Major Crypto Exchange Bybit Attacked During a Multisig ETH Transfer

One of the largest crypto exchanges, Bybit, which had so far managed to avoid any major breaches, confirmed that an attacker stole Ethereum (ETH) during a multisignature transaction today. According to preliminary estimates, more than 400,000 ETH (approximately $1 billion) has been stolen.
The company stated that it detected unauthorized activity involving one of its ETH multisignature cold wallets while attempting to transfer funds to a hot wallet. A cold wallet is an offline hardware device designed to store private keys for cryptoassets, while a hot wallet is typically a software wallet connected to the internet. A multisig wallet, in turn, requires more than one private key to authorize a transaction.
"Unfortunately, this transaction was manipulated through a sophisticated attack that masked the signing interface, displaying the correct address while altering the underlying smart contract logic. As a result, the attacker was able to gain control of the affected ETH cold wallet and transfer its holdings to an unidentified address," the company said.
According to Ben Zhou, the CEO of Bybit, it appears that this specific transaction was masked. All the signers saw a masked UI displaying the correct address, and the URL was from Safe, the so-called ownership layer.
"However, the signing message was actually modifying the smart contract logic of our ETH cold wallet," Zhou added, promising to share more updates later.
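The gap described above, between what the signing interface displays and what the signers actually approve, is what an independent pre-signing check is meant to catch. The following is an added example, not code from Bybit, Safe, or the original article: it compares the displayed intent with the raw fields sent for signing and lists reasons to refuse. It assumes the raw payload uses the Safe transaction fields `to`, `value`, `data` and `operation` and is read through a channel independent of the web UI; the policy, names and sample values are constructed, and the article does not say which mechanism the attacker used.

```python
# Added example: independent pre-signing check for a multisig ETH transfer.
# Assumption: the payload uses Safe's transaction fields (to, value, data,
# operation). The policy and every sample value below are constructed.
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1  # values of Safe's Operation enum

@dataclass(frozen=True)
class Intent:
    """What the signer believes they approve, as shown in the UI."""
    recipient: str
    amount_wei: int

@dataclass(frozen=True)
class RawTx:
    """What the signing device is actually asked to sign."""
    to: str
    value: int
    data: bytes
    operation: int

def review(intent, raw, allowlist):
    """Return reasons to refuse signing; an empty list means the raw payload
    is a plain ETH transfer that matches the displayed intent."""
    findings = []
    if raw.operation != CALL:
        findings.append("operation: not a plain call, target code would run with the wallet's own storage")
    if raw.to.lower() != intent.recipient.lower():
        findings.append("to: differs from the address shown in the UI")
    if raw.to.lower() not in allowlist:
        findings.append("to: not an approved destination")
    if raw.value != intent.amount_wei:
        findings.append("value: differs from the amount shown in the UI")
    if raw.data:
        findings.append("data: calldata present on a plain ETH transfer")
    return findings

# Constructed placeholder addresses and bytes, not real wallets or calldata.
HOT_WALLET = "0x" + "aa" * 20
UNKNOWN_CONTRACT = "0x" + "bb" * 20
ALLOWLIST = frozenset({HOT_WALLET})
INTENT = Intent(recipient=HOT_WALLET, amount_wei=10**18)
HONEST = RawTx(HOT_WALLET, 10**18, b"", CALL)
MASKED = RawTx(UNKNOWN_CONTRACT, 0, bytes.fromhex("01020304"), DELEGATECALL)

if __name__ == "__main__":
    for name, tx in (("honest", HONEST), ("masked", MASKED)):
        print(name, review(INTENT, tx, ALLOWLIST) or "OK to sign")
```

The check only helps if the raw fields come from the signing device or another source the web interface cannot alter.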
The CEO assured users that "Bybit is Solvent even if this hack loss is not recovered, all of clients assets are 1 to 1 backed, we can cover the loss."
According to Bybit, its security team, "alongside leading blockchain forensic experts and partners," is now investigating the incident. The company also welcomed assistance from other experts.
In any case, Bybit claims that all its other cold wallets remain "fully secure" and that "all client funds are safe," with operations continuing as usual.
Analysts at Arkham Intelligence report that the stolen funds have begun moving to new addresses, where they are being sold.