Bybit Incident Technical Analysis
ID: 806dc6d1-7f54-5412-96e9-a8b052fe1537
STIX ID: report--806dc6d1-7f54-5412-96e9-a8b052fe1537
Feed Name: CertiK Blog
On 2025-02-21, attackers drained Bybit's cold multisig Ethereum wallet (~$1.46B) by compromising a Safe{Wallet} developer environment and presenting a masked transaction to the wallet's three signers. The signed transaction performed a delegatecall that overwrote the GnosisSafe implementation (masterCopy) with a malicious contract exposing sweepETH/sweepERC20 functions. The report documents the exploit transactions and addresses, links the incident to similar prior attacks (Radiant Capital), outlines likely vectors (device compromise, phishing, blind signing), provides mitigation recommendations (hardened endpoints, dedicated signing devices, transaction verification and simulation), and notes Arkham's attribution of the attack to the DPRK Lazarus Group.
