Why was Bybit’s Ethereum cold wallet attacked?
Bybit's Ethereum cold wallet was compromised, highlighting that offline storage alone doesn't guarantee security. The attack likely stemmed from vulnerabilities in private key management, hardware, or network interactions, possibly exacerbated by human error or evolving attack techniques.
Feb 27, 2025 at 04:43 pm

Cold wallet basic concept
Bybit Platform Overview
A review of attack incidents
Analysis of possible causes of attacks
Private key management vulnerability
Private key generation: Private keys must be generated strictly according to the requirements of the cryptographic algorithm so that they are random and unpredictable. If the generation process is flawed, for example because it uses a weak random number generator, an attacker may be able to guess the resulting private key by brute force or other technical means. Some early cryptocurrency wallets, for example, generated private keys with an inadequate random number generation algorithm, which greatly reduced the security of those keys and made the wallets easy to compromise.
Private key storage: Even if a private key is generated securely, improper storage gives attackers an opening. A cold wallet stores private keys offline, but if the storage medium itself is at risk, for example a hard disk that is physically stolen or a paper private key that is found by someone else, the private key is leaked. Backups of the private key that are not adequately protected can also lead to the key being obtained illegitimately. For example, if the private key is backed up to an insecure cloud storage service and that service is compromised by a hacker, the private key falls into the attacker's hands.
Private key usage: When a user needs to transact with assets held in a cold wallet, the private key has to be imported to an online device for the signing operation. If that online device carries malware, such as a keylogger or screen-capture software, the private key may be stolen during this process. For example, if a user imports a private key on a computer infected with a keylogger, an attacker can gain control of the assets by recording the private key as the user enters it.
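The key generation weakness described above, as an added example that is not part of the original article: a clock-seeded generator next to one backed by the operating system's CSPRNG, plus an audit check that flags a key reproducible from a small seed window. The function names and the sample timestamp are constructed for illustration.

```python
import random
import secrets

# Order of the secp256k1 group used by Ethereum; valid private keys are 1..N-1.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Constructed sample value: a made-up generation time (Unix seconds).
GENERATED_AT = 1_700_000_000


def weak_key_from_timestamp(unix_seconds: int) -> int:
    """Flawed 'before' version: a Mersenne Twister seeded with the clock.

    The key looks like 256 random bits but carries only as much entropy
    as the seed, i.e. the uncertainty about when it was generated.
    """
    rng = random.Random(unix_seconds)
    return rng.randrange(1, SECP256K1_N)


def secure_key() -> int:
    """Draw 32 bytes from the OS CSPRNG; retry if outside 1..N-1."""
    while True:
        k = int.from_bytes(secrets.token_bytes(32), "big")
        if 1 <= k < SECP256K1_N:
            return k


def derivable_from_window(key: int, start: int, end: int):
    """Audit check for keys you own: return the seed if `key` can be
    regenerated from any second in [start, end], else None."""
    for ts in range(start, end + 1):
        if weak_key_from_timestamp(ts) == key:
            return ts
    return None


if __name__ == "__main__":
    window = (GENERATED_AT - 3600, GENERATED_AT + 3600)
    print(derivable_from_window(weak_key_from_timestamp(GENERATED_AT), *window))
    print(derivable_from_window(secure_key(), *window))
```

A two-hour window is only 7,201 candidate seeds, so the first key is effectively protected by about 13 bits rather than 256.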
Cold wallet hardware vulnerability
Hardware design defects: If security is not fully considered when cold wallet hardware is designed, the hardware may contain vulnerabilities. For example, the chip design of some hardware wallets may have security flaws that let an attacker extract the private key stored inside the chip through physical attacks such as side-channel attacks. A side-channel attack infers the data a device is processing internally by analyzing its physical characteristics during operation, such as power consumption or electromagnetic radiation, and uses that to recover the private key.
Hardware supply chain risk: Producing cold wallet hardware involves multiple stages and suppliers, and security risks anywhere in that supply chain can lead to attacks on the cold wallet. For example, components may be maliciously tampered with during production and implanted with a backdoor so that the attacker can later control the cold wallet remotely or obtain private key information. Hardware that is not adequately protected in transit may also be stolen or tampered with.
Risks related to network connections
Cold wallet interaction with online devices: When a cold wallet exchanges data with an online device, for example when transaction signature information is passed from the cold wallet to the online trading platform, the data may be stolen or tampered with if the communication link is unencrypted or the encryption is too weak. For example, if an unencrypted Bluetooth connection is used for the transfer, an attacker can capture the transmitted data, including transaction signature information, through Bluetooth sniffing and use it to forge transactions.
Online device security issues: Security holes in the online devices that a cold wallet interacts with, such as computers and mobile phones, also threaten the cold wallet. For example, if an online device is infected with malware, the attacker can use that malware to obtain information about the cold wallet, or to mount a man-in-the-middle attack while the cold wallet interacts with the online device, stealing private keys or tampering with transaction instructions.
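One way to guard the link between the online device and the offline signer, as an added sketch that is not from the original article: the request carries an HMAC-SHA256 tag so changes in transit are detected, and the offline side applies its own destination and amount policy so that a compromised online device cannot simply seal a tampered instruction. The pre-shared link key, allowlist, limit and field names are all assumptions constructed for illustration, and the tag provides integrity only, not confidentiality.

```python
import hashlib
import hmac
import json

# Assumed provisioning on the offline signer (constructed values).
LINK_KEY = bytes.fromhex("11" * 32)        # pre-shared link key
ALLOWED_TO = {"0x" + "ab" * 20}            # approved destination addresses
MAX_WEI = 5 * 10**18                       # per-transaction limit


def canonical(tx: dict) -> bytes:
    """Stable byte encoding so both sides tag exactly the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def seal_request(tx: dict, key: bytes = LINK_KEY) -> dict:
    """Online side: attach an HMAC-SHA256 tag to the signing request."""
    tag = hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()
    return {"tx": tx, "tag": tag}


def review_request(msg: dict, key: bytes = LINK_KEY) -> str:
    """Offline side: return 'ok' or the reason the request is refused."""
    expected = hmac.new(key, canonical(msg["tx"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg.get("tag", "")):
        return "rejected: request altered in transit"
    tx = msg["tx"]
    # Policy is enforced offline, independent of what the online device shows.
    if tx["to"].lower() not in ALLOWED_TO:
        return "rejected: destination not on allowlist"
    if not 0 < int(tx["value_wei"]) <= MAX_WEI:
        return "rejected: amount outside policy"
    return "ok"


if __name__ == "__main__":
    good = seal_request({"to": "0x" + "ab" * 20, "value_wei": 10**18, "nonce": 7})
    print(review_request(good))
    altered = {"tx": dict(good["tx"], to="0x" + "cd" * 20), "tag": good["tag"]}
    print(review_request(altered))
```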
Human factors
Inadequate employee security awareness: If Bybit employees lack sufficient security awareness, they may introduce security risks during operations. For example, employees who handle cold wallet-related transactions over an unsafe network, or who casually disclose information about cold wallets, may give attackers useful clues. Likewise, if employees do not take adequate precautions on the online devices used to manage cold wallets, such as applying system patches promptly and installing antivirus software, those devices are easily attacked, which in turn endangers the cold wallet.
Unauthorized actions by insiders: Improper actions by internal personnel, such as privately altering the cold wallet's configuration or leaking the private key, can also lead to attacks on the cold wallet. This situation is not uncommon in some companies. Because insiders are familiar with how the system operates, violations are often hard to detect in time, and the resulting losses can be very serious.
The evolution of external attack methods
Emergence of new attack technologies: Hackers keep researching and developing new attack techniques to break through existing security protections. The development of quantum computing, for example, may threaten traditional encryption algorithms. Quantum computers are not yet widespread enough to pose a real threat to Ethereum cold wallets, but if the technology makes major breakthroughs in the future, existing encryption algorithms based on mathematical problems may be broken, exposing the private keys held in cold wallets.
Specialization of attack organizations: Today's hacker groups are increasingly specialized, with substantial technical resources and financial backing to carry out long-term, targeted attacks. Such groups may study large cryptocurrency trading platforms like Bybit in depth, find their security vulnerabilities, and develop detailed attack plans. They may also use social engineering and similar means to win employees' trust and obtain information about cold wallets, and then carry out attacks.
Limitations of security protection system
Lag in security protection technology: In the cryptocurrency field, security protections are often improved and upgraded only after an attack has occurred, so they lag behind the threats. Bybit may have adopted a variety of security technologies to protect its Ethereum cold wallets, but as attack methods change, those technologies may not respond to emerging threats in time. For example, new malware may evade detection by existing antivirus software and firewalls and infect devices associated with the cold wallet.
Coordination between multiple security mechanisms: To improve security, Bybit may use several protection mechanisms together, such as encryption, access control, and firewalls. If these mechanisms do not work well together, security gaps may remain. For example, encryption protects the confidentiality of data, access control restricts access to cold wallets, and firewalls block illegitimate access from external networks. However, if there is a vulnerability in the interface between encryption and access control, an attacker may use it to bypass access control, obtain the encrypted data, and then recover private key information by cracking the encryption.
Summary of the cause of the attack
