Bybit’s $1.4 billion attack triggered an expected response. Security and infrastructure companies all claimed that their technologies could have stopped the attack.
The FBI has confirmed the hack was the work of North Korea’s Lazarus Group, which targeted Bybit’s Safe{Wallet} setup. A key detail disclosed yesterday is that it was a Safe developer’s machine — and not Bybit’s infrastructure — that was compromised, allowing attackers to inject malicious code into the transaction signing interface.
Bybit’s signers blindly approved a fraudulent transaction, draining the exchange’s Ethereum cold wallet.
Taylor Monahan, a security researcher at MetaMask, said that given blind signing’s history in the crypto industry, this attack could have been predicted. As she put it: “There is NO org in this space that is taking security seriously enough to protect against a dedicated, persistent, motivated adversary like Lazarus.”
The following are some key findings:
Safe{Wallet}’s UI was compromised — the interface showed Bybit’s signers the transaction they expected, while the transaction actually sent to their devices for signature was a completely different one.
Blind signing on Ledger devices was the final failure — Bybit’s final signer, Ben Zhou, admitted he did not fully verify the transaction on his Ledger hardware wallet before approving it.
The attack targeted human oversight — Lazarus didn’t need to exploit smart contracts or break cryptographic security; it simply exploited the signers’ trust in the UI.
CZ, the former CEO of Binance, criticized Safe’s response. He raised pointed questions: why did a developer’s computer have access to code that served Bybit’s transaction signing flow? Why did Ledger’s signing process not prevent this? What security lessons should the industry draw?
All of these questions are important and will require some time to answer.
The rush of businesses is on
Companies flood the market with claims that their products would have prevented every hack. Some address the specific issue — secure transaction verification — while others hijack the narrative for marketing.
- OISY (Dfinity’s on-chain wallet)
Claim: The weakest links are browser extensions and private key management; OISY removes both because it runs on-chain.
Reality: The attack had nothing to do with browser extensions or private key exposure. It was blind signing of a transaction the UI misrepresented. OISY may have an innovative architecture, but it does not address the root cause of this hack.
- Impossible Cloud Network (decentralized cloud storage)
Claim: Centralized cloud services such as AWS are the cause of this exploit.
Reality: Bybit was not hacked because of AWS. The malicious code reached Safe’s web frontend through a compromised developer machine, and any hosting provider would have served that code just the same once the attackers held the developer’s access. Decentralized storage may shrink some attack surface, but the issue was manipulation of Safe’s UI and blind signing, not the choice of hosting provider.
- Cubist (hardware-backed signing with policy enforcement)
Claim: The exploit would not have happened if strict signing policies had been enforced: allowlisted destination addresses, governance delays and multi-factor approval.
Reality: This one is on point. A signing policy that checks the raw transaction fields (destination, operation type, amount) against predefined rules, independently of whatever the UI renders, would have rejected the malicious transaction even after the signers were tricked. The caveat is that the policy engine must read the transaction actually being signed, not the UI’s description of it.
- Fireblocks (MPC-based policy and transaction enforcement)
Claim: Bybit’s security model was fundamentally flawed: Ledger’s blind-signing limitation combined with Safe’s UI vulnerability left it open to attack. Fireblocks argues that its MPC infrastructure, policy engine and real-time transaction verification would have reduced this risk.
Reality: The claim has some validity. A policy engine that requires every transaction to match predefined rules blocks unexpected ones even when signers are deceived. MPC itself does not address blind signing, though; splitting the key among parties says nothing about whether any of them verified the transaction. The value lies in the policy layer and the independent verification, not in how the key is held.
Taylor Monahan said it best in her sassy, feisty manner. “Fancy multisig, semi-custodial, MPC, blah blah blah product…make your attack surface LARGER, not smaller.”
The most important lesson is that trust in the UI is the largest security gap. The Bybit attack wasn’t about smart contracts, decentralization or private key security; it was about blind trust in a compromised UI.
Don’t trust, verify. Approving a transaction without checking what the device is actually signing defeats the whole purpose of a hardware wallet. Any solution that fails to acknowledge this is irrelevant.
When billions of dollars are on the line, there is no excuse for not having:
- The strictest transaction signing policies
- Hardware-wallet verification of every transaction, checked against the raw transaction data rather than the UI
- Governance delays and multi-layer approvals
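A signing policy of the kind the Cubist and Fireblocks claims describe, and the list above calls for, can be written down as a function over the raw transaction fields. The following is an added illustration in Python, not either vendor’s code and not from the original article. It assumes a Safe-style transaction record (`to`, `value`, `data`, `operation`, plus a `proposed_at` timestamp that is this example’s own addition), a policy with an allowlist of token contracts, an allowlist of recipients, a value cap and a governance delay, and returns every rule a transaction breaks. The addresses, amounts and both transactions are constructed; the tampered one again models a delegatecall to a non-allowlisted contract.

```python
"""Signing-policy check over raw Safe transaction fields (never the UI's rendering of them).
Added illustration of the approach Cubist and Fireblocks describe; not their code."""
from datetime import datetime, timedelta, timezone

ERC20_TRANSFER = bytes.fromhex("a9059cbb")      # selector of transfer(address,uint256)
CALL, DELEGATECALL = 0, 1                        # Safe `operation` values


def _decode_erc20_transfer(data: bytes):
    """Return (recipient, amount) for a transfer(address,uint256) call, else None."""
    if len(data) != 4 + 64 or data[:4] != ERC20_TRANSFER:
        return None
    recipient = "0x" + data[16:36].hex()         # last 20 bytes of the first 32-byte word
    amount = int.from_bytes(data[36:68], "big")
    return recipient, amount


def evaluate(tx: dict, policy: dict, now: datetime) -> list:
    """Every violated rule as a string; an empty list means the policy permits signing."""
    violations = []
    if tx["operation"] != CALL:
        violations.append("operation: only CALL is permitted; DELEGATECALL runs the target's "
                          "code inside the Safe's own storage context")
    to = tx["to"].lower()
    if tx["data"] == b"":                         # plain ETH transfer: `to` receives the value
        recipient, amount = to, tx["value"]
    elif to in policy["allowed_tokens"] and (t := _decode_erc20_transfer(tx["data"])):
        recipient, amount = t                     # allowlisted token, recognised transfer call
    else:
        violations.append(f"data: {to} is not an allowlisted token or calldata is not transfer()")
        recipient, amount = None, 0
    if recipient is not None and recipient not in policy["allowed_recipients"]:
        violations.append(f"recipient: {recipient} is not allowlisted")
    if amount > policy["max_value_wei"]:
        violations.append(f"amount: {amount} exceeds the cap of {policy['max_value_wei']}")
    if tx["proposed_at"] + policy["delay"] > now:
        violations.append("timing: governance delay has not elapsed since the proposal")
    return violations


# Constructed policy and transactions with hypothetical addresses.
POLICY = dict(
    allowed_tokens={"0x" + "ee" * 20},           # hypothetical ERC-20 contract
    allowed_recipients={"0x" + "bb" * 20},       # hypothetical hot-wallet address
    max_value_wei=5_000 * 10 ** 18,
    delay=timedelta(hours=24),
)
NOW = datetime(2025, 2, 21, 12, 0, tzinfo=timezone.utc)
INTENDED = dict(to="0x" + "bb" * 20, value=10 ** 18, data=b"", operation=CALL,
                proposed_at=NOW - timedelta(days=2))
TAMPERED = dict(to="0x" + "cc" * 20, value=0, operation=DELEGATECALL,
                data=ERC20_TRANSFER + bytes(12) + bytes.fromhex("dd" * 20) + (0).to_bytes(32, "big"),
                proposed_at=NOW)


def demo():
    """(violations for the intended transfer, violations for the tampered delegatecall)."""
    return evaluate(INTENDED, POLICY, NOW), evaluate(TAMPERED, POLICY, NOW)


if __name__ == "__main__":
    ok, bad = demo()
    print("intended:", ok or "permitted")
    for v in bad:
        print("tampered:", v)
```

The policy is worthless if it runs in the same browser page the attackers control; it has to execute on the signing device, a co-signer service, or another component that sees the bytes actually being signed.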
As Lazarus continues to evolve, the crypto industry must stop chasing trendy fixes and focus instead on hardening transaction signing, because apparently the next $1.4 billion hack is just one blind signature away.