The $1.5B Bybit Hack: Why Your Crypto Isn't Safe on Exchanges

Authors

D'CENT Wallet Team

Hardware wallet security experts. Building secure crypto storage since 2018.

Security Guide, part 02 of a 4-part series

Latest Updates

  • March 2025: Bybit CEO Ben Zhou confirms over 86% of stolen ETH has been converted to BTC through decentralized exchanges and mixers. On-chain tracking by Chainalysis and law enforcement continues, but the vast majority remains unrecovered.
  • February 2025: Bybit confirmed full restoration of 1:1 client asset backing through emergency loans and OTC purchases. Withdrawals remain open.
  • February 21, 2025: Bybit loses approximately $1.5B in ETH — the largest exchange hack in history — through a supply chain attack on Safe{Wallet}'s front-end JavaScript.

Key Answer: The Bybit hack of February 2025, the largest crypto exchange theft in history at roughly $1.5 billion, was caused by a supply chain attack on the Safe{Wallet} web front-end that led to blind signing: Bybit's signers approved a transaction whose real content differed from what the interface showed them, and that transaction handed full control of the wallet to the attackers. The practical lesson for individual holders is that self-custody with a hardware wallet that supports clear signing (WYSIWYS) lets you approve exactly what you intend, provided you actually read the recipient, amount and network on the device screen. A hardware wallet does not protect you from approval-based phishing if you confirm a malicious transaction yourself, and it can only show a hash for a message it cannot decode, so verifying every detail on the device remains essential.


Key Takeaways

  • Bybit lost approximately $1.5B in February 2025 — the largest exchange hack in history — through a supply chain attack on Safe{Wallet}'s front-end.
  • The root cause was blind signing: the signers had no trusted display on which to confirm that the data they were signing matched the transaction the interface described.
  • Regulatory clarity or institutional-grade cold storage setups cannot protect exchange customers from platform-level breaches.
  • Self-custody means the exchange's security failures don't put your assets at risk — because your keys never touch their infrastructure.
  • Clear signing (WYSIWYS) — seeing the exact recipient address, amount, and network on your device screen before signing — is the most direct lesson from this attack.

How Did This Happen? The Story Behind the $1.5B Loss

[Image: supply chain attack visualization, a clean web interface with hidden malicious code rerouting transaction data underneath]

On February 21, 2025, Bybit detected an unauthorized transfer draining approximately 401,000 ETH — worth around $1.5 billion — from one of its Ethereum cold storage wallets.

Bybit's cold storage was a Safe (formerly Gnosis Safe) multi-signature wallet, which requires a threshold of authorized signers to approve each transaction. In theory this is a robust setup. In practice, the multisig itself was never broken: the attack collected the required legitimate signatures on a malicious transaction that the signers believed was routine.

According to Bybit's official incident report and the subsequent analysis by SlowMist, the attack followed this sequence:

  • Attackers compromised a Safe{Wallet} developer's machine and, with the AWS credentials reachable from it, modified the S3 bucket that served the Safe front-end JavaScript.
  • Malicious JavaScript was injected into the Safe web interface that Bybit's signers used to review and approve transactions. The code activated only for Bybit's wallet address, so other Safe users never saw anything unusual.
  • The UI looked completely normal: signers saw what appeared to be a routine transfer of funds to a legitimate address.
  • In the background, the tampered code swapped the transaction actually presented for signing. The destination pointed at an attacker-controlled contract and the operation type was set to delegatecall rather than a normal call, so the transaction ran the attacker's code inside the Safe's own storage and replaced the wallet's implementation with one the attackers controlled.
  • Bybit's signers approved the transaction, not knowing they were signing something entirely different from what they saw on their screens.
  • With the signatures collected and the transaction executed, the attackers used their new control of the wallet to drain it.

Multiple security firms, including Chainalysis and Mandiant, attributed the attack to Lazarus Group, a North Korea-linked threat actor with a history of targeting cryptocurrency infrastructure.

The result: a single approved transaction handed the attackers control of the wallet, and roughly $1.5 billion in ETH was drained from it shortly afterward.


Why Does the Bybit Hack Matter for Regular Crypto Holders?

[Image: fragile dependency pyramid, user assets at the top supported by the exchange platform, third-party services and supply chain layers below]

You might be thinking: "This happened to a billion-dollar exchange, not a retail investor. What does this have to do with me?"

More than you might expect.

The structural problem here isn't unique to Bybit. Any time your assets live on an exchange, you are entirely dependent on:

  • The exchange's internal security infrastructure
  • Every third-party service the exchange integrates with (in this case, a wallet interface)
  • Every developer in the supply chain who touches that infrastructure

When you hold crypto on an exchange, you don't hold crypto. You hold a claim against the exchange's ledger. If their systems are compromised — whether through a supply chain attack, an insider threat, a software vulnerability, or a regulatory freeze — your access to that claim is at risk.

The 2022 FTX collapse left an $8 billion shortfall in customer funds — though later bankruptcy proceedings recovered assets, holders couldn't access their funds for over two years. The Bybit hack of 2025 extracted $1.5 billion through compromised software. Different mechanisms, same structural exposure.

Self-custody with a cold wallet doesn't mean these threats disappear. It means the exchange's attack surface is no longer your attack surface — your keys never touch their infrastructure. For context on how regulatory clarity affects this risk picture, see our SEC 2026 Digital Commodity Rules guide.


Ready to protect your crypto from exchange risk?

D'CENT Biometric Wallet — WYSIWYS clear signing · EAL5+ Secure Element · Air-Gapped architecture · 100+ blockchains.

See D'CENT Biometric Wallet →

The Root Cause: What Is Blind Signing and Why Is It Dangerous?

[Image: side-by-side comparison, blind signing showing an unreadable hash on a dark screen vs clear signing showing full verified transaction details on the device]

The Bybit hack was made possible because the signers couldn't verify what they were actually signing.

Blind signing occurs when a user approves a transaction by seeing only an abstract hash — a long string of characters like 0x3a7f…d9c2 — rather than the full, human-readable transaction details. You're essentially signing something you cannot read.

This is a widely recognized problem in Web3. When a wallet or signing interface shows you a hash and asks for approval, you have no reliable way to confirm:

  • What address the funds are going to
  • What smart contract function is being called
  • What permissions you are granting

In Bybit's case, the interface was visually spoofed: signers saw a legitimate-looking destination address, but the transaction data actually presented for signing had been replaced. Even careful signers could not have caught it from the web interface alone, because the only verification the interface offered happened in the software layer that had itself been compromised.

Clear signing (also called WYSIWYS, What You See Is What You Sign) moves verification out of that software layer. A device with clear signing decodes the actual transaction data and shows the recipient address, exact amount and network on its own independent, tamper-resistant screen. What you see on the device is what gets signed, regardless of what any connected software shows. The caveat is that a device can only display what it knows how to decode: for a message type it cannot parse (a multisig wallet's nested transaction structure, for example) it falls back to showing a hash, and approving that hash is blind signing again. Check that your wallet decodes the transaction types you actually use.

This is why the attack vector matters for individual holders: the lesson isn't "use a hardware wallet." The lesson is "use a hardware wallet that shows you exactly what you're signing, on a screen that can't be tampered with by malicious software."


What Can Individual Holders Do to Protect Their Crypto?

[Image: D'CENT Biometric Wallet displaying clear transaction verification with recipient address, amount and network on its tamper-resistant screen]

The Bybit hack involved a sophisticated institutional target. But the underlying attack mechanism — manipulating what a signer sees versus what they actually authorize — is the same technique used in approval-based phishing attacks that target individual holders every day.

Here's what self-custody with clear signing looks like in practice:

1. Move assets off exchanges to a cold wallet

Exchange exposure means exchange risk. Every day your assets sit on a platform, you are trusting its entire software stack. A cold wallet (hardware wallet) stores your private keys on a physically isolated device that never connects directly to the internet, giving you direct control with no exchange intermediary. Unlike software wallets or exchange accounts, a cold wallet's private keys cannot be extracted remotely even if your computer is compromised. What a compromised computer can still do is ask the device to sign something, which is exactly why the device screen matters.

2. Choose a wallet with verified clear signing

Look for a wallet that displays the complete transaction on the device itself — not just a hash. Confirm the recipient address character by character, verify the network, check the exact amount before pressing approve.

D'CENT Biometric Wallet uses Trusted Clear Signing (WYSIWYS): the transaction data travels directly from the secure element to the device screen, bypassing any connected software. What appears on the device display is the literal data being signed — not a representation of it.

3. Never approve transactions based solely on what your phone or browser shows

Connected software can be compromised. Your device screen is the only verification layer that matters. If your hardware wallet's screen shows something different from your browser or mobile app, stop immediately.

4. Test with small amounts first

Before moving significant holdings, send a small test transaction and verify it arrived correctly before transferring larger amounts.

5. Keep your recovery phrase offline, always

This is unrelated to the Bybit hack mechanism, but it is a foundational security principle: your recovery phrase (seed phrase; 12 or 24 words depending on the wallet), written on paper and stored securely offline, cannot be stolen through software attacks.


What Mistakes Should You Avoid After a Major Hack?

High-profile hacks generate a lot of noise. Here are the common reactions that can create new risks:

1. Rushing to move funds without verifying your hardware wallet setup
Panic-buying a hardware wallet and immediately transferring everything without testing your recovery phrase first is a new way to lose access to your funds. Always verify recovery before transferring.

2. Buying a hardware wallet from unofficial channels
Compromised or pre-configured hardware wallets have been documented in the wild. Always purchase directly from the manufacturer or an authorized reseller.

3. Assuming "institutional-grade" means "safe for you"
Bybit used a multi-sig cold storage setup. That setup was bypassed through a software intermediary. "Institutional" describes the scale, not the invulnerability.

4. Storing your recovery phrase digitally
Screenshots, cloud notes, password managers — any digital copy of your recovery phrase is a single point of failure that can be compromised remotely. Paper, stored offline.

5. Thinking one hardware wallet protects you from all risks
Hardware wallets reduce private key theft risk significantly. They do not protect you from approval-based phishing if you sign a malicious transaction, from network selection errors, or from losing your recovery phrase. The final security layer is always your own verification.


Security Checklist: What Should You Do After the Bybit Hack?

8-Step Security Checklist

  • 1. Assess how much of your holdings are currently on exchanges, and consider whether that exposure is intentional
  • 2. If you own a hardware wallet, verify your recovery phrase works on a blank device before trusting it with significant funds
  • 3. Enable clear signing / WYSIWYS verification on your hardware wallet
  • 4. Make it a habit to verify the recipient address on your device screen, not just your browser
  • 5. Store your recovery phrase offline on paper, not in a photo, cloud note, or password manager
  • 6. Check firmware updates for your hardware wallet and apply them
  • 7. Review active token approvals and revoke any you don't recognize (Revoke.cash can help)
  • 8. If you use multi-sig setups, audit every software interface in your signing flow
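
Checklist item 7 is worth understanding beyond the tool that does it for you. The block below is an added example, not code from this page or from Revoke.cash: it reads ERC-20 Approval event logs in the shape returned by an Ethereum node's eth_getLogs, keeps the most recent approval per (token, spender) pair for one owner, and flags allowances that are unlimited or granted to a spender you never allowlisted, which is the pattern approval-based phishing leaves behind. The log records, token and spender addresses are constructed for the example. One caveat a practitioner needs: most tokens reduce the allowance on transferFrom without emitting a new Approval event, so the value from the log is an upper bound; use the scan to find which (token, spender) pairs to query, then confirm each with the token's allowance(owner, spender) view function before deciding what to revoke.

```python
"""Triage ERC-20 allowances from Approval event logs (added example)."""

# keccak256("Approval(address,address,uint256)"): topics[0] of every ERC-20 Approval event
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UINT256_MAX = 2**256 - 1

def _topic_address(topic: str) -> str:
    """Indexed address topics carry the 20-byte address left-padded to 32 bytes."""
    return "0x" + topic[-40:].lower()

def latest_allowances(logs, owner):
    """Map (token, spender) -> allowance set by the most recent Approval emitted for `owner`."""
    owner = owner.lower()
    ordered = sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16)))
    allowances = {}
    for log in ordered:
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval (an ERC-721 Approval has four topics)
        if _topic_address(topics[1]) != owner:
            continue
        key = (log["address"].lower(), _topic_address(topics[2]))
        allowances[key] = int(log["data"], 16)  # later approvals overwrite earlier ones
    return allowances

def flag_risky(allowances, trusted_spenders):
    """Return non-zero allowances that are unlimited or granted to an unknown spender."""
    trusted = {s.lower() for s in trusted_spenders}
    findings = []
    for (token, spender), amount in allowances.items():
        if amount == 0:
            continue  # revoked
        reasons = []
        if amount >= 2**255:
            reasons.append("unlimited allowance")  # anything this large is effectively unlimited
        if spender not in trusted:
            reasons.append("spender not on your allowlist")
        if reasons:
            findings.append({"token": token, "spender": spender, "allowance": amount, "reasons": reasons})
    return findings

# Constructed sample data: none of these addresses are real deployments.
ME, OTHER_OWNER = "0x" + "aa" * 20, "0x" + "ee" * 20
TOKEN_A, TOKEN_B = "0x" + "b1" * 20, "0x" + "b2" * 20
DEX_ROUTER, PHISH = "0x" + "c2" * 20, "0x" + "d3" * 20

def _pad(addr):
    return "0x" + addr[2:].lower().rjust(64, "0")

def _log(block, idx, token, owner, spender, value):
    """Build one eth_getLogs-style record for an Approval event."""
    return {"address": token, "blockNumber": hex(block), "logIndex": hex(idx),
            "topics": [APPROVAL_TOPIC, _pad(owner), _pad(spender)],
            "data": "0x" + format(value, "064x")}

SAMPLE_LOGS = [
    _log(100, 0, TOKEN_A, ME, DEX_ROUTER, UINT256_MAX),    # unlimited approval to a known DEX
    _log(130, 2, TOKEN_B, ME, PHISH, 0),                    # revocation (listed out of order on purpose)
    _log(110, 5, TOKEN_B, ME, PHISH, 500 * 10**6),          # earlier limited approval, later revoked
    _log(120, 3, TOKEN_A, ME, PHISH, UINT256_MAX),          # approval-phishing style: unlimited, unknown
    _log(121, 1, TOKEN_A, OTHER_OWNER, PHISH, UINT256_MAX), # someone else's approval, ignored
]

def audit(logs=SAMPLE_LOGS, owner=ME, trusted=(DEX_ROUTER,)):
    return flag_risky(latest_allowances(logs, owner), trusted)

if __name__ == "__main__":
    for f in audit():
        print(f"token {f['token'][:10]}.. spender {f['spender'][:10]}.. -> {', '.join(f['reasons'])}")
```

Sorting by (blockNumber, logIndex) before folding is what makes the revocation in block 130 override the approval in block 110 even though the node returned them out of order. Two findings come out of the sample: the unlimited allowance to the DEX router (worth reviewing even if the spender is trusted) and the unlimited allowance to the unknown spender, which is the one to revoke immediately.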

FAQ

What exactly caused the Bybit hack?
Attackers compromised the Safe{Wallet} front-end by injecting malicious JavaScript into the web interface Bybit's signers used to review transactions. Signers saw a normal-looking UI, but the underlying transaction had been replaced with one that transferred control of the wallet to the attackers. The root cause was blind signing — the signers couldn't independently verify what they were actually authorizing.

Could a hardware wallet have prevented the Bybit hack?
The Bybit attack targeted an institutional multi-signature setup, not an individual hardware wallet. The relevant lesson for individual holders is the underlying mechanism: signing something you can't fully verify. A hardware wallet with clear signing (WYSIWYS) — where the device shows the full, unmodified transaction data on its own screen — significantly reduces the risk of approving manipulated transactions. No single tool eliminates all risk.

What is blind signing in crypto?
Blind signing is when you approve a transaction by confirming a cryptographic hash (abstract character string) without being able to read the full transaction details — recipient address, amount, network, and any smart contract functions being executed. Many web3 interactions require blind signing by default, which is why transaction verification on a trusted, independent device screen matters.

Is my crypto safer on an exchange after regulatory clarity like the SEC rules?
No. Regulatory clarity reduces legal uncertainty for exchanges, but it does not protect your funds from exchange hacks, insolvency, withdrawal freezes, or operational failures. The Bybit hack happened in 2025 under existing regulatory frameworks. Self-custody is the only way to eliminate exchange counterparty risk.

What is WYSIWYS?
WYSIWYS stands for "What You See Is What You Sign." It describes hardware wallets that display the complete, unmodified transaction data — recipient address, exact amount, network — directly on the device screen before you approve. This makes it significantly harder for compromised software to trick you into signing something different from what you intend.

How do I verify a transaction properly with a hardware wallet?
Before pressing approve on your hardware wallet: (1) Check the recipient address on the device screen. Compare the whole address, or at least well beyond the first and last few characters: address-poisoning attacks deliberately generate look-alike addresses that match your intended destination at both ends, so a quick glance at "0x3a7f…d9c2" is not enough. (2) Confirm the network; sending to the wrong network is usually irreversible. (3) Verify the exact amount. (4) If the device shows anything unexpected or different from your browser or app, stop and investigate before proceeding.

Who was behind the Bybit hack?
Multiple security firms including Chainalysis and Mandiant attributed the attack to Lazarus Group, a threat actor linked to North Korea with an extensive track record of targeting cryptocurrency exchanges and DeFi protocols.

Does moving to self-custody mean I need to manage my own security completely?
Self-custody means you control the keys, not a third party. That comes with direct responsibility for your recovery phrase (written on paper, stored offline) and your signing behavior. It also means that exchange-level security failures no longer put your assets at risk. The trade-off is real — but for anyone holding a meaningful amount of crypto long-term, most security professionals consider self-custody the more prudent approach.

What is a DeFi exploit and how does it differ from an exchange hack?
A DeFi exploit targets weaknesses in smart contract code or protocol logic: attackers drain funds directly from a protocol's pools without needing anyone's credentials or signatures. An exchange hack like Bybit's targets the exchange's custody infrastructure (keys, signing interfaces, or the software supply chain behind them). Both are irreversible once the transactions confirm on-chain; the practical difference is whether a solvent counterparty exists to make users whole, as Bybit did, whereas a drained protocol usually has no one to reimburse its users. Staying current on DeFi exploit activity helps you evaluate which protocols and platforms carry elevated risk.

What should I do if a crypto exchange I use gets hacked?
Check the exchange's official announcement channels for confirmed details before acting on rumors. If withdrawals are available and you have significant holdings, move them to a self-custody cold wallet following your normal verification steps. If withdrawals are frozen, document your account balance with screenshots immediately. Going forward, keep only active trading amounts on exchanges and move long-term holdings to a cold wallet for self-custody.


The Bottom Line

The Bybit hack was the largest exchange theft in history — but the lesson it teaches is not new. Exchange custody means trusting a third party's entire security stack. Self-custody means your assets are only as vulnerable as your own behavior.

The attack succeeded because signers couldn't verify what they were actually signing. Clear signing (WYSIWYS) on an independent device screen is the most direct countermeasure that individual holders can apply today.

Hardware wallets reduce private key theft risk significantly. They don't eliminate all risk — approval-based phishing and social engineering remain threats. The final security layer is always your own verification habit: check the address, confirm the network, verify the amount on your device screen before pressing approve.


Sources & References

  1. Bybit Official Incident Announcement — Bybit's official statement on the February 2025 security incident
  2. SlowMist Security Analysis: Bybit Hack — Technical breakdown of the Safe{Wallet} supply chain attack vector
  3. Chainalysis 2025 Crypto Crime Report — Attribution and analysis of Lazarus Group activity
  4. Ethereum Foundation Security Guide — Official guidance on hardware wallet best practices

Self-Custody Starts Here

Hardware Wallet with WYSIWYS Clear Signing + Fingerprint Authentication

100+ blockchains · 4,800+ tokens · EAL5+ Secure Element · Trusted Clear Signing · 0.5s fingerprint unlock · Bluetooth + USB-C · Zero breaches since 2018

See D'CENT Biometric Wallet →


[D’CENT Wallet]
D’CENT Wallet is created by IoTrust, a company founded by security experts with over two decades of security know-how and engineering experience in developing deeply embedded security solutions based on secure-chip technology (SE and TEE). 

D’CENT Wallet caters to the diverse needs of cryptocurrency users, prioritizing security and user experience. Users can choose the Biometric Wallet, Card type Wallet, or the free-to-use Software Wallet.
Disclaimer:
This blog is for educational purposes only. Information presented here, including projects or brands mentioned, is informative and not financial, legal, or tax advice. While we strive for accuracy, we cannot be held liable for any inaccuracies. Cryptocurrencies are inherently risky. Do your own thorough research and consider consulting a financial advisor for investment decisions aligned with your goals and risk tolerance. External links may be present and we are not responsible for their content or practices. Review their terms of service and privacy policies.
