Companies are trying to take advantage of Bibit Hacks

Table of Contents

This is a segment of the 0xResearch newsletter. To read the complete edition, Subscribe.

The Bibit $1.4 billion exploit has sparked a predictable response. Each influx of security and infrastructure companies claims that technology has been able to prevent attacks.

The FBI confirmed that Huck is a work by the North Korean Lazarus group. An important detail revealed yesterday is that it is a secure developer machine at risk and not BYBit’s infrastructure, allowing attackers to inject malicious code into the transaction signing interface.

The deception caused Bibit signatories to blindly approve fraudulent transactions and discharge the largest Ethereum wallet.

Security researcher Taylor Monaghan emphasized that the attack is completely predictable given the long-standing blind signature problem of the crypto industry. As she stated, “No organization in this space takes security seriously enough to protect us from our dedicated, lasting, motivated enemies like Lazarus.”

The key findings are as follows:

Safe {Wallet} UI was compromised – Bybit’s interface showed expected transactions, but the signer unconsciously approved a completely different transaction.

Blind signatures on ledger devices were the final obstacle. Bybit’s final signer, Ben Zhou, admitted that he did not fully review the transaction in the ledger’s hardware wallet before approving it.

The attack targeted human surveillance – Lazarus didn’t have to misuse smart contracts or break the security of encryption. It simply exploited the trust of the UI.

Former Binance CEO CZ criticized Safe’s response and raised key questions such as why single developer machines have access to Bybit’s trading process. How did the Ledger signing process prevent this? And what kind of security lessons should the industry take away?

These are all good questions that take time to deal with perfectly.

The wave of companies is rushing

With each famous hack, companies are flooded with spaces where products claim they stopped it. Some deal with specific issues (safe transaction validation), while others hijack the story for marketing.

Oisy (dfinity-backed onchain wallet)

Claim: Browser extensions and secret key management are weak links. Oysie eliminates them by running completely on-chain.

reality: The attack had nothing to do with browser extensions or exposure to secret keys. It was a blind signature. Oisy’s architecture may be novel, but it does not solve the problem that caused this hack.

Impossible cloud networks (distributed cloud storage)

Claim: Intensive cloud services (such as AWS) were the root cause of the exploit.

reality: Distributed cloud storage can reduce the attack surface, but Bibit was not hacked through AWS. The problem was Safe’s UI manipulation and blind signatures. It wasn’t a specific choice for a cloud hosting provider.

Cubist (Hardware-assisted Signature Security)

Claim: This exploit will be blocked when strict signing policies such as pre-authorized addresses, governance delays, and multi-requirement factor authentication.

reality:This is actually related. If Bybit had enforced signature restrictions, Lazarus would not have been able to trick it into blindly signing a malicious deal.

Fireblocks (MPC-based security and transaction policy enforcement)

Claim:BYBIT’s security model was fundamentally flawed. The attack was launched by combining the blind signature requirement for ledger with the SAFE UI vulnerability. Fireblocks claims to mitigate this risk with its MPC-based infrastructure, policy engines and real-time transaction validation.

reality: This claim is one of the more valid answers. FireBlocks policy enforcement prevented any arbitrary approval by requesting predefined transaction rules that block unexpected transactions even if signers were deceived.

But there is also risk as Taylor Monaghan puts her distinctive cheeky style. “Fantastic multi-sigs, semi-xodials, MPCs, blah blah blah… Please make your attack surface bigger and don’t make it smaller.”

The real lesson is that UI Trust is the biggest security hole. Bybit’s attacks were not about smart contracts, decentralization, or key private security. This was about blind trust in the compromised UI.