Overview of the Attack
The ByBit hack in February 2025, which resulted in the loss of 401,347 ETH, remains a major event in the crypto world. This article explains the hack in two parts: a simple overview and a technical dive into the vulnerabilities exploited. The attack combined social engineering, off-chain manipulation, and on-chain exploits, targeting ByBit’s process of transferring ETH from cold wallets to hot wallets via Safe{Wallet}’s frontend. The key players in this incident include ByBit employees, Safe{Wallet} employees, and the attacker.
ByBit Hack: How the Attack Unfolded
The hack began with the compromise of a Safe{Wallet} employee’s device. This allowed the attacker to manipulate Safe{Wallet}’s user interface, which went unnoticed by ByBit employees during routine ETH transfers. The attacker exploited this subtle manipulation to trick ByBit employees into approving malicious transactions.
Here’s an analogy: imagine a company that spends $20,000 monthly on supplies, requiring signatures from 3 of 6 authorized staff. Usually, they sign a legitimate document without second thoughts. But this time, a tampered document slips through. The attacker altered the document (Safe{Wallet}’s UI), ByBit employees unknowingly signed it, and the compromised system enabled the deception.
Technical Breakdown
The attack unfolded across three vectors:
- Vector 1: Compromised Device. The attack began with a Safe{Wallet} employee’s machine being breached, giving the attacker control over the frontend ByBit employees used to approve transactions.
- Vector 2: Phishing. ByBit employees, used to signing transfers via Safe{Wallet}’s UI, didn’t notice the signs of phishing. They approved the transaction as usual, unaware of the tampering.
- Vector 3: On-Chain Exploit. The attacker manipulated the signed transaction to alter the implementation contract address of Safe{Wallet}’s proxy contract. This exploit leveraged Solidity’s delegatecall function, which runs the called contract’s code in the calling contract’s own storage context, enabling the attacker to swap the legitimate implementation with a malicious one. Once the switch was made, the attacker drained over 400,000 ETH from ByBit’s cold wallet.
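Because the tampered UI hid what the signers were really approving, the practical mitigation is to decode the raw Safe transaction payload independently of the frontend and refuse to sign when the operation is a delegatecall or the target and value differ from the intended transfer. The Python below is an added example, not code from the article, Safe{Wallet} or NCC Group; the ABI layout follows Safe’s execTransaction signature, and the addresses and payload bytes are constructed placeholders.

```python
# Added example (not from the article, Safe{Wallet} or NCC Group): decode a Safe
# execTransaction payload independently of the frontend before signing it.
EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")  # execTransaction(...) selector
OP_CALL, OP_DELEGATECALL = 0, 1  # Safe's Enum.Operation values
def _word(v: int) -> bytes:
    return v.to_bytes(32, "big")
def _addr(a: str) -> bytes:
    return bytes.fromhex(a[2:]).rjust(32, b"\0")  # address right-aligned in a word
def _dyn(b: bytes) -> bytes:
    """ABI dynamic bytes: length word followed by content padded to 32 bytes."""
    return _word(len(b)) + b.ljust(-(-len(b) // 32) * 32, b"\0")

def encode_exec_transaction(to: str, value: int, data: bytes, operation: int) -> bytes:
    """Minimal encoder: zero gas parameters, zero gas token/refund receiver, no signatures."""
    data_off = 10 * 32                      # ten head words precede the dynamic tail
    sig_off = data_off + len(_dyn(data))
    head = (_addr(to) + _word(value) + _word(data_off) + _word(operation)
            + _word(0) * 3 + _addr("0x" + "00" * 20) * 2 + _word(sig_off))
    return EXEC_TRANSACTION_SELECTOR + head + _dyn(data) + _dyn(b"")

def decode_exec_transaction(calldata: bytes) -> dict:
    """Recover the fields a signer must verify from the raw calldata."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction call")
    body = calldata[4:]
    word = lambda i: int.from_bytes(body[32 * i:32 * (i + 1)], "big")
    data_off = word(2)
    data_len = int.from_bytes(body[data_off:data_off + 32], "big")
    return {"to": "0x" + body[12:32].hex(), "value": word(1), "operation": word(3),
            "data": body[data_off + 32:data_off + 32 + data_len]}

def check_plain_transfer(calldata: bytes, expected_to: str, expected_value: int) -> list:
    """Findings for a payload meant to be a plain ETH transfer; an empty list means it matches."""
    tx, findings = decode_exec_transaction(calldata), []
    if tx["operation"] == OP_DELEGATECALL:
        findings.append("operation=DELEGATECALL: the target's code would run in the Safe's "
                        "own storage context and could overwrite the implementation slot")
    if tx["to"].lower() != expected_to.lower():
        findings.append(f"to={tx['to']} differs from expected {expected_to}")
    if tx["value"] != expected_value:
        findings.append(f"value={tx['value']} differs from expected {expected_value}")
    if tx["data"]:
        findings.append(f"{len(tx['data'])} bytes of calldata on a plain transfer")
    return findings

HOT_WALLET, UNEXPECTED_CONTRACT = "0x" + "11" * 20, "0x" + "22" * 20  # constructed
BENIGN = encode_exec_transaction(HOT_WALLET, 10 * 10**18, b"", OP_CALL)
TAMPERED = encode_exec_transaction(UNEXPECTED_CONTRACT, 0,
                                   bytes.fromhex("11223344") + bytes(32), OP_DELEGATECALL)
```

Run against a live signing request, the same decoder would be fed the calldata from the hardware wallet or the raw JSON-RPC payload rather than from the web UI.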
For further technical details, refer to the full breakdown by NCC Group [1].
References
[1] NCC Group, full technical breakdown of the ByBit hack.
[2] Documentation on Solidity’s delegatecall function and its potential as an attack vector.