$1.4 Billion Bybit Hack Raises Concerns Over Safe’s Transaction Security

Largest Crypto Heist in History Linked to Lazarus Group

The cryptocurrency world was rocked today as Bybit suffered a massive security breach, losing approximately $1.4 billion in Ethereum (ETH). This marks the largest exploit in crypto history, sending shockwaves through the industry.

According to blockchain research platform Arkham, renowned on-chain investigator ZachXBT provided evidence linking the attack to North Korea-affiliated Lazarus Group. Further analysis suggests that the breach might have been years in the making.

How the Bybit Hacker Moved 400,000 ETH

The attacker executed a well-planned and sophisticated theft, withdrawing approximately 400,000 ETH from Bybit’s cold storage. The stolen funds were then split into multiple wallets to obscure the transaction trail.

Bybit CEO Ben Zhou pointed to a vulnerability in the user interface (UI) of the company's multisignature (multisig) wallet, which was provided by Safe (formerly Gnosis Safe)—a widely trusted wallet infrastructure used by major Ethereum organizations.

“It appears that this specific transaction was musked, all the signers saw the musked UI which showed the correct address and the URL,” Zhou stated. In this context, "musked" refers to transaction payloads being obfuscated or spoofed, misleading the signers into approving a fraudulent transaction.

Mysterious Transaction Hashes: A Security Red Flag

Further blockchain forensic analysis has uncovered an unusual anomaly: two identical transaction hashes appearing five years apart on two different networks—Ethereum (2019) and Base (2024).

Crypto security firm Groom Lake noted that Ethereum transaction hashes are 64 characters long and should be mathematically unique. Recreating an identical hash across different networks should be impossible.

Groom Lake researcher Apollo speculated that this could indicate:

• A way to make a single transaction valid across multiple networks

• A potential reuse of wallet signatures or transaction data across chains

If either of these possibilities is true, it could signal a critical flaw in how crypto transactions are secured and validated.

Safe Denies Connection to the Bybit Hack

Despite concerns, Safe has dismissed any direct link between this anomaly and the Bybit exploit.

“The transaction in question is the deployment of the singleton contract,” a Safe spokesperson told Blockworks. “It was deployed without EIP-155 to support cross-chain compatibility. Replaying this deployment does not pose a security risk.”

Understanding EIP-155 and Replay Attacks

Ethereum Improvement Proposal EIP-155 was introduced in 2016 as a defense against replay attacks, a technique where an attacker reuses signed transactions on multiple networks.

Before EIP-155, a signed transaction on Ethereum Mainnet could be replayed on any Ethereum-compatible chain because the signature remained valid. EIP-155 resolved this issue by including a chain ID in signed transactions, ensuring they are only valid on their intended network.

This means that even if an attacker gains access to a private key, they cannot reuse an old transaction across different chains.

Was the Hack a UI Exploit Instead?

If Safe’s assessment is correct, then the Bybit hack may not be a result of a smart contract vulnerability. Instead, it could be due to:

• UI manipulation, where hackers spoofed transaction details to deceive signers

• Compromised wallet infrastructure, allowing attackers to modify contract approvals

These tactics resemble past high-profile exploits, such as:

• Radiant exploit (December 2023)

• WazirX breach (March 2024)

As a precaution, Safe has taken down its main user interface, though it reassured users that no exploit was found in the official frontend.

“We remain confident there’s no exploit in the official Safe {Wallet} frontend, but if you need to transact, you can still manage your Safe using alternative interfaces,” the Safe team wrote on X.

What This Means for Institutional Crypto Security

While Safe insists its core smart contract security remains intact, this incident raises questions about how multisig transactions are reviewed and approved.

For institutions using multisig wallets, experts recommend:

• Verifying transaction payloads at the raw data level, not just relying on UI

• Implementing additional security layers, such as multi-factor authentication

• Regular audits of wallet approvals to detect unauthorized changes

For now, the hacker remains the fourteenth-largest ETH holder in the world, making their next move highly anticipated. The crypto security community is closely tracking their wallet activity as investigations continue.

FAQ

1. What makes the Bybit hack the largest in crypto history?

The Bybit exploit resulted in the loss of $1.4 billion in ETH, surpassing previous high-profile crypto hacks.

2. How did the hacker steal funds from Bybit?

The attacker exploited a vulnerability in Bybit’s multisig wallet UI, deceiving signers into approving a fraudulent transaction.

3. What is Safe, and why is it being questioned?

Safe is a widely used Ethereum multisig wallet provider. Bybit’s multisig wallet, powered by Safe, may have been compromised through UI manipulation rather than a smart contract flaw.

4. What is EIP-155, and why is it important?

EIP-155 is an Ethereum security measure that prevents replay attacks by ensuring transactions are only valid on the intended blockchain network.

5. How can institutions protect their multisig wallets?

Institutions should manually verify transactions, use multi-layered security measures, and audit approvals regularly to prevent unauthorized changes.

This case serves as a stark reminder that even the most trusted crypto security solutions are not infallible. The industry now watches closely as investigators work to trace and recover the stolen funds.