Bybit Hack: How a Supply Chain Attack on Safe{Wallet} Led to the Largest Crypto Theft in History

February 21, 2025 • 9 min read • Solari Systems Research

On February 21, 2025, the crypto industry witnessed its worst nightmare: $1.5 billion in ETH drained from Bybit's cold wallet in a single transaction. The attacker was not some anonymous hacker exploiting a Solidity bug. It was North Korea's Lazarus Group, and they did not need to find a smart contract vulnerability at all. Instead, they compromised the supply chain — specifically, a developer's machine at Safe{Wallet} — and turned the trusted multisig signing interface into a weapon.

This was not a smart contract exploit. It was a supply chain attack on crypto infrastructure, and it rewrites the threat model for every organization that relies on third-party signing interfaces to manage on-chain assets.

What Happened: The Attack at a Glance

To put the scale in perspective: the previous record for a crypto exchange hack was the 2022 Ronin Bridge exploit at $625 million — also attributed to Lazarus Group. The Bybit hack was nearly 2.5 times larger.

The Attack Vector: Supply Chain Compromise

The Bybit hack did not exploit a vulnerability in the Safe{Wallet} smart contracts, Bybit's own code, or the Ethereum protocol. The contracts themselves were sound. Instead, the Lazarus Group targeted the human and software supply chain that sits between the signer and the blockchain.

How the Attack Unfolded

Why This Attack Was So Dangerous

The Bybit hack represents a paradigm shift in crypto security threats for several reasons:

1. Smart Contract Code Was Irrelevant

The Safe{Wallet} multisig contracts are among the most audited and battle-tested in all of DeFi. They hold over $100 billion in assets across the ecosystem. The contracts had no bugs. The attacker simply bypassed them by attacking the layer between the user and the contract — the frontend interface.

2. Multisig Did Not Help

Multisig wallets are considered the gold standard for institutional custody. The logic is simple: requiring multiple signers means a single compromised key cannot drain funds. But in this attack, every signer saw the same fraudulent interface. They all approved the same malicious transaction because they all trusted the same compromised frontend. The multisig worked exactly as designed — it faithfully executed the transaction that its signers approved.

3. Hardware Wallets Did Not Help

Hardware wallets protect private keys from extraction. They sign whatever transaction the user approves. The problem is that users typically verify transaction details on the software interface (the frontend), not by decoding raw transaction data on the hardware wallet's tiny screen. The Bybit signers had no practical way to detect that the transaction data being sent to their hardware wallets differed from what was displayed on screen.

The Technical Mechanism: delegatecall Hijacking

The malicious transaction used delegatecall to replace the Safe wallet's implementation contract. This is a well-known proxy pattern — Safe wallets are upgradeable proxies that delegate execution to an implementation contract. By changing the implementation, the attacker effectively replaced the wallet's entire logic.

// Simplified view of the attack mechanism
// The malicious transaction called the proxy's fallback:

// 1. Original Safe proxy delegates to legitimate implementation
fallback() external payable {
    address impl = getImplementation();  // Safe's verified code
    delegatecall(impl, msg.data);
}

// 2. Attacker's transaction changes the implementation pointer
// via a crafted delegatecall payload:
function setImplementation(address newImpl) internal {
    sstore(IMPL_SLOT, newImpl);  // Points to attacker's contract
}

// 3. Attacker's implementation has a simple drain function:
function sweepETH(address to) external {
    payable(to).transfer(address(this).balance);  // 401,347 ETH gone
}

The critical insight: this was not a bug in delegatecall. The proxy pattern is a standard, intentional design used by Safe and countless other protocols. The attack worked because the signers were tricked into authorizing a legitimate operation (changing the implementation) that they never intended to perform.

Lazarus Group: A Nation-State Threat Actor

The FBI formally attributed the Bybit hack to North Korea's Lazarus Group, also known as TraderTraitor. This was not a surprise — Lazarus has been the dominant threat actor in crypto theft since at least 2017:

• 2022: Ronin Bridge — $625M stolen
• 2022: Harmony Horizon Bridge — $100M stolen
• 2023: Atomic Wallet — $100M stolen
• 2023: Stake.com — $41M stolen
• 2025: Bybit — $1.5B stolen

Lazarus-linked thefts are estimated to have funded North Korea's weapons programs with billions of dollars. These are not opportunistic hackers — they are state-sponsored teams with years of operational experience, dedicated infrastructure, and sophisticated social engineering capabilities. Their supply chain attack on Safe{Wallet} demonstrates a level of patience and targeting that most private-sector security teams are not equipped to defend against.

Bybit's Response

Despite losing $1.5 billion, Bybit handled the crisis remarkably well:

• Remained solvent: Bybit confirmed that all client assets were backed 1:1 and that the exchange could absorb the loss even without recovering the stolen funds
• Transparent communication: CEO Ben Zhou went live within hours of the attack to confirm the breach and reassure users
• No customer losses: All withdrawals continued to process normally; no customer funds were affected
• Bounty program: Bybit offered bounties for information leading to the recovery of stolen funds or identification of the attackers

Lessons for the Industry

1. Audit the Entire Stack, Not Just Smart Contracts

A smart contract audit that only examines Solidity code covers perhaps 30% of the actual attack surface. The Bybit hack exploited JavaScript, build pipelines, and developer access controls. Comprehensive security reviews must encompass frontend code, CI/CD pipelines, dependency management, and developer operational security.

2. Verify Transactions at the Hardware Level

Signers must compare transaction data displayed on their hardware wallet with an independent source — not just the same frontend that constructed the transaction. This is operationally difficult but essential for high-value wallets.

3. Implement Transaction Simulation

Before signing, organizations should simulate transactions using independent tools (Tenderly, custom fork testing) to verify the expected outcome. If a "routine transfer" actually performs a delegatecall that changes a contract's implementation, simulation would catch it.

4. Treat Frontend Infrastructure as Critical

Developer machines, build servers, CDN configurations, and deployment pipelines are all part of the security perimeter. Organizations managing significant on-chain assets should apply the same rigor to frontend infrastructure that they apply to key management. See our top 10 smart contract vulnerabilities guide for more on securing the full stack.

5. Assume Nation-State Adversaries

If your protocol or exchange holds hundreds of millions of dollars, you are a target for nation-state actors. Security budgets and practices must reflect this reality. The era of treating crypto security as a purely technical problem is over — it is now an intelligence and counterintelligence challenge.

Supply Chain Attacks: A Growing Threat to Crypto

The Bybit hack is not an isolated incident. Supply chain attacks have been increasing across the crypto ecosystem:

• NPM package compromises — Malicious packages targeting crypto developers and wallet software
• Compromised browser extensions — Modified wallet extensions that redirect transactions
• DNS hijacking — Redirecting protocol frontends to phishing sites
• Build pipeline attacks — Injecting malicious code during the build/deploy process

These attacks share a common pattern: they target the trust boundary between the user and the blockchain. Smart contracts execute deterministically, but the interfaces humans use to interact with them are as vulnerable as any other software. As on-chain exploits become harder due to better tooling and auditing, expect attackers to increasingly target the off-chain layers.

Timeline

• Before Feb 21, 2025 — Lazarus Group compromises Safe{Wallet} developer's machine and injects malicious JavaScript into the frontend
• February 21, 2025 — Bybit cold wallet signers approve a routine-looking transaction; 401,347 ETH ($1.5B) drained via implementation swap
• February 21, 2025 — Bybit CEO Ben Zhou confirms the breach publicly within hours
• February 21, 2025 — Bybit confirms exchange remains solvent, all customer withdrawals processing normally
• February 26, 2025 — FBI publicly attributes the attack to North Korean Lazarus Group (TraderTraitor)
• March 2025 — Safe{Wallet} completes security overhaul of development infrastructure and deployment pipeline

Conclusion

The Bybit hack is a watershed moment for crypto security. At $1.5 billion, it is the largest exchange hack ever — and it happened not because of a bug in Solidity, not because of a flaw in the Safe{Wallet} contracts, but because a single developer's machine was compromised and the frontend was poisoned.

For security professionals, the lesson is clear: the attack surface extends far beyond the smart contract. Auditing Solidity is necessary but not sufficient. The frontend, the build pipeline, the developer's laptop, the CDN, the DNS configuration — every link in the chain is a potential point of failure. And when the adversary is a nation-state with functionally unlimited patience and resources, the bar for "good enough" security rises dramatically.

For the broader industry, the Bybit hack should serve as a call to invest in end-to-end transaction verification — tools and workflows that allow signers to independently confirm what they are actually signing, regardless of what any single interface tells them. Until that becomes standard practice, supply chain attacks will remain the most dangerous threat in crypto.