Analysis of the Bybit hack: Are the hacker’s methods similar to Radiant Capital’s attack pattern?

ABMedia
02-21

Cybersecurity expert Cosine stated that the modus operandi appears similar to that of North Korean hackers, resulting in the compromise of the multisig wallet. He also cited the earlier Radiant Capital hack to explain the likely theft route.

(Bybit Hacked for a Staggering Amount! Over $140 Million Drained from Cold Wallet?)

Exposure of the Possible Attack Vector in the Bybit Hack Incident

Bybit was recently hacked, resulting in the theft of funds from its ETH cold wallet. Cybersecurity experts pointed out that the method used in this case may be similar to the $50 million attack on Radiant Capital in October 2024: both involved manipulating the signing interface of a Multisig wallet so that the signers unknowingly authorized the transfer of funds. This type of attack is highly stealthy and difficult to detect even with multiple layers of verification, posing a severe challenge to cryptocurrency exchanges and DeFi protocols.

Attack Mode: Controlling the Hardware Wallet Signing Process

According to the analysis of the Radiant Capital incident, the hackers primarily executed the attack through the following methods:

  1. Infecting the developer's devices: The hackers used malware to infect the devices of three core Radiant Capital developers, thereby affecting the Multisig transaction workflow.
  2. Tampering with the front-end display: When the developers used Gnosis Safe (now renamed Safe) to sign transactions, the hackers made the interface display normal transaction content, but the actual transactions sent were malicious requests.
  3. Inducing repeated signing: The hackers simulated transaction failure error messages on the front-end, luring the developers to attempt signing multiple times, with each attempt yielding another of the Multisig authorizations the attackers needed.
  4. Ultimate theft of funds: Once the hackers obtained sufficient Multisig authorizations, they could execute asset transfers or changes to the smart contract ownership, ultimately moving the funds to addresses under their control.

This type of attack is difficult to detect because the hackers successfully deceived the front-end verification tools (such as Tenderly) and the signing mechanisms of the hardware wallets, making the transaction signing appear normal.

Did Bybit Encounter a Similar Attack Vector?

The Bybit hack incident is highly similar to the Radiant Capital attack, especially in that the signing interface displayed normally while the underlying transaction had been tampered with. Bybit revealed that while transferring assets from its ETH cold wallet to the hot wallet, the transaction content was altered by the hackers, ultimately resulting in the funds being transferred to an unknown address. This is analogous to the Radiant Capital attack, where the hackers manipulated the Safe interface to display false information, leading the developers to inadvertently sign the malicious transactions.

Furthermore, on-chain data shows that after the Bybit hack, approximately $140 million worth of ETH and stETH were drained, with some of the assets already being liquidated, further confirming this was a highly planned and stealthy attack.

How Did the Hackers Successfully Bypass the Security Verification?

The key to the success of these attacks lies in "social engineering + signing fraud", where the hackers circumvented the existing security mechanisms through the following means:

  • Exploiting errors in the Multisig environment: In the Radiant Capital incident, the hackers leveraged the error prompts in the Safe interface to make the developers repeatedly sign transactions, ultimately obtaining the necessary malicious signatures. Bybit may have also encountered a similar situation, allowing the hackers to acquire the critical signing privileges.
  • Blind Signing of hardware wallets: In the Radiant Capital case, the hackers successfully made the developers' Ledger/Trezor hardware wallets sign the malicious transactions, while the developers saw normal transaction content on the interface. This indicates that even hardware wallets cannot completely avoid such attacks.
  • Transfer of smart contract ownership: In the Radiant Capital case, the hackers ultimately gained control of the LendingPoolAddressesProvider (the lending pool address provider), allowing them to perform malicious operations on the protocol. If Bybit encountered a similar attack, the hackers may have already altered the smart contract ownership, making it difficult for the exchange to recover the funds.

How to Prevent Similar Attacks?

Experts suggest that to avoid such highly stealthy Multisig attacks, exchanges and DeFi projects should adopt the following preventive measures:

  1. Strengthen multi-signature authentication: If any signer encounters an error or anomaly during the transaction process, the emergency review mechanism should be triggered immediately, rather than simply re-signing.
  2. Independent device verification: Use an independent secure device to confirm transaction data, such as using the Etherscan Input Data Decoder to check if the transaction content has been tampered with.
  3. Avoid blind signing: All critical transactions should be confirmed through the readable data display on hardware wallets like Ledger/Trezor, to avoid blind signing.
  4. Errors trigger an audit: If a transaction fails multiple times, a full audit should be conducted immediately, rather than letting the signer try again repeatedly.
  5. Transaction delay and time lock (Timelock): For major transactions, a 72-hour delay should be implemented to allow the community and development team sufficient time for review.
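As an added example (not code from the article, from Bybit or from Safe), the kind of independent check described in step 2, done on a separate device in pure Python: it decodes the raw calldata of a Safe `execTransaction` call and compares the decoded target, operation and inner ERC-20 transfer against what the signer intends to approve, so a recipient swapped by a tampered interface shows up as a discrepancy instead of being signed. The function selectors are the standard ones; the token and wallet addresses and the amount are constructed placeholders.

```python
# Standard 4-byte function selectors and Safe operation codes; the sample addresses below are constructed.
EXEC_TX_SELECTOR = "6a761202"   # execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)
TRANSFER_SELECTOR = "a9059cbb"  # transfer(address,uint256)
CALL, DELEGATECALL = 0, 1

def _word(n):  # one 32-byte ABI word, hex-encoded
    return "%064x" % n

def encode_exec_transaction(to, value, inner, operation):  # test-vector builder: zero gas params, no signatures
    data = bytes.fromhex(inner)
    padded = data.hex() + "00" * (-len(data) % 32)
    head = [int(to, 16), value, 320, operation, 0, 0, 0, 0, 0, 352 + len(padded) // 2]  # 320 = offset of `data`
    return "0x" + EXEC_TX_SELECTOR + "".join(map(_word, head)) + _word(len(data)) + padded + _word(0)

def decode_exec_transaction(calldata):  # independently decode to / value / operation and the inner call
    args = calldata.lower().removeprefix("0x")
    if args[:8] != EXEC_TX_SELECTOR: raise ValueError("not an execTransaction call")
    args = args[8:]
    word = lambda i: int(args[64 * i:64 * i + 64], 16)
    off = word(2) * 2                                   # offset of the dynamic `data` field, as a hex index
    length = int(args[off:off + 64], 16)
    return {"to": "0x%040x" % word(0), "value": word(1), "operation": word(3),
            "data": args[off + 64:off + 64 + length * 2]}

def decode_erc20_transfer(inner):  # returns None when the inner call is not a plain transfer(address,uint256)
    if inner[:8] != TRANSFER_SELECTOR or len(inner) != 136: return None
    return {"recipient": "0x%040x" % int(inner[8:72], 16), "amount": int(inner[72:136], 16)}

def check_intent(calldata, token, recipient, amount):  # every way the calldata differs from the intended transfer
    tx, problems = decode_exec_transaction(calldata), []
    if tx["operation"] != CALL:
        problems.append("operation is DELEGATECALL; a plain token transfer never needs it")
    if tx["to"] != token.lower():
        problems.append(f"target {tx['to']} is not the expected token contract")
    xfer = decode_erc20_transfer(tx["data"])
    if xfer is None:
        problems.append("inner call is not transfer(address,uint256)")
    else:
        if xfer["recipient"] != recipient.lower():
            problems.append(f"recipient {xfer['recipient']} differs from the intended {recipient.lower()}")
        if xfer["amount"] != amount:
            problems.append(f"amount {xfer['amount']} differs from the intended {amount}")
    return problems

# Constructed sample values (not real addresses): token contract, intended hot wallet, attacker wallet.
TOKEN, HOT_WALLET, ATTACKER = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
AMOUNT = 1000 * 10**18

def transfer_calldata(recipient, amount):
    return TRANSFER_SELECTOR + _word(int(recipient, 16)) + _word(amount)

# What the signer sees on a trusted display versus what a tampered interface would actually submit.
HONEST_TX = encode_exec_transaction(TOKEN, 0, transfer_calldata(HOT_WALLET, AMOUNT), CALL)
TAMPERED_TX = encode_exec_transaction(TOKEN, 0, transfer_calldata(ATTACKER, AMOUNT), CALL)
```

`check_intent(HONEST_TX, TOKEN, HOT_WALLET, AMOUNT)` returns an empty list, while the tampered calldata is flagged for its recipient; in practice the calldata would be copied from the hardware wallet or the pending Safe transaction rather than built in code.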

DeFi Security Still Faces Major Challenges

The Bybit hacking incident highlighted the weaknesses in multi-signature and hardware-wallet signing workflows, and this type of attack is not an isolated case, as the Radiant Capital incident shows. Even with multi-signature wallets, hardware wallets, and transaction simulation tools (such as Tenderly) in place, hackers can still deceive the system and steal large sums of funds.

This also serves as a reminder to all DeFi projects and exchanges that relying solely on technical tools is no longer sufficient, and more stringent manual review and verification mechanisms must be implemented. In the future, exchanges and DeFi protocols must be more cautious to avoid becoming the next target of attacks.

Risk Warning

Cryptocurrency investment is highly risky, and its price may fluctuate dramatically, and you may lose your entire principal. Please carefully evaluate the risks.
