Famous Hacks and How They Could Have Been Prevented

Posted By BrigxelBiz in Crypto Knowledge
March 3rd, 2025, 1:03 pm - 2 mins
The crypto industry is plagued by hackers who often make off with millions of dollars, but some of these attacks could have been prevented. Let's look at a few famous hacks and what would have stopped them.

Over the years, there have been several high-profile incidents in which cold wallets were compromised. Like the example from our previous article here on Spur Protocol, Saleem Rashid's attack on the Ledger Nano S, many of these losses come down to a lapse in user responsibility or a flaw in the device itself.

Here are some more real-world examples that give further insight into how attackers operate and what you can learn from each case.

The Kraken-Trezor Hack
In January 2020, Kraken Security Labs disclosed a vulnerability in Trezor hardware wallets (the Trezor One and Model T). With about 15 minutes of physical access, they extracted the seed from the device by voltage glitching: briefly disturbing the microcontroller's power supply so that it misbehaves and allows its flash memory, where the PIN-encrypted seed is stored, to be read out. The PIN protecting that seed was then brute-forced in minutes.

An attacker needs physical possession of your wallet to use this method, which is why keeping the device in a secure location matters. The other practical defence, and the one Kraken recommended, is a BIP39 passphrase (Trezor's "hidden wallet"): the passphrase is never stored on the device, so a dumped seed alone does not unlock the funds.


Google Play Store vs. Hackers
In April 2024, Google filed a lawsuit against two alleged crypto scammers who, according to the complaint, used phishing schemes and fake crypto exchange and investment apps uploaded to the Google Play Store to defraud more than 100,000 people worldwide.

This example is not tied to one particular cold wallet, but it shows that even a trusted distribution platform can carry malicious apps.

If your hardware wallet relies on a companion app to manage, swap or trade assets, make sure you are installing the vendor's official app: check the publisher name on the store listing and reach it from a link on the vendor's own website rather than from a store search result or an ad.

💪 Pro Tip: Scanning the QR code that ships with the physical device takes you to the vendor's official app listing and sidesteps look-alike apps.

The Bybit Hack
Cryptocurrency exchange Bybit said on February 21, 2025 that hackers had stolen digital tokens worth around $1.5 billion, in what researchers called the biggest crypto heist of all time.
Bybit CEO Ben Zhou said the crypto was taken from a "cold wallet", a digital wallet usually kept offline and so supposedly more secure, that was used for ether tokens.
Blockchain research firm Elliptic said the hack was more than double the previous largest crypto heist and "is almost certainly the single largest known theft of any kind in all time." So, what went wrong?

Inside the Attack
The high-level details of the Bybit hack remain largely unchanged from the hours following the initial announcement and Ben Zhou's livestream explanation. An attacker, identified by on-chain investigator ZachXBT as North Korea's Lazarus Group (an attribution the FBI later confirmed), tricked the signers of a Bybit multi-sig cold wallet into approving a transaction that handed control of the Safe multi-sig contract to the attacker. This was accomplished by masking the real transaction details in the Safe user interface, so that what the signers saw did not match what they signed, which let the attacker replace the wallet's implementation with a backdoored contract and drain an estimated $1.4 billion from it.

Initially, most theories pointed to Bybit's own infrastructure being compromised: malware on the signers' devices could have performed the critical modifications to the Safe UI. Forensic investigation showed that this was not the case.

Later forensic investigations (commissioned by Bybit from Sygnia and Verichains) found that the attack was made possible by the compromise of a Safe{Wallet} developer's machine through social engineering. With that access, the attacker injected malicious JavaScript into the Safe UI code hosted in Safe's AWS S3 bucket. When the Bybit signers went to approve a transaction, their browsers loaded this tampered interface instead of the legitimate one.

The malicious code was designed to activate only for a specific transaction, such as the routine transfer of ETH from Bybit's cold wallet to its hot wallet, and to leave other Safe users untouched. When a matching transaction was found, the code rewrote it before signing: the destination became an attacker-controlled contract and the operation type was changed from a normal call to a delegatecall, which runs the target's code inside the Safe proxy's own storage context. The attacker's contract used that to overwrite the proxy's implementation address (storage slot 0), which amounts to a malicious upgrade to a contract with backdoor withdrawal functions. Because the calldata was shaped like an ordinary ERC-20 transfer(address, uint256), the signers' Ledger hardware wallets displayed nothing alarming, and the signed transaction was submitted to the blockchain for execution.

After the malicious version of the transaction was signed, the JavaScript restored the original version within the Safe UI to cover its tracks and minimise the risk of detection. The malicious JavaScript in Safe's AWS bucket was also replaced with a clean version within minutes of the theft; the malicious version is still visible on the Wayback Machine.

Lessons Learned from the Attack
The unfolding story of the Bybit hack upended many initial theories and suggested countermeasures. It also showed that the incident was the result of a sophisticated and carefully planned operation by the Lazarus Group.

The details now available underscore the importance of preventative controls against "blind signing": multi-sig signers approving a transaction on the strength of what a web UI tells them, without independently verifying the decoded calldata, namely the destination address, the value, the operation type (call versus delegatecall) and the function actually being invoked. A hardware wallet that shows only a function selector and a hash cannot catch a delegatecall to an unknown contract; a second, independent verification channel that decodes the raw transaction and applies a policy can.
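As an added example (not code from Bybit, Safe or Ledger), the script below shows what such an independent pre-signing check looks like. It hand-decodes the ABI encoding of Safe's execTransaction calldata so it runs offline without web3, then applies a policy for a routine cold-to-hot ETH top-up: plain CALL, allowlisted recipient, empty calldata, no gas-refund tricks. The wallet addresses, the amount and the two sample transactions are constructed for illustration; the malicious sample mirrors the shape described above (calldata that decodes as an ERC-20 transfer, executed via delegatecall).

```python
"""Pre-signing policy check for a Safe execTransaction call (added example)."""
from dataclasses import dataclass

# keccak256("execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)")[:4]
EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")
ERC20_TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")  # transfer(address,uint256)
ZERO_ADDRESS = "0x" + "00" * 20
OP_CALL, OP_DELEGATECALL = 0, 1


@dataclass
class SafeTx:
    to: str
    value: int
    data: bytes = b""
    operation: int = OP_CALL
    safe_tx_gas: int = 0
    base_gas: int = 0
    gas_price: int = 0
    gas_token: str = ZERO_ADDRESS
    refund_receiver: str = ZERO_ADDRESS
    signatures: bytes = b""


def _uint(n: int) -> bytes:
    return n.to_bytes(32, "big")


def _addr(a: str) -> bytes:
    return bytes(12) + bytes.fromhex(a[2:].lower())


def _dyn(b: bytes) -> bytes:
    # ABI dynamic bytes: 32-byte length word, then content padded to 32 bytes
    return _uint(len(b)) + b + bytes(-len(b) % 32)


def encode_exec_transaction(tx: SafeTx) -> bytes:
    """ABI-encode execTransaction. The head is 10 words; `data` and
    `signatures` are dynamic, so their head words hold offsets into the tail."""
    data_tail = _dyn(tx.data)
    head = (
        _addr(tx.to) + _uint(tx.value) + _uint(10 * 32) + _uint(tx.operation)
        + _uint(tx.safe_tx_gas) + _uint(tx.base_gas) + _uint(tx.gas_price)
        + _addr(tx.gas_token) + _addr(tx.refund_receiver)
        + _uint(10 * 32 + len(data_tail))
    )
    return EXEC_TRANSACTION_SELECTOR + head + data_tail + _dyn(tx.signatures)


def decode_exec_transaction(calldata: bytes) -> SafeTx:
    """Inverse of encode_exec_transaction: what a verifier must do before
    telling a signer what they are about to approve."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError(f"not execTransaction: selector {calldata[:4].hex()}")
    args = calldata[4:]

    def word(i: int) -> bytes:
        return args[32 * i: 32 * (i + 1)]

    def as_int(w: bytes) -> int:
        return int.from_bytes(w, "big")

    def as_addr(w: bytes) -> str:
        return "0x" + w[12:].hex()

    def dyn(offset: int) -> bytes:
        length = as_int(args[offset: offset + 32])
        return args[offset + 32: offset + 32 + length]

    return SafeTx(
        to=as_addr(word(0)), value=as_int(word(1)), data=dyn(as_int(word(2))),
        operation=as_int(word(3)), safe_tx_gas=as_int(word(4)),
        base_gas=as_int(word(5)), gas_price=as_int(word(6)),
        gas_token=as_addr(word(7)), refund_receiver=as_addr(word(8)),
        signatures=dyn(as_int(word(9))),
    )


def check_policy(tx: SafeTx, allowed_recipients: set[str]) -> list[str]:
    """Policy for a cold-to-hot ETH transfer. Returns the list of violations."""
    findings = []
    if tx.operation == OP_DELEGATECALL:
        findings.append("operation=DELEGATECALL: target code would run inside the "
                        "Safe proxy's own storage and could overwrite its implementation slot")
    elif tx.operation != OP_CALL:
        findings.append(f"unknown operation {tx.operation}")
    if tx.to.lower() not in {a.lower() for a in allowed_recipients}:
        findings.append(f"recipient {tx.to} is not on the allowlist")
    if tx.data:
        findings.append(f"unexpected calldata (selector {tx.data[:4].hex()}) "
                        "on what should be a plain ETH transfer")
    if tx.gas_token != ZERO_ADDRESS or tx.refund_receiver != ZERO_ADDRESS:
        findings.append("gas refund fields are set; expected zero")
    return findings


# Constructed addresses for the example; not real Bybit or attacker addresses.
HOT_WALLET = "0x" + "11" * 20
ATTACKER_CONTRACT = "0x" + "aa" * 20
ATTACKER_IMPLEMENTATION = "0x" + "bb" * 20
ALLOWLIST = {HOT_WALLET}

# The routine transfer the signers believed they were approving.
BENIGN_TX = SafeTx(to=HOT_WALLET, value=30_000 * 10**18)

# The swapped-in shape: calldata that decodes as transfer(to, 0), but executed
# via DELEGATECALL, so the attacker's transfer() runs with the Safe's storage
# and can write `to` (the new implementation) into slot 0.
MALICIOUS_TX = SafeTx(
    to=ATTACKER_CONTRACT, value=0, operation=OP_DELEGATECALL,
    data=ERC20_TRANSFER_SELECTOR + _addr(ATTACKER_IMPLEMENTATION) + _uint(0),
)


def verify_calldata(calldata: bytes, allowed_recipients: set[str] = ALLOWLIST) -> list[str]:
    """Run on the raw calldata over a channel independent of the web UI."""
    return check_policy(decode_exec_transaction(calldata), allowed_recipients)


if __name__ == "__main__":
    for label, tx in (("benign", BENIGN_TX), ("malicious", MALICIOUS_TX)):
        findings = verify_calldata(encode_exec_transaction(tx))
        print(label, "->", "APPROVE" if not findings else "REJECT")
        for finding in findings:
            print("   ", finding)
```

The point of the design is that the check consumes the raw calldata, not the UI's rendering of it: a compromised front end can lie about what it shows, but it cannot change what the bytes decode to. In a real deployment the allowlist and the "empty calldata" rule would be tied to the specific workflow being signed, and the decoded fields would be compared against the Safe transaction hash shown on the hardware wallet.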

Copyright © 2025 SpurProtocol. All Rights Reserved.
Business & Partnerships: Pitch Lite | business@spurprotocol.com