Written by Oded Vanunu, Chief Technologist & Head of Product Vulnerability Research at Check Point

The crypto universe has just received another wake-up call. A recent high-profile breach has revealed deep cracks in the security protocols of the industry, reminding us that even the most sophisticated defenses can be compromised. This time, the hackers were able to breach a multisig cold wallet, stealing about $1.5 billion worth of Ethereum tokens.

This attack is especially troubling because it wasn’t a conventional vulnerability that looked for a flaw in the blockchain system or a smart contract. Rather, Security researchers have determined that hackers injected malicious JavaScript directly into Safe’s online infrastructure hosted on AWS. The code was specifically designed to activate only when interacting with Bybit’s contract address, allowing it to remain undetected by regular users.

The JavaScript manipulation modified transaction data behind the scenes:

1. When Bybit signers accessed the interface, the code identified target addresses
2. It silently modified critical transaction parameters including recipient address and operation type
3. It preserved the appearance of legitimacy by displaying the original transaction details to signers

This finding confirms our assessment that this attack sets a new precedent in crypto security by bypassing a multisig cold wallet through sophisticated UI manipulation, further proving that multisigs and cold wallets are not automatically secure when the interface layer can be compromised. Attackers used social engineering and user interface (UI) deception to carefully manipulate human behavior. The presence of human error compromises even the most robust systems.

This event highlights the pressing need for more robust security models, specifically in how transactions are authenticated and how signers verify transactions. The increasing complexity of UI-based attacks necessitates a change of strategy—moving beyond traditional cryptographic security toward comprehensive risk mitigation.

Why This Attack Changes Everything
For years, multisig wallets and cold storage have been considered the gold standard for securing crypto assets. But this breach shattered that assumption, revealing three major weaknesses:

• Multisig is not infallible—if signers can be deceived, multiple approvals do not guarantee safety.
• Cold wallets are not immune—an attacker does not need to breach the storage itself if they can manipulate what a signer sees.
• Supply chain and UI-based attacks are evolving rapidly, making them difficult to detect with traditional security measures.

With this shift in attack strategies, crypto institutions, exchanges and custodians must rethink how they authenticate and verify transactions.

How Crypto Security Must Evolve
Given the increasing complexity of attacks, securing digital assets requires a multi-layered approach that goes beyond cryptographic security. Here’s what needs to change:

• Real-Time Preventive Threat Monitoring
  • A prevention-first approach, securing every step of a transaction
  • Developing advanced anomaly detection systems that can flag unusual transaction patterns.
  • Leveraging AI and behavioral analysis to detect and prevent social engineering attempts.
• Strengthening Human-Centric Security Measures
  • Educating users and institutional signers on UI-based manipulation techniques.
  • Implementing multi-factor verification processes that include independent transaction confirmation.
• Enhancing Transaction Verification Protocols
  • Introducing secondary verification mechanisms to confirm transaction details before execution.
  • Using independent, air-gapped devices for transaction approvals to reduce UI-based risks.
• Adopting a Zero-Trust Security Model
  • Treating every device and signer as potentially compromised.
  • Implementing strict access controls and segregating signing authority across multiple verification channels.

Looking Ahead: The Future of Crypto Security
This attack proves that a prevention-first approach, securing every step of a transaction, is the only way to stop cybercriminals from carrying out similar high-impact attacks in the future. We cannot afford to rely solely on conventional cryptographic models as attacks become increasingly complex. Rather, we need a comprehensive strategy that addresses social engineering tactics, UI manipulation risks and human vulnerabilities. Crypto institutions can better safeguard their assets in an increasingly complex threat landscape by enforcing real-time threat monitoring, educating users and bolstering transaction verification.

Although no security system is entirely foolproof, staying ahead of cybercriminals will require a proactive and flexible approach. The sector needs to move toward multi-layered defense tactics that combine stringent verification procedures, education and technology. As digital assets become more mainstream, security practices must evolve just as rapidly. Trust, transparency and protection should be at the forefront of the crypto ecosystem—because, at the end of the day, security isn’t just about code. It’s about people.