Bybit Hack: What Actually Happened & How We Move Forward

It’s been a really chaotic week. Bybit fell victim to a brilliantly orchestrated attack—credit where it’s due—resulting in the largest crypto theft to date. While the total value—$1.5 billion—is shocking, what’s more concerning is how the breach was executed: the reports shared by CEO Ben Zhou revealed the attack was initiated from a vulnerability in their supply chain, pointing a finger at the multisig wallet software platform Safe{Wallet}.

What actually happened?

  1. The attacker gained access to a Safe{Wallet} developer’s computer.
  2. This computer had the privileges to update the Safe user interface (app.safe.global).
  3. Exploiting this access, the attacker injected malicious JavaScript into Safe’s UI.
  4. The malicious JavaScript targeted only the signers of the Bybit wallet, changing the content of the transaction during the signing process.

[Figure: Demonstration of the Bybit Hack Attack Vector]

At the time of the hack, there were approximately 39 million Safe wallets holding $55 billion in assets (according to Safe’s Dune dashboard). Theoretically, the attackers could have targeted all Safe wallets, but doing so would have risked early detection before the high-value target was successfully attacked.

The appeal of attacking Bybit via Safe{Wallet} becomes clear when you consider the alternative. To compromise Bybit directly, attackers would have needed to control three separate signing devices—a far more complex and risky approach. By instead targeting Bybit’s supply chain through the Safe{Wallet} interface, the attacker only had to compromise one developer device, effectively bypassing multiple layers of security.

This is not the first time a ‘secure’ wallet service has been compromised. Many of us will remember the Ledger hack that tricked users into signing transactions that drained their wallets. Supply chain attacks targeting systems widely accepted as secure—like Ledger and Safe—demonstrate that no safeguard is infallible.

What are the learnings, and how might FailSafe ensure you’re not the victim of a supply chain attack?

  1. Defense In Depth. FailSafe—as the name implies—is built to default systems to a safe state through layered defenses. No matter how secure a system may seem, given enough time and resources, it can be hacked. Adopting a multi-layered security approach is essential.
  2. Minimize Attack Surface. Bybit was targeted because it was an attractive target—holding one of the largest ETH reserves in a single Safe wallet and executing frequent high-value transactions. Lazarus came knocking. Reducing your attack surface and overall appeal as a target is critical. Instead of consolidating assets in one cold wallet, distribute them across multiple wallets. This diversification, as I discussed with crypto.news recently, minimizes risk by ensuring no single breach can devastate your entire fund.
  3. FailSafe’s Intelligent Co-Signer
    Utilize FailSafe’s intelligent co-signer to perform rigorous verifications of both transaction and signer data. In the case of the Bybit transaction, FailSafe would have rejected it for several reasons (refer to the diagram below):
    • Secure UI Enforcement: The co-signer ensures that all transactions are signed exclusively through FailSafe’s self-hosted, secure UI. Any transaction signed outside this environment is automatically rejected, regardless of key possession.
    • Transaction Verification and Simulation: Each proposed transaction is verified and simulated to confirm it doesn’t attempt to breach access controls—such as unauthorized upgrades or changes in ownership—and that it adheres to customer-defined policies, like transaction thresholds.
    • Device Health Checks: The service conducts health checks on all signing devices, verifying that they are recognized, operating from approved IP ranges, and within designated time windows.
  4. Eliminate Single Points of Failure. In the case of Safe{Wallet}, one admin had sole authority to push code to production. Implementing multi-approval processes and enforcing separation of duties are essential to prevent any one compromised account from undermining the whole system.
  5. Invest in Human Risk Management. Attackers often target human and operational vulnerabilities rather than just coding errors. Time and again, projects have been compromised due to a lack of vigilance. Beyond technological defenses, companies must invest in comprehensive training, enforce strict access controls, and establish robust monitoring systems to mitigate insider risks.

[Figure: Demonstration of FailSafe Intercepting the Bybit Hack]
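
The co-signer checks listed in item 3 can be pictured as a static policy gate that runs before any signature is released. The sketch below is an added example, not FailSafe's code: the `Proposal` fields, policy constants and `evaluate` function are hypothetical, all addresses and devices are constructed placeholders, and it assumes the Safe transaction's `operation` field (0 = CALL, 1 = DELEGATECALL) as the signal for upgrade-style calls. Simulation of the transaction is out of scope here.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time, timezone

# Hypothetical policy; all addresses, devices and limits below are constructed placeholders.
SAFE = "0x" + "aa" * 20                      # the protected Safe
DELEGATECALL_ALLOWLIST = {"0x" + "bb" * 20}  # vetted library contracts only
MAX_VALUE_WEI = 100 * 10**18                 # customer-defined threshold (100 ETH)
KNOWN_DEVICES = {"signer-laptop-01"}
APPROVED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # documentation range
WINDOW_UTC = (time(8, 0), time(18, 0))

@dataclass
class Proposal:
    to: str
    value: int
    data: bytes
    operation: int       # Safe transaction field: 0 = CALL, 1 = DELEGATECALL
    device_id: str
    source_ip: str
    signed_at: datetime  # timezone-aware

def evaluate(p: Proposal) -> list:
    """Return policy violations; an empty list means the co-signer may sign."""
    reasons, to = [], p.to.lower()
    if p.operation not in (0, 1):
        reasons.append("unknown operation type")
    # DELEGATECALL runs the target's code against the Safe's own storage.
    if p.operation == 1 and to not in DELEGATECALL_ALLOWLIST:
        reasons.append("delegatecall to non-allowlisted target")
    # Owner, threshold and module changes are calls the Safe makes to itself.
    if to == SAFE and p.data:
        reasons.append("self-call changes Safe configuration")
    if p.value > MAX_VALUE_WEI:
        reasons.append("value exceeds threshold")
    if p.device_id not in KNOWN_DEVICES:
        reasons.append("unrecognized signing device")
    ip = ipaddress.ip_address(p.source_ip)
    if not any(ip in net for net in APPROVED_NETS):
        reasons.append("source IP outside approved ranges")
    now = p.signed_at.astimezone(timezone.utc).time()
    if not WINDOW_UTC[0] <= now <= WINDOW_UTC[1]:
        reasons.append("outside signing window")
    return reasons

# Constructed samples: a routine transfer and a delegatecall to an unknown contract.
ROUTINE = Proposal("0x" + "cc" * 20, 5 * 10**18, b"", 0, "signer-laptop-01",
                   "203.0.113.7", datetime(2025, 1, 6, 10, 0, tzinfo=timezone.utc))
SUSPICIOUS = Proposal("0x" + "dd" * 20, 0, bytes.fromhex("deadbeef"), 1, "signer-laptop-01",
                      "203.0.113.7", datetime(2025, 1, 6, 10, 0, tzinfo=timezone.utc))
```

Returning every violation rather than stopping at the first gives the reviewer who investigates a rejection the full picture in one log entry.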

It’s time for crypto to grow up. With billions now lining the pockets of Kim Jong Un’s nuclear missile program—a tangible threat to global security—regulators must impose strict rules on blockchain enterprises. This isn’t about stifling innovation; it’s about protecting investors, users, and the world from inadvertently funding dangerous agendas.

Aneirin Flynn

CEO, FailSafe