Bybit's $1.5B Hack: A Wake-Up Call for Crypto Security – And How Hypernative Guardian Would Have Stopped It

Updated on February 26, 2025: In our original article we mentioned that the attack was carried out by UI spoofing of the multisig signing process. New information indicates that attackers compromised the Safe developer machine, not Bybit devices, which resulted in the attack. We have updated the article to reflect this information.

‍

‍

On Feb. 21, a Safe developer machine was compromised resulting in an attack that tricked multisig signers into authorizing a wallet implementation upgrade containing malicious code, resulting in a hack of Bybit for $1.5B sending shockwaves through the industry, highlighting the ever-present and evolving threats facing digital asset security.

‍

This sophisticated attack, which exploited a vulnerability in the multisig signing process, serves as a stark reminder that even seemingly robust security measures can be compromised. At Hypernative, we understand the urgency and complexity of these challenges, and we're here to demonstrate how our new product, Guardian, offers the critical protection needed to prevent such devastating losses.
‍

‍

The Anatomy of a Sophisticated Attack

Official statements, along with insights from developers and blockchain analysts, paint a picture of the probable attack flow:

‍

• Safe Developer Machine Compromise: The attackers had managed to gain access to this machine which affected an account operated by Bybit.
  ‍
• Malware and Targeted Attacks: This manipulation likely involved malware installed on the signers' devices, allowing the attackers to alter the displayed information while the actual signed transaction would change the smart contract logic of the multisig wallet.
  ‍
• Smart Contract Compromise: The altered transaction granted the attackers control of the wallet, by changing its implementation, enabling them to drain its holdings.
  ‍
• Rapid Asset Movement: The stolen assets, including ETH, stETH, cmETH, and mETH, were quickly transferred and exchanged through various addresses, demonstrating the attackers' efficiency and intent to obfuscate the trail.

‍

This attack underscores the inherent vulnerabilities in multisig setups, particularly when relying solely on traditional security measures. The fact that the attackers successfully targeted individual signers highlights the need for a more comprehensive, proactive security approach.
‍

‍

How Hypernative Would Have Prevented the Bybit Hack

The Bybit hack demonstrates that relying solely on multisig security and standard device security is not enough. The attackers successfully bypassed these measures by exploiting a fundamental weakness: the inability to verify the true intent of the transaction before it's signed.

‍

This is precisely where Hypernative Guardian comes into play.

‍

Guardian is designed to provide real-time, pre-transaction security, analyzing the true intent and impact of every transaction before it is executed, inspecting risks according to a user-defined granular policy. Here's how it would have stopped the Bybit hack:

‍

• Pre-Transaction Intent Analysis: Guardian, powered by Hypernative’s battle-tested ML Engine and a granular detection policy, simulates and inspects the flow of every transaction, regardless of what the UI displays. It would have detected the discrepancy between the displayed transaction and the actual action of changing the multisig wallet's smart contract logic.
  ‍
• Multisig Integration: Guardian employs the Safe Guard module to inspect the Safe transaction and revert execution if it is anomalous or not specifically approved. This integration runs onchain and as such cannot be bypassed - all transactions run through it.
  ‍
• Anomaly Detection, Alerting, and Automated Actions: Guardian would have immediately flagged the suspicious transaction and alerted Bybit's security team, allowing them to intervene before the funds were lost, or with pre-configured actions made any onchain event happen immediately to mitigate the threat.
  ‍
• Real-time Risk Assessment: Guardian provides a continuous risk assessment across 50+ chains, enabling organizations to proactively identify and mitigate potential threats before they materialize.
  ‍
  
  

Key Takeaways and the Future of Crypto Security

The Bybit hack serves as a critical wake-up call for the entire crypto industry. It highlights the need for:

‍

• Enhanced Security Measures: Moving beyond traditional security approaches and adopting proactive, real-time monitoring solutions like Hypernative Guardian.
  ‍
• Increased Vigilance: Emphasizing the importance of continuous monitoring and anomaly detection.
  ‍
• Collaborative Investigation: Encouraging collaboration among exchanges, security firms, and blockchain analysts to trace and recover stolen funds.
  ‍
• User Education: Reinforcing the importance of secure device usage and awareness of phishing and social engineering attacks.

‍

At Hypernative, we are committed to providing cutting-edge security solutions that protect digital assets from evolving threats. With Guardian, we empower exchanges, wallets, asset managers, and financial institutions to safeguard their assets.
‍

If you are interested in learning more about how Hypernative Guardian can secure your operations, please contact us today