
Let’s clarify something vital. This hack was ultimately executed through social engineering.
Bybit used a 3-of-6 multi-sig wallet setup, meaning three different signers approved the transaction without detecting the manipulation; ultimately, they were responsible for what they signed.
However, Safe’s infrastructure was compromised, allowing the malicious code to change the call data. Bybit’s team trusted what they saw on their screens, and Safe’s engineering team trusted that their systems were secure.
“Don’t trust, verify” has become a blockchain mantra for a reason.
When the signers reviewed the transaction but did not verify the calldata on their physical hardware devices, everything appeared correct. This underscores the critical need for thorough transaction verification beyond what’s displayed on the screen.
To spell it out, the computers showed a spoofed transaction that tricked them, but their wallets showed the malicious transaction. They could have caught this on the hardware wallet, but as of today, calldata can be tricky to verify on a wallet.
An analysis of the signatures section confirms three distinct signatures on this malicious transaction.
Security researcher ZachXBT has traced this theft back to North Korean state-sponsored threat actors.
This represents a strategic shift in attack methodology. Rather than directly targeting smart contract vulnerabilities, these attackers have pivoted to compromising the human and operational elements of the security chain, which is often more effective.
Cyfrin has previously published detailed guidance on preventing exactly this type of attack. For organizations managing significant digital assets, several practices are essential:
The safe-tx-hashes script is a critical tool for preventing such attacks. It is a fork with fewer dependencies than the earlier repository, allowing users to verify the actual transaction they're signing independently of any potentially compromised interface.
For multi-sig wallet users, learning how to use this type of verification tool is now essential, not optional.
Organizations handling billions in assets must maintain the highest security standards. If key signers cannot independently decode and verify transaction data, they shouldn't be authorized to sign these transactions. Or, at a minimum, at least one person on the team must always verify the calldata and signatures before everyone has signed.
While some industry voices advocate for more human-readable transactions, this approach introduces vulnerabilities. As this hack demonstrates, the transaction data shown to users was manipulated before it even reached the hardware wallet. The signers saw legitimate-looking transaction details on their screens, but the actual data sent to their hardware wallets for signing was completely different and contained malicious operations.
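As an added example (not the page's, Cyfrin's or Safe's code, and not the safe-tx-hashes script itself), here is the independent check described above carried out in plain Python: it recomputes the Safe transaction hash that a signer's hardware wallet displays from the raw transaction fields, using a small built-in keccak-256 so no web3 libraries are needed, and compares the transaction the UI showed against the one actually sent for signing, flagging a delegatecall. The Safe address, token address and calldata are constructed placeholders, and the EIP-712 layout assumes Safe contracts 1.3.0 or later.

```python
# Added example, not Cyfrin's or Safe's code: recompute a Safe (>= 1.3.0) tx hash offline, as the
# safe-tx-hashes script does, and flag a delegatecall. Addresses/calldata are constructed placeholders.
RC = [0x1, 0x8082, 0x800000000000808A, 0x8000000080008000, 0x808B, 0x80000001,
      0x8000000080008081, 0x8000000000008009, 0x8A, 0x88, 0x80008009, 0x8000000A,
      0x8000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
      0x8000000000008002, 0x8000000000000080, 0x800A, 0x800000008000000A,
      0x8000000080008081, 0x8000000000008080, 0x80000001, 0x8000000080008008]
ROT = [0, 1, 62, 28, 27, 36, 44, 6, 55, 20, 3, 10, 43, 25, 39, 41, 45, 15, 21, 8, 18, 2, 61, 56, 14]
M = (1 << 64) - 1

def keccak256(msg: bytes) -> bytes:  # Ethereum keccak-256 (0x01 padding, not NIST SHA3-256)
    pad = msg + b"\x01" + b"\x00" * (135 - len(msg) % 136)
    pad = pad[:-1] + bytes([pad[-1] | 0x80])
    s = [0] * 25
    for off in range(0, len(pad), 136):
        for i in range(17):  # absorb one 136-byte block as little-endian 64-bit lanes
            s[i] ^= int.from_bytes(pad[off + 8 * i:off + 8 * i + 8], "little")
        for rc in RC:  # 24 rounds of theta, rho+pi, chi, iota on the 5x5 lane state
            c = [s[x] ^ s[x + 5] ^ s[x + 10] ^ s[x + 15] ^ s[x + 20] for x in range(5)]
            d = [c[(x - 1) % 5] ^ ((c[(x + 1) % 5] << 1 | c[(x + 1) % 5] >> 63) & M) for x in range(5)]
            s = [s[i] ^ d[i % 5] for i in range(25)]
            b = [0] * 25
            for i in range(25):
                x, y, r = i % 5, i // 5, ROT[i]
                b[y + 5 * ((2 * x + 3 * y) % 5)] = ((s[i] << r) | (s[i] >> (64 - r))) & M
            s = [b[i] ^ (~b[(i + 1) % 5 + 5 * (i // 5)] & b[(i + 2) % 5 + 5 * (i // 5)]) for i in range(25)]
            s[0] ^= rc
    return b"".join(s[i].to_bytes(8, "little") for i in range(4))

DOMAIN_TYPEHASH = keccak256(b"EIP712Domain(uint256 chainId,address verifyingContract)")
SAFE_TX_TYPEHASH = keccak256(b"SafeTx(address to,uint256 value,bytes data,uint8 operation,uint256 safeTxGas,"
                             b"uint256 baseGas,uint256 gasPrice,address gasToken,address refundReceiver,uint256 nonce)")
def word(v) -> bytes:  # ABI-encode an int or a 0x-hex address as one 32-byte word
    return v.to_bytes(32, "big") if isinstance(v, int) else bytes.fromhex(v[2:]).rjust(32, b"\0")

def safe_tx_hash(chain_id, safe, to, value, data, operation, nonce, safe_tx_gas=0, base_gas=0,
                 gas_price=0, gas_token="0x" + "00" * 20, refund_receiver="0x" + "00" * 20) -> str:
    """The EIP-712 digest a Safe signer's hardware wallet actually signs (dynamic `data` is hashed)."""
    domain = keccak256(DOMAIN_TYPEHASH + word(chain_id) + word(safe))
    struct = keccak256(SAFE_TX_TYPEHASH + word(to) + word(value) + keccak256(data) + word(operation)
                       + word(safe_tx_gas) + word(base_gas) + word(gas_price) + word(gas_token)
                       + word(refund_receiver) + word(nonce))
    return "0x" + keccak256(b"\x19\x01" + domain + struct).hex()

def review(shown: dict, signed: dict) -> list:  # findings a signer should raise before approving
    findings = ["HASH MISMATCH: UI and wallet disagree"] if safe_tx_hash(**shown) != safe_tx_hash(**signed) else []
    return findings + (["DELEGATECALL: operation=1 hands control to the target"] if signed["operation"] == 1 else [])

# Constructed inputs: a benign-looking ERC-20 transfer as displayed vs. a delegatecall actually submitted.
SHOWN = dict(chain_id=1, safe="0x" + "11" * 20, to="0x" + "22" * 20, value=0, operation=0, nonce=0,
             data=bytes.fromhex("a9059cbb") + word("0x" + "33" * 20) + word(10**18))
SIGNED = dict(SHOWN, to="0x" + "44" * 20, operation=1, data=bytes.fromhex("deadbeef"))
```

Compare the `safeTxHash` printed by such a script with the one on the hardware wallet screen; if the UI's transaction and the wallet's hash disagree, or `operation` is 1, nobody signs.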
As security researcher Tayvano bluntly notes, once sophisticated attackers gain access to devices, the security situation becomes… We’ll let you read the quote below for yourself.
Until more comprehensive solutions emerge, the fundamental principle remains: never sign wallet transactions without thoroughly understanding their actual operations.
So, all this highlights the urgent need for improved OpSec practices across the entire web3 ecosystem.
Cyfrin acknowledges both the Safe wallet team and Bybit exchange for their transparency in sharing information about this incident. This level of openness is essential for the entire industry to learn and develop better security practices.
For those looking to enhance their blockchain security skills, Cyfrin's Security & Auditing course on Updraft provides comprehensive training on identifying and preventing these types of attacks.
Stay safe out there, and always verify your transactions.
Author's note: This analysis is based on currently available information and direct examination of the on-chain data. Special thanks to ZachXBT, Tayvano, and the broader security community for their rapid response and analysis of this incident.