On Friday, North Korea’s state-sponsored elite hacking group Lazarus pulled off the largest-ever attack on a centralized crypto exchange, stealing over $1.5 billion worth of ETH and derivative ETH tokens from Bybit. Now, hours after the attack, Ethereum security researchers are working diligently to discover how it happened and whether others remain at risk.
In a post confirming that his exchange was hacked, CEO Ben Zhou noted that the attacker gained access to a Bybit Ethereum cold wallet. Exactly how it happened could have repercussions for the wider industry.
According to a post-mortem published shortly after the attack, Bybit first became aware of suspicious activity during a previously announced “routine” transfer from one of its multi-signature cold wallets to a hot wallet.
“Unfortunately, the transaction was manipulated by a sophisticated attack that altered the smart contract logic and masked the signing interface, enabling the attacker to gain control of the ETH Cold Wallet,” the company wrote. “As a result, over 400,000 ETH and stETH worth more than $1.5 billion were transferred to an unidentified address.”
From there, as Lazarus often does, the hackers split the funds into three separate distribution wallets and then further into dozens of additional addresses. In total, they drained 401,347 ETH worth $1.12 billion, 90,376 stETH worth $253.16 million, 15,000 cmETH worth $44.13 million and 8,000 mETH worth $23 million — and consolidated those tokens into ETH using decentralized exchanges.
Bybit noted the exchange is investigating the “root cause” of the issue, “with particular attention” given to a potential vulnerability in Safe{Wallet}, the self-custodial multi-signature wallet that hundreds of other protocols and exchanges use to increase security by increasing the number of signers needed to approve transactions.
According to the post-mortem, Bybit’s security team claims the Safe platform “may have been exploited during the transaction process.” About an hour after the hack, Zhou said in a since-deleted post on X that he wanted to be put in touch with someone at Safe.
On X, Safe — a team spun out of Gnosis in 2022 — confirmed it is “working closely with Bybit on its ongoing investigation.” It also noted that “out of caution,” Safe{Wallet} would temporarily pause “certain functionalities.”
“For security reasons, we won't be specific,” a team member told The Block when asked what functions were paused. Although the project’s front-end website is currently unusable, Safe said it has not “found evidence that the official Safe frontend was compromised.” The protocol also showed a 503 error message — indicating a server is down — when trying to interact with it on the backend.
“The investigation is still ongoing but from initial assessments, this is highly unlikely. In addition to the Safe investigation team, this has also been deemed as highly unlikely by ETH Security Teams on the ETHSecurity Community,” he continued.
Indeed, there’s growing consensus among Ethereum security researchers that Safe is secure and that Lazarus found a way to infect the Bybit multi-sig signers’ devices.
“SEAL is working with the Safe team closely. There's no indication that they or any of their infrastructure has been compromised but we are obviously making damn fucking sure,” Taylor Moynahan, security lead at Ethereum’s largest wallet, MetaMask, told The Block in a direct message.
SEAL 911 is a self-organized group of “white hats” who research vulnerabilities and track funds after exploits. They provide a Telegram bot where users can report breaches and be put in touch with SEAL’s rapid response team, often called the “war room.”
“This was most probably an infected machine(s) where the attacker was able to intercept and show a fake Safe page so they sign something different from what it was shown,” Odysseus, the pseudonymous founder of Ethereum security protocol Phalanx, said in a direct message. “They then leveraged the fact that hardware wallets don't show the signed action but just the signature hash.”
Said simply, Lazarus — in one way or another, either through phishing, infection via malware or a faulty Chrome plugin — was able to put a screen in front of the multi-sig holders that made it seem like they were interacting with a familiar platform that was actually a backdoor to drain their funds.
“The best way I can explain it is that the pixels you see on your screen come from somewhere else,” Moynahan said. “Maybe that's your hard drive, maybe that's a website, maybe that's a server somewhere. By compromising the user's device, or the website, or the server, they can make the pixels display things that are not an accurate representation of what's happening behind the scenes.”
While researchers aren’t yet clear on how the malicious payload was delivered (at this transaction hash), there is some circumstantial evidence suggesting the possibility that it was an inside job. To start, for Lazarus to take control of the cold wallet, they would have had to identify every multi-sig signer, infect each of their devices with malware and trick each user into thinking they were signing a different, legitimate transaction — all without raising suspicion.
In recent months, there has been growing awareness of the risk of crypto and other tech firms unknowingly hiring North Korean developers. Lazarus, in particular, has been quite adept at planting insiders into organizations.
While this is all speculative, Odysseus notes that the Bybit attack follows a similar pattern to at least two other recent crypto exploits — the $50 million Radiant hack in October 2024 and the $230 million WazirX hack last July.
In December, the Radiant Capital team confirmed that a North Korean hacker posing as an ex-contractor had sent a malicious zip file over Telegram that let the attackers into its systems. On the day of the attack, the developers’ compromised laptops incorrectly showed that their Ledger and Trezor hardware devices were interacting with a familiar Safe{Wallet} front-end, all the while malicious transactions were being signed in the background.
This “blind signing” — in which the signer cannot see what is actually being authorized — enabled the transferOwnership action that gave control of the entire multisig to the hackers. This allowed them to update the lending pool contracts and drain $50 million from the Binance Smart Chain and Arbitrum chains.
As in the Radiant attack, Lazarus apparently did a dry run of the Bybit attack two days earlier using proxy addresses. Moynahan notes that they also likely “harvested” the signatures, enabling them to pull off this particular hack with greater precision by building the transaction in their wallet beforehand.
In particular, a researcher going by the name pcaversaccio noted that Lazarus swapped out Bybit’s Safe implementation for a backdoor using the Ethereum operation called “delegatecall” — a low-level instruction that lets one smart contract run another contract’s code in its own storage context, designed for upgradeable contracts but also often abused by attackers. Lazarus’ code then rewrote a critical part of the original contract’s storage (its persistent state), giving them control.
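The two details above, that a hardware wallet shows the signer only a hash and that the malicious transaction used the delegatecall operation, point to one concrete defensive check: recompute the Safe transaction hash from the raw fields on a separate, trusted machine, compare it with what the device displays, and refuse anything whose operation field is 1 (delegatecall). The Python below is an added example written for this article, not code from The Block, Safe or Bybit. It assumes the EIP-712 encoding used by the Safe contracts from v1.3.0 onward (type strings are hashed in-line rather than hard-coded), carries its own Keccak-256 so it runs without third-party packages, and uses constructed placeholder addresses and values throughout.

```python
"""Recompute a Safe{Wallet} transaction hash off-device and flag risky fields.

Added example (not code from The Block, Safe or Bybit). Assumes the EIP-712
encoding of the Safe contracts from v1.3.0 onward; all addresses and
transaction fields in the sample are constructed placeholder values.
"""
from dataclasses import dataclass

# --- minimal Keccak-256 (pure Python, no third-party dependency) -------------
_MASK = (1 << 64) - 1
_RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
# rho rotation offsets, indexed by lane position x + 5*y
_ROT = [0, 1, 62, 28, 27, 36, 44, 6, 55, 20, 3, 10, 43, 25, 39,
        41, 45, 15, 21, 8, 18, 2, 61, 56, 14]


def _rotl(v, n):
    return ((v << n) | (v >> (64 - n))) & _MASK


def _keccak_f(a):
    """Keccak-f[1600] permutation over 25 little-endian 64-bit lanes."""
    for rc in _RC:
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rotl(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]                        # theta
        b = [0] * 25
        for x in range(5):
            for y in range(5):                                          # rho + pi
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rotl(a[x + 5 * y], _ROT[x + 5 * y])
        a = [(b[i] ^ (~b[(i % 5 + 1) % 5 + 5 * (i // 5)]
                      & b[(i % 5 + 2) % 5 + 5 * (i // 5)])) & _MASK
             for i in range(25)]                                        # chi
        a[0] ^= rc                                                      # iota
    return a


def keccak256(data: bytes) -> bytes:
    rate = 136                                   # (1600 - 2*256) bits, in bytes
    buf = bytearray(data) + b"\x01"              # original Keccak padding byte (SHA-3 uses 0x06)
    buf += b"\x00" * (-len(buf) % rate)
    buf[-1] |= 0x80
    lanes = [0] * 25
    for off in range(0, len(buf), rate):         # absorb one rate-sized block at a time
        for i in range(rate // 8):
            lanes[i] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        lanes = _keccak_f(lanes)
    return b"".join(l.to_bytes(8, "little") for l in lanes[:4])   # squeeze 32 bytes


# --- Safe transaction hashing (EIP-712, Safe contracts >= 1.3.0) -------------
CALL, DELEGATECALL = 0, 1
_DOMAIN_TYPE = b"EIP712Domain(uint256 chainId,address verifyingContract)"
_SAFE_TX_TYPE = (b"SafeTx(address to,uint256 value,bytes data,uint8 operation,"
                 b"uint256 safeTxGas,uint256 baseGas,uint256 gasPrice,"
                 b"address gasToken,address refundReceiver,uint256 nonce)")


def _u256(n: int) -> bytes:
    return n.to_bytes(32, "big")


def _addr(a: str) -> bytes:                      # 20-byte address left-padded to a 32-byte word
    return bytes.fromhex(a[2:]).rjust(32, b"\x00")


@dataclass
class SafeTx:
    chain_id: int
    safe: str
    to: str
    value: int
    data: bytes
    operation: int
    nonce: int
    safe_tx_gas: int = 0
    base_gas: int = 0
    gas_price: int = 0
    gas_token: str = "0x" + "00" * 20
    refund_receiver: str = "0x" + "00" * 20


def safe_tx_hash(tx: SafeTx) -> bytes:
    """The EIP-712 digest a hardware wallet displays when asked to sign a Safe tx."""
    domain = keccak256(keccak256(_DOMAIN_TYPE) + _u256(tx.chain_id) + _addr(tx.safe))
    struct = keccak256(
        keccak256(_SAFE_TX_TYPE) + _addr(tx.to) + _u256(tx.value) + keccak256(tx.data)
        + _u256(tx.operation) + _u256(tx.safe_tx_gas) + _u256(tx.base_gas)
        + _u256(tx.gas_price) + _addr(tx.gas_token) + _addr(tx.refund_receiver)
        + _u256(tx.nonce))
    return keccak256(b"\x19\x01" + domain + struct)


def review(tx: SafeTx, expected_to: str, expected_value: int, device_hash: str) -> list:
    """Findings a signer should resolve before approving on the device (empty = clean)."""
    findings = []
    if tx.operation == DELEGATECALL:
        findings.append("operation=1 (delegatecall): target code would run inside the Safe's own storage")
    if tx.to.lower() != expected_to.lower():
        findings.append("recipient differs from the announced transfer")
    if tx.value != expected_value:
        findings.append("value differs from the announced transfer")
    shown = device_hash.lower()
    shown = shown[2:] if shown.startswith("0x") else shown
    if safe_tx_hash(tx).hex() != shown:
        findings.append("hash on the signing device does not match the locally computed hash")
    return findings


if __name__ == "__main__":
    SAFE = "0x" + "aa" * 20                      # constructed placeholder, not any real wallet
    HOT = "0x" + "bb" * 20                       # constructed placeholder hot wallet
    announced = SafeTx(1, SAFE, HOT, 10**18, b"", CALL, nonce=7)
    # what the device is actually asked to sign in the scenario the article describes:
    actual = SafeTx(1, SAFE, "0x" + "cc" * 20, 0, bytes.fromhex("deadbeef"), DELEGATECALL, nonce=7)
    for finding in review(actual, HOT, 10**18, safe_tx_hash(announced).hex()):
        print("WARN:", finding)
```

Run it on a clean, preferably offline machine that takes the transaction fields from the proposal itself rather than from the web front end; an empty findings list together with a matching device hash means the signer is approving the transfer that was announced. The keccak256 helper is deliberately self-contained so the check does not depend on the same software stack a compromised workstation would be running.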
“It's not a clever script either way though,” Moynahan said. “It's custom malware designed for this specific hack and these specific signers.”
Although Bybit CEO Zhou may be overreaching by implying a vulnerability in Safe, it remains important to investigate how the attack occurred. According to Safe, there were certain safeguards Bybit could have put in place to prevent the attack. Namely, it could have enabled timelocks on its Safe wallets, which would have delayed any reconfiguration of the multisig.
Odysseus points out that a hardware wallet is pointless if the transaction is signed on an internet-connected laptop or phone.
“These are highly targeted attacks, so in general, if the device (computer/phone) is compromised, then there is little anyone can do (apart from signing from a non-networked and non-compromised machine),” he said.
It’s a point echoed by Ido Ben Natan, founder of security solution Blockaid, who noted attacks that leverage both blind signing and malware are perhaps the fastest-growing threat in crypto.
“Companies need to understand that this is not another case of operational error — it’s an advanced, targeted attack, and a threat to both consumers and organizations,” he said. “The problem is that even with the best key management solutions, today most of the signing process is delegated to software interfaces that interact with dApps.”
Worse, while some crypto attacks theoretically make the entire industry safer — in that they act like “million dollar bug bounties” that uncover vulnerabilities that can then be patched elsewhere — these types of attacks don’t really contribute anything beyond filling North Korea’s wallets. They’re hard to see coming and are likely already being staged elsewhere.
Moynahan noted that “anyone signing multisigs with multiple millions or billions of dollars is at risk.” So, if every platform is a target, what is a user to do?
“Do not rely on anyone to not get malware'd,” she added. “They will get malware'd. They do get malware'd. Daily.”
Disclaimer: The Block is an independent media outlet that delivers news, research, and data. As of November 2023, Foresight Ventures is a majority investor of The Block. Foresight Ventures invests in other companies in the crypto space. Crypto exchange Bitget is an anchor LP for Foresight Ventures. The Block continues to operate independently to deliver objective, impactful, and timely information about the crypto industry. Here are our current financial disclosures.
© 2025 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.