How the Bybit Hack Happened—and How to Prevent the Next One with Seraph

The Bybit hack exposed critical vulnerabilities in blind signing practices and front-end security. Here’s how the attackers orchestrated the breach:

Multi-signature wallets add a layer of security by requiring multiple approvals for transactions. However, they are only as strong as their weakest link. The attackers leveraged blind signing, where signers approve transactions without verifying their full details. Lazarus Group manipulated a routine transfer from Bybit’s cold wallets, sneaking in malicious smart contract changes that enabled the theft.

Bybit relied on Safe for its multi-signature wallets. The attack was made possible when Safe’s AWS-hosted user interface was compromised. A phishing attack on a Safe developer allowed attackers to inject malicious JavaScript into Safe’s front end, modifying transaction data before signers saw it.

The malicious code ensured that signers only saw the original transaction data while executing a modified, malicious version. This manipulation enabled the attackers to insert hidden sweepETH and sweepERC20 functions, allowing them to drain Bybit’s cold wallets undetected.

The attackers successfully stole ETH, stETH, cmETH, and mETH, laundering them through thousands of addresses across multiple blockchains. Crypto security analysts, including ZachXBT, later linked the attack to previous hacks on BingX and Phemex, confirming Lazarus Group’s involvement.

Bybit had strong security measures in place, including multi-sig wallets and hardware wallets. Yet, attackers still found a way in. Why? Because security gaps exist in transaction visibility and front-end trust.

Most proposed solutions, such as using dedicated hardware devices for signing, wouldn’t have prevented the attack. Since Safe’s UI was compromised, even an air-gapped, brand-new device wouldn’t have caught the malicious transaction.

The key takeaway? Crypto security needs more than just multi-sig and cold storage—it needs proactive transaction verification.

Halborn developed Seraph, a policy enforcement tool for smart contracts, to prevent exactly these kinds of attacks. Unlike traditional security measures, Seraph ensures that even signed transactions can be reverted if they violate security policies.

• Pre-execution Simulation: Every transaction is simulated before execution, allowing for detection of malicious modifications.

• Administrator Approvals: Transactions interacting with Seraph-protected functions require final approval from an admin, adding an extra layer of oversight.

• Immutable Policy Enforcement: If Seraph had been deployed on Bybit’s cold storage contract, the attempted modification would have triggered an alert, allowing the fraudulent transaction to be blocked before execution.

Seraph ensures that what you see is actually what gets executed. It protects against front-end compromises, malicious contract modifications, and blind-signed transactions. In an era where hackers constantly innovate, blockchain security must evolve with them.

The Bybit hack underscores the need for proactive, on-chain security solutions. Multi-sig wallets and hardware devices provide strong defenses, but without transaction-level audits and policy enforcement, they remain vulnerable to sophisticated attacks.

Download our full whitepaper to dive deeper into the Bybit hack and see how Seraph can protect your platform from similar threats.

Ready to secure your digital assets? Contact Halborn today for a demo of Seraph and learn how our transaction-level security solutions can safeguard your blockchain projects.