Two days ago, attackers broke into an offline Ethereum wallet and stole $1.5 billion from the Bybit exchange. This incident marks a significant shift in criminal activity within the crypto world: attackers are increasingly exploiting human vulnerabilities through social engineering and UI manipulation instead of relying solely on code vulnerabilities.
A new report from Check Point Research shows that the Bybit attack is not an isolated event but part of a growing pattern of crypto-focused strikes. As early as July 2024, Check Point’s Threat Intelligence systems detected a pattern of abuse involving the Safe protocol’s execTransaction function, which was being leveraged to carry out increasingly sophisticated attacks. The breach at Bybit confirms that this technique is evolving into a serious threat across the industry, and the earlier detections underline its rising adoption in targeted attacks against cryptocurrency institutions.
“The attack on Bybit is not surprising — in July last year we exposed the exact manipulation technique the attackers used in this record-breaking heist,” says Oded Vanunu, Head of Products Vulnerability Research at Check Point Research. “What is most alarming is that even hardware wallets — once considered the safest option — are now vulnerable. This attack shows that the only way to prevent cybercriminals from carrying out similarly impactful attacks in the future is to proactively secure and validate every step of a transaction.”
Check Point’s analysis highlights how attackers combine social engineering, user-interface tricks, and protocol-level function abuse to bypass traditional defenses. Rather than exploiting software bugs or network vulnerabilities alone, adversaries manipulate transaction flows and user approvals to make malicious operations appear legitimate. This trend raises the stakes for exchanges, custodians, and wallet providers, who must now harden both technical controls and the user experience to prevent deceptive prompts and unauthorized approvals.
The implications extend beyond a single platform. As attackers refine techniques like execTransaction manipulation and UI-based deception, any institution that relies on multisignature workflows, hardware wallets, or third-party transaction tooling could be at risk. Security teams should prioritize end-to-end transaction integrity: validate inputs at each stage, enforce strict signing policies, implement transaction pre-checks, and reduce reliance on user-facing approvals that can be spoofed or coerced.
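The transaction pre-check recommended above, as an added example that is not code from Check Point's report or from the Safe project: it decodes the arguments of a Safe execTransaction call before signing and applies a signing policy. The allowlist, value limit, rule against non-CALL operations and the sample calldata builder are assumptions made for illustration.

```python
# Added example: pre-sign policy check for Safe execTransaction calldata.
# Policy rules and sample values are assumptions, not Check Point's or Safe's code.
EXEC_TX_SELECTOR = bytes.fromhex("6a761202")  # execTransaction(address,uint256,bytes,uint8,...)
CALL, DELEGATECALL = 0, 1                     # Safe Enum.Operation values

def _u(n: int) -> bytes:
    return n.to_bytes(32, "big")

def decode_exec_transaction(calldata: bytes) -> dict:
    """Decode to/value/data/operation from ABI-encoded execTransaction calldata."""
    if calldata[:4] != EXEC_TX_SELECTOR:
        raise ValueError("not an execTransaction call")
    args = calldata[4:]
    if len(args) < 32 * 10:                        # ten 32-byte head slots
        raise ValueError("truncated argument head")
    slot = lambda i: args[32 * i:32 * (i + 1)]
    off = int.from_bytes(slot(2), "big")           # offset of the dynamic `data` field
    size = int.from_bytes(args[off:off + 32], "big")
    data = args[off + 32:off + 32 + size]
    if off + 32 > len(args) or len(data) != size:
        raise ValueError("truncated data field")
    return {"to": "0x" + slot(0)[12:].hex(),
            "value": int.from_bytes(slot(1), "big"),
            "data": data,
            "operation": int.from_bytes(slot(3), "big")}

def precheck(calldata: bytes, allowed_targets: set, max_value_wei: int) -> list:
    """Return policy findings; an empty list means the request may go to signers.
    allowed_targets holds lower-case 0x-prefixed addresses (hypothetical policy)."""
    tx = decode_exec_transaction(calldata)
    findings = []
    if tx["operation"] != CALL:
        findings.append("operation is not a plain CALL")
    if tx["to"] not in allowed_targets:
        findings.append("destination not on allowlist")
    if tx["value"] > max_value_wei:
        findings.append("value exceeds limit")
    return findings

def build_sample(to_hex: str, value: int, data: bytes, operation: int) -> bytes:
    """Constructed sample calldata: gas fields zero, empty signatures."""
    padded = data + b"\x00" * (-len(data) % 32)
    data_off = 32 * 10
    sig_off = data_off + 32 + len(padded)
    head = (bytes(12) + bytes.fromhex(to_hex[2:]) + _u(value) + _u(data_off)
            + _u(operation) + _u(0) * 5 + _u(sig_off))
    return EXEC_TX_SELECTOR + head + _u(len(data)) + padded + _u(0)
```

Running the check on the raw calldata, independently of the interface that displays the request to signers, means a misleading prompt does not change what the policy evaluates.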
Defensive measures recommended by researchers include enhancing wallet firmware to verify transaction details on secure screens, introducing stronger transaction binding to intended actions, improving phishing-resistant authentication, and deploying monitoring systems that detect anomalous signing patterns. In addition, organizations should run regular threat modeling exercises and red-team simulations that include social engineering and UI manipulation scenarios to expose weaknesses before attackers do.
While technical patches and protocol updates will be necessary, addressing the human element remains crucial. Educating staff and users about social engineering tactics, creating clear signing procedures, and limiting the exposure of critical approval workflows can reduce opportunities for exploitation. Industry-wide collaboration on standards for multisig protection and transaction verification can also help raise the baseline security for all participants.
Read more in Check Point’s blog: https://blog.checkpoint.com/security/what-the-bybit-hack-means-for-crypto-security-and-the-future-of-multisig-protection/