
What the Bybit Hack Means for Crypto Security and the Future of Multisig Protection

Executive Summary:

The Evolution of Protocol Exploitation

In one of the largest thefts in digital asset history, hackers gained access to an offline Ethereum wallet and stole $1.5 billion worth of digital assets, primarily consisting of Ethereum tokens. The recent incident with Bybit marks a new phase in attack methods, featuring advanced techniques for manipulating user interfaces. Rather than just targeting protocol flaws, the attackers used clever social engineering to trick users, compromising a major institutional multisig setup.

The incident represents a significant evolution of these attack patterns, introducing sophisticated UI manipulation techniques not previously seen. Instead of just exploiting protocol mechanics, the attackers employed advanced social engineering through manipulated interfaces, allowing them to compromise a significant institutional multisig setup.

On February 21st, Check Point's Blockchain Threat Intel System raised a critical-attack alert for a transaction on the Ethereum network.

The alert indicated that the AI engine had identified an anomalous change in a transaction and categorized it as a critical attack. It showed that the Bybit cold wallet had been compromised, resulting in the theft of approximately $1.5 billion worth of digital assets, primarily Ethereum tokens.

Check Point Research analysed the attack and explained how our Threat Intel Blockchain system was able to identify it.

Check Point’s Threat Intel blockchain system previously identified a concerning pattern where attackers exploited legitimate blockchain protocols through the Safe Protocol’s execTransaction function. Published in July 2024, the research provided a technical analysis of how the function operates within the Safe framework and documented cases where it was used in attack chains.

The research focused on understanding the technical mechanics of the Safe Protocol’s execTransaction function and its potential for misuse, highlighting the importance of understanding how legitimate protocol features could be leveraged unexpectedly.

Why This Attack is So Significant

This hack sets a new precedent in crypto security by bypassing a multisig cold wallet without exploiting any smart contract vulnerability. Instead, it exploited human trust and UI deception.

Recommendations for businesses

  1. Comprehensive Security Measures: Companies holding significant crypto assets must integrate traditional security products, such as endpoint threat prevention and email security, to prevent malware from infecting sensitive machines and spreading throughout the organization. This is crucial to safeguard against sophisticated attacks that exploit human vulnerabilities and user interface manipulation.
  2. Real-Time Prevention: The industry needs a paradigm shift from incremental security improvements to real-time prevention. Just as corporate networks and clouds use firewalls to inspect every packet, web3 requires real-time inspection of every transaction to ensure security. This approach can prevent malicious activities before they cause damage.
  3. Implement Zero-Trust Security:
    - Every signer's device should be treated as potentially compromised.
    - Use dedicated, air-gapped signing devices for multisig approvals.
    - Require signers to cross-verify transaction details via a second independent channel.
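The Safe execTransaction function discussed above and the "second independent channel" recommendation meet in one practical control: the signer's verification path decodes the raw calldata it is being asked to sign and compares it with the intended transaction, rather than trusting what a wallet UI renders. The following is an added example, not code from the Check Point post or from the Safe project; it hand-decodes the execTransaction ABI (selector 0x6a761202, which is the real Safe selector) and flags the fields a signer should compare. The addresses, the calldata and the audit tags are constructed for illustration.

```python
# Added example (not from the Check Point post or the Safe project): an independent
# decoder for Safe execTransaction calldata, so a signer's second verification
# channel compares the bytes actually being signed against the intended transaction
# instead of trusting a wallet UI. Addresses and calldata below are constructed.

ZERO_ADDRESS = "0x" + "00" * 20
# 4-byte selector of execTransaction(address,uint256,bytes,uint8,uint256,uint256,
# uint256,address,address,bytes) in the Safe contracts.
EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")
HEAD_SLOTS = 10  # ABI head: 8 static arguments + 2 offsets for the dynamic ones


def _word(n: int) -> bytes:
    return n.to_bytes(32, "big")


def _addr_word(addr: str) -> bytes:
    return bytes(12) + bytes.fromhex(addr[2:])


def _pad32(b: bytes) -> bytes:
    return b + bytes((-len(b)) % 32)


def encode_exec_transaction(to, value, data, operation, gas_token=ZERO_ADDRESS,
                            refund_receiver=ZERO_ADDRESS, signatures=b"") -> bytes:
    """ABI-encode an execTransaction call (used here only to build sample inputs)."""
    data_off = HEAD_SLOTS * 32
    data_tail = _word(len(data)) + _pad32(data)
    sig_off = data_off + len(data_tail)
    sig_tail = _word(len(signatures)) + _pad32(signatures)
    head = (_addr_word(to) + _word(value) + _word(data_off) + _word(operation)
            + _word(0) + _word(0) + _word(0)  # safeTxGas, baseGas, gasPrice
            + _addr_word(gas_token) + _addr_word(refund_receiver) + _word(sig_off))
    return EXEC_TRANSACTION_SELECTOR + head + data_tail + sig_tail


def decode_exec_transaction(calldata: bytes) -> dict:
    """Decode the fields a signer is actually authorising. Raises on malformed input."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction call")
    args = calldata[4:]
    if len(args) < HEAD_SLOTS * 32:
        raise ValueError("truncated head")

    def slot(i):
        return args[i * 32:(i + 1) * 32]

    def as_int(i):
        return int.from_bytes(slot(i), "big")

    def as_addr(i):
        w = slot(i)
        if any(w[:12]):  # an address must be left-padded with zero bytes
            raise ValueError(f"non-zero padding in address slot {i}")
        return "0x" + w[12:].hex()

    def as_bytes(i):
        off = as_int(i)
        length = int.from_bytes(args[off:off + 32], "big")
        body = args[off + 32:off + 32 + length]
        if len(body) != length:
            raise ValueError(f"dynamic field {i} runs past the end of calldata")
        return body

    return {
        "to": as_addr(0), "value": as_int(1), "data": as_bytes(2),
        "operation": as_int(3), "safeTxGas": as_int(4), "baseGas": as_int(5),
        "gasPrice": as_int(6), "gasToken": as_addr(7),
        "refundReceiver": as_addr(8), "signatures": as_bytes(9),
    }


def audit_against_intent(calldata, expected_to, expected_value, expected_data=b"") -> list:
    """Return the discrepancies between the decoded calldata and the signer's intent."""
    tx = decode_exec_transaction(calldata)
    findings = []
    if tx["to"].lower() != expected_to.lower():
        findings.append("to-mismatch")
    if tx["value"] != expected_value:
        findings.append("value-mismatch")
    if tx["data"] != expected_data:
        findings.append("data-mismatch")
    if tx["operation"] != 0:
        # operation 1 is DELEGATECALL: the target's code runs against the Safe's own storage
        findings.append("delegatecall")
    if tx["gasToken"] != ZERO_ADDRESS or tx["refundReceiver"] != ZERO_ADDRESS:
        # non-default refund settings redirect gas reimbursement to a chosen address
        findings.append("gas-refund")
    return findings


# Constructed scenario: the UI shows a plain 1 ETH transfer to INTENDED_TO ...
INTENDED_TO = "0x" + "11" * 20
SPOOFED_TO = "0x" + "22" * 20
ONE_ETH = 10 ** 18


def demo():
    honest = encode_exec_transaction(INTENDED_TO, ONE_ETH, b"", 0)
    # ... but the bytes actually presented for signing describe something else.
    tampered = encode_exec_transaction(SPOOFED_TO, 0, bytes.fromhex("deadbeef"), 1)
    return (audit_against_intent(honest, INTENDED_TO, ONE_ETH),
            audit_against_intent(tampered, INTENDED_TO, ONE_ETH))


if __name__ == "__main__":
    clean, bad = demo()
    print("honest calldata:", clean or "matches intent")
    print("tampered calldata:", bad)
```

The point of running this on a separate device is that the decoder has no dependency on the wallet front end: if the rendered transaction and the decoded bytes disagree on `to`, `value`, `data` or `operation`, the signer has a concrete reason to refuse, whatever the screen says.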

Conclusion

The Bybit hack has shattered long-held assumptions about crypto security.

Even with airtight technical defenses, human error remains the biggest vulnerability. This attack highlights how tactics like UI manipulation and social engineering can compromise even the most secure wallets.

Crypto security must evolve beyond just cryptographic trust—it must account for human vulnerabilities, advanced malware threats, and UI manipulation attacks. The industry needs to rethink how transactions are verified and how multi-layered, independent verification processes can prevent such catastrophic breaches in the future.
