- The attack utilized a "masked" or "musked" transaction technique, as described by Bybit’s CEO, Ben Zhou. This technique deceived the wallet signers by altering the user interface (UI) they interacted with during the transaction signing process.
- The attackers manipulated the signing interface to display a legitimate-looking UI that showed the correct destination address (i.e., Bybit’s warm wallet) and used a trusted URL, such as one associated with Safe (a multisig wallet provider, @safe). This created a false sense of security, making the signers believe they were authorizing a standard transfer from the cold wallet to the warm wallet.
- While the UI displayed a seemingly correct transaction, the underlying signing message or smart contract logic was modified. Instead of executing the intended transfer, the signing action changed the smart contract logic of Bybit’s ETH cold wallet. This allowed the attacker to gain control of the wallet and transfer its holdings (approximately $1.4–$1.5 billion in ETH) to an unidentified address.
- The attack resembled a phishing or social engineering tactic, in which hackers trick users into revealing information or authorizing malicious actions through deceptive interfaces. In this case, the manipulation bypassed the security of the multisig wallet by exploiting the trust in the displayed UI and URL, tricking multiple signers into approving the malicious transaction.
- Multi-signature wallets, while secure, are not immune to hacking, especially through phishing attacks or vulnerabilities in smart contracts. The attacker likely exploited a flaw or lack of verification in the signing process, possibly by altering the calldata or transaction parameters to execute a different action than what was shown on the interface.
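
A signer-side check for the mismatch described above, as an added example (not Bybit's or Safe's code): it compares the raw Safe transaction fields presented for signing against the intended transfer, independently of what the UI renders. Field names follow Safe's `SafeTx` struct; the addresses, amounts and calldata are constructed, and treating the gas refund fields as unused is an assumption.

```python
# Added example. Field names follow Safe's SafeTx struct; all values are constructed.
ZERO = "0x" + "00" * 20
WARM = "0x" + "aa" * 20    # constructed stand-in for the warm wallet
OTHER = "0x" + "bb" * 20   # constructed stand-in for an unknown contract

def check_safe_tx(tx, intent):
    """Return the mismatches between the fields to be signed and the intended
    plain ETH transfer. An empty list means the fields match the intent."""
    findings = []
    if tx["to"].lower() != intent["to"].lower():
        findings.append(f"to: {tx['to']} is not the intended destination")
    if int(tx["value"]) != int(intent["value"]):
        findings.append(f"value: {tx['value']} wei differs from the intended amount")
    # operation 0 = CALL, 1 = DELEGATECALL. A delegatecall runs the target's
    # code against the wallet's own storage, so it can change wallet logic.
    op = int(tx["operation"])
    if op != 0:
        findings.append(f"operation: {op} is not CALL (1 means DELEGATECALL)")
    # A plain ETH transfer carries no calldata.
    data = tx.get("data") or "0x"
    if data != "0x":
        findings.append(f"data: unexpected calldata, selector {data[:10]}")
    # Assumption: a routine internal transfer leaves the gas refund fields unset.
    for field in ("gasToken", "refundReceiver"):
        if (tx.get(field) or ZERO).lower() != ZERO:
            findings.append(f"{field}: non-zero address {tx[field]}")
    return findings

INTENT = {"to": WARM, "value": 1000 * 10**18}

# Constructed request that matches the intent (address case differs on purpose).
AS_INTENDED = {"to": "0x" + "AA" * 20, "value": str(1000 * 10**18), "data": "0x",
               "operation": 0, "gasToken": ZERO, "refundReceiver": ZERO}

# Constructed request whose fields differ from what a UI might display.
MISMATCHED = {"to": OTHER, "value": "0", "data": "0x12345678" + "00" * 32,
              "operation": 1, "gasToken": ZERO, "refundReceiver": ZERO}

if __name__ == "__main__":
    for name, tx in (("as intended", AS_INTENDED), ("mismatched", MISMATCHED)):
        print(name, check_safe_tx(tx, INTENT) or "fields match intent")
```

The check is only meaningful when the fields are read from a source the signing UI does not control, such as the hardware wallet's own display or a separate machine.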
Here are the key takeaways from Bybit CEO Ben Zhou’s livestream:
- Confirmed a $1.1–$1.5 billion ETH hack, the largest in crypto history.
- A “masked” transaction altered the multisig cold wallet’s smart contract via a deceptive UI, showing a trusted address but executing a malicious transfer.
- Only one ETH cold wallet was affected; all other wallets and client funds are secure.
- Bybit remains solvent, can cover the loss, and client assets are “1:1 backed.” Secured an 80% bridge loan for ETH coverage.
- Withdrawals continue, though with a surge in requests; 70% processed, with compliance checks for large withdrawals.
- Security team and experts are investigating; seeking blockchain analytics help, with support from Justin Sun and OKX.
- Possible computer hacks of signers or a Safe system compromise (unconfirmed, under investigation).
- Committed to updates and transparency, conducted livestream to reassure users.
- Temporary crypto price dips, but Bybit’s stability minimizes broader effects.
Bybit detected unauthorized activity involving one of our ETH cold wallets. The incident occurred when our ETH multisig cold wallet executed a transfer to our warm wallet. Unfortunately, this transaction was manipulated through a sophisticated attack that masked the signing…
— Bybit (@Bybit_Official) February 21, 2025
Bybit is Solvent even if this hack loss is not recovered, all of clients assets are 1 to 1 backed, we can cover the loss.
— Ben Zhou (@benbybit) February 21, 2025
We have reported the case to the appropriate authorities and we will send an update as soon as we have any further information. We have fortunately worked quickly and extensively with on-chain analytics providers to identify and demix the implicated addresses. These actions will…
— Bybit (@Bybit_Official) February 21, 2025