The Bybit hack, one of the largest in crypto history, saw $1.5 billion in Ethereum stolen through what appears to be a sophisticated phishing attack. Unlike traditional exchange breaches that involve compromising backend keys—such as hot, warm, or cold wallet private keys—this incident unfolded in a highly unusual manner. According to a live stream from Bybit CEO Ben Zhou, the hack was executed when he and other multi-sig signers unknowingly approved the fraudulent transaction via their Ledger devices, effectively sending the massive sum directly to the hackers.
The critical flaw wasn't in Bybit's security infrastructure per se but in the inherent risks of using raw wallet addresses and DeFi transactions that the Ledger didn't understand. Zhou admitted that he didn't check the Ledger's display before signing, assuming that the transaction details were correct since it was part of routine operations. This suggests that the hackers managed to manipulate the transaction in the web UI in a way that made it appear legitimate, tricking multiple signers into authorizing a transfer that was indecipherable to humans on the Ledger screen.
This type of attack underscores a persistent problem in crypto: address-based transactions are inherently prone to human error and phishing attacks. If even the CEO of a major exchange can be deceived into signing off on a fraudulent transaction, everyday users stand an even higher risk.
The key to solving this underlying issue is to eliminate the reliance on raw wallet addresses altogether. Instead of manually verifying a complex alphanumeric string, users send crypto using human-readable names. If Bybit had incorporated this technology, the Ledger would have displayed an error and told the operators not to sign, making it significantly harder for hackers to manipulate transactions.
Infrastructure players like MatterFi can ensure that all wallets can cryptographically compute the correct receive address based on a user's registered name, without exposing sensitive information on-chain. This means users can publicly share their payment names—like "Mehow" on Instagram—without revealing their transaction history or balances. The private key infrastructure ensures only the intended recipient can access the funds, mitigating phishing risks at a fundamental level.
With Bybit having to halt Ethereum deposits in response to the breach, it's clear that crypto platforms need to rethink their security models. Address-based systems, no matter how fortified, still leave users vulnerable to social engineering and human error.
By transitioning to cryptographic name-based transactions, the industry can take a major step toward preventing similar incidents in the future.
© 2025 Benzinga.com. Benzinga does not provide investment advice. All rights reserved.