
Preventing The Bybit Breach: FailSafe Stops Malicious Multisig Exploits


In the last few hours, the Bybit hack has sent shockwaves across the blockchain and cybersecurity community, with attackers siphoning off nearly 401,347 ETH—approximately $1.5 billion.

The FailSafe team has collected sufficient evidence to believe that North Korean threat actor TraderTraitor is responsible, following similar sophisticated tactics that resulted in the loss of $308 million from DMM Bitcoin exchange, $50 million from Radiant Capital, and $235 million from WazirX.

Anatomy of The Breach

  • The Context: Bybit uses a Safe multisig wallet for storing assets, which requires multiple signers to approve a transaction. Signers of the multisig wallet approve transactions via Safe’s user interface (UI) on their devices.
  • The Preparation: The devices (computers) responsible for signing transactions were likely compromised, enabling the attackers to manipulate Safe’s signing UI. The signers believed they were signing a legitimate and routine transfer, but were actually authorizing an upgrade of the Safe multisig wallet to use a malicious contract.
  • The Exploit: The malicious contract re-routed funds to addresses controlled by the attackers. Authorities and investigation tools are currently tracing the flow of funds in an attempt to freeze or recover the stolen assets.

The Vulnerabilities Responsible

From our analysis, there are two key weaknesses the attackers were able to exploit:

  1. Lack of Employee Vigilance: TraderTraitor employs sophisticated social engineering techniques (such as impersonating recruiters on LinkedIn) to introduce malware into company systems. We are certain that the postmortem report will reveal that a Bybit employee unknowingly introduced malware onto a Bybit device, allowing the attackers to perform surveillance and prepare the attack for as long as they needed.
  2. Lack of Transaction Security: A lack of risk and security checks on the proposed transaction resulted in the “blind signing” of the transaction. Multiple alerts should have been triggered, because the proposed transaction exhibited none of the characteristics of a routine transfer:
    • Involving zero token transfers
    • Interacting with a contract not on any allowlist
    • Using a delegatecall operation rather than a regular call
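The three anomalies above can be checked mechanically before any signer sees the transaction. The following is an added example, not FailSafe's or Safe's code: it scores a proposed Safe transaction by its `to`, `value`, `data` and `operation` fields (Safe's own transaction fields, where operation 1 is delegatecall) against a constructed allowlist; the addresses and calldata are placeholders.

```python
# Added example: pre-signing anomaly check for a proposed Safe transaction.
# Not FailSafe's or Safe's code; addresses and calldata below are constructed.
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1          # Safe `operation` values
ERC20_TRANSFER = "a9059cbb"        # 4-byte selector of transfer(address,uint256)
ERC20_TRANSFER_FROM = "23b872dd"   # 4-byte selector of transferFrom(address,address,uint256)


@dataclass
class SafeTx:
    to: str          # target contract or recipient
    value: int       # native value in wei
    data: str        # calldata as hex, with or without a 0x prefix
    operation: int   # 0 = CALL, 1 = DELEGATECALL


def selector(data: str) -> str:
    """First four bytes of the calldata, lower-case hex, or '' for empty data."""
    return data.lower().removeprefix("0x")[:8]


def transaction_findings(tx: SafeTx, listed: set[str]) -> list[str]:
    """Describe every anomaly the transaction triggers (empty list = looks routine)."""
    findings = []
    if tx.operation == DELEGATECALL:
        findings.append("delegatecall: target code runs in the Safe's own storage context")
    if tx.to.lower() not in {a.lower() for a in listed}:
        findings.append("target is not a listed contract or known recipient")
    if tx.value == 0 and selector(tx.data) not in (ERC20_TRANSFER, ERC20_TRANSFER_FROM):
        findings.append("moves no ETH and no ERC-20 tokens, unlike a routine transfer")
    return findings


def cosigner_decision(tx: SafeTx, listed: set[str]) -> str:
    """A co-signer policy: any finding vetoes the transaction."""
    return "VETO" if transaction_findings(tx, listed) else "APPROVE"


# Constructed sample data: one routine ETH transfer, one suspicious upgrade-like call.
LISTED = {"0x1111111111111111111111111111111111111111"}  # placeholder known recipient
ROUTINE = SafeTx(to="0x1111111111111111111111111111111111111111",
                 value=10**18, data="0x", operation=CALL)
SUSPECT = SafeTx(to="0x2222222222222222222222222222222222222222",
                 value=0, data="0x" + "a0" * 36, operation=DELEGATECALL)

if __name__ == "__main__":
    for name, tx in (("routine", ROUTINE), ("suspect", SUSPECT)):
        print(name, cosigner_decision(tx, LISTED), transaction_findings(tx, LISTED))
```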

For both weaknesses, FailSafe offers technical solutions that would have provided early warning and prevented the transaction from being submitted to the blockchain.

FailSafe: Protecting Blockchain Enterprises with Defense-In-Depth

Employee Vigilance: Phishing Simulation & Training

The best solutions are sometimes the simplest: to overcome human vulnerability, there’s no running away from training and education. Humans are often both the first and last line of defense in any organization, yet they can be vulnerable to social engineering. We’ve helped elite blockchain teams build a culture of vigilance through targeted, realistic phishing simulations designed to mirror the tactics used by advanced persistent threat actors like TraderTraitor. Contact us today for a demo on helping your team recognize and deflect sophisticated cyber threats.

Stopping The Malicious Transaction: Intelligent Co-Signing for Safe Multisigs

FailSafe’s Attestation Service is designed to add an extra layer of security directly into the transaction process. Here’s how it works:

Enhanced Transaction Validation: Our service integrates with any Safe multisig to serve as an intelligent co-signer. It can veto transactions when risk is detected, even if all of the multisig’s signing keys are compromised.

Automated Threat Detection: The Attestation Service is not a passive observer. It leverages real-time threat intelligence, device recognition, and geolocation data to detect anomalies. For instance, if a transaction request is initiated from an unrecognized device or an unexpected location, the service will flag it and veto the transaction.

Operational Security Checks: In scenarios involving privileged operations—such as modifying contract implementations or transferring native currencies—our attestation service enforces strict operational security practices. This includes:

  • Geolocation Verification: Ensuring all signers connect from expected IP ranges.
  • Device Intelligence: Checking that transactions are initiated from recognized devices, and enforcing additional two-factor authentication if necessary.
  • Threat Intelligence: Monitoring for any anomalous transaction patterns among the signers.
  • Thresholds: Identifying transaction limits or behaviors outside of the norm.
  • Time-Based Restrictions: Confirming that transactions occur within permitted time windows.
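The checks above are the kind of policy a co-signer evaluates per signer approval before attesting. As an added example (not FailSafe's code), the block below evaluates a constructed policy over each approval of a privileged operation: expected IP ranges, enrolled device fingerprints, a permitted UTC time window and a per-transaction value threshold; every range, identifier and timestamp is an assumption.

```python
# Added example: per-approval operational-security policy for a multisig co-signer.
# Not FailSafe's code; policy values, device IDs and timestamps are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress


@dataclass
class Policy:
    ip_ranges: list[str]         # expected signer networks, CIDR notation
    known_devices: set[str]      # device fingerprints enrolled for signing
    hours_utc: tuple[int, int]   # permitted window [start, end) in UTC hours
    max_value_wei: int           # per-transaction limit on native value


@dataclass
class Approval:
    signer: str
    ip: str
    device_id: str
    signed_at: datetime          # must be timezone-aware
    value_wei: int               # native value of the transaction being approved


def approval_findings(a: Approval, p: Policy) -> list[str]:
    """List every policy violation for one signer's approval (empty = clean)."""
    nets = [ipaddress.ip_network(r) for r in p.ip_ranges]
    findings = []
    if not any(ipaddress.ip_address(a.ip) in n for n in nets):
        findings.append(f"{a.signer}: IP {a.ip} outside expected ranges")
    if a.device_id not in p.known_devices:
        findings.append(f"{a.signer}: unrecognized device, step-up 2FA required")
    hour = a.signed_at.astimezone(timezone.utc).hour
    start, end = p.hours_utc
    if not start <= hour < end:
        findings.append(f"{a.signer}: signed at {hour:02d}:00 UTC, outside permitted window")
    if a.value_wei > p.max_value_wei:
        findings.append(f"{a.signer}: value exceeds per-transaction threshold")
    return findings


def attest(approvals: list[Approval], p: Policy) -> str:
    """Co-signer verdict: a finding on any single approval vetoes the whole transaction."""
    return "VETO" if any(approval_findings(a, p) for a in approvals) else "ATTEST"


# Constructed sample policy and approvals (TEST-NET-3 range, placeholder devices).
POLICY = Policy(ip_ranges=["203.0.113.0/24"], known_devices={"dev-A1", "dev-B2"},
                hours_utc=(8, 18), max_value_wei=500 * 10**18)
OK = Approval("alice", "203.0.113.10", "dev-A1",
              datetime(2025, 1, 15, 10, tzinfo=timezone.utc), 10**18)
BAD = Approval("bob", "198.51.100.7", "dev-X9",
               datetime(2025, 1, 15, 2, tzinfo=timezone.utc), 10**18)
```

Running `attest([OK, BAD], POLICY)` returns `VETO` because Bob's approval fails the IP, device and time-window checks even though Alice's is clean.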

How FailSafe’s Multi-Layered Defense Outperforms Traditional Approaches

FailSafe’s approach directly addresses the problem of compromised devices and unverified transaction contents by embedding security within the signing process itself.

From Blind Signing to Informed Signing: Instead of relying on human verification at the final step, FailSafe’s Attestation Service acts as an automated co-signer that validates every aspect of the transaction. This proactive measure effectively closes the blind signing loophole.

Real-Time Response and Automated Rejection: In cases where suspicious activity is detected, our system can immediately reject the transaction, regardless of how many manual approvals have been collected. This level of automated threat prevention is critical in stopping sophisticated attacks before they can execute.

Defense in Depth: Our strategy doesn’t solely focus on one aspect of the transaction process. By combining geolocation checks, device intelligence, threat detection, and time-based restrictions, we create a robust, multi-layered defense that makes it exponentially harder for attackers to succeed.

By integrating advanced operational security measures into the heart of the Safe multisig transaction processes, FailSafe empowers organizations to protect their assets against even the most sophisticated attacks. The future of secure transactions lies in proactive, intelligent defense mechanisms that not only react to threats but actively prevent them. Let’s work together to ensure that history does not repeat itself.

Stay safe, stay informed, and choose FailSafe for comprehensive blockchain security. Get in touch today for protection from tomorrow’s attacks.
