The high-level details of the Bybit hack remain largely unchanged from the hours following the initial announcement and Ben Zhou’s livestream explanation. An attacker — demonstrated by ZachXBT to be the Lazarus Group — tricked the signers for a Bybit multi-sig cold wallet into approving a transaction that transferred control of the Safe multi-sig contract to them. This was accomplished by masking the transaction details in the Safe user interface, allowing the attacker to insert a backdoor function that they used to drain an estimated $1.4 billion from the wallet.

Initially, most theories and signs pointed to Bybit’s infrastructure being compromised by the attacker. If the signers’ devices were infected with malware, this malware could have performed the critical modifications to the Safe UI. However, this wasn’t the case.

Later forensic investigations revealed that the attack was made possible by a social engineering attack targeting a Safe developer. With this access, the attacker injected malicious JavaScript into the Safe UI code hosted on AWS. When the Bybit signers went to approve a transaction, they downloaded and used this malicious version of the interface instead of the legitimate one.

This malicious code was designed to look for a specific type of transaction, such as the routine transfers of ETH between Bybit’s cold and hot wallet. When a matching transaction was found, the code executed, modifying the transaction to include a delegatecall instruction in the multi-sig proxy contract that effectively performed a malicious upgrade to the attacker’s contract. This malicious version of the transaction was what was sent to the signers’ Ledger hardware wallets for approval and then on to the blockchain for execution.

After the malicious version of the transaction was signed, the JavaScript malware restored the original version within the Safe UI. This was intended to cover their tracks and minimize the risk of detection. Additionally, the malicious JavaScript hosted on Safe’s AWS instance was replaced with a clean version moments after the attack. However, the malicious version is still visible on Wayback Machine.

The unfolding story of the Bybit hack upended many initial theories and suggested countermeasures. It also demonstrated that the incident was the result of a sophisticated and carefully planned operation by the Lazarus Group.

The newly available details of the hack underscore the importance of preventative security controls designed to mitigate the risks associated with “blind signing”, which is when multi-sig signers approve a transaction without a full understanding of its purpose and functionality. To learn more about the details of the hack and best practices on how to prevent it, check out our video with Halborn’s Co-Founder Steven Walbroehl and blockchain analytics company Merkle Science where we unpack the Bybit hack.