On Feb 21, 2025, Bybit (a crypto exchange) detected unauthorized activity during a routine fund transfer process. A deeper investigation revealed something shocking: $1.5 billion had been transferred to an unknown wallet.
But this should have been almost impossible.
Bybit's wallet is protected by 'multi-signature' security, meaning:
At least 2 out of 3 authorized personnel must approve the transaction.
Yet, somehow, the attacker bypassed this restriction. How?
This is the story of the biggest heist in the cryptocurrency world to date. Read on.
Attack Flow (simplified version):
Attacker reconnoitres Bybit's infrastructure > Identifies that Bybit uses a third-party multisig platform provider (SafeWallet).
Attacker targets SafeWallet > Compromises a SafeWallet developer's device > Injects malicious JavaScript code into the SafeWallet application hosted on AWS.
Here's the interesting part: this injected code executes ONLY when there's a transaction from a Bybit signer > Once activated, the malicious JS code can modify critical fields during a transaction.
Bybit's authorized personnel now access the SafeWallet interface to perform a routine transaction > The malicious code manipulates the transaction details > Silently replaces the recipient address with the attacker's address, but the UI does not reveal this.
Both of Bybit's signers, believing everything is normal, authorize the transaction > $1.5 billion worth of crypto stolen.
Key Insights:
Hacking is like magic. What you see is not what is real. What was displayed to signers is not what was actually executed. This art of deception is at the core of many sophisticated attacks. The methods evolve, but the concept stays the same.
No defense is absolute. Bybit's wallet had strong security. It's not just a multisig wallet but a 'multisig cold' wallet. Cold wallets are usually kept offline until there is a need to access or transfer funds, which means that 99.9% of the time the wallet is not even connected to the internet. Yet this could not stop the attacker.
The easiest way to get past a locked door is to convince the owner to open it for you. The attacker knew that stealing multiple private keys was impractical: getting 2 or 3 would be nearly impossible. So they devised a plan in which the legitimate owners themselves executed what the attacker wanted.
The payload was designed to activate only when certain conditions were met. This selective execution ensured that the backdoor remained undetected. Two minutes after the malicious transaction was executed, the attacker even updated the SafeWallet code to remove the backdoor.
In a high-stakes game, your enemy might not attack you directly. The most dangerous weakness is the one you don’t see clearly and don't control directly. Assess your supply chain threats deeply.