The recent Bybit hack of $1.5 billion has raised serious security concerns, with reports confirming the attackers used a highly sophisticated method to drain millions in crypto assets. Crypto analyst David Leung has provided a detailed breakdown of how the attack unfolded, revealing major lapses in Bybit’s security.
Arkham reports that the bybit 
bybit – Centralised ExchangeCrypto trading and Information 
hack happened through “Blind Signing,” a method that lets transactions be approved without seeing all the details. The attackers compromised Bybit’s ETH cold wallet, moving nearly $1.5 billion in assets into one wallet before spreading them across multiple wallets. Draining funds from the most secured platforms reveals the true nature of crypto assets since there are no uniform laws for international crimes it will be difficult for Bybit to recover the losses. In this context, Bybit has announced a 50,000 ARKM bounty for the attackers further investigations are on.
Let’s see what happened and how to stay protected.
Now that we know who's behind the @Bybit_Official attack. Let's look at how the hack actually worked.
At a high level, the hack involved the 4 broad group of events:
1. Attacker deployed a trojan contract and a backdoor contract.
2. Attacker tricked signers of the upgradeable… pic.twitter.com/5repcdcsDB
— David | crypto/acc (@dhkleung) February 21, 2025
How the Attack Happened
The hackers deployed a trojan contract along with a backdoor contract, setting up a trap for Bybit’s upgradeable multisig wallet. They tricked the wallet’s signers into authorizing a seemingly harmless ERC-20 token transfer. However, this transaction contained a delegate call, a function that allowed them to alter the contract’s core logic. Instead of a simple transfer, the attackers used the trojan contract to replace the wallet’s master contract with their own backdoor contract, giving them full control.
Once in control, the hackers executed commands to sweep all available ETH, mETH, stETH, and cmETH tokens from the wallet. Interestingly, the backdoor contract was built to do just two things—transfer ETH and ERC-20 tokens to an address of their choosing. This allowed them to quickly drain the funds before Bybit could react.
Security Red Flags Ignored
Leung further pointed out several red flags that should have halted the transaction. First of all, the transfer was directed to an unlisted contract that wasn’t ERC-20 compliant, involved zero tokens, and used a delegate call, which modifies contract logic. These loopholes should have triggered a compliance check, yet the transaction was still approved. The fact that these security measures failed suggests the attackers had inside knowledge of Bybit’s operations.
Could This Have Been Prevented?
David emphasized that stronger pre- and post-signing security checks could have prevented the attack. If independent security layers had reviewed the transaction, they could have identified the suspicious elements before approval. The hack highlights the growing sophistication of crypto attacks and the urgent need for better security protocols in the industry.
Never Miss a Beat in the Crypto World!
Stay ahead with breaking news, expert analysis, and real-time updates on the latest trends in Bitcoin, altcoins, DeFi, NFTs, and more.
