
How Could the Bybit Hack Have Been Prevented?

Date:
Mar 20, 2025

On February 21, 2025, Bybit, one of the world's leading crypto exchanges, faced the unthinkable: a devastating hack resulting in the loss of more than $1.4 billion worth of Ethereum. The event stunned the crypto community and raised urgent questions about the industry's security practices.

How the Hack Unfolded

The disaster began with what should have been a routine transaction - Bybit planned to transfer 40,000 ETH from cold storage, typically one of the safest asset storage methods, into a hot wallet for liquidity purposes.

Root Cause

Two days before the hack, attackers injected malicious JavaScript into the AWS-hosted resources that serve the Safe{Wallet} web interface.

The script altered the transaction details displayed to Bybit's signers, so they approved a transaction whose real parameters differed from what the interface showed them.

Minutes after the theft executed, the attackers replaced the malicious code with a clean version, removing the evidence from the served files and delaying detection.

How It Happened

The signers approved what the interface presented as the planned transfer, but the transaction they actually signed carried a hidden instruction: a delegatecall to an attacker-controlled contract. Because a delegatecall runs the target's code in the Safe's own storage context, it let the attackers rewrite the wallet's logic and take full control of it.

The transfer was therefore hijacked through the compromised wallet interface Bybit's signers relied on, not through a flaw in the Safe contract itself. Instead of 40,000 ETH, around 401,000 ETH were diverted to an attacker-controlled address, making this one of the largest heists in crypto history.

Could Extractor Have Prevented This Hack?

Hindsight often reveals clear paths to prevention. In Bybit's case, real-time transaction monitoring and advanced anomaly detection tools, such as Extractor, could have made the difference. Extractor’s on-chain analytics and monitoring technology could have immediately flagged the abnormal increase in transferred funds and suspicious destination wallets.

The most interesting part is the role the Safe Multisig Monitor, developed by Extractor, would have played.

This monitor continuously tracks and validates multisig transactions and flags discrepancies between transaction hashes, signatures and Safe transaction types. When run against the Bybit transaction in a simulation, it detected a critical mismatch between the expected transaction hash and the submitted one and raised an immediate alert.

In a nutshell, the Safe Multisig Monitor triggers in cases such as:

  • the list of signers for a Safe multisig contract is retrieved
  • a new confirmation signature has been submitted for a Safe transaction
  • a Safe multisig transaction has been fully confirmed and executed
  • the computed Safe transaction hash does not match the expected hash
  • the submitted signature does not match the expected signer

Bybit Hack and Safe Multisig Monitor Simulation

The backtest was run against the Safe transaction with nonce 71 (the exploited transaction). All submitted signatures are valid and were produced over the same Safe transaction hash.

When the Safe transaction hash is recomputed from the submitted inputs, the hash returned by the API does not match the expected one generated in code (the Safe Multisig detector reimplements the hashing logic of OpenZeppelin's safe-utils script, safe_hashes.sh).

As a result, Extractor's Safe Multisig Monitor triggered a critical alert. In addition, the transaction uses the delegatecall operation (operation = 1), which raised a high-severity alert on the submitted signatures and transaction.

Even this single monitor, paired with a verification step before signing, would have created a protective barrier that could have significantly reduced or prevented the loss.

Lessons Learned

The Bybit incident is a sobering reminder that even industry leaders aren't immune to cyber threats. As crypto continues its rapid expansion, exchanges must adopt smarter, proactive security practices - leveraging powerful monitoring platforms like Extractor - to protect themselves and maintain trust with users.

For a complete list of available Monitors and Detectors, including how Extractor can be integrated into your security stack, visit our Documentation.

The future of crypto security isn’t just about stronger walls - it’s about smarter sentinels watching the gates.


FAQ

What is Extractor?

Extractor by Hacken is a real-time threat intelligence and response platform for stablecoins, RWA, DeFi, and exchanges to prevent crypto hacks. It unifies on- and off-chain monitoring with four-layer coverage across financial, governance, compliance, and security risks.

What types of risks can Extractor detect?

Extractor monitors both on-chain and off-chain activity across four categories: financial (reserves, TVL, peg stability), governance (multisigs, upgrades, admin key changes), compliance (AML, KYT, sanctions), and security (exploits, anomalies, suspicious addresses). This gives you a complete risk picture in real time.

Can Extractor integrate with our existing workflows?

Yes. Extractor connects easily through APIs, SDKs, and webhooks, so alerts and dashboards can flow directly into your security stack, SIEM, or compliance reporting tools. No code changes to your contracts are required.

Which networks are supported?

Extractor covers 17+ major EVM and non-EVM chains, including Ethereum, Polygon, Arbitrum, Optimism, BNB Chain, Avalanche, Base, zkSync, Stellar, ICP, VeChain, and more. Support for new networks is continuously added, guided by client demand.

What happens when an exploit or anomaly is detected?

Extractor goes beyond alerts. It can trigger pre-approved smart actions and a smart contract firewall to pause contracts, blacklist addresses, freeze suspicious flows, or enforce withdrawal limits automatically. This minimizes losses and creates immutable incident logs for post-mortems.

Who benefits most from Extractor?

The platform is purpose-built for stablecoin issuers, tokenization platforms, DeFi protocols, and crypto exchanges. Its main value is providing real-time monitoring and automated incident response for these high-risk use cases, while also generating regulator-ready dashboards and evidence that external stakeholders require.
