Bybit graphic.

Bybit breach: How hackers stole $1.5 billion without breaking blockchain security

Check Point research shows that social engineering, not smart contract flaws, enabled one of crypto’s largest thefts.

In one of the most significant cryptocurrency thefts to date, hackers infiltrated an offline Ethereum wallet and stole approximately $1.5 billion in digital assets, primarily Ethereum tokens. The attack, which targeted the cryptocurrency exchange Bybit, has raised new concerns about the vulnerability of even the most secure storage methods. While cold wallets and multisignature (multisig) authentication have long been considered gold standards in digital asset security, the latest breach demonstrates that human error and interface manipulation can render these defenses ineffective.
The breach was detected on February 21 by Check Point’s Blockchain Threat Intelligence system, which flagged an anomaly in a transaction log on the Ethereum network. Check Point’s researchers quickly determined that the hack was the result of a sophisticated attack that exploited vulnerabilities beyond smart contract logic. Instead of directly breaching blockchain protocols, the attackers manipulated user interfaces and executed an advanced form of social engineering, deceiving key signers into approving fraudulent transactions.
Bybit graphic.
(Check Point)
According to Check Point’s analysis, the attack leveraged a technique first documented in July 2024, when its researchers identified a pattern of exploits using the Safe Protocol’s execTransaction function. This function, designed to enable secure multisig transactions, was weaponized by attackers who subtly altered legitimate transaction requests. By manipulating the interface that signers relied upon to verify transactions, they successfully tricked key custodians into unwittingly authorizing the massive transfer of funds.
"The attack on Bybit is not surprising—last July, we uncovered the exact manipulation technique that attackers exploited in this record-breaking heist," said Oded Vanunu, Chief Technologist & Head of Products Vulnerability Research at Check Point Research. "The most alarming takeaway is that even cold wallets—once considered the safest option—are now vulnerable. This attack proves that a prevention-first approach, securing every step of a transaction, is the only way to stop cybercriminals from carrying out similar high-impact attacks in the future."
This incident marks a turning point in cyber threats against digital assets. Previous major hacks typically exploited vulnerabilities in smart contract code or weaknesses in private key management. By contrast, the Bybit attack underscores the growing sophistication of social engineering tactics, which bypass technical security measures by targeting human oversight. Check Point’s analysis emphasizes that no level of cryptographic security can fully protect against deception if signers are misled about the transactions they are approving.
The implications of this attack extend far beyond Bybit. Check Point researchers warn that the growing trend of supply chain and UI manipulation attacks represents an existential threat to the security of digital assets. As attackers refine their methods, companies holding significant crypto assets must rethink their security strategies. Traditional cybersecurity measures such as endpoint threat detection, email security, and real-time transaction verification must be integrated into crypto asset protection.
Check Point’s findings suggest that a fundamental shift is needed in how security is approached in Web3 environments. Instead of relying solely on smart contracts and cold storage, firms must implement zero-trust principles, requiring independent transaction verification and air-gapped signing devices. Without these safeguards, even the most well-protected wallets remain susceptible to manipulation.
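
One way to implement the independent transaction verification described above, as an added example that is not from the article or Check Point: decode the raw execTransaction calldata on a path separate from the signing interface and compare it with what the signer intended to approve. The selector and argument layout follow the Safe contract's public ABI; the intent dictionary, helper names and sample addresses are assumptions constructed for illustration.

```python
# Added example (not from the article or Check Point): decode Safe execTransaction
# calldata independently of the signing UI and compare it with the signer's intent.
EXEC_TX_SELECTOR = bytes.fromhex("6a761202")  # first 4 bytes of an execTransaction call
FIELDS = ("to", "value", "data", "operation")  # operation: 0 = CALL, 1 = DELEGATECALL

def _word(args: bytes, i: int) -> int:
    """Read the i-th 32-byte ABI word as an unsigned integer."""
    return int.from_bytes(args[32 * i:32 * i + 32], "big")

def decode_exec_transaction(calldata: bytes) -> dict:
    """Decode the first four execTransaction arguments from ABI-encoded calldata."""
    if calldata[:4] != EXEC_TX_SELECTOR:
        raise ValueError("not an execTransaction call")
    args = calldata[4:]
    if len(args) < 10 * 32:  # execTransaction has ten head words
        raise ValueError("calldata too short")
    off = _word(args, 2)  # offset of the dynamic `data` argument
    length = int.from_bytes(args[off:off + 32], "big")
    if off + 32 + length > len(args):
        raise ValueError("truncated data field")
    return {"to": "0x" + args[12:32].hex(), "value": _word(args, 1),
            "data": args[off + 32:off + 32 + length], "operation": _word(args, 3)}

def verify_against_intent(calldata: bytes, intent: dict) -> list:
    """Return one message per field where the calldata differs from the intent."""
    tx = decode_exec_transaction(calldata)
    return [f"{f}: intended {intent[f]!r}, calldata has {tx[f]!r}"
            for f in FIELDS if tx[f] != intent[f]]

def build_sample(to: str, value: int, data: bytes, operation: int) -> bytes:
    """Construct sample calldata (fixture only; gas fields zero, signatures empty)."""
    w = lambda n: n.to_bytes(32, "big")
    data_enc = w(len(data)) + data + b"\x00" * (-len(data) % 32)
    head = (w(int(to, 16)) + w(value) + w(320) + w(operation) + w(0) * 5
            + w(320 + len(data_enc)))
    return EXEC_TX_SELECTOR + head + data_enc + w(0)

# Constructed values, not addresses or amounts from the incident.
INTENT = {"to": "0x" + "11" * 20, "value": 10**18, "data": b"", "operation": 0}
OTHER = "0x" + "22" * 20

if __name__ == "__main__":
    # Calldata that matches the intent: no mismatches reported.
    print(verify_against_intent(build_sample(**INTENT), INTENT))
    # Calldata that differs in every checked field: signing should be refused.
    print(verify_against_intent(build_sample(OTHER, 0, b"\xde\xad", 1), INTENT))
```

A signer would refuse to approve whenever the returned list is non-empty, regardless of what the wallet interface displays.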