Check Point analyzed the February 2025 Bybit theft in which attackers compromised an offline Ethereum wallet and stole roughly $1.5 billion in digital assets. The attack abused signer trust rather than a smart contract flaw: multisig participants were shown a fake Safe-looking interface and approved a transaction that handed control to the attacker. The chain involved Gnosis Safe execTransaction behavior, stolen or misused signatures, and a delegatecall to attacker-controlled contract 0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516, which enabled sweep functions to move funds including 400,000 ETH. The incident matters because it shows that multisig cold-wallet controls can fail when user interface manipulation, social engineering, or signer compromise affects transaction approval.