Bybit Hack Explained

The Bybit Hack: What Happened & How to Keep Your Crypto Safe


In February 2025, Bybit suffered one of the largest crypto exchange hacks in history, losing nearly $1.5 billion in ETH from its cold wallet. While early rumors suggested a flaw in Ledger hardware wallets, the truth is very different.

The hack was actually a supply chain attack on Bybit’s Safe Wallet multisig system, not a direct breach of Bybit’s private keys or seed phrases. In other words, no seed phrase was stolen—instead, Bybit’s security team unknowingly approved a fraudulent transaction.

So, how did this happen? And more importantly, how can you make sure this doesn’t happen to you? Let’s break it all down.

How Did Hackers Steal $1.5 Billion from Bybit?

This was not your typical phishing scam or brute-force attack. Instead, the hackers used an advanced supply chain exploit to manipulate Bybit’s Safe Wallet, a popular multisig Ethereum wallet. Here’s how they pulled it off:

Step 1: Hacking the Safe Wallet Interface

Bybit used Safe Wallet (formerly Gnosis Safe) to manage its Ethereum holdings. However, a Safe Wallet developer’s credentials were compromised, giving attackers access to the wallet’s source code repository.

Once inside, the hackers injected malicious JavaScript code into the Safe Wallet user interface (UI). This meant that anyone using Safe Wallet—including Bybit’s security team—was unknowingly interacting with a tampered version of the software.

Step 2: Manipulating Transactions

When Bybit’s team initiated a routine transaction, the hacked Safe Wallet UI altered the details in real-time. The transaction looked normal, but in reality, the funds were rerouted to a hacker-controlled address.

Step 3: Blind Signing the Attack

Bybit’s security team used Ledger hardware wallets to approve the transaction. However, because Safe Wallet didn’t display full transaction details on Ledger devices, the team blindly signed what they thought was a legitimate transfer.

This was the fatal mistake. The compromised Safe Wallet UI tricked them into signing a fraudulent multisig transaction, allowing hackers to drain Bybit’s wallet.

Step 4: Moving the Stolen Funds

With the fake transaction approved, the hackers quickly transferred 401,347 ETH (worth $1.5 billion) to multiple wallets. To cover their tracks, they:

  • Used chain-hopping techniques (swapping crypto between different blockchains)

  • Converted ETH into Bitcoin and privacy coins to obscure transactions

  • Leveraged decentralized exchanges (DEXs) and mixers to launder funds

Was Ledger Involved?

No, Ledger itself wasn’t compromised. The attack was entirely on Safe Wallet’s UI, not on any hardware wallet system.

However, Ledger’s lack of transaction visibility contributed to the problem. When Bybit’s security team used Ledger to approve transactions, they couldn’t see the full transaction details—Safe Wallet’s UI didn’t display them properly.

What Went Wrong?

✔️ The Safe Wallet UI was compromised
✔️ Bybit’s security team blindly signed a fraudulent transaction
❌ No Ledger seed phrases or private keys were stolen
❌ Ledger itself was not hacked

Safe Wallet has since acknowledged the issue and is working on better transaction verification measures. It has also temporarily paused Ledger integration to prevent future blind-signing exploits.

Who Was Behind the Attack?

According to cybersecurity experts and the FBI, the hack was likely carried out by the Lazarus Group, a North Korean state-sponsored cybercrime syndicate. They have been responsible for multiple billion-dollar crypto heists, including the $620M Ronin Network hack in 2022.

The attack followed a well-planned social engineering strategy:

  • They first hacked a Safe Wallet developer’s credentials

  • They injected malicious code into the wallet’s UI

  • They waited for Bybit’s security team to unknowingly sign a malicious transaction

Bybit has been actively working to recover the stolen funds from the recent $1.4 billion hack. So far, they have been able to trace about 77% of the stolen crypto, meaning a significant portion is still within reach. However, $900 million has already been funneled through ThorChain, making it harder to track. Another $172 million remains completely untraceable, having been moved through platforms like ExCH and OKX Web3 Proxy.

To aid in fund recovery, Bybit and its partners have launched a bounty program, paying out $2.18 million in USDT to investigators who have helped trace and freeze stolen assets.

While some progress has been made, the majority of the stolen funds are still in motion, making full recovery uncertain and ultimately very unlikely.

How to Protect Your Crypto from Hacks Like This

Even major exchanges like Bybit aren’t immune to sophisticated attacks. But here’s how you can protect your own crypto:

1. Never Blindly Sign Transactions

This was the critical mistake in the Bybit hack. If you use a hardware wallet, always verify transaction details before signing. Better yet, if you don't know about signing smart contracts, don't mess with them at all.

2. Store Your Crypto in a Secure Hardware Wallet

Leaving funds on an exchange is risky. Use a secure hardware wallet and self-custody your assets whenever possible. If you need one, check out Ledger or Trezor. Keep your keys offline and do not sign any smart contracts.

3. Verify Addresses & Smart Contracts

Always double-check wallet addresses before confirming a transaction. Hackers often change addresses mid-transaction, just like they did in the Bybit hack.

4. Enable Multi-Factor Authentication (MFA)

Most hacks start with compromised passwords. Always use MFA on exchanges and wallets to add an extra layer of protection.

5. Keep Software & Firmware Updated

Bybit’s hack involved a software vulnerability in Safe Wallet. To avoid similar risks, always keep your wallet and firmware updated to patch potential security holes.
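
Tips 1 and 3 come down to checking the request your wallet is asked to sign, not what the web page shows. The Python sketch below is an added example, not code from Safe, Ledger or Bybit: it compares a Safe EIP-712 `SafeTx` signing request with the transfer you intended. The function names, the `intent` layout and all addresses are assumptions for illustration; the `message` field names follow Safe's `SafeTx` struct.

```python
# Added example: check a Safe EIP-712 "SafeTx" signing request against the
# signer's own intent. Addresses and the sample requests are constructed.
ERC20_TRANSFER = "a9059cbb"  # selector of transfer(address,uint256)

def inner_transfer(data_hex):
    """Return (recipient, amount) if data is an ERC-20 transfer call, else None."""
    raw = data_hex.lower().removeprefix("0x")
    if not raw.startswith(ERC20_TRANSFER) or len(raw) != 8 + 128:
        return None
    return "0x" + raw[32:72], int(raw[72:], 16)

def review_signing_request(req, intent):
    """List every way the request differs from the intended transfer."""
    msg, findings = req["message"], []
    if req.get("primaryType") != "SafeTx":
        findings.append("not a SafeTx request")
    if req["domain"]["verifyingContract"].lower() != intent["safe"]:
        findings.append("request is for a different Safe")
    if int(msg["operation"]) != 0:
        findings.append("operation is not a plain call")
    recipient, amount = msg["to"].lower(), int(msg["value"])
    if msg["data"] not in ("", "0x"):  # contract call: look inside the calldata
        decoded = inner_transfer(msg["data"])
        if decoded is None:
            return findings + ["unrecognised calldata, decode it before signing"]
        if recipient != intent.get("token"):
            findings.append("unexpected token contract")
        if amount != 0:
            findings.append("token call also moves ETH")
        recipient, amount = decoded
    if recipient != intent["recipient"]:
        findings.append("recipient differs from intent")
    if amount != intent["amount"]:
        findings.append("amount differs from intent")
    return findings

SAFE, PAYEE, OTHER = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
INTENT = {"safe": SAFE, "recipient": PAYEE, "amount": 10**18}

def sample(to, value, data="0x", operation=0):
    """Build a constructed signing request with only the fields checked here."""
    return {"primaryType": "SafeTx", "domain": {"verifyingContract": SAFE},
            "message": {"to": to, "value": str(value), "data": data,
                        "operation": operation}}

if __name__ == "__main__":
    print(review_signing_request(sample(PAYEE, 10**18), INTENT))  # matches intent
    print(review_signing_request(sample(OTHER, 10**18), INTENT))  # altered recipient
```

An empty result means the request matches your intent. Any finding is a reason to stop and inspect the request on a second, independent machine before approving it on the device.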

Final Thoughts

The Bybit hack was a wake-up call for the entire crypto industry. It proved that even cold wallets aren’t invincible if you blindly sign transactions.

The good news? Bybit’s seed phrase was never compromised, and no Ledger wallets were hacked. The bad news? Blindly signing transactions without full visibility remains a major security risk.

If you hold crypto, take security seriously:

  • Use a reliable hardware wallet

  • Store your private keys separately from your wallet and never online

  • Stay informed about potential vulnerabilities

Stay safe out there!



Cold Wallet Direct

I am a crypto security expert with a deep understanding of blockchain security, hardware wallets, and private key management. With years of experience in the crypto space, I specialize in helping individuals and businesses protect their digital assets.

