How Could the Bybit Hack Have Been Prevented?

Date: Mar 20, 2025

On February 21, 2025, Bybit, one of the world's leading crypto exchanges, faced the unthinkable: a devastating hack resulting in the loss of more than $1.4 billion worth of Ethereum. The event stunned the crypto community and raised urgent questions about the industry's security practices.

How the Hack Unfolded

The disaster began with what should have been a routine transaction - Bybit planned to transfer 40,000 ETH from cold storage, typically one of the safest asset storage methods, into a hot wallet for liquidity purposes.

Root Cause

Attackers secretly injected malicious JavaScript into Safe{Wallet}'s AWS-hosted resources two days before the hack. 

This malicious script manipulated the transaction details shown to authorized users, deceiving them into approving a dangerous transaction without their knowledge.

Minutes after executing the theft, hackers replaced the malicious code to erase evidence, indicating an attempt to avoid detection.

How It Happened

The hackers tricked Bybit’s team into unknowingly approving a hidden command. This allowed attackers to redirect control of Bybit’s wallet, giving them complete access to drain funds.

However, hackers intercepted this transfer by exploiting vulnerabilities within Bybit's wallet interface. Instead of 40,000 ETH, around 401,000 ETH were diverted into an unknown wallet, rapidly becoming one of the most significant heists in crypto history.

Could Extractor Have Prevented This Hack?

Hindsight often reveals clear paths to prevention. In Bybit's case, real-time transaction monitoring and advanced anomaly detection tools, such as Extractor, could have made the difference. Extractor’s on-chain analytics and monitoring technology could have immediately flagged the abnormal increase in transferred funds and suspicious destination wallets.

The most interesting part here is how the Safe Multisig Monitor, developed by Extractor, would have played a vital role in this process.

This monitor continuously tracks and validates multisig transactions and identifies discrepancies in transaction hashes, signatures, and Safe transaction types. According to the simulated Bybit transaction analysis, the monitor detected a critical transaction hash mismatch between expected and submitted values, which triggered immediate alerts.

In a nutshell, the Safe Multisig Monitor triggers in cases such as:

  • the list of signers for a Safe Multisig contract is retrieved
  • a new confirmation signature has been submitted for a Safe transaction
  • a Safe Multisig transaction has been fully confirmed and executed
  • the computed Safe transaction hash does not match the expected hash
  • the submitted signature does not match the expected signer

Bybit Hack and Safe Multisig Monitor Simulation

The whole backtest was simulated with nonce 71 (exploited transaction). All submitted transaction signatures are valid and signed with the same safe tx hash. 

When calculated with the provided inputs, the safe tx hash provided by the API does not match the expected one, which is generated by code implemented in the Safe Multisig detector based on the OpenZeppelin Safe Util logic (safe_hashes.sh).

As a result, Extractor’s Safe Multisig Monitor triggered a critical alert. The transaction also uses a delegate call operation, which raised a high alert regarding the submitted signatures and transactions.

So, we can tell that implementing even this one Monitor with verification steps would have created an essential protective barrier that could have significantly decreased or avoided this disastrous loss.

Lessons Learned

The Bybit incident is a sobering reminder that even industry leaders aren't immune to cyber threats. As crypto continues its rapid expansion, exchanges must adopt smarter, proactive security practices - leveraging powerful monitoring platforms like Extractor - to protect themselves and maintain trust with users.

For a complete list of available Monitors and Detectors, including how Extractor can be integrated into your security stack, visit our Documentation.

The future of crypto security isn’t just about stronger walls - it’s about smarter sentinels watching the gates.

FAQ

What is a Hacken Extractor?

Hacken Extractor is an advanced security and compliance monitoring solution for Web3 projects, designed to protect smart contracts on leading Layer-1 and Layer-2 networks. Our platform provides real-time attack detection, compliance monitoring, incident response, and customizable protection features to help keep your project secure and aligned with regulatory requirements.

Which networks does Hacken Extractor support?

Hacken Extractor supports a wide range of major blockchain networks to provide comprehensive security and compliance monitoring. Currently, we support 17 networks, including Ethereum, Optimism, Binance Smart Chain (BNB), Gnosis, Polygon, Fantom, Arbitrum One, Linea, Base, Blast, zkSync, Scroll, Avalanche, Stellar, ICP, VeChain, and Telos. We are continuously expanding our supported networks to meet the evolving needs of the Web3 ecosystem.

Why is blockchain regulatory compliance crucial?

Regulatory compliance in crypto is essential for fostering trust, transparency, and credibility in the market. By adhering to these standards, businesses can prevent financial crimes, like money laundering or fraud, and ensure user safety. Meeting all regulatory compliance requirements—such as MiCA, DORA, FATF, and ADGM—protects your business from potential legal actions and fines.

At Hacken Extractor, our on-chain monitoring and protection system is designed to help you stay compliant with regulatory frameworks, providing a solid foundation for sustainable growth and wider adoption of your crypto services.

Why should I use crypto compliance software?

Crypto compliance software simplifies the process of staying on top of regulations by helping you monitor activity, spot fraud, and strengthen security. Key benefits include meeting current and future regulatory standards and protecting your infrastructure from scams and hacks.

With rapid changes in crypto regulations, a compliance solution like Hacken Extractor keeps your business adaptable and secure, helping you avoid penalties, build user trust, and maintain safety and compliance.

Is Hacken Extractor suitable for compliance with MiCA and DORA regulations?

Yes, Hacken Extractor is fully equipped to support Web3 projects in complying with the EU’s MiCA and DORA regulations. By incorporating continuous compliance monitoring, we help projects stay ahead of regulatory requirements, ensuring security and compliance in a dynamic regulatory environment.

Can Hacken Extractor create a custom solution for my project?

Yes, Hacken Extractor can develop custom security detectors and monitoring solutions tailored to your specific needs. Our platform is flexible and customizable, allowing us to address the unique security and compliance challenges each project may face.

How can I start using Hacken Extractor?

To get started with Hacken Extractor, simply reach out through our “Book a Demo” form on our website. Our team will guide you through a tailored demo session, discuss your project’s specific needs, and provide all the details needed for a smooth onboarding process.
