The $1.5 Billion Bybit Hack: Lessons from History’s Largest Crypto Heist

The biggest crypto heist in history just happened. On February 21, 2025, the state-backed North Korean hacking group Lazarus raided the cryptocurrency exchange Bybit and made off with roughly $1.5 billion worth of Ethereum, a sum roughly equal to 5% of the secretive nation’s entire GDP.
This record-breaking Bybit crypto hack should worry any organization that uses JavaScript (and there are very few that don’t) because compromised JavaScript made it possible. Let’s break down what happened.
Anatomy of the Heist
The victim was cryptocurrency exchange Bybit, which serves approximately 60 million users worldwide. One of Bybit’s key security measures was using multisig wallet technology, specifically from Safe{Wallet}, to protect digital assets.
As the name suggests, multisig requires multiple private keys to authorize a transaction. Unlike a standard single-signature wallet, where only one key is needed to sign and send funds, a multisig wallet adds an extra layer of security by distributing control among several parties or devices.
How Multisig Wallets Work
In simple terms:
- Imagine a safe that needs two or more keys to open, with each key held by a different person. All (or a specified number) of those keyholders must agree to unlock it.
- In a multisig setup, you might have a “2-of-3” configuration: three private keys exist, but any two are enough to approve a transaction. This could involve three people, or one person holding keys across separate devices.
This design provides several security benefits:
- Enhanced security: If one key is compromised, funds remain safe because attackers need additional keys.
- Shared control: Organizations can ensure no single person can move funds unilaterally.
- Backup protection: If one key is lost, funds can still be accessed with the others (depending on the configuration).
Bybit Crypto Hack: How the Attack Happened
In the Bybit hack, the attackers didn’t break the smart contract code itself. Instead, they tricked the human signers into approving a malicious transaction. According to initial reports, the hackers used compromised JavaScript to present a fake user interface (UI) that showed the signers a routine transfer while the payload actually submitted for their signatures was something else.
The hackers reportedly gained access by compromising a machine belonging to a developer involved with Safe{Wallet}, which gave them access to the infrastructure hosting the wallet’s front end. They then replaced a legitimate JavaScript file with malicious code specifically designed to activate during Bybit’s next transaction and target the company’s multisig cold wallet (an offline wallet disconnected from the internet).
Much like a formjacking attack, the fake UI displayed legitimate-looking transaction details (including the correct addresses) to the signers, Bybit’s CEO among them, while the transaction they actually signed altered the wallet’s underlying smart contract logic so that funds could be redirected to the attackers. The signatures themselves were genuine and the multisig threshold was met; the control that failed was not the contract but the link between what the signers saw and what they signed.
The compromised machine had access to Safe{Wallet}’s infrastructure—specifically, an AWS S3 or CloudFront account hosting the wallet’s UI. Given that Safe{Wallet} is open-source, security experts believe the attackers likely targeted a contributor working on the codebase, possibly through phishing or malware—tactics commonly employed by the Lazarus Group.
Key Takeaways and Security Implications
While it does not fit the usual picture of a supply chain attack, the Bybit crypto heist still fundamentally relied on attackers injecting malicious code into a system the victim trusted. This approach bears similarities to other attacks where threat actors have hidden malicious JavaScript in unexpected places, such as within image files or product page comments.
Malicious JavaScript injections have been behind numerous cyberattacks, including those targeting financial institutions in 2024. As the most popular scripting language on the web, JavaScript often becomes the weak link that malicious actors exploit in web skimming attacks and other cyber threats.
Several factors make JavaScript particularly attractive to attackers:
- Cross-platform compatibility
- Ease of use
- Large support community
- Ability to be obfuscated (disguised to hide its true purpose)
Protecting Against Similar Attacks
Organizations can implement several measures to reduce their vulnerability to JavaScript-based attacks:
- Implement continuous website monitoring to detect unauthorized script changes
- Use subresource integrity (SRI) so the browser only executes a fetched script whose hash matches the integrity attribute the page author embedded; note that this only helps when the page carrying the hash is served from infrastructure the attacker does not control
- Adopt a content security policy (CSP) that restricts which script sources (by origin, nonce or hash) may execute on your site
- Conduct regular security audits of third-party dependencies and scripts
- Train employees to recognize signs of phishing or social engineering attempts
The Bybit hack demonstrates that even strong controls such as multisig can be defeated when attackers find creative ways to exploit human trust alongside technical weaknesses: the wallet did exactly what it was asked, but the signers were shown something other than what they signed. As digital assets grow in value, robust, multi-layered security approaches become increasingly essential.