02-27-2025

Standing at the window of Bybit’s Singapore headquarters, a block from the shimmering banks of Marina Bay, Ben Zhou thought it would be a routine night. The co-founder and CEO of the upstart digital asset exchange had grown accustomed to the hum of nocturnal operations—scheduled transfers, system checks, and maintenance tasks.

Crypto never sleeps, or so the saying goes.

In the 24/7 world of digital finance, a late-night transaction was hardly cause for concern. So when an Ethereum cold wallet multi-signature transfer was submitted shortly after midnight, no alarms went off. A cautious operator might have double-checked the wallet address, and another might have verified the transaction data. In theory, a multi-signature wallet provides layers of security, requiring multiple approvals before moving funds—a digital fortress against unauthorized access.

Bybit’s environment had always seemed well-guarded.

But by the time the sun rose a few hours later, it was clear that the fortress had been torn wide open. Over 400,000 ETH and various staked derivatives, totaling more than $1.4 billion, had vanished.

“Bybit ETH multisig cold wallet just made a transfer to our warm wallet about 1 hr ago,” Zhou posted on X. “However, the signing message was to change the smart contract logic of our ETH cold wallet. The hacker took control of the specific ETH cold wallet we signed and transferred all ETH in the cold wallet to this unidentified address.”

From an outsider’s perspective, the immediate puzzle was how a multi-signature wallet, a widely touted and commonly implemented security measure, could fail decisively. Later analysis suggested that the culprit was a sophisticated ‘blind signing’ or ‘UI masking’ exploit.

In essence, the attack was an elaborate technological sleight of hand.

The hackers manipulated what the wallet signers saw on their screens. Instead of revealing the actual malicious code, the user interface displayed a perfectly legitimate facade. The signers, believing they were authorizing a routine transfer, had, in fact, approved changes to the underlying smart contract that governed their cold storage wallet, effectively handing control of more than $1.4 billion in digital assets to the attackers.

As the news broke, speculation ran wild.

Had Lazarus Group, the North Korean state-sponsored hacking collective, done it again? Already, there were rumors they had tested infiltration methods on smaller platforms in the weeks leading up to the Bybit fiasco, though official confirmation would come only later. Others wondered whether an inside job was at play. After all, how else could a cunning infiltration break not just one but multiple signers?

On-chain sleuth ZachXBT, revered in crypto circles for unmasking fraud and tracing illicit transactions, quickly identified the hackers’ addresses. He found connections to wallets previously implicated in high-profile exploits, including attacks on Phemex and BingX.

His findings revealed what many feared: the unmistakable fingerprint of Lazarus.

In crypto, major hacks are hardly a novelty, but the scale of the Bybit breach has rattled even the most stalwart industry veterans. This was no ordinary hack; it was a display of ingenious subterfuge, a mask-and-misdirect maneuver carried out with surgical precision, orchestrated by one of the world’s most sophisticated state-sponsored hacking groups.

But while the industry reeled, Bybit did something unusual: it kept withdrawals open. Even as panic spread across social media, the exchange refused to freeze customer funds. Historically, hacked exchanges have slammed the brakes on all transactions, fueling speculation and eroding user confidence.

Bybit, however, took a different stance.

“If this hack was conducted through penetrating our internal systems, such as any part of the withdraw system or one of our hot wallet was breached, we would’ve halted all withdraws until we find the root cause of the problem,” Zhou explained on X.

“In the case of yesterday, it was our ETH cold wallet…that was breached, it had nothing to do with any of our internal systems so it was easy for me to make the call to maintain all withdraw and system functions of Bybit as usual.”

Driven by fear that the entire exchange might buckle under the weight of a billion-dollar hack, customers put Bybit’s claim to an immediate stress test, initiating more than 350,000 withdrawal requests in mere hours. This massive surge could have overwhelmed any exchange, yet Bybit processed them all, reassuring users that it retained more than enough collateral to cover their funds.

Zhou’s handling of the crisis has been notably direct, and Bybit’s response has drawn praise from industry leaders, including former Binance CEO Changpeng ‘CZ’ Zhao.

“Ben did a good job maintaining transparent communication and calmness in dealing with a challenging situation,” Zhao posted on X. “That shows a sharp contrast to other less transparent CEOs.”

As word of the fiasco spread, the question of Why Bybit? lingered.

Once considered among the more secure and forward-thinking centralized exchanges, Bybit had grown swiftly during the last crypto bull market. With headquarters in Singapore, a city known as much for its stringent financial oversight as its polished skyline, it projected an aura of measured innovation.

However, security researchers remind us that, no matter how advanced the technology is, most attacks succeed by exploiting human trust. Even multi-signature wallets, hailed as a gold standard in digital asset security, ultimately depend on fallible human operators.

Beyond Bybit’s glass-walled meeting rooms, the city carried on as usual, its tropical sun casting long reflections across Marina Bay. But inside Bybit’s offices, it was anything but normal.

The billion-dollar hunt had begun.
