How was Ethereum Bybit hacked?

On February 21, 2025, Bybit, a prominent cryptocurrency exchange, experienced a significant security breach resulting in the theft of approximately $1.4 billion in Ethereum (400 ETH) and related tokens. The attack targeted Bybit's Ethereum multisignature cold wallet, which is typically considered more secure due to its offline status and requirement for multiple approvals for transactions. 

  • The hackers manipulated a transaction to appear legitimate by altering its user interface (UI), making it seem as though signers were approving a normal transfer. This technique is known as "masked" or spoofed transactions.

  • The attackers targeted Bybit's multisignature cold wallet, which requires multiple signatures to authorize transactions. They managed to trick signers into approving malicious transactions without realizing it.

  • The malicious transaction altered the smart contract logic of the wallet, allowing hackers to gain control over the ETH cold wallet and transfer funds out.

  • There is speculation that malware might have been used to infect devices belonging to multisig signers, enabling hackers to execute "blind signatures," where users unknowingly signed off on malicious transactions.

The hack has been linked to North Korea’s elite hacking group Lazarus, known for sophisticated cyberattacks on financial institutions and cryptocurrency platforms. However, this attribution remains speculative at this stage.

After gaining control over Bybit’s cold wallet:

  • Hackers transferred approximately 401,346 ETH (worth about $1.12 billion), along with other tokens like stETH and mETH.

  • They split these funds into multiple wallets before consolidating them using decentralized exchanges.

Bybit has assured customers that all other cold wallets are secure and withdrawals are proceeding normally despite this significant breach.


Are there any known vulnerabilities in Safe{Wallet} that could be exploited?


There are no specific search results directly mentioning known vulnerabilities in Safe Wallet that could be exploited. However, the general landscape of cryptocurrency wallet vulnerabilities suggests several potential risks:

  1. While not specifically about Safe Wallet, multisignature wallets like those used by Bybit have been targeted in sophisticated attacks. These attacks often exploit human error or technical weaknesses in how signatures are managed.

  2. Common issues affecting cryptocurrency wallets include:

    • As seen with BitcoinJS, insufficient entropy can make keys vulnerable to brute-force attacks.

    • Many DeFi hacks stem from smart contract vulnerabilities.

    • Attacks often target private key management and security practices outside blockchain protocols.

  3. To mitigate these risks:

    • Regularly update software to ensure you have the latest security patches.

    • Use secure random number generators for key generation.

    • Implement robust access controls and non-repudiation measures to prevent unauthorized actions.

If you're concerned about Safe Wallet specifically, it's advisable to check their official communications or security advisories for any updates on potential vulnerabilities or mitigation strategies they recommend.



How did the hackers manage to infect the devices of the multi-sig signers?


The hackers managed to infect the devices of multi-sig signers through sophisticated malware attacks. Here's a breakdown of how this might have occurred:

  1. The attackers likely used custom malware designed specifically for these hacks, as seen in both the Bybit and Radiant Capital incidents. This malware could have been delivered via phishing emails, infected software downloads, or compromised websites.

  2. Once installed on a device, the malware manipulated the user interface (UI) of tools like Gnosis Safe or Safe Wallet to display legitimate transaction data while actually sending malicious transactions for signature. This "blind signing" allowed hackers to obtain valid signatures without raising suspicion.

  3. Hackers exploited common issues like transaction failures due to gas fee fluctuations or synchronization delays. They induced signers to re-sign multiple times, obtaining multiple valid malicious signatures without detection.

  4. There is speculation that Lazarus might have had insider help in identifying all multi-sig signers and targeting them effectively. However, this remains speculative.

  5. The use of hardware wallets did not prevent these attacks because while they secure private keys well, they do not verify the content of transactions being signed; they only confirm that a signature is applied correctly.

To mitigate such risks:

  • Implement robust security measures on devices.

  • Use secure networks and avoid suspicious links/downloads.

  • Regularly update software and use antivirus tools.

  • Consider using additional verification steps beyond just signing transactions when possible.
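The last recommendation above ("additional verification steps beyond just signing") is the one a signer can actually automate. The script below is an added example, not code from this page, from Bybit, or from the Safe project: it takes the raw fields of a Safe-style multisig transaction (the field names `to`, `value`, `data`, `operation` and the encoding `0 = CALL`, `1 = DELEGATECALL` follow Safe's SafeTx structure; `a9059cbb` is the standard ERC-20 `transfer(address,uint256)` selector) and checks them against what the signer believes the UI showed. A delegatecall, an unlisted target, or calldata that does not decode to the displayed transfer is reported before any signature is produced. All addresses, amounts and calldata in the sample data are constructed values.

```python
"""Pre-signing policy check for a Safe-style multisig transaction.

Added example; not Bybit's or Safe's code. Field names and operation codes
follow Safe's SafeTx structure; every address, amount and calldata below
is a constructed sample value.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

CALL = 0          # ordinary call: the wallet's own code stays in control
DELEGATECALL = 1  # target code runs in the wallet's context and can rewrite its logic

# keccak256("transfer(address,uint256)")[:4], the standard ERC-20 selector
ERC20_TRANSFER_SELECTOR = "a9059cbb"


@dataclass(frozen=True)
class SafeTx:
    """Raw transaction fields, taken from the payload the device will sign."""
    to: str
    value: int       # wei
    data: str        # hex calldata without the 0x prefix, "" for none
    operation: int   # CALL or DELEGATECALL
    nonce: int


@dataclass(frozen=True)
class DisplayedIntent:
    """What the signer believes they are approving (as the UI presented it)."""
    recipient: str
    amount_wei: int
    token: Optional[str]  # None = native ETH, otherwise the token contract


def decode_erc20_transfer(data: str) -> Optional[Tuple[str, int]]:
    """Return (recipient, amount) if data is exactly one ERC-20 transfer, else None."""
    if len(data) != 8 + 64 + 64 or data[:8] != ERC20_TRANSFER_SELECTOR:
        return None
    recipient = "0x" + data[8 + 24:8 + 64]  # address is the low 20 bytes of word 1
    amount = int(data[72:136], 16)           # uint256 in word 2
    return recipient.lower(), amount


def check_before_signing(tx: SafeTx, intent: DisplayedIntent,
                         allowlist: Set[str]) -> List[str]:
    """Return findings; an empty list means the raw tx matches the displayed intent."""
    findings = []
    if tx.operation != CALL:
        findings.append(f"operation={tx.operation}: delegatecall can replace the "
                        "wallet's logic; refuse to sign")
    if tx.to.lower() not in allowlist:
        findings.append(f"target {tx.to} is not on the allowlist")
    if intent.token is None:
        # Native ETH transfer: to == recipient, no calldata, value == amount.
        if tx.to.lower() != intent.recipient.lower():
            findings.append("recipient mismatch")
        if tx.data != "":
            findings.append("unexpected calldata on a plain ETH transfer")
        if tx.value != intent.amount_wei:
            findings.append("amount mismatch")
    else:
        # Token transfer: to == token contract, value == 0, calldata == transfer(recipient, amount).
        if tx.to.lower() != intent.token.lower():
            findings.append("token contract mismatch")
        if tx.value != 0:
            findings.append("nonzero ETH value on a token transfer")
        decoded = decode_erc20_transfer(tx.data)
        if decoded is None:
            findings.append("calldata is not a plain ERC-20 transfer")
        else:
            rcpt, amt = decoded
            if rcpt != intent.recipient.lower():
                findings.append("recipient mismatch")
            if amt != intent.amount_wei:
                findings.append("amount mismatch")
    return findings


# ---- constructed sample data (not real addresses or transactions) ----
RECIPIENT = "0x" + "11" * 20
TOKEN = "0x" + "22" * 20
UNKNOWN = "0x" + "ee" * 20
ALLOWLIST = {RECIPIENT, TOKEN}

# 1 ETH to the listed recipient: raw fields and displayed intent agree.
LEGIT_TX = SafeTx(to=RECIPIENT, value=10**18, data="", operation=CALL, nonce=7)
LEGIT_INTENT = DisplayedIntent(recipient=RECIPIENT, amount_wei=10**18, token=None)

# Same displayed intent, but the payload actually sent for signature is a
# delegatecall to an unlisted contract with arbitrary calldata.
MASKED_TX = SafeTx(to=UNKNOWN, value=0, data="deadbeef", operation=DELEGATECALL, nonce=7)

# 5 tokens to the recipient via the listed token contract.
TOKEN_AMOUNT = 5 * 10**18
TOKEN_TX = SafeTx(to=TOKEN, value=0,
                  data=ERC20_TRANSFER_SELECTOR + "0" * 24 + RECIPIENT[2:] + f"{TOKEN_AMOUNT:064x}",
                  operation=CALL, nonce=8)
TOKEN_INTENT = DisplayedIntent(recipient=RECIPIENT, amount_wei=TOKEN_AMOUNT, token=TOKEN)

if __name__ == "__main__":
    for name, tx, intent in (("legit", LEGIT_TX, LEGIT_INTENT),
                             ("masked", MASKED_TX, LEGIT_INTENT),
                             ("token", TOKEN_TX, TOKEN_INTENT)):
        print(name, check_before_signing(tx, intent, ALLOWLIST) or "OK")
```

The check only helps if `SafeTx` is populated from a source the compromised UI cannot edit, such as the raw payload read back from the hardware device or an independent node, and the allowlist is maintained out of band; comparing a UI's summary against itself proves nothing. Refusing any `DELEGATECALL` by default is the cheapest single rule, since a routine transfer never needs it.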
