Bybit

FORENSIC REPORT

TIME OF DEATH: February 21, 2025, approximately 0200 UTC. The victim, Bybit exchange, pronounced dead on arrival after catastrophic fund drainage originating from a compromised Safe multisig wallet on Ethereum mainnet. The specimen exhibited all classic signs of phishing exploitation—the kind where no zero-day vulnerability exists, only the oldest vector known to digital security: human gullibility wearing a tailored suit.

CAUSE OF DEATH ANALYSIS: The Safe multisig wallet, theoretically one of the industry's more robust custody solutions, was rendered worthless through credential compromise. The pathology here is straightforward and depressing: someone with signing authority accessed a malicious interface, authenticated with legitimate credentials, and authorized transactions they believed legitimate. The Safe contracts themselves show no signs of forced entry—the locks were opened with keys borrowed through social engineering. The $1.4 billion hemorrhage occurred across a single coordinated drain, suggesting the attacker obtained multiple signing credentials or convinced multiple signatories, each believing the other had validated the transaction.

CONTRIBUTING FACTORS: The Safe multisig is only as secure as its weakest human link, and this specimen had several. No air-gapped signing environment. No out-of-band verification protocols. No hardware wallet enforcement for multisig participants. The exchange's operational security posture suggests a false sense of immunity—the belief that institutional custody solutions eliminate risk. They don't. They simply shift risk from code to people, and people remain the most exploitable variable in any system.

VICTIM IMPACT: $1.4 billion in liquid losses. The specimen's users face frozen accounts, delayed withdrawals, and the existential dread of knowing their exchange trusted security theater over security rigor. Bybit's market position sustained critical injuries. Contagion effects ripple through the ecosystem as users question which other major exchanges are one phishing email away from complete liquidation.

PATHOLOGIST'S NOTE: In twenty years of examining digital autopsies, I've observed that the most sophisticated security failures are invariably the simplest. Safe multisig didn't fail because of a clever exploit—it failed because someone, somewhere, clicked something they shouldn't have. The irony is almost beautiful: an exchange built on trustlessness, murdered by the oldest, dumbest form of trust. The specimen is dead. The cause of death is human. As it always is.