Bybit Incident Technical Analysis
2025-02-23 • CertiK •
https://www.certik.com/ko/resources/blog/bybit-incident-technical-analysis
The Bybit cold Ethereum wallet theft involved a Safe{Wallet} transaction whose displayed contents were masked: three signers gave valid approvals while their Ledger devices received malicious transaction data. The attacker used a delegatecall to modify the Safe masterCopy storage slot and replace the implementation contract with one containing sweepETH() and sweepERC20() backdoor functions. The incident drained assets including 401,346 ETH, 15,000 cmETH, 8,000 mETH, 90,375 stETH, and 90 USDT; the exploit transactions and attacker-controlled contracts are listed in the body of the article. The article states that Arkham and zachxbt attributed the attack to the DPRK's Lazarus Group, while noting that the exact UI-manipulation method in the Bybit case remained unconfirmed. The case matters because it links device compromise, transaction masking, and blind signing to a large-scale Web3 theft.
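The defensive lesson in the summary above is that a signer should verify what the device is actually signing rather than what the UI displays, and that a Safe `execTransaction` with `operation == 1` (delegatecall) deserves special scrutiny because the callee runs with the Safe's own storage and can overwrite slot 0, the masterCopy pointer. The following added example (written for this page, not code from CertiK or from the Safe project) implements that pre-signing check in pure Python with no RPC access: it ABI-decodes `execTransaction` calldata, flags any delegatecall and any delegatecall target outside a vetted allowlist, and compares the decoded `to`/`value`/`operation` with what the signer believes the UI showed. The selector `0x6a761202`, the argument order, the ERC-20 `transfer` selector `0xa9059cbb`, and Safe's `Call = 0 / DelegateCall = 1` encoding are real; every address, the allowlist, and both sample transactions are constructed placeholders.

```python
"""Pre-signing review of Safe{Wallet} execTransaction calldata (added example).

The selector and argument layout of
execTransaction(address to, uint256 value, bytes data, uint8 operation,
                uint256 safeTxGas, uint256 baseGas, uint256 gasPrice,
                address gasToken, address refundReceiver, bytes signatures)
are real; the addresses, allowlist and sample transactions below are constructed.
"""
from dataclasses import dataclass

EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")   # execTransaction(...)
ERC20_TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")     # transfer(address,uint256)
OP_CALL, OP_DELEGATECALL = 0, 1                         # Safe Enum.Operation

# Constructed placeholder addresses (not real contracts).
TOKEN = "0x" + "11" * 20          # an ERC-20 the treasury holds
RECIPIENT = "0x" + "22" * 20      # intended payee shown in the UI
IMPLANT = "0x" + "33" * 20        # contract the masked tx actually targets
ZERO = "0x" + "00" * 20

# Constructed allowlist: the only delegatecall targets operators have vetted.
TRUSTED_DELEGATECALL_TARGETS = {"0x" + "aa" * 20}


@dataclass
class SafeTx:
    to: str
    value: int
    data: bytes
    operation: int


def _word(n: int) -> bytes:
    return n.to_bytes(32, "big")


def _addr(a: str) -> bytes:
    return bytes.fromhex(a[2:]).rjust(32, b"\x00")


def _pad(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % 32)


def encode_exec_transaction(to, value, data, operation, signatures=b"") -> bytes:
    """ABI-encode execTransaction so the example has realistic calldata."""
    data_off = 10 * 32                              # ten head words
    sig_off = data_off + 32 + len(_pad(data))       # length word + padded bytes
    head = (_addr(to) + _word(value) + _word(data_off) + _word(operation)
            + _word(0) + _word(0) + _word(0)        # safeTxGas, baseGas, gasPrice
            + _addr(ZERO) + _addr(ZERO) + _word(sig_off))
    tail = _word(len(data)) + _pad(data) + _word(len(signatures)) + _pad(signatures)
    return EXEC_TRANSACTION_SELECTOR + head + tail


def decode_exec_transaction(calldata: bytes) -> SafeTx:
    """Decode the fields a signer must verify: to, value, data, operation."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction call")
    body = calldata[4:]
    word = lambda i: body[32 * i:32 * (i + 1)]
    to = "0x" + word(0)[12:].hex()
    value = int.from_bytes(word(1), "big")
    data_off = int.from_bytes(word(2), "big")
    operation = int.from_bytes(word(3), "big")
    data_len = int.from_bytes(body[data_off:data_off + 32], "big")
    data = body[data_off + 32:data_off + 32 + data_len]
    return SafeTx(to, value, data, operation)


def review_safe_tx(calldata: bytes) -> list:
    """Return policy findings; an empty list means nothing suspicious."""
    tx = decode_exec_transaction(calldata)
    findings = []
    if tx.operation == OP_DELEGATECALL:
        findings.append(f"delegatecall to {tx.to}: callee runs with the Safe's "
                        "storage and can rewrite slot 0 (masterCopy)")
        if tx.to.lower() not in TRUSTED_DELEGATECALL_TARGETS:
            findings.append("delegatecall target is not on the vetted allowlist")
    elif tx.operation != OP_CALL:
        findings.append(f"unknown operation value {tx.operation}")
    return findings


def matches_displayed_intent(calldata: bytes, shown: SafeTx) -> bool:
    """True only if the device is signing what the UI claims it is signing."""
    tx = decode_exec_transaction(calldata)
    return (tx.to.lower() == shown.to.lower() and tx.value == shown.value
            and tx.operation == shown.operation)


# Constructed sample 1: a routine ERC-20 transfer (what the UI displayed).
BENIGN_CALLDATA = encode_exec_transaction(
    TOKEN, 0, ERC20_TRANSFER_SELECTOR + _addr(RECIPIENT) + _word(10 ** 9), OP_CALL)

# Constructed sample 2: a masked tx, delegatecall into an unvetted contract.
MALICIOUS_CALLDATA = encode_exec_transaction(IMPLANT, 0, b"\xde\xad\xbe\xef", OP_DELEGATECALL)

if __name__ == "__main__":
    for name, cd in (("benign", BENIGN_CALLDATA), ("masked", MALICIOUS_CALLDATA)):
        print(name, review_safe_tx(cd) or "OK")
```

The check runs on the raw calldata a hardware device is asked to sign, so it does not depend on the (possibly compromised) web UI; in practice the same decode can be applied to the EIP-712 `SafeTx` fields shown on the device. Treating every delegatecall as a policy exception, rather than something a signer approves from a summary screen, is the single rule that would have made the masked transaction stand out.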