Bybit's ETH cold wallet was a Safe multisig: a smart-contract wallet on which a transaction executes only after a threshold of separate signers has approved it. Such a setup is usually considered very secure. In this incident, however, the attackers did not break the multisig or steal any key. They tricked the signers into approving a transaction that handed over control of the wallet contract, using a UI spoofing (transaction masking) attack: the interface displayed one transaction while the signers actually signed another.
How did the hack happen? Step by step ■
1️⃣ The cold wallet needed to transfer funds.
Bybit needed to move some ETH from its cold wallet to its warm wallet (the one used for daily operations).
Such a transfer requires approval from several signers through the wallet's multisig, which Bybit operated through the Gnosis Safe platform (now known as Safe).
---
2️⃣ Hackers created a fake interface to trick signers.
The attackers manipulated the user interface the Bybit team uses to review and approve transactions.
Instead of showing the details of the real transaction, it rendered a fake one that looked 100% legitimate.
Even the website address was the genuine Safe one (app.safe.global, Gnosis Safe's own domain), so nothing about the page itself raised suspicion: the deception was in what the page displayed, not in a look-alike site.
✅ What did the Bybit team see when signing?
A transaction showing ETH being sent to Bybit's warm wallet.
All the information seemed correct and natural.
❌ What actually happened in the background without their knowledge?
Instead of sending funds, the transaction altered the wallet's own smart-contract logic: it was executed as a delegatecall to an attacker-controlled contract, which runs the attacker's code with the Safe's own storage and so can overwrite the pointer to the wallet's implementation contract.
That change gave the attacker complete control over the wallet, allowing them to transfer all of its funds to their own addresses.
---
3️⃣ Bybit team signed the fake transaction without knowing
Since the interface showed a legitimate-looking transfer, every signer believed they were approving a normal movement of funds. The hardware signing devices displayed only the hash of the transaction, which gave the signers nothing human-readable to compare against what the screen showed.
In reality, they approved a change to the wallet's logic that let the attacker take full control of it.
---
4️⃣ The hacker became the new owner of the wallet and stole all the money.
Once the required signatures were collected and the transaction executed, the attacker alone controlled the cold wallet.
They transferred all the ETH it held to their own addresses.
Bybit no longer had access to its cold wallet.
---
Why is this hack so dangerous?
🔴 This was not a traditional hack but a sophisticated attack built on visual deception and social engineering. Here is why it counts as one of the most dangerous hacks in the history of cryptocurrencies:
1️⃣ The cold wallet was supposed to be completely secure.
Typically, a cold wallet's keys are kept offline, out of reach of any attacker on the network.
Here the wallet was emptied without a single private key being stolen: the team responsible for signing was simply tricked into approving the wrong transaction.
2️⃣ Multisignature was not enough for protection.
Even with several people reviewing the transaction, the attacker fooled all of them, because every signer was looking at the same manipulated display.
Multisig protects against a compromised key or a single rogue signer; it does not help when all signers are shown the same false picture and approve it.
3️⃣ UI spoofing at the signing step is an underrated and dangerous threat.
This breach was not caused by a bug in the wallet contract or the signing devices, but by a change in how the transaction was displayed to the people approving it.
It shows that the human review step is the weakest link whenever the channel used for that review is itself under the attacker's control.
4️⃣ There was no direct intrusion into Bybit's network and no leak of private keys.
The attacker did not breach Bybit's servers or steal sensitive data; the tampering happened in the interface used to build and review the transaction.
All they did was trick the signing team into approving a transaction that transferred ownership of the wallet to them.
---
What does this breach mean for the future of trading platforms?
🎯 This hack shows that technical security alone is not enough: systems must also be protected against social engineering and deceptive displays, and signers need a trustworthy way to verify what they are actually signing.
🎯 All platforms should start updating their systems to address these new threats.
🎯 Users should be more aware that even secure systems can be hacked in unconventional ways.
💡 Conclusion:
This is not just a hack of a trading platform, it is a hack of the way we think about digital security.