The hack of the Bybit exchange resulted in the theft of $1.4 billion worth of ether, making it the biggest crypto exploit in history.
ZachXBT is credited by the research platform Arkham with submitting definitive evidence linking this hack to Lazarus Group, which has ties to North Korea. A second piece of information suggests the attack could have been planned for years.
After transferring the funds out of Bybit’s cold wallet, the hacker split 400,000 ETH across dozens of other wallets. Bybit’s CEO Ben Zhou pointed to an exploit in the user interface (UI) of the company’s multisignature wallet, provided by Safe — a wallet provider used by a variety of large organizations in the Ethereum world.
“It appears that this specific transaction was musked, all the signers saw the musked UI which showed the correct address and the URL,” Zhou said. “Musked” here means that the transaction payload was obfuscated or spoofed.
Crypto-security firm Groom Lake claims that Safe multisig wallets were deployed on Ethereum in 2019 and on the Base layer-2 in 2024 with identical transaction hashes. Ethereum’s 64-character alphanumeric hashes make it mathematically impossible to deploy the same transaction hash on two different smart contracts.
According to Apollo, a pseudonymous researcher at Groom Lake, the same transaction hash appearing on both Ethereum and Base could indicate that an attacker found a way to make a transaction valid across multiple networks, or could even be reusing wallet signatures.
Safe does not see a connection between this exploit and any other.
“The transaction in question is the transaction deploying the singleton contract,” a spokesperson for Safe told Blockworks. “It was deployed without EIP-155 to support easy cross-chain deployments. Replaying the singleton creation doesn’t pose any security risk.”
EIP-155, or Ethereum Improvement Proposal 155, was first introduced as a security measure in 2016. It aims to protect against transaction replay attacks across different chains. Before EIP-155, a transaction signed on one Ethereum-based network — e.g. Ethereum mainnet — could be replayed on another Ethereum-compatible chain, because the signature remained valid there.
EIP-155 fixed this by adding a chain ID to every signed transaction. This ensures that a transaction meant for Ethereum is not valid on other chains such as Base. Even if a signer’s private key were later compromised, an attacker could not reuse previously signed transactions on another chain.
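As an added illustration (not code from Safe, Bybit or this article) of how EIP-155 binds a signature to one chain: the digest a signer actually signs covers the chain ID, and the signature’s v value reveals which chain it commits to, so a defender can tell a replay-protected signature from a legacy one. The RLP encoder and sample transaction below are constructed, and SHA3-256 stands in for Ethereum’s Keccak-256.

```python
import hashlib

# Real chain IDs: Ethereum mainnet = 1, Base = 8453
MAINNET, BASE = 1, 8453

def _len_prefix(n, offset):
    """RLP length prefix for a string (offset 0x80) or list (offset 0xC0)."""
    if n < 56:
        return bytes([offset + n])
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([offset + 55 + len(n_bytes)]) + n_bytes

def rlp_encode(item):
    """Minimal RLP encoder for ints, bytes and lists (the format Ethereum signs over)."""
    if isinstance(item, int):
        item = b"" if item == 0 else item.to_bytes((item.bit_length() + 7) // 8, "big")
    if isinstance(item, bytes):
        if len(item) == 1 and item[0] < 0x80:
            return item
        return _len_prefix(len(item), 0x80) + item
    body = b"".join(rlp_encode(x) for x in item)
    return _len_prefix(len(body), 0xC0) + body

def keccak256(data):
    # Assumption/stand-in: hashlib's SHA3-256 differs from Ethereum's Keccak-256
    # only in a padding byte; the chain-ID dependence shown here is identical.
    return hashlib.sha3_256(data).digest()

def signing_hash(tx, chain_id=None):
    """Digest the signer signs. Legacy (pre-EIP-155) omits the chain ID;
    EIP-155 appends [chain_id, 0, 0], binding the digest to one chain."""
    fields = [tx["nonce"], tx["gas_price"], tx["gas"], tx["to"], tx["value"], tx["data"]]
    if chain_id is not None:
        fields += [chain_id, 0, 0]
    return keccak256(rlp_encode(fields))

def chain_id_from_v(v):
    """Chain ID an EIP-155 signature commits to (v = chain_id*2 + 35 or 36);
    None for legacy v of 27/28, i.e. a signature with no replay protection."""
    if v in (27, 28):
        return None
    return (v - 35) // 2

# Constructed sample transfer (not the Bybit transaction): 1 ETH to the zero address
SAMPLE_TX = {"nonce": 0, "gas_price": 20_000_000_000, "gas": 21_000,
             "to": bytes(20), "value": 10**18, "data": b""}

def replayable_on_both(tx, chain_a, chain_b, eip155):
    """True if one signature over tx would verify on both chains."""
    if not eip155:
        return True  # legacy digest carries no chain ID, so it is chain-agnostic
    return signing_hash(tx, chain_a) == signing_hash(tx, chain_b)
```

Checking `chain_id_from_v` on a signature’s v value is the quickest way to confirm that a signed transaction was produced with replay protection.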
Alternatively, the hack may have resulted not from a flaw in Safe’s smart contracts or from a replay attack, but from UI manipulation or a compromise of wallet infrastructure — in which the signers unknowingly authorized contract modifications.
It would be in the same category as the Radiant Exploit of December 2023 or the WazirX Breach from March 2024.
As a precaution, Safe’s main user interface has been taken offline.
“We remain confident there’s no exploit in the official Safe {Wallet} frontend but if you need to transact, you can still manage your Safe using these alternative interfaces,” the Safe team posted on X.
If Safe’s assessment is correct, it reduces the likelihood that the smart contracts themselves contain a security flaw.
“If it was, it won’t be Bybit,” Safe’s spokesperson said, implying that a contract-level flaw would have exposed far larger targets. Safe secures more than $100 billion worth of digital assets across more than seven million smart accounts.
This still poses a potential security threat, especially for large institutions that rely on multisignature wallets.
Signers should verify the transaction payload against the raw transaction data, not against what the UI displays.
In the meantime, the attackers’ wallets will be the focus of every security expert in the industry. The group or person responsible is currently the world’s fourteenth-largest ETH holder.
Updated on Friday, February 21, at 3:40 PM ET: Arkham has added its claim that Lazarus Group is behind the hack.