Bybit lost $1.5 billion in Ethereum after attackers exploited a third-party wallet vulnerability to gain code execution and then reused existing administrative session tokens to authorize the withdrawals. No further phishing or repeated exploits were needed once the tokens and approvals were under attacker control.

In February 2025 the Lazarus-linked operators moved the funds across multiple addresses within minutes. The authorization system treated the captured session context as valid, allowing direct execution of high-value transfers without device-specific confirmation at the point of action.

How Reusable Credentials Extended the Initial Breach

The wallet library flaw provided the entry point, yet the attack only reached full scale because administrative accounts carried forward session tokens and approval values that remained usable after compromise. Attackers did not need to obtain fresh credentials or repeat social engineering; the material already present on the accounts supplied the necessary authorization.

Public reports confirm the transfers completed rapidly because the system accepted replayable context rather than requiring a new cryptographic proof tied to a specific device. This pattern shows how any system that stores or transmits reusable authorization data creates a direct path from initial access to asset movement.

Device-Bound Public-Key Credentials Block Completion

MFA 2.0 is phish-proof, passwordless authentication built on public-key cryptography—the same technology used in Apple Pay and Google Pay. It uses device-bound credentials with no central credential database and requires same-device authentication, so no second device is involved. MFA 2.0 is prevention-focused: the attack cannot happen in the first place because there are no credentials to compromise. It applies across the entire identity lifecycle, including registration, device onboarding, authorization, authentication, and decommissioning.

In the Bybit case, private keys would remain inside the hardware or secure enclave where they were created. Only signatures generated locally on the enrolled device would be accepted for privileged actions. Captured session cookies, TOTP seeds, or replayable tokens would become worthless because those values do not exist in this model. The exchange would receive only a cryptographic signature linked to the original device.

Protection Across Registration, Authorization, and Decommissioning

Every administrative and operational account that can move assets must require a fresh signature from a device-bound private key for high-value actions. Registration and device onboarding must follow the same rule so that legacy recovery paths or shared secrets cannot reintroduce reusable material later in the lifecycle.

Even if the third-party wallet remains vulnerable to code execution, the absence of usable authorization tokens prevents the exploit from completing fund transfers. This approach confines the entire key lifecycle to the endpoint, eliminating the reusable values that allowed the Bybit withdrawals to proceed after the first compromise.