
The following is a guest editorial courtesy of Anna Stylianou, an independent anti-financial crime consultant and co-founder and owner of AML Cube.


On February 21, 2025, Bybit, a major cryptocurrency exchange, suffered a security breach leading to the theft of approximately $1.5 billion in digital assets. The incident did not stem from a compromise of Bybit's own passwords or network infrastructure. It was a supply-chain attack on the wallet interface Bybit used: the attackers manipulated the transaction approval process so that authorized signers approved something other than what they were shown.

How the Attack Worked

  1. The attackers compromised a Safe{Wallet} developer's machine and credentials, which gave them access to the infrastructure that serves the Safe{Wallet} web interface.
  2. They injected malicious JavaScript code into the Safe{Wallet} user interface (UI). The code was served to every user of the interface but was written to activate only for transactions from Bybit's cold wallet.
  3. The code manipulated the transaction details displayed to Bybit's signers, so the approval looked like a routine transfer. What they actually signed altered the cold wallet's smart-contract logic and handed control of the wallet to the attackers, who then drained roughly 401,000 ETH to addresses they controlled.
  4. The stolen assets were routed through a large network of intermediary wallets and cross-chain swaps to obscure the trail and hinder tracing efforts.

The FBI has attributed the hack to the Lazarus Group, a North Korean state-sponsored threat actor.

The Limitations of Multi-Signature Security

One of the most concerning aspects of this hack is that Bybit's multi-signature (multi-sig) security measures did not prevent it. Multi-sig requires several independent approvals before a transaction executes, which protects against a single stolen key or a single rogue signer. It does not protect against every signer being shown the same false picture of what they are signing. When the approval interface itself is compromised, multiple signatures simply mean multiple people endorsing the attacker's transaction.

Lessons for CFD Brokers and Other Entities

For CFD brokers, this attack is a warning that the relevant vulnerabilities extend well beyond traditional hacking methods. When an attacker controls what an authorized user sees, strong authentication alone no longer helps: the right person, with the right key, approves the wrong thing. Here is what brokers and other entities should do to strengthen their defenses:

  1. Independent Transaction Verification: Implement a separate way to verify a transaction that does not depend on the main UI. Had Bybit's signers compared the transaction against an independent source, such as a hardware wallet that decodes and displays the actual destination, value and call type, or a transaction hash recomputed offline from the parameters they intended to approve, the substitution could have been caught before the final signature.
  2. Segregation of Duties: Introduce additional operational controls so that the people who prepare a transaction, the people who approve it and the people who validate it before release are different teams working from independent systems.
  3. Third-Party Risk Management: CFD brokers often rely on external trading, custody and payment platforms. Require third-party vendors to follow strict security standards, including how they build and deploy the software their clients run, and audit them regularly; a vendor's compromised build pipeline becomes your incident.
  4. Employee Training: Although this attack did not rely on tricking employees into disclosing credentials, human error remains one of the biggest security risks in financial firms. Regular cybersecurity training helps staff recognize phishing, social engineering and UI manipulation, and teaches approvers to verify rather than trust what a screen shows them.

The financial sector will continue to face increasingly sophisticated cyber threats, particularly from state-sponsored groups and organized crime syndicates. As attackers refine their techniques, firms must stay ahead by proactively strengthening their security frameworks, including the controls around what their own people approve. The Bybit hack is not just a lesson from the past; it is a warning about the future of financial crime.
