The Cobo security team conducted an in-depth analysis of the Bybit theft, revealing the deep-seated systemic problems exposed therein, and explored how to build a security protection system that matches the scale of assets in this rapidly growing industry.
Recently, the cryptocurrency exchange Bybit suffered a major security incident that caused a loss of $1.5 billion. The shocking thing about this incident is not only the huge amount of loss, but also the fact that the attack method revealed the fundamental flaws hidden in the current digital asset custody system.
According to the analysis of the Cobo security team, the problems revealed by this incident go far beyond the superficial technical loopholes. Today, when the scale of digital asset management has reached trillions of dollars, traditional security thinking and protection systems are facing unprecedented challenges. This requires us to conduct a comprehensive reflection and reconstruction from security infrastructure to security management processes.
Attack process
On February 21, 2025, the cryptocurrency exchange Bybit suffered a carefully planned attack: the cold wallet operator saw a seemingly regular hot wallet transfer request on the Safe{Wallet} page. However, this seemingly normal operation actually concealed the manipulation of the Safe{Wallet} implementation contract, which ultimately led to the attacker gaining control of the entire cold wallet.
Blockchain analysis shows that the attack is related to the North Korean hacker group Lazarus Group. This is another successful attack by the group on the Safe{Wallet} platform. Previously, Radiant Capital and WazirX also suffered similar attacks in 2024, with losses of 50 million and 235 million US dollars respectively.
Key vulnerabilities exposed
From the perspective of attack methods, hackers fully exploited the loopholes in multiple links such as the human-computer interaction interface, hardware wallet display and risk control mechanism, showing an extremely professional attack level. The following is a detailed analysis of the main security risks exposed by this accident:
Hot end equipment was compromised
According to the latest reports, attackers have successfully hacked into the Bybit operator’s devices and tampered with the Safe{Wallet} front-end interface, which resulted in:
The interface seen by the Bybit cold wallet operator did not match the actual signature content. The transaction data was tampered with before reaching the hardware wallet. The operator unknowingly approved the malicious contract upgrade.
Bybit said they performed routine operations on the Safe{Wallet} page and conducted all necessary reviews.
Meanwhile, Safe{Wallet} has confirmed that its investigation did not find any intrusion into the Safe{Wallet} codebase, malicious code implanted into dependent packages, or unauthorized access to infrastructure. Although the user interface showed the correct transaction details, a malicious transaction with a valid signature was ultimately executed on the chain. This suggests that the problem may have originated from a security vulnerability on the Bybit side, rather than a problem with the Safe{Wallet} platform itself.
Hardware wallet blind signing risks
Most current crypto hardware wallets have significant limitations when processing complex transactions:
Insufficient parsing capabilities: Unable to fully parse and display detailed transaction data of multi-signature wallets such as Safe{Wallet};
Lack of verification mechanism: It is impossible to verify whether the signature content is consistent with the content displayed on the front end;
Insufficient risk warnings: There is a lack of clear warning mechanisms for potentially dangerous operations.
These limitations force operators to perform "blind signing" operations, that is, authorization without fully understanding and verifying the actual content of the transaction. In the Bybit incident, it was this weakness that was exploited by the attacker, who misled the operator into performing a disastrous authorization operation through a carefully constructed false interface.
Lack of independent risk control measures
Subsequent analysis found that although Bybit has adopted a multi-signature mechanism, since multiple signatories rely on the same infrastructure and verification process, once one of the links is breached, the entire security system may be breached. This highlights the importance of building a multi-layered defense system, especially the key role of the last line of defense. These seemingly basic measures that can become the last lifeline include:
Set up an address whitelist: Only allow transfers to pre-authenticated addresses, which can effectively prevent funds from flowing to unknown addresses controlled by attackers;
Tiered approval mechanism: A stricter manual review process is initiated for transactions exceeding a certain amount, and an independent team is introduced to conduct cross-verification;
Abnormal monitoring system: Establish real-time monitoring of high-risk operations such as contract upgrades and permission changes, and issue an immediate warning once an abnormality is found;
Cooling-off period system: Set a 24-48 hour observation period for sensitive operations to allow time for discovering and correcting errors.
Although these measures may seem to reduce operational efficiency, they can often become the last line of defense for digital asset security in the face of professional hacker attacks. As this attack has proven, in the field of digital asset custody, it is better to be prepared than to cram at the last minute.
Cobo's security proposition: multi-level security solution
To build a truly reliable system, security hardening needs to be implemented at multiple levels:
In the face of such professional attack methods, a single security measure is obviously not enough. The security of digital assets requires the establishment of a three-dimensional defense system. The Cobo expert team recommends starting from the following two dimensions:
Horizontal enhancement measures (distributed control):
Horizontal security enhancement emphasizes the introduction of multiple independent parties to manage and use private keys, and the adoption of technical solutions such as MPC or multi-signature to achieve mutual checks and balances and avoid single point failure risks.
The core of this solution is not only to increase the number of signatories, but more importantly to ensure the independence of each party in terms of technical implementation. For example, the hardware wallets, operating software, risk control checks, geographical distribution, etc. used by each party should be independent.
In this incident, although Bybit introduced multiple signatories, most of the full-link solution they used was provided by Safe{Wallet}. Once this solution was hacked or had problems, the entire multi-signature solution was easily bypassed.
Vertical enhancements (strengthening the security of each signer):
Vertical security enhancement emphasizes that each signatory should have complete and independent transaction verification capabilities. This means that each signatory needs to build its own complete technology stack, including an independent user interface, risk control system, and private key management hardware and software equipment.
The hardware wallet blind signing problem exposed in the Bybit incident was caused by the lack of vertical capacity building. If each signatory has complete transaction parsing and verification capabilities, such security vulnerabilities can be effectively prevented. In addition, each signatory can introduce risk control rules such as blacklists, manual confirmation, or AI scanning, which are also high-input and output enhancement measures in the vertical direction.
Cobo's custom security solution for Safe multi-signature wallet
The Bybit incident not only exposed specific operational loopholes, but also revealed the architectural flaws of the current digital asset custody system. These problems cannot be solved by a single product or process, but require the entire industry to rethink and build from the underlying architecture. To establish a truly safe and reliable digital asset custody system, we need to upgrade simultaneously from three dimensions: hardware facilities, software architecture, and interoperability standards.
1. Safe Wallet’s co-signature mechanism
The Bybit incident exposed the fundamental flaw in traditional multi-signature security - without an independent transaction verification layer, attackers can manipulate the interface, contract logic, and transaction data to deceive signers.
Cobo has launched a co-signature service for Safe{Wallet}, which makes up for the security shortcomings of traditional multi-signature schemes by introducing an independent third-party verification mechanism.
Customers can delegate a signer's authority in Safe{Wallet} to Cobo for custody, thereby obtaining:
- Enable multi-party approval process;
- Equipped with independent risk control;
- Implement strict transaction review rules, including:
This innovative security architecture can effectively prevent similar incidents like the Bybit incident and provide more reliable asset security for institutional clients.
2. Promote cooperation with hardware wallet manufacturers and launch signature review tools for hardware wallets
Traditional hardware wallets have shortcomings in displaying transaction details, which makes users vulnerable to risks such as interface tampering, phishing attacks and blind signing.
To address these challenges, the crypto industry can introduce the following solutions:
Implement EIP-712 message decoding in Safe{Wallet} to ensure full visibility of transaction details Provide real-time risk assessment without frequent firmware updates
Cobo is promoting in-depth cooperation with major hardware wallet manufacturers to build an independent third-party signature review channel while retaining its original security solutions. Specific implementations include:
· Deploy Cobo signature review tools to fully analyze data before transaction signing · Provide real-time transaction simulation function · Establish a safer and more timely transaction review mechanism
3. Promote the establishment of an industry-level security ecosystem
The new generation of digital asset custody system needs to establish unified industry standards, including transaction verification specifications, security component interoperability standards and risk control assessment systems. At the same time, it supports third-party security service access through open platforms to form a complete security ecosystem. This standardized and open architecture design will greatly enhance the security protection capabilities of the entire industry.
The future of digital asset security
In this incident, hackers exploited a seemingly minor operational loophole to cause a loss of $1.5 billion. However, this is not just a problem of single-point protection negligence. In an industry that manages trillions of dollars in assets, hackers are extremely professional and motivated to attack, and any minor loophole may be magnified into a fatal threat.
This means that we need to fundamentally re-examine the system architecture of digital asset security and build a basic protection system:
Horizontally, break the isolation of the current security modules and build a network of mutual verification and checks and balances.
· Vertically, from a single operation link to the entire business process, a complete protection chain from the underlying infrastructure, the middle verification layer to the upper risk control layer is established. Each layer must be able to independently detect and block anomalies to form multiple barriers.
This kind of systematic thinking requires us to go beyond the simple multi-signature mechanism and establish a truly multi-dimensional protection system. In this system, each transaction must undergo multiple layers of independent verification, each operation must have a complete traceable record, and any anomalies must be discovered and handled in a timely manner.
Recently, the cryptocurrency exchange Bybit suffered a major security incident that caused a loss of $1.5 billion. The shocking thing about this incident is not only the huge amount of loss, but also the fact that the attack method revealed the fundamental flaws hidden in the current digital asset custody system.
According to the analysis of the Cobo security team, the problems revealed by this incident go far beyond the superficial technical loopholes. Today, when the scale of digital asset management has reached trillions of dollars, traditional security thinking and protection systems are facing unprecedented challenges. This requires us to conduct a comprehensive reflection and reconstruction from security infrastructure to security management processes.
Attack process
On February 21, 2025, the cryptocurrency exchange Bybit suffered a carefully planned attack: the cold wallet operator saw a seemingly regular hot wallet transfer request on the Safe{Wallet} page. However, this seemingly normal operation actually concealed the manipulation of the Safe{Wallet} implementation contract, which ultimately led to the attacker gaining control of the entire cold wallet.
Blockchain analysis shows that the attack is related to the North Korean hacker group Lazarus Group. This is another successful attack by the group on the Safe{Wallet} platform. Previously, Radiant Capital and WazirX also suffered similar attacks in 2024, with losses of 50 million and 235 million US dollars respectively.
Key vulnerabilities exposed
From the perspective of attack methods, hackers fully exploited the loopholes in multiple links such as the human-computer interaction interface, hardware wallet display and risk control mechanism, showing an extremely professional attack level. The following is a detailed analysis of the main security risks exposed by this accident:
Hot end equipment was compromised
According to the latest reports, attackers have successfully hacked into the Bybit operator’s devices and tampered with the Safe{Wallet} front-end interface, which resulted in:
The interface seen by the Bybit cold wallet operator did not match the actual signature content. The transaction data was tampered with before reaching the hardware wallet. The operator unknowingly approved the malicious contract upgrade.
Bybit said they performed routine operations on the Safe{Wallet} page and conducted all necessary reviews.
Meanwhile, Safe{Wallet} has confirmed that its investigation did not find any intrusion into the Safe{Wallet} codebase, malicious code implanted into dependent packages, or unauthorized access to infrastructure. Although the user interface showed the correct transaction details, a malicious transaction with a valid signature was ultimately executed on the chain. This suggests that the problem may have originated from a security vulnerability on the Bybit side, rather than a problem with the Safe{Wallet} platform itself.
Hardware wallet blind signing risks
Most current crypto hardware wallets have significant limitations when processing complex transactions:
Insufficient parsing capabilities: Unable to fully parse and display detailed transaction data of multi-signature wallets such as Safe{Wallet};
Lack of verification mechanism: It is impossible to verify whether the signature content is consistent with the content displayed on the front end;
Insufficient risk warnings: There is a lack of clear warning mechanisms for potentially dangerous operations.
These limitations force operators to perform "blind signing" operations, that is, authorization without fully understanding and verifying the actual content of the transaction. In the Bybit incident, it was this weakness that was exploited by the attacker, who misled the operator into performing a disastrous authorization operation through a carefully constructed false interface.
Lack of independent risk control measures
Subsequent analysis found that although Bybit has adopted a multi-signature mechanism, since multiple signatories rely on the same infrastructure and verification process, once one of the links is breached, the entire security system may be breached. This highlights the importance of building a multi-layered defense system, especially the key role of the last line of defense. These seemingly basic measures that can become the last lifeline include:
Set up an address whitelist: Only allow transfers to pre-authenticated addresses, which can effectively prevent funds from flowing to unknown addresses controlled by attackers;
Tiered approval mechanism: A stricter manual review process is initiated for transactions exceeding a certain amount, and an independent team is introduced to conduct cross-verification;
Abnormal monitoring system: Establish real-time monitoring of high-risk operations such as contract upgrades and permission changes, and issue an immediate warning once an abnormality is found;
Cooling-off period system: Set a 24-48 hour observation period for sensitive operations to allow time for discovering and correcting errors.
Although these measures may seem to reduce operational efficiency, they can often become the last line of defense for digital asset security in the face of professional hacker attacks. As this attack has proven, in the field of digital asset custody, it is better to be prepared than to cram at the last minute.
Cobo's security proposition: multi-level security solution
To build a truly reliable system, security hardening needs to be implemented at multiple levels:
In the face of such professional attack methods, a single security measure is obviously not enough. The security of digital assets requires the establishment of a three-dimensional defense system. The Cobo expert team recommends starting from the following two dimensions:
Horizontal enhancement measures (distributed control):
Horizontal security enhancement emphasizes the introduction of multiple independent parties to manage and use private keys, and the adoption of technical solutions such as MPC or multi-signature to achieve mutual checks and balances and avoid single point failure risks.
The core of this solution is not only to increase the number of signatories, but more importantly to ensure the independence of each party in terms of technical implementation. For example, the hardware wallets, operating software, risk control checks, geographical distribution, etc. used by each party should be independent.
In this incident, although Bybit introduced multiple signatories, most of the full-link solution they used was provided by Safe{Wallet}. Once this solution was hacked or had problems, the entire multi-signature solution was easily bypassed.
Vertical enhancements (strengthening the security of each signer):
Vertical security enhancement emphasizes that each signatory should have complete and independent transaction verification capabilities. This means that each signatory needs to build its own complete technology stack, including an independent user interface, risk control system, and private key management hardware and software equipment.
The hardware wallet blind signing problem exposed in the Bybit incident was caused by the lack of vertical capacity building. If each signatory has complete transaction parsing and verification capabilities, such security vulnerabilities can be effectively prevented. In addition, each signatory can introduce risk control rules such as blacklists, manual confirmation, or AI scanning, which are also high-input and output enhancement measures in the vertical direction.
Cobo's custom security solution for Safe multi-signature wallet
The Bybit incident not only exposed specific operational loopholes, but also revealed the architectural flaws of the current digital asset custody system. These problems cannot be solved by a single product or process, but require the entire industry to rethink and build from the underlying architecture. To establish a truly safe and reliable digital asset custody system, we need to upgrade simultaneously from three dimensions: hardware facilities, software architecture, and interoperability standards.
1. Safe Wallet’s co-signature mechanism
The Bybit incident exposed the fundamental flaw in traditional multi-signature security - without an independent transaction verification layer, attackers can manipulate the interface, contract logic, and transaction data to deceive signers.
Cobo has launched a co-signature service for Safe{Wallet}, which makes up for the security shortcomings of traditional multi-signature schemes by introducing an independent third-party verification mechanism.
Customers can delegate a signer's authority in Safe{Wallet} to Cobo for custody, thereby obtaining:
- Enable multi-party approval process;
- Equipped with independent risk control;
- Implement strict transaction review rules, including:
· Transfer address blacklist and whitelist management;
Smart contract interaction address control;
Parameter-level contract interaction access control.
This solution is not intended to replace the existing hardware wallet + Safe{Wallet} multi-signature system, but as an independent security enhancement layer, it complements the existing solution. Since Cobo only holds a single signature authority, customers always maintain ultimate control over their assets, which ensures improved security and avoids the transfer of asset control.Smart contract interaction address control;
Parameter-level contract interaction access control.
This innovative security architecture can effectively prevent similar incidents like the Bybit incident and provide more reliable asset security for institutional clients.
2. Promote cooperation with hardware wallet manufacturers and launch signature review tools for hardware wallets
Traditional hardware wallets have shortcomings in displaying transaction details, which makes users vulnerable to risks such as interface tampering, phishing attacks and blind signing.
To address these challenges, the crypto industry can introduce the following solutions:
Implement EIP-712 message decoding in Safe{Wallet} to ensure full visibility of transaction details Provide real-time risk assessment without frequent firmware updates
Cobo is promoting in-depth cooperation with major hardware wallet manufacturers to build an independent third-party signature review channel while retaining its original security solutions. Specific implementations include:
· Deploy Cobo signature review tools to fully analyze data before transaction signing · Provide real-time transaction simulation function · Establish a safer and more timely transaction review mechanism
3. Promote the establishment of an industry-level security ecosystem
The new generation of digital asset custody system needs to establish unified industry standards, including transaction verification specifications, security component interoperability standards and risk control assessment systems. At the same time, it supports third-party security service access through open platforms to form a complete security ecosystem. This standardized and open architecture design will greatly enhance the security protection capabilities of the entire industry.
The future of digital asset security
In this incident, hackers exploited a seemingly minor operational loophole to cause a loss of $1.5 billion. However, this is not just a problem of single-point protection negligence. In an industry that manages trillions of dollars in assets, hackers are extremely professional and motivated to attack, and any minor loophole may be magnified into a fatal threat.
This means that we need to fundamentally re-examine the system architecture of digital asset security and build a basic protection system:
Horizontally, break the isolation of the current security modules and build a network of mutual verification and checks and balances.
· Vertically, from a single operation link to the entire business process, a complete protection chain from the underlying infrastructure, the middle verification layer to the upper risk control layer is established. Each layer must be able to independently detect and block anomalies to form multiple barriers.
This kind of systematic thinking requires us to go beyond the simple multi-signature mechanism and establish a truly multi-dimensional protection system. In this system, each transaction must undergo multiple layers of independent verification, each operation must have a complete traceable record, and any anomalies must be discovered and handled in a timely manner.
