In-Depth Technical Analysis of the Bybit Hack

2025-03-10 NCCGroup

https://www.nccgroup.com/us/research-blog/in-depth-technical-analysis-of-the-bybit-hack/


To perform this attack, the attackers targeted Safe{Wallet}, a widely used multi-signature wallet solution that requires multiple approvals (in Bybit’s case, at least three signers) before a transaction can be executed. Rather than attacking the multi-signature scheme itself, the attackers exploited vulnerabilities in the web interface used to manage it. The changes they introduced were subtle and specifically targeted Bybit: the application continued to function normally, except when Bybit was about to execute a transaction from its cold wallet. Once the funds were extracted, the attackers, identified as the North Korean state-sponsored Lazarus group, executed a highly coordinated operation to disperse and obfuscate the stolen funds across multiple wallets, decentralized exchanges, and mixing protocols.
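The core risk described above is a signing interface that shows one transaction while asking the signers to approve another, and only for one targeted wallet. The following added example (not code from the article, NCC Group, or Safe{Wallet}) models that failure mode in a simplified form and shows the two defender-side checks a practitioner would want: an integrity check on the served frontend bundle, and an independent recomputation of the digest being signed from the fields shown on a trusted display. The `MultisigTx` structure, the SHA-256 digest, the `compromised_frontend` model and all addresses are constructed assumptions; the real Safe{Wallet} transaction encoding is not reproduced here.

```python
import hashlib
import json
from dataclasses import dataclass, asdict

# Assumed toy model of a multisig transaction. The real Safe{Wallet}
# encoding is NOT reproduced; only the field names a signer reviews matter here.
@dataclass(frozen=True)
class MultisigTx:
    to: str
    value_wei: int
    data_hex: str
    nonce: int


def canonical_digest(tx: MultisigTx) -> str:
    """Deterministic digest over exactly the fields a signer approves.
    Every signer must be able to recompute this without trusting the UI."""
    payload = json.dumps(asdict(tx), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


# Constructed placeholder addresses (not real on-chain addresses).
TARGETED_COLD_WALLET = "0xCOLD_WALLET_PLACEHOLDER"
INTENDED_RECIPIENT = "0xWARM_WALLET_PLACEHOLDER"
ATTACKER_ADDRESS = "0xATTACKER_PLACEHOLDER"


def compromised_frontend(signer_wallet: str, intended: MultisigTx):
    """Model of a tampered web UI (assumed, for illustration only).

    It displays the intended transaction to every user, but for one targeted
    wallet it asks the signer to approve the digest of a different transaction.
    For every other wallet the displayed and to-be-signed transactions agree,
    which is why such tampering is hard to notice in normal use."""
    if signer_wallet == TARGETED_COLD_WALLET:
        swapped = MultisigTx(to=ATTACKER_ADDRESS, value_wei=intended.value_wei,
                             data_hex=intended.data_hex, nonce=intended.nonce)
        return intended, canonical_digest(swapped)
    return intended, canonical_digest(intended)


def verify_before_signing(displayed: MultisigTx, digest_to_sign: str) -> bool:
    """Signer-side control: recompute the digest from the fields shown on a
    trusted display (e.g. a hardware wallet screen) and refuse to sign if it
    differs from the digest the web interface presents."""
    return canonical_digest(displayed) == digest_to_sign


def bundle_is_trusted(bundle_bytes: bytes, allowlisted_sha256: set) -> bool:
    """Operator-side control: the frontend JavaScript actually served must
    hash to a value the operator has reviewed and pinned in advance."""
    return hashlib.sha256(bundle_bytes).hexdigest() in allowlisted_sha256


if __name__ == "__main__":
    tx = MultisigTx(to=INTENDED_RECIPIENT, value_wei=10**18, data_hex="0x", nonce=7)

    # A non-targeted signer sees consistent data and the check passes.
    shown, digest = compromised_frontend("0xSOME_OTHER_WALLET", tx)
    print("other wallet ok:", verify_before_signing(shown, digest))

    # The targeted signer sees the intended transaction but is asked to sign
    # something else; independent recomputation catches the mismatch.
    shown, digest = compromised_frontend(TARGETED_COLD_WALLET, tx)
    print("targeted wallet ok:", verify_before_signing(shown, digest))

    # Constructed bundles: the pinned one passes, a modified one does not.
    good = b"console.log('safe ui');"
    pinned = {hashlib.sha256(good).hexdigest()}
    print("pinned bundle:", bundle_is_trusted(good, pinned))
    print("modified bundle:", bundle_is_trusted(good + b"//x", pinned))
```

The important design point is that `verify_before_signing` never trusts the digest the web interface supplies; it derives its own from the fields the signer has actually read. A multisig that requires three signers only helps if each signer performs that recomputation independently, so that a single compromised frontend cannot present all three with the same substituted payload unchallenged.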
