Skip To Content
Menu

Expert Commentary, Industry Insights

The Flaw in “Secure” Systems: How Bybit’s Attack Exploited Blind Trust

5 min. read

Bybit’s recent attack has exposed a critical flaw in how many exchanges approach security. The real-time transaction manipulation that took place wasn’t just an unfortunate event—it was a direct consequence of mispurposed security architectures that sophisticated attackers are all too ready to exploit.

The attack combined blind signing vulnerabilities on Ledger devices with highly-targeted malicious UI manipulation made possible by a compromise of a Safe{Wallet} developer machine, effectively deceiving users into approving malicious transactions. It didn’t have to happen.

With nation-state-sponsored groups like Lazarus continually evolving, enterprises must shift their security mindset to proactive, nation-state-resilient infrastructure. 

What Happened?

A security model is only as strong as its weakest link. In Bybit’s case, two seemingly secure solutions—Ledger and Safe{Wallet}—merged to create a dangerous vulnerability. The attack exploited a standard hardware wallet and multisig wallet UI configuration that is inadequate for today’s enterprise and advanced threat needs. 

1. UI Manipulation in Safe{Wallet}

  • The attacker compromised a Safe{Wallet} developer machine, used it to access the production environment, targeting Bybit’s account 
  • Using that access, the attacker remotely modified Safe{Wallet}’s UI and injected  a malicious Javascript code to alter Bybit’s Safe{Wallet} UI. The malicious code targeted Bybit’s wallet, and was designed to act only on two specific wallets.
  • Users saw a legitimate transaction on-screen but were unknowingly approving a manipulated transaction at the protocol level
  • Once signed, the transaction replaced the smart contract wallet’s logic, to DPRK-deployed code allowing them to control the funds
  • That control was then used to empty the entire wallet into a different DPRK-owned wallet

2. Blind Signing on Ledger Devices

  • Because Ledger requires blind signing when interacting with smart contracts, victims had no way to verify the true transaction details before approving it
  • The combination of these two attack vectors created a near-perfect deception

The Hidden Risk of “Best-in-Class” Tools

The attack on Bybit highlights two critical security breakdowns: 

The first is the infiltration of Safe{Wallet}’s production environment via a compromise of a Safe {Wallet} developer machine. Foundationally, a single developer’s clear and direct access to production is dangerous – and must be mitigated with zero-trust security processes, including: 

  • Deep code reviews and sensitive code approvals. 
  • Execution of highly-sensitive code (like transaction approval flows, key management) via a trusted environment
  • Rigorous internal and external audits

The second is the structurally weak security patchwork commonly adopted in the market. Using separate smart account wallets alongside hardware signing solutions leaves crucial blind signing gaps, with users approving transactions they can’t fully verify. 

  • Ledger’s blind signing limitations mean users are approving transactions they can’t fully verify.
  • Wallet web UI reliance is dangerous—if Javascript is manipulated, the entire security model collapses.
  • Without a policy engine configured to enforce address and amount logic, costly mistakes are inevitable. 

For signers to operate with clarity and trust at such high stakes businesses they need an end-to-end security solution, with true enterprise-level security enforced at every checkpoint. 

Why Nation-State-Resilient Infrastructure is Required

As attack methods grow more sophisticated, a piecemeal approach to security is simply inadequate. Lazarus and other high profile attackers are the reason Fireblocks was founded. The platform’s multi-layer security has been engineered to provide end-to-end authenticity and security to protect against these exact attacks. Enterprise organizations must use the most robust security protections.

Secure design

  • Sensitive code execution inside secure enclaves to ensure trusted execution & system integrity
  • Hardware key management and storage via secure enclaves 
  • Distributed MPC wallet infrastructure for superior signing security over alternative Multi-Sig solution used by Safe{Wallet} and other wallet providers

Governance 

  • Enterprise policy & governance engine configured for amount, source, destination, and user access, and enforced outside of the device 
  • Multi-device approval – initiation from web console, approval via mobile with right controls
    • System Integrity checks
    • TEE-based key management
    • Face ID + PIN for sensitive operations

Operational intelligence

  • Native action decoding to authorize transactions with full clarity and mitigate hidden malicious transactions 
  • DeFi threat detection to automatically identify suspicious smart contracts, phishing websites, and compromised dApps
  • Secure transfer environment on the Fireblocks Network – automatically authenticating deposit addresses across your connected counterparties

Don’t Trust, Verify

A provider’s security posture must be validated regularly with rigorous internal and external audits. At Fireblocks, we believe the only standard is the one that exceeds the industry standards across:

  • SOC 2 Type II and ISO certifications (27001, 27017, 27018, and 22301) to ensure that its security, data privacy, and business continuity controls meet the highest global benchmarks. 
  • CCSS Level 3 QSP certification, the most stringent standard for cryptocurrency security, reinforcing its commitment to safeguarding digital assets. 
  • External penetration testing, independent code reviews, and comprehensive risk assessments provide continuous validation of its security infrastructure. 
  • Rigorous audits tailored for regulated financial institutions, including NIST Risk Assessment and BeFin compliance

While others patch security gaps, Fireblocks eliminates them entirely. By deploying MPC-based security, transaction policy enforcement, and real-time transaction verification, Fireblocks provides the only end-to-end security model that defends against attacks like Bybit’s—before they happen.

Join Fireblocks’ VP of Security & Trust, Shahar Madar, for a live AMA tomorrow, breaking down what went wrong, what it means for the industry, and how enterprises can stay ahead. Register here.

About Us

Fireblocks is the world's most trusted and proven digital asset infrastructure company, empowering organizations of all sizes to build, run and grow their business on the blockchain. With the industry's most secure, scalable and comprehensive platform, we streamline custody, tokenization, payment, settlement, and trading operations across the largest ecosystem of exchanges, custodians, banks, payment providers and stablecoin issuers in the world. Over 2,000 organizations - including BNY, Galaxy, and Revolut - trust Fireblocks to secure more than $7 trillion in digital asset transactions across 100 blockchains and 250+ million wallets. Learn more at fireblocks.com.

Topics

  • Best Practice
  • Security
  • Wallets
Ready for a deeper dive?

Get a Fireblocks Platform Demo

Find out how Fireblocks helps your digital asset business to grow fast and stay secure.

g2 & 4.5/5 stars