Bybit’s $1.4B Hack: The Biggest in History


Yesterday, Bybit CEO Ben Zhou announced they had been compromised, with 401,000 ETH stolen ($1.4B). This marks the third major hack in six months attributed to Lazarus, North Korea’s state-backed hacking group, which has stolen over $3B to date. Bybit follows WazirX ($234M) and Radiant ($51M) as the latest victim.


The Attack Pattern: Exploiting Safe-Based Security

All three hacks targeted ETH and used Safe’s multisig smart contract. Safe allows organizations to store funds in a smart contract with predefined spending rules. A typical multisig setup requires multiple signers (e.g., 3 out of 5) to authorize transactions.

To breach these Safe-based wallets, attackers have two primary methods:

1. Hacking Safe’s infrastructure

2. Compromising authorizers’ endpoints and tricking them into signing malicious transactions.


How the Bybit Hack Happened

While the exact details are unclear, it likely mirrors the Radiant and WazirX breaches. Lazarus compromised the computers of transaction authorizers. Victims believed they were approving legitimate transactions, but in reality, they signed a fraudulent one.

In Bybit’s case, the signers believed they were authorizing a routine transfer of funds; instead, they unknowingly signed a transaction that swapped the Safe’s implementation for a backdoored version.

The compromised contract (0x96221423681a6d52e184d440a8efcebb105c7242) manipulated the calldata, redirecting control to the attacker’s malicious contract. Game over.


Preventing Future Attacks: Institutional-Grade Security

These hacks are not inevitable. Enterprises must strengthen security with B2B custody solutions designed for institutional needs. Ledger Enterprise (https://enterprise.ledger.com/) provides a dedicated custody platform with built-in governance rules:

- Device access control

- Multi-level transaction approvals (e.g., CFO sign-off for large transfers)

- Whitelisting to ensure wallets can only send to approved destinations

- End-to-end security, with verification on secure hardware devices, and Clear Signing

Even if Lazarus compromised every laptop in an organization, final approval on a secure screen would prevent unauthorized transactions. Unlike on-chain multisig, Ledger Vault’s governance is enforced off-chain, eliminating this attack vector.


Tradelink: Mitigating Exchange Risk

Ledger Enterprise also offers Tradelink, an off-exchange trading platform that reduces counterparty risk.


For Individuals: The Case for Self-Custody

These attacks highlight the importance of self-custody. While exchanges are useful for trading, they should not be used for long-term storage. To stay secure:

- Use a hardware wallet

- Manage backups properly

- Always verify transactions before signing

- Never blind-sign transactions, especially on Ethereum

Ledger is working to provide Clear Signing for the entire ecosystem, but that requires partners to integrate it properly. We encourage you to review our Clear Signing page and see how you can help push for all smart contracts to have Clear Signing. Since it is not yet available for all Ethereum smart contracts, blind signing remains an option, but at your own risk. EIP-712 transactions are clear-signed on Ledger devices for Safe smart contracts, but embedded calldata transactions and proxies are not yet fully supported. This is coming soon.
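The attack pattern described above (a signed Safe transaction that was not the transfer the signers were shown) and the advice to verify before signing and to whitelist destinations can be turned into a concrete pre-signing check. The following is an added example, not code from the post or from Ledger or Safe: it reads the SafeTx fields that appear in the EIP-712 message a Safe co-signer is asked to approve (to, value, data, operation) and compares them with the signer's stated intent and a destination whitelist. The class names, the whitelist and the sample addresses are constructed for the example.

```python
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1  # Safe's Enum.Operation values in execTransaction


@dataclass
class SafeTx:
    """The SafeTx fields a co-signer should read before approving."""
    to: str
    value: int        # wei
    data: bytes       # calldata forwarded to `to`
    operation: int    # CALL or DELEGATECALL


@dataclass
class Intent:
    """What the signer believes is being approved (constructed for this example)."""
    recipient: str
    amount_wei: int
    plain_transfer: bool = True  # a plain ETH transfer carries no calldata


def check_safe_tx(tx: SafeTx, intent: Intent, safe: str, whitelist: set[str]) -> list[str]:
    """Return findings; an empty list means the request matches the stated intent."""
    findings = []
    # A Safe proxy's implementation pointer lives in the Safe's own storage, so replacing
    # it needs code running in that storage context, i.e. a DELEGATECALL operation.
    if tx.operation == DELEGATECALL:
        findings.append("operation is DELEGATECALL: target code runs with the Safe's storage")
    if tx.to.lower() == safe.lower():
        findings.append("transaction targets the Safe itself (administrative call)")
    if tx.to.lower() not in {a.lower() for a in whitelist}:
        findings.append(f"destination {tx.to} is not on the whitelist")
    if tx.to.lower() != intent.recipient.lower():
        findings.append("destination differs from the intended recipient")
    if tx.value != intent.amount_wei:
        findings.append(f"value {tx.value} wei differs from intended {intent.amount_wei} wei")
    if intent.plain_transfer and tx.data:
        findings.append(f"{len(tx.data)} bytes of calldata on what should be a plain transfer")
    return findings


def demo() -> tuple[list[str], list[str]]:
    safe = "0x" + "aa" * 20               # constructed Safe address
    hot_wallet = "0x" + "bb" * 20         # constructed, whitelisted destination
    intent = Intent(recipient=hot_wallet, amount_wei=10 * 10**18)
    honest = SafeTx(to=hot_wallet, value=10 * 10**18, data=b"", operation=CALL)
    # Constructed request shaped like the post's description: not the transfer the
    # signer was shown, but a delegatecall with calldata to an unknown contract.
    tampered = SafeTx(to="0x" + "cc" * 20, value=0, data=bytes.fromhex("deadbeef"), operation=DELEGATECALL)
    return check_safe_tx(honest, intent, safe, {hot_wallet}), check_safe_tx(tampered, intent, safe, {hot_wallet})
```

The check is only as good as the intent it is compared against, which is why the post insists on reading the fields on a secure screen rather than trusting the laptop that assembled the request.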


Introducing “Transaction Check”: A Game-Changer for Security

Even with clear signing, users must determine if a transaction aligns with their intent. Ledger’s upcoming “Transaction Check” feature will:

- Simulate the transaction before it is sent to the device

- Display a clear-signed transaction with a risk assessment

This world-first security feature could save millions (or even billions) in losses over the coming years. Stay tuned.

Wladimir da S. Vaz ETcurious

Founder and CEO(s) | airfun | To those with little luck (preparation): Wick, E.T. Wick! I would like to make a dinner reservation. X PAX. Thank you!

4 weeks

[PT-BRA] Pills of Wisdom: The rain that ruins a day at the beach is the same rain that helps a farmer. The heat that helps the ice cream seller is what hurts whoever sells blankets. A broken car is bad for its owner but good for the mechanic. We have to understand that not every day is our day. There will be days when everything goes as planned, and days when everything goes differently. There will be cold days, hot days, days when you get it wrong so you can get it right later on. Life is a Ferris wheel, my friend, and when you are at the top, the view is beautiful. No matter how many times you go down, what really matters is being on it. An excellent week to all! Photo: the Ferris wheel of São Paulo, the largest in Latin America. It is located in Parque Candido Portinari, next to Parque Villa-Lobos.

Engr Naib Khan

$1.5M+ Raised by Startups Portfolio || 70+ MVPs Developed || Idea to MVP in 4 Weeks || AI Agents as a Service |Data scientist| Web3, Blockchain, Web & Mobile Apps, Cloud, DevOps, UI/UX, AI researcher

4 weeks

This hack highlights the urgent need for improved security measures in the crypto industry. Exchanges must prioritize cold wallet security, implement multi-layered authentication, and strengthen governance protocols to prevent such breaches. What additional safeguards do you think could help mitigate these risks?

RUCHIKA KUMARI

Business Development Executive/ Lead Generation/Project Management-International Market

1 month

Thank you so much for sharing this post. Crypto security is more important than ever. To enhance security, we need more robust countermeasures. By deploying better governance, secure hardware approvals, constant monitoring, and threat intelligence, we can detect and stop many security breaches. #CyberSecurity #CryptoSecurity
