The Bybit hack represents one of the largest thefts in digital asset history, with approximately $1.5 billion stolen from a multisig cold wallet through sophisticated social engineering and UI manipulation. This incident underscores the vulnerability of human actions in the context of blockchain security, revealing that even advanced security protocols can be compromised by deceptive tactics.
Affected: Bybit, Ethereum blockchain, digital asset industry
Keypoints:
- Check Point alerted on a critical attack involving the Ethereum blockchain on February 21st.
- The hack resulted in the theft of approximately $1.5 billion worth of digital assets, mainly Ethereum tokens.
- The attack transitioned from exploiting protocol flaws to using advanced social engineering methods.
- Bybit’s multisig cold wallet was compromised due to a manipulation of user interfaces.
- Research highlighted vulnerabilities in the Safe Protocol’s execTransaction function used in the attack.
- The incident challenged previous notions of crypto security, emphasizing the importance of the human factor.
- The attack utilized a malicious contract that redirected funds through UI deception and compromised signatures.
- This hack is a significant evolution of crypto attack methods, illustrating new techniques used by cybercriminals.
MITRE Techniques:
- TA0001: Initial Access – The attacker possibly used phishing, malware, or supply-chain compromise to gain access to multisig signers’ devices.
- TA0003: Collection – The attacker collected sensitive information by using a compromised UI that simulated legitimate transaction details.
- TA0007: Execute – The attack was executed by leveraging a delegate call to a malicious contract that manipulated target contract behaviors.
- TA0005: Credential Access – The attacker obtained the keys from the signers through deceptive means.
- TA0009: Exfiltration – Funds were exfiltrated via the malicious contract, redirecting stolen assets to the attacker’s address.
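A signer-side check for the delegate call described above, as an added example that is not code from Check Point, Safe or Bybit: it decodes `execTransaction` calldata independently of the signing UI and flags a delegate call to a target that is not pre-approved. The selector, argument order and operation values follow the public Safe contract ABI; the allowlist policy, helper names and sample calldata are assumptions constructed for the demo.

```python
# Added example: decode Safe execTransaction calldata independently of any signing UI.
EXEC_TX_SELECTOR = bytes.fromhex("6a761202")  # execTransaction(address,uint256,bytes,uint8,...)
OPERATIONS = {0: "CALL", 1: "DELEGATECALL"}   # Safe's Enum.Operation values
HEAD_WORDS = 10                               # execTransaction takes ten arguments

def _word(buf: bytes, index: int) -> int:
    return int.from_bytes(buf[32 * index:32 * index + 32], "big")

def decode_exec_transaction(calldata: bytes) -> dict:
    """Return the fields a signer must check: to, value, operation, inner data."""
    if calldata[:4] != EXEC_TX_SELECTOR:
        raise ValueError("not an execTransaction call")
    args = calldata[4:]
    if len(args) < HEAD_WORDS * 32:
        raise ValueError("argument head truncated")
    offset = _word(args, 2)                   # where the dynamic `data` bytes start
    if offset + 32 > len(args):
        raise ValueError("data offset out of range")
    length = _word(args[offset:], 0)
    if offset + 32 + length > len(args):
        raise ValueError("data length out of range")
    op = _word(args, 3)
    return {"to": "0x" + args[12:32].hex(), "value": _word(args, 1),
            "operation": OPERATIONS.get(op, f"INVALID({op})"),
            "data": args[offset + 32:offset + 32 + length]}

def review(tx: dict, delegatecall_allowlist: set) -> list:
    """Hypothetical policy: delegate calls only to pre-approved library contracts."""
    allowed = {a.lower() for a in delegatecall_allowlist}
    findings = []
    if tx["operation"] != "CALL" and tx["to"] not in allowed:
        findings.append(f"{tx['operation']} to unapproved target {tx['to']}")
    return findings

def build_sample(to_hex: str, operation: int, data: bytes = b"\x12\x34\x56\x78") -> bytes:
    """Constructed calldata for the demo; not taken from any real transaction."""
    u = lambda n: n.to_bytes(32, "big")
    tail = u(len(data)) + data + b"\x00" * (-len(data) % 32)
    head = [u(int(to_hex, 16)), u(0), u(HEAD_WORDS * 32), u(operation)] + [u(0)] * 5
    head.append(u(HEAD_WORDS * 32 + len(tail)))   # offset of the (empty) signatures
    return EXEC_TX_SELECTOR + b"".join(head) + tail + u(0)

if __name__ == "__main__":
    target = "0x" + "11" * 20                 # constructed placeholder address
    for op in (0, 1):
        tx = decode_exec_transaction(build_sample(target, op))
        print(tx["operation"], tx["to"], review(tx, set()) or "ok")
```

Run on a device separate from the one rendering the signing UI, the decoded `operation` and `to` fields give signers a second view of what they are about to approve.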
Indicators of Compromise:
- [Address] 0x47666fab8bd0ac7003bce3f5c3585383f09486e2
- [Address] 0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516
- [Amount] 400,000 ETH (as part of the stolen assets)
- [Contract Address] 0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516
- [Loss Value] $1.5 billion (total estimated loss)
Full Story: https://research.checkpoint.com/2025/the-bybit-incident-when-research-meets-reality/