Explained: The Bybit Hack (February 2025)

POSTED BY: Rob Behnke

02.22.2025

In February 2025, the Bybit centralized exchange (CEX) was the victim of the largest crypto hack to date. A social engineering attack was used to steal an estimated $1.4 billion in tokens from its cold wallet.

This hack dwarfs the previous record holder, the 2022 hack of the Ronin Network for $624 million. In fact, this incident appears to include greater losses than the previous two record holders combined.

Inside the Attack 

The root of the Bybit hack was a malicious transaction designed to modify the smart contract logic of the exchange’s multi-signature wallet. This change transferred ownership of the wallet to the attacker, allowing them to transfer the funds that it contained.

This malicious transaction was masked within another, benign transaction that was sent to the wallet’s signers for approval. In the masked UI, this transaction showed a transfer from the project’s cold wallet to a hot wallet with the correct address and a Safe URL.

Once this transaction was approved and digitally signed by the project’s team members, the hidden malicious code handed over control of the cold wallet to the attacker. From there, the attacker was able to transfer the assets held within the cold wallet to their own account, stealing an estimated $1.4 billion from the CEX.

Bybit quickly moved to reassure users that only the single cold wallet was affected and other assets were safe. It also stated that it had sufficient reserves in place to restore any losses to customers from the incident.

Lessons Learned from the Attack

The Bybit incident demonstrates the sophistication of modern DeFi hackers. In this case, the attacker likely infected the signers’ computers with malware or tricked them into visiting a phishing link, resulting in them approving a transaction with masked malicious content. This allowed the attacker to defeat the protections provided by the project’s multi-signature wallet and steal an estimated $1.4 billion from the protocol.

This hack mirrors the July 2024 hack of the WazirX CEX for $235 million. Like Bybit, the WazirX team had security best practices in place, but the attacker snuck in a malicious transaction disguised as a benign one.
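One defensive control against a masked transaction is to compare the raw fields that will actually be signed with the transfer the interface displayed. The sketch below is an added example, not code from Bybit, Safe, or the original post. It assumes the Safe transaction fields `to`, `value`, `data` and `operation` (0 = Call, 1 = DelegateCall) and a policy, chosen here, that a routine transfer must be a plain call; all addresses are constructed.

```python
# Added example, not Bybit's or Safe's code. Addresses below are constructed.
TRANSFER_SELECTOR = "a9059cbb"   # ERC-20 transfer(address,uint256)
OP_CALL = 0                      # Safe Enum.Operation: 0 = Call, 1 = DelegateCall
HEX = set("0123456789abcdef")

def _norm(h):
    """Lower-case a hex string and drop any 0x prefix."""
    h = (h or "").lower()
    return h[2:] if h.startswith("0x") else h

def transfer_calldata(recipient, amount):
    """ABI-encode transfer(recipient, amount) as a hex string."""
    return "0x" + TRANSFER_SELECTOR + _norm(recipient).rjust(64, "0") + format(amount, "064x")

def check_against_intent(tx, intent):
    """Return the reasons the raw fields differ from the transfer the signer was shown.
    tx: to, value, data, operation. intent: recipient, amount, token (None = native)."""
    problems, data = [], _norm(tx.get("data"))
    if tx["operation"] != OP_CALL:
        problems.append("operation is not a plain call")
    if intent["token"] is None:  # native transfer: target is the recipient, no calldata
        if _norm(tx["to"]) != _norm(intent["recipient"]):
            problems.append("target is not the displayed recipient")
        if tx["value"] != intent["amount"]:
            problems.append("value differs from the displayed amount")
        if data:
            problems.append("native transfer carries calldata")
        return problems
    if _norm(tx["to"]) != _norm(intent["token"]):
        problems.append("target is not the displayed token contract")
    if tx["value"] != 0:
        problems.append("token transfer carries native value")
    if len(data) != 136 or data[:8] != TRANSFER_SELECTOR or not set(data) <= HEX:
        return problems + ["calldata is not a single transfer(address,uint256)"]
    if data[8:72] != _norm(intent["recipient"]).rjust(64, "0"):
        problems.append("calldata recipient differs from the displayed recipient")
    if int(data[72:], 16) != intent["amount"]:
        problems.append("calldata amount differs from the displayed amount")
    return problems

HOT, TOKEN, OTHER = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20  # constructed
INTENT = {"recipient": HOT, "amount": 1000, "token": TOKEN}
MATCHING = {"to": TOKEN, "value": 0, "data": transfer_calldata(HOT, 1000), "operation": 0}
# Same calldata as displayed, but a different target and a delegatecall.
MISMATCH = dict(MATCHING, to=OTHER, operation=1)

if __name__ == "__main__":
    for name, tx in (("matching", MATCHING), ("mismatch", MISMATCH)):
        print(name, check_against_intent(tx, INTENT) or "OK")
```

The check is only meaningful when the raw fields are read from the signing device or another independent channel, not from the same interface that rendered the transfer.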

© Halborn 2024. All rights reserved.