Not if the industry learns from the tactics and tips offered here for a start…
In one of the largest thefts in digital asset history, hackers gained access on 22 Feb 2025 to an offline Ethereum wallet and stole US$1.5bn worth of digital assets, primarily consisting of Ethereum tokens.
The Bybit crypto exchange heist marks a new phase in attack methods, featuring advanced techniques for manipulating user interfaces. Rather than targeting protocol flaws alone, the attackers used clever social engineering to trick users, compromising a major institutional multi-signature setup.
According to researchers from Check Point Research (CPR), the incident represents a significant evolution of these attack patterns, introducing sophisticated UI manipulation techniques not previously seen. Instead of merely exploiting protocol mechanics, the attackers employed advanced social engineering through manipulated interfaces to compromise significant institutional defenses.
Another wakeup call to the industry
Even before this attack, cybercriminals had exploited legitimate blockchain protocols, specifically the execTransaction function of the Safe Protocol's contracts and framework, coaxing unsuspecting victims into signing off on fraudulent transactions. The following is an example:
When execTransaction is triggered on a proxy contract, it forwards this call to the master copy, also known as the singleton. This is achieved using the delegatecall operation in the Solidity smart contract programming language, enabling the execution of the master copy’s code within the proxy’s storage context. Then:
- The execTransaction function, as defined in the singleton contract, ensures that transactions are only executed after receiving the requisite approvals from the designated number of owners, verified through their signatures. It also efficiently manages gas payments, ensuring that all transaction costs are adequately covered and refunds are issued where necessary. Furthermore, this function is enhanced by integration with guard contracts, which perform additional security checks. This setup creates a secure and efficient framework for handling multi-signature transactions.
- The process involves a call to the Gnosis Safe executor contract. This contract is specifically designed to facilitate transaction execution on behalf of the Safe. Within this contract, the execute function is triggered, which in turn calls the Safe MultiSend contract.
- The Safe MultiSend contract is a crucial component of the Gnosis Safe framework. It enables the bundling of multiple transactions into a single operation, much like the aggregate function in Uniswap. This capability is highly beneficial for enhancing efficiency and minimizing gas costs when several actions need to be executed concurrently. Analyzing the data directed to the MultiSend function reveals that it processes three transferFrom requests involving the token “Umbrella” from the victim, allowing the attacker to drain the tokens from the victim’s wallet.
This hack sets a new precedent in crypto security by bypassing a multisig cold wallet without exploiting any smart contract vulnerability. Instead, it exploited human trust and UI deception. Conclusions:
▶ Multisigs are no longer a security guarantee if signers can be compromised
▶ Cold wallets are not automatically safe if an attacker can manipulate what a signer sees
▶ Supply chain and UI manipulation attacks are becoming more sophisticated
▶ Even with airtight technical defenses, human error remains the biggest vulnerability. This attack highlights how tactics such as UI manipulation and social engineering can compromise even the most secure wallets
Recommendations for businesses
According to CPR’s Head of Products Vulnerability Research, Oded Vanunu, crypto security must evolve beyond just cryptographic trust: it must account for human vulnerabilities, advanced malware threats, and UI manipulation attacks.
The industry needs to rethink how transactions are verified and how multi-layered, independent verification processes can prevent such catastrophic breaches in the future. Three CPR recommendations for tightening vigilance against crypto attacks are:

- Comprehensive security measures: Firms holding significant crypto assets need to integrate traditional security products, such as endpoint threat prevention and email security, to prevent malware from infecting sensitive machines and spreading throughout the organization. This is crucial to safeguard against sophisticated attacks that exploit human vulnerabilities and user interface manipulation.
- Real-time prevention: The industry needs a paradigm shift from incremental security improvements to real-time prevention. Just as corporate networks and clouds use firewalls to inspect every packet, Web3 requires real-time inspection of every transaction to ensure security. This approach can prevent malicious activities before they cause damage.
- Implement Zero Trust security: Every signer’s device should be treated as potentially compromised. Use dedicated, air-gapped signing devices for multisig approvals. Require signers to cross-verify transaction details via a second independent channel.
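The MultiSend analysis described above and the cross-verification recommendation both come down to the same practical step: decoding what a signer is actually being asked to approve, independently of the wallet UI. The script below is an added example, not code from the article, CPR, or the Safe project. It parses MultiSend's packed inner-call layout (1-byte operation, 20-byte target, 32-byte value, 32-byte data length, then the data) and flags delegatecall operations and ERC-20 transferFrom calls that move tokens out of the Safe. The Safe, token and recipient addresses, and the three sample amounts, are constructed placeholders.

```python
from collections import namedtuple

# Well-known 4-byte ERC-20 selectors (first 4 bytes of keccak256 of the signature).
SELECTORS = {"23b872dd": "transferFrom", "a9059cbb": "transfer", "095ea7b3": "approve"}
# One inner call: operation (0 = CALL, 1 = DELEGATECALL), 0x target, wei value, calldata.
InnerCall = namedtuple("InnerCall", "operation to value data")

def abi_word(x) -> bytes:
    """Right-align an int or a 0x-address into one 32-byte ABI word."""
    return x.to_bytes(32, "big") if isinstance(x, int) else bytes.fromhex(x[2:]).rjust(32, b"\0")

def encode_call(op: int, to: str, value: int, data: bytes) -> bytes:
    """Pack one call in MultiSend's layout (used here only to build the sample)."""
    return bytes([op]) + bytes.fromhex(to[2:]) + abi_word(value) + abi_word(len(data)) + data

def decode_multisend(packed: bytes) -> list:
    """Walk the packed bytes: 1-byte op, 20-byte to, 32-byte value, 32-byte data
    length, then the data itself, so an 85-byte header precedes each call's data."""
    calls, i = [], 0
    while i < len(packed):
        if i + 85 > len(packed):
            raise ValueError("truncated MultiSend header")
        op, to = packed[i], "0x" + packed[i + 1:i + 21].hex()
        value = int.from_bytes(packed[i + 21:i + 53], "big")
        length = int.from_bytes(packed[i + 53:i + 85], "big")
        data = packed[i + 85:i + 85 + length]
        if len(data) != length:
            raise ValueError("truncated MultiSend data")
        calls.append(InnerCall(op, to, value, data))
        i += 85 + length
    return calls

def review(calls: list, safe: str) -> list:
    """Findings a signer should read before approving; an empty list means nothing flagged."""
    findings = []
    for n, c in enumerate(calls):
        if c.operation == 1:
            findings.append(f"call {n}: DELEGATECALL to {c.to} runs foreign code in the Safe's storage")
        if SELECTORS.get(c.data[:4].hex()) == "transferFrom" and len(c.data) >= 100:
            sender = "0x" + c.data[16:36].hex()             # arg 0: from (low 20 bytes of the word)
            amount = int.from_bytes(c.data[68:100], "big")  # arg 2: amount
            if sender.lower() == safe.lower():
                findings.append(f"call {n}: transferFrom moves {amount} of token {c.to} out of the Safe")
    return findings

# Constructed sample with placeholder addresses: three transferFrom calls draining one token.
SAFE, TOKEN, RECIPIENT = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
SAMPLE = b"".join(encode_call(0, TOKEN, 0, bytes.fromhex("23b872dd") + abi_word(SAFE)
                              + abi_word(RECIPIENT) + abi_word(amt)) for amt in (100, 250, 650))
```

Running `review(decode_multisend(SAMPLE), SAFE)` on the sample lists the three outbound transferFrom calls, which is exactly the information a UI-deception attack tries to hide from the signer.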
The most alarming takeaway is that even cold wallets — once considered the safest option — are now vulnerable. This attack proves that a prevention-first approach, securing every step of a transaction, is the only way to stop cybercriminals from carrying out similar high-impact attacks in the future, according to CPR’s Vanunu.