The Bybit Hack and What It Teaches Us About Multisig Wallet Security
In February 2025, Bybit, one of the world’s largest cryptocurrency exchanges, suffered a staggering $1.46 billion hack.
On February 21, 2025, Bybit’s multisig cold wallet appeared to make a routine transfer to its warm wallet, a less secure storage for daily use. The wallet used a 2-of-3 multisig setup, meaning two out of three authorized signers had to approve the transaction. The user interface (UI) showed a legitimate destination address, and the URL tied back to Safe, a trusted multisig provider. But it was a deception.
Hackers—possibly North Korea’s Lazarus Group, notorious for crypto heists—exploited a "blind signing" flaw in hardware wallets. Unable to fully decode the transaction, these devices displayed only its hash, masking a change that handed control of the wallet’s smart contract to the attackers. In minutes, they siphoned off 400,000 ETH, worth $1.46 billion. This wasn’t a multisig failure but an operational one: the keys weren’t stolen, the signers were misled.
The Bybit breach echoes earlier attacks like the $50 million Radiant Capital hack and the $230 million WazirX exploit in 2024, both of which also leveraged blind signing and social engineering to bypass multisig defenses. These incidents underline a harsh truth: even top-tier tools falter without airtight human processes.
On Ethereum and other EVM-compatible blockchains, Safe has emerged as the most widely used multisig wallet solution—and Bybit relied on it for its cold storage. Safe’s smart contracts are battle-tested and formally verified using tools like the Certora Prover, a system that mathematically proves the code behaves as intended, catching bugs or exploits before they’re deployed. This rigorous verification has made Safe’s core logic incredibly resilient; its smart contracts have withstood years of real-world use without a major breach at the protocol level. But that strength has shifted the battlefield. Hackers, finding the code tough to crack, now target the teams behind the wallets with Web2-style attacks—think phishing emails, fake websites, and social engineering—to exploit human error rather than technical flaws.
Multisig wallets are a big step up from single-key wallets, where one compromised key means game over. If your phone gets hacked or you lose your private key, a single-key wallet’s funds are gone. Multisig spreads that risk across multiple parties or devices, so losing one key doesn’t spell disaster. It’s why exchanges like Bybit use them for cold storage and why crypto teams use them to manage treasury funds.
But the Bybit hack shows that multisig isn’t a silver bullet. It relies heavily on operational security—the practices and habits of the people using it. If signers can be fooled into approving a bad transaction, the extra keys don’t matter. The attackers bypassed the technical safeguards by targeting the human element, a classic move in cybersecurity known as social engineering.
So, how do you use a multisig wallet without falling into the same trap? Operational security (OpSec) is about building layers of protection around your processes, not just your tech. Here are some practical steps, inspired by the Bybit incident, that balance safety and usability:
1. Verify Transactions Beyond the UI
The Bybit signers trusted the interface they saw, but it lied. Always check the raw transaction data—the actual code being signed—before approving anything. It’s technical, but even non-experts can learn to compare the destination address and amount in the raw data with what’s expected. If they don’t match, don’t sign.
Use a script like Safe Multisig Transaction Hashes or its online version.
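The comparison described in this step can be scripted. The following is an added example, not code from Safe or from the tool named above. It assumes the signer has the raw `to`, `value`, `data` and `operation` fields of the pending Safe transaction (in Safe's transaction format, `operation` 0 is a plain call and 1 is a delegatecall), and all addresses and amounts in it are constructed sample values.

```python
from typing import List, Optional

TRANSFER_SELECTOR = "a9059cbb"  # ERC-20 transfer(address,uint256)

def _hex(s: str) -> str:
    """Lower-case a hex string and drop its 0x prefix."""
    s = s.lower()
    return s[2:] if s.startswith("0x") else s

def check_safe_tx(tx: dict, expected_to: str, expected_amount: int,
                  token: Optional[str] = None) -> List[str]:
    """Return reasons not to sign; an empty list means the raw fields match intent."""
    problems = []
    to, data, value = _hex(tx["to"]), _hex(tx["data"]), int(tx["value"])
    if tx["operation"] != 0:  # Safe: 0 = call, 1 = delegatecall
        problems.append("operation is not a plain call")
    if token is None:
        # Native transfer: recipient is `to`, amount is `value`, calldata is empty.
        if to != _hex(expected_to):
            problems.append("destination differs from expected address")
        if value != expected_amount:
            problems.append("value differs from expected amount")
        if data:
            problems.append("unexpected calldata on a plain transfer")
    else:
        # ERC-20 transfer: `to` is the token contract; recipient and amount sit in calldata.
        if to != _hex(token):
            problems.append("target is not the expected token contract")
        if value != 0:
            problems.append("token transfer should not carry ETH")
        if len(data) != 8 + 128 or data[:8] != TRANSFER_SELECTOR:
            problems.append("calldata is not transfer(address,uint256)")
        else:
            if data[8:72] != _hex(expected_to).rjust(64, "0"):
                problems.append("recipient in calldata differs from expected address")
            if int(data[72:136], 16) != expected_amount:
                problems.append("amount in calldata differs from expected amount")
    return problems

# Constructed sample values (not real addresses or transactions).
WARM, TOKEN, OTHER = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "ee" * 20
GOOD_ETH = {"to": WARM, "value": "10000000000000000", "data": "0x", "operation": 0}
GOOD_TOKEN = {"to": TOKEN, "value": "0", "operation": 0,
              "data": "0x" + TRANSFER_SELECTOR + _hex(WARM).rjust(64, "0") + f"{500:064x}"}
# Same calldata, but a different target and operation = 1: must be rejected.
ODD = dict(GOOD_TOKEN, to=OTHER, operation=1)

if __name__ == "__main__":
    for name, tx, tok in [("eth", GOOD_ETH, None), ("token", GOOD_TOKEN, TOKEN), ("odd", ODD, TOKEN)]:
        print(name, check_safe_tx(tx, WARM, 500 if tok else 10**16, tok) or "fields match")
```

The expected address and amount should come from a source independent of the signing UI, such as the out-of-band confirmation with the team.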
2. Isolate Signing Devices
Have a “cold device” that you use only for signing transactions. This may sound like a stretch, but the device should access only the multisig wallet UI and should block access to all other websites. If you need more context or want to do research, use your normal computer. This reduces the chance of hackers gaining access to your signing device and contaminating the front ends you sign on.
3. Spread Signers Across Locations and People
If all your signers work in the same office or use the same network, a single breach could hit everyone. Distribute keys across different individuals in different places. For a 2-of-3 setup, imagine one key with you, one with a trusted partner in another city, and one in a secure offline backup. This makes collusion or simultaneous attacks much harder.
4. Test Small Transactions First
Before moving millions, send a tiny amount—like 0.01 ETH—to the same destination using the same process. Confirm it arrives safely. This won’t stop every attack, but it can catch sloppy mistakes or suspicious behavior early.
5. Educate Your Team
The Bybit hack relied on signers not recognizing the deception. Train everyone involved to spot phishing emails, fake websites, or unusual requests. A simple rule: if a transaction feels urgent or unexpected, pause and double-check with the team out-of-band (like a phone call, not email).
6. Timelock Your Stuff
The Zodiac Delay Modifier module is available for the Safe multisig. Enabling it puts every transaction behind a timelock, so you have some extra time to review each transaction before it gets executed.
7. Diversify Signing Devices
To prevent supply chain attacks, diversify the hardware and software wallets that the signers use. Try to use newer-generation devices with larger screens, like GridPlus, that have enough space to show fuller transaction data on the hardware device itself.
For software wallets, consider using a mobile phone. Mobile operating systems are more difficult for attackers to break into. You can use hardware wallets like the Ledger Nano X with a mobile phone.
The Bybit hack isn’t an isolated fluke. In 2024 alone, North Korean hackers stole $1.34 billion across 47 crypto heists, per Chainalysis. They’re not guessing passwords—they’re exploiting operational gaps. Other attacks, like the $600 million Ronin hack in 2022, also leaned on social engineering to compromise multisig setups. As crypto grows, so will the sophistication of these threats.
For non-technical users, this might feel overwhelming, but the core idea is straightforward: don’t trust blindly. Multisig wallets are powerful, but they’re only as strong as the people and processes behind them. For technical folks, it’s a call to dig deeper—verify transaction hashes, use air-gapped systems, and maybe even explore emerging alternatives like multi-party computation (MPC), which splits keys in a way that avoids reconstructing them entirely.
The Bybit hack proves that operational security is the backbone of multisig wallet safety. The technology worked as designed—multiple signatures were required—but the attackers outsmarted the humans holding the keys. Whether you’re safeguarding personal savings or a company treasury, take it slow, spread the risk, and question everything you sign. In crypto, vigilance isn’t just a virtue—it’s a necessity.