ByBit: Frontend Spoofing / Blind Signing — Malicious Safe Multisig Implementation Upgrade
Summary
ByBit, a centralised exchange (CEX), suffered a compromise of its Ethereum cold wallet (a Safe multisig) on 2025-02-21, resulting in a loss of approximately $1.4B.
What happened
North Korea's Lazarus Group deceived ByBit's multisig signers into approving a malicious Safe implementation upgrade that installed a hidden drain function — executing the largest theft in crypto history at $1.43 billion.
Linked factors
- RD-F-006 (causal): Audit-deploy gap, alternate field name [via dashboard_risk_factors / "Code newly deployed/upgraded?": Yes. The attacker deployed and installed a malicious Safe implementation contract.]
- RD-F-101 (illustrative): Large governance proposal queued; a real-time signal would have fired [via realtime_signals / "Governance/admin action (Y/N)": Y. The exploit *was* a governance/implementation action (a Safe upgrade) disguised as a routine transfer.]