Signed, Sealed, Drained: How Backdoors Drain Crypto Wallets

    • The biggest losses of 2023-2026 broke no cryptography. Bybit’s $1.5bn drain ran through a sound multisig and clean contracts; the attacker only changed what the signers saw.
    • Four mechanisms recur and braid together: poisoned software supply chains, tampered signing interfaces, laundered authority via approvals and off-chain signatures, and privileged paths hidden in contracts, proxies and multisig modules.
    • Hardware wallets and multisig do nothing once the device blind-signs an opaque payload and the operator trusts a compromised host. Radiant defeated hardware wallets, Tenderly and multiple reviewers at once because they all read the same poisoned source.
    • Bitcoin and non-EVM setups carry the same backdoor risk relocated. DMM lost 4,502.9 BTC through a compromised wallet-management vendor and session cookies; mobile OCR malware like SparkCat steals the seed phrase straight from photo galleries.
    • The controls that held constrain the signing moment or the integrity of the code feeding it (clear signing, isolated signing machines, multisig policy gating upgrades and modules, supply-chain hygiene).

    The largest crypto theft on record did not break a single private key. On 21 February 2025, Bybit lost roughly 401,000 ETH and stETH worth about $1.5 billion from an Ethereum cold wallet, and the forensic reviews from Sygnia, Verichains and the Safe Ecosystem Foundation converged on the same uncomfortable finding, that the Safe smart contracts were sound, the exchange’s own infrastructure showed no compromise, and three signers authorized the drain themselves while reading an interface that had been quietly rewritten to lie to them. Lazarus had compromised a Safe{Wallet} developer machine, injected JavaScript into the web app that activated only for Bybit’s targeted wallet, and let the multisig do exactly what multisig is supposed to do. The threshold held. The keys were never extracted. The cryptography behaved.

    A wallet drain in this period is rarely the moment a key gets cracked, and far more often the final stage of a longer compromise somewhere in the chain of trust between a developer’s laptop and the screen where a human clicks approve. If an attacker can change what the signer sees, change what code runs before the signature, or borrow a privileged authorization path that was sitting in the contract all along, they can move the funds without touching the maths the whole system is built to protect.

    The signature is the boundary

    Across the consequential losses of 2023 to 2026, four mechanisms recur, often braided together inside a single incident. Software supply chains get poisoned, so trusted code starts behaving against its users. Signing interfaces get tampered with, so the transaction a human approves is not the transaction that executes. Authority gets laundered through approvals and off-chain signatures, so an attacker pulls funds later without prompting anyone again. And privileged control paths hidden in contracts, proxies and multisig modules get abused, so ownership or implementation changes hands under cover of a routine action. A fifth vector sits slightly apart and bites hardest outside the EVM world, where attackers skip the key entirely and capture the recovery phrase at the moment it is created, restored, displayed or photographed.

    A hardware wallet narrows online key exposure and a multisig removes the single point of failure, and neither does anything for you if the device cannot render the real meaning of the payload and the operator is trusting a host that has already been turned. Ledger, Trezor and MetaMask have all reoriented their security messaging around the same idea over the period, pushing clear signing, transaction simulation and higher-integrity previews, because the industry has worked out the hard way that the authorisation moment is where the money is lost. The rest of this piece walks the four mechanisms through the incidents that defined them, surfaces the one case the field still cannot agree on, and ends on what has held up.

    Supply chains: one forgotten account is enough

    On 14 December 2023, an attacker published three malicious versions of Ledger’s Connect Kit to npm, the library that thousands of decentralized apps load to wire Ledger devices into their front ends. The route in was almost banal. A former Ledger employee had been phished, the attacker rode the person’s session token straight past two-factor authentication, and although Ledger’s internal offboarding had revoked the departed employee’s access to GitHub, single sign-on and internal tooling, nobody had pulled their publishing rights on npm, an external service the company could not revoke automatically. Versions 1.1.5, 1.1.6 and 1.1.7 carried Angel Drainer, a malware-as-a-service kit that crafts draining transactions on demand, and any front end pulling the latest Connect Kit from the CDN served its users a hostile wallet-connection flow. The window was short, under two hours of active draining and around five hours of exposure before a clean 1.1.8 propagated, and the take was roughly $600,000, with Tether later freezing some of the attacker-controlled funds.

    The figure is small for the lesson it teaches. The attacker needed no Ledger device exploit, no compromise of any dApp’s own servers, and no private key, because controlling one widely trusted dependency put hostile code inside every front end that imported it. The Connect Kit loader was a dependency for tens of thousands of repositories, so a single stale credential became a broadcast channel into the wallets of users who had done nothing wrong and were running hardware wallets precisely to stay safe.

    If anyone hoped that was a one-off, September 2025 settled it, when a separate phishing campaign hijacked a reputable maintainer’s npm account and pushed malicious code into packages with more than a billion cumulative downloads, built to silently swap crypto addresses inside transactions before they were signed. The blast radius was theoretical rather than catastrophic that time, but the shape was identical, and it confirmed that the package registry sits upstream of every wallet preview and every signature, with verification controls that lag the value flowing through it.
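One defensive check against this pattern, added here as an example (it is not code from Ledger, npm or the original article): flag dependency specs that can silently resolve to a newly published release, and verify shipped artefacts against the integrity hash recorded in the lockfile. The package names and tarball bytes are constructed; the lock layout assumed is npm's `packages` map with `integrity` values in `sha512-<base64>` form.

```python
import base64
import hashlib
import hmac
import json
import re

EXACT = re.compile(r"^\d+\.\d+\.\d+$")  # an exact pin; ranges, tags and URLs do not match


def floating_specs(package_json):
    """Return {name: spec} for dependencies that can resolve to a later publish."""
    manifest = json.loads(package_json)
    found = {}
    for section in ("dependencies", "devDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if not EXACT.match(spec):
                found[name] = spec
    return found


def sri_matches(artifact, integrity):
    """Compare artifact bytes with an integrity value '<algo>-<base64 digest>'."""
    algo, _, encoded = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False
    try:
        expected = base64.b64decode(encoded, validate=True)
    except ValueError:
        return False
    return hmac.compare_digest(hashlib.new(algo, artifact).digest(), expected)


def audit(package_json, lock_json, artifacts):
    """List floating specs, lock entries without a hash, and hash mismatches."""
    problems = [f"{n}: floating spec {s!r}" for n, s in floating_specs(package_json).items()]
    for path, entry in json.loads(lock_json).get("packages", {}).items():
        if not path:  # "" is the root project itself
            continue
        name = path.split("node_modules/")[-1]
        integrity = entry.get("integrity")
        if not integrity:
            problems.append(f"{name}: lock entry has no integrity hash")
        elif name in artifacts and not sri_matches(artifacts[name], integrity):
            problems.append(f"{name}: artifact does not match locked integrity")
    return problems


def sri(data):
    """Build a sha512 integrity string for the constructed sample below."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


# Constructed sample input: hypothetical package names and placeholder bytes.
GOOD = b"constructed tarball bytes for wallet-connector 2.0.0"
TAMPERED = GOOD + b" plus injected code"
PACKAGE_JSON = json.dumps({"dependencies": {"wallet-connector": "^2.0.0", "ui-lib": "3.1.4"}})
LOCK_JSON = json.dumps({"packages": {
    "": {"name": "dapp-frontend"},
    "node_modules/wallet-connector": {"version": "2.0.0", "integrity": sri(GOOD)},
    "node_modules/ui-lib": {"version": "3.1.4"},
}})
```
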

    Interface deception: the verification collapse at Radiant

    Radiant Capital lost about $50 million on 16 October 2024, and the post-mortem reads like a stress test of every control the industry recommends, all failing at once. The attackers, later linked by Mandiant to North Korean activity that began with a September Telegram message impersonating a former contractor, compromised the devices of at least three core developers. On those devices, the Safe front end displayed legitimate transaction data while malicious transactions were relayed to the hardware wallets in the background, and the wallet then surfaced a benign-looking error that nudged the signer to try again, harvesting valid signatures for a payload nobody had agreed to. The developers used geographically separated hardware wallets, reviewed each transaction, and simulated on Tenderly, and none of it showed an anomaly because the deception lived between the screen and the silicon.

    Radiant ran a three-of-eleven multisig, so an attacker only needed to infect three of eleven candidate machines to assemble a threshold, and once they held three signatures they executed a transferOwnership call that handed the lending pools’ Pool Provider to an attacker contract. Because Ledger devices do not parse Gnosis Safe transactions in human-readable form, the signers were blind-signing an opaque payload and trusting the front end to describe it, and the front end had been compromised. With ownership secured, the attacker upgraded the pool contracts to malicious implementations that retained the existing approvals users had granted, then drained those user funds across Arbitrum, BSC, Base and Ethereum.

    Radiant is the cleanest demonstration in the dataset that hardware wallets plus simulation plus multiple human reviewers can all be defeated together, because each of those controls reads the same poisoned source. The protocol’s own remediation list said it plainly, calling for an independent device to decode raw transaction data, an end to blind signing on critical actions, and audits triggered automatically when a transaction throws a recurring error, since the error pattern was the only visible symptom anyone could have caught.

    Privileged paths: when the multisig becomes a false assurance

    Bybit is the same family of attack scaled to a national-treasury budget. The malicious JavaScript on the Safe web app behaved normally for everyone except Bybit’s signers preparing a cold-to-warm transfer, and for them it masked the interface so the displayed action and the signed action diverged, swapping a routine transfer for a transaction that changed the wallet’s control logic through a delegatecall to an attacker-controlled implementation. The FBI attributed the theft to North Korea’s TraderTraitor cluster within days, and the laundering moved through mixers at a speed that left little to recover. Two minutes after execution, the attacker re-uploaded clean JavaScript to Safe’s S3 bucket to cover the change.

    Safe’s own documentation is explicit that an enabled module can execute transactions while bypassing the ordinary owner-signature verification, which means module enablement, implementation upgrades and ownership transfers deserve the same suspicion as a direct withdrawal, and most signing playbooks do not give them that. A threshold scheme assumes the signers know what they are approving, and once an attacker can make a transferOwnership or an upgradeToAndCall look like a rebalance, the threshold counts signatures for the wrong action and the multisig converts from a safeguard into a rubber stamp with extra steps. The contract logic at Bybit was never the vulnerability, and the source code of the front end was not either, because the attack lived in the deployment pipeline and the runtime substitution of what the signers saw.

    The case the field still cannot close: WazirX

    WazirX lost about $230 million on 18 July 2024 from a four-of-six Safe multisig, five keys held by WazirX on hardware wallets and the sixth an HSM key at custody provider Liminal, and the signed transaction turned out to be a contract upgrade dressed as routine GALA and USDT transfers. Beyond that, the public record splits, and it has stayed split, so the honest treatment is to lay out who claims what rather than smooth it into a single narrative.

    WazirX’s own account leaned on the limits of blind signing, stated that its preliminary investigation found no evidence its signer machines were compromised, and pointed at the custody infrastructure, noting that Liminal’s interface was not supposed to permit a contract upgrade or a transfer to a non-whitelisted address. Liminal countered that its platform was not breached and that the affected wallet had been created outside its ecosystem, and later commissioned its own review. A Mandiant report dated August 2024 placed the origin on the Liminal side of the boundary, which Liminal disputed on methodology, drawing a direct parallel to Radiant’s compromised-signer-device pattern. Third-party analysis by Cobo, framed explicitly as inference from public reports and on-chain data, argued the likeliest path was a counterfeit Liminal interface delivered through a man-in-the-middle or cross-site scripting technique that showed the signers benign transfers while collecting signatures for the upgrade.

    The signers were blind-signing ERC-20 transactions, where the hardware device shows neither token nor destination and the human is trusting whatever the custody web page renders, so a discrepancy between the displayed transaction and the real payload was sufficient to gather four legitimate signatures for a malicious upgrade deployed eight days earlier. Where the discrepancy was introduced, and on whose infrastructure, remains contested between the parties, and the Indian and Singaporean legal proceedings that followed have not produced a settled public attribution of root cause. Treat WazirX as a strong example of transaction-disguise against a multisig and a weak example of anything more specific.

    No approvals, still drained: the non-EVM cases

    The EVM ecosystem carries a particular exposure because users routinely hand powerful permissions to contracts, routers, relayers and modules, and approval-phishing exploits exactly that, collecting an approve, setApprovalForAll or off-chain Permit2 signature under cover of a fake airdrop or claim, then pulling tokens later with no further prompt. MetaMask’s safety guidance has grown around this because an off-chain signature feels harmless to the user and grants a standing licence to move funds, and Chainalysis and Scam Sniffer have tracked drainer campaigns in the hundreds of millions on that mechanic alone. The defence is unglamorous, reviewing and revoking stale allowances and treating any unsolicited connect or claim prompt as hostile.

    Bitcoin has no ERC-20 approvals, which tempts people into thinking the backdoor risk evaporates, and the record says it relocates. DMM Bitcoin lost 4,502.9 BTC, about $308 million, in May 2024, and the joint FBI, DC3 and NPA advisory traced the entry to a TraderTraitor operative posing as a LinkedIn recruiter, who sent an employee at wallet-software firm Ginco a malicious Python script disguised as a pre-employment test on GitHub. The compromise yielded session cookies, the attackers impersonated the employee inside Ginco’s unencrypted communications system, and weeks later they used that foothold to manipulate a legitimate DMM transaction request. No private key was cracked and no contract was exploited, because the theft crossed social engineering, code execution, session hijacking and an internal-workflow compromise around the signing-support environment.

    At the retail end of the same logic, attackers harvest the recovery phrase directly. Kaspersky’s SparkCat campaign, disclosed in February 2025, embedded an optical-character-recognition module built on Google’s ML Kit inside apps that reached both Google Play and, for the first time for a stealer of this kind, the App Store, with the Play versions alone downloaded close to 250,000 times. The malware requested gallery access at a plausible moment, scanned stored images for the text of seed phrases, and exfiltrated the matches, and its successor SparkKitty widened the net to whole image galleries. A screenshot of twelve or twenty-four words is a complete bearer credential, so the attacker never needs the device or the key if the user once photographed their backup.

    What has held up

    The controls that survived contact with these incidents share a property, they constrain the signing moment or the integrity of the code feeding it, rather than adding another reviewer who reads the same compromised screen. Clear signing ranks first, because a device that renders the true semantics of a transaction removes the blind-signing gap that Radiant, Bybit and WazirX all exploited, and its limit is honest, since a device that cannot decode a complex nested payload still leaves the operator trusting the host. Isolating the signing environment ranks alongside it, because dedicated machines that never browse or develop would have raised the cost of the endpoint compromises behind DMM, Radiant and Bybit, and this is the change institutional treasuries can make fastest.

    On the supply-chain side, reproducible builds, signed releases and dependency pinning are effective only when organisations verify the artefacts they ship, and the Connect Kit incident shows that disciplined internal offboarding means little if one external publishing account is left live. Multisig policy has to constrain more than transfers, gating module enablement, implementation upgrades, ownership changes and arbitrary-call destinations behind the same scrutiny as a withdrawal, because every large multisig loss in this set ran through one of those paths rather than a plain transfer. Transaction simulation and balance-change previews stop a great deal of routine approval-phishing and many drainer flows, and Radiant is the standing reminder that a severe host compromise can desynchronize the preview from the signed payload, so simulation is a strong filter and a weak guarantee.
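The multisig policy described above, and the independent decoding of raw transaction data that Radiant's remediation list called for, sketched as an added example (not code from Safe, Radiant or the original article). It decodes the raw fields of a proposed transaction away from the signing front end and reports anything that is not a plain allowlisted transfer. The `SafeTx` structure, the allowlists and every address are constructed for illustration; the selectors are the standard 4-byte values for the named functions.

```python
from dataclasses import dataclass

# Selectors are the first 4 bytes of keccak256(signature); standard values.
PRIVILEGED = {
    "f2fde38b": "transferOwnership(address)",
    "3659cfe6": "upgradeTo(address)",
    "4f1ef286": "upgradeToAndCall(address,bytes)",
    "610b5925": "enableModule(address)",
}
APPROVALS = {"095ea7b3": "approve(address,uint256)",
             "a22cb465": "setApprovalForAll(address,bool)"}
TRANSFER = "a9059cbb"  # transfer(address,uint256)
MAX_UINT256 = 2**256 - 1


@dataclass
class SafeTx:
    """Fields of a multisig transaction that decide what actually executes."""
    to: str
    value: int
    data: str       # hex calldata
    operation: int  # 0 = CALL, 1 = DELEGATECALL


def word(raw, i):
    """Return the i-th 32-byte ABI argument after the 4-byte selector."""
    chunk = raw[4 + 32 * i: 36 + 32 * i]
    if len(chunk) != 32:
        raise ValueError("calldata truncated")
    return chunk


def review(tx, allowed_targets, allowed_recipients):
    """Return the reasons this transaction must not be signed as routine."""
    raw = bytes.fromhex(tx.data[2:] if tx.data.startswith("0x") else tx.data)
    findings = []
    if tx.operation == 1:
        findings.append("DELEGATECALL: target code runs against the wallet's own storage")
    if not raw:  # plain native-asset transfer: 'to' is the recipient
        if tx.to.lower() not in allowed_recipients:
            findings.append(f"native transfer to non-allowlisted {tx.to.lower()}")
        return findings
    if tx.to.lower() not in allowed_targets:
        findings.append(f"target contract {tx.to.lower()} is not on the allowlist")
    sel = raw[:4].hex()
    try:
        if sel in PRIVILEGED or sel in APPROVALS:
            who = "0x" + word(raw, 0)[12:].hex()
            kind = "privileged call" if sel in PRIVILEGED else "standing approval"
            name = PRIVILEGED.get(sel) or APPROVALS[sel]
            unlimited = sel == "095ea7b3" and int.from_bytes(word(raw, 1), "big") == MAX_UINT256
            findings.append(f"{kind} {name} -> {who}" + (" (unlimited)" if unlimited else ""))
        elif sel == TRANSFER:
            recipient = "0x" + word(raw, 0)[12:].hex()
            if recipient not in allowed_recipients:
                findings.append(f"transfer recipient {recipient} is not on the allowlist")
        else:
            findings.append(f"selector 0x{sel} is not decoded: signing it is blind signing")
    except ValueError as exc:
        findings.append(f"malformed calldata: {exc}")
    return findings


# Constructed sample values, not real addresses or transactions.
TOKEN, TREASURY, UNKNOWN = ("0x" + b * 20 for b in ("aa", "bb", "cc"))


def calldata(selector, *args):
    return "0x" + selector + "".join(a.rjust(64, "0") for a in args)


ROUTINE = SafeTx(TOKEN, 0, calldata(TRANSFER, TREASURY[2:], "64"), 0)
DISGUISED = SafeTx(UNKNOWN, 0, calldata(TRANSFER, TREASURY[2:], "00"), 1)
```

`ROUTINE` passes with no findings, while `DISGUISED` carries transfer-shaped calldata yet is flagged twice, for the delegatecall operation and for the unlisted target. The check only helps when it runs on a machine that does not share the signing host's front end.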

    For mobile and retail users, the highest-return habits are mundane: never storing a recovery phrase as a screenshot or gallery photo, minimising app permissions so a gallery request in a chat screen looks as wrong as it is, and keeping a low-value wallet for testing unfamiliar applications.

    Attribution and the regulatory tail

    A striking share of the marquee losses trace to one origin, with the FBI tying DMM and Bybit to TraderTraitor, the Lazarus subgroup also tracked as Jade Sleet, UNC4899 and Slow Pisces, and independent analysts reaching the same place on WazirX through KYC-linked deposit addresses and Tornado Cash funding. Attribution at that level rarely comes from the chain alone, because on-chain clustering reveals laundering paths while the device forensics, cloud logs, session artefacts and intelligence correlation are what explain how a transaction became authorized in the first place. The Bybit and DMM reconstructions both hinged on evidence off the chain, the modified JavaScript recovered from cache and S3, the session cookies and the compromised endpoints.

    The regulatory direction follows the same logic toward operational resilience rather than cryptographic novelty. In the EU, DORA pushes harmonized ICT risk controls, third-party risk management and incident reporting across covered financial entities, and MiCA-related standards layer governance expectations onto crypto-asset service providers, and neither prevents a drain by itself. What they pressure is precisely the trust-chain hygiene these cases exposed, the vendor oversight that a compromised Safe developer machine or a Ginco employee should have triggered, and the incident discipline that decides whether stolen funds can be frozen in the minutes that count.

    The through-line from Ledger in 2023 to Bybit in 2025 is consistent enough to plan around. The attackers in these cases did not out-compute the cryptography, they found the seam between what a person believed they were authorising and what the machine in front of them signed, and they kept finding it in developer laptops, package registries, custody front ends and photo galleries. Securing the key was always the easy part, and the industry built excellent tools for it, while the harder problem of guaranteeing that a signature means what the signer thinks it means is the one still being lost.

    Frequently Asked Questions (FAQ)

    How can a wallet be drained if the private key was never stolen?

    The signature is the security boundary. If an attacker alters what the signer sees, substitutes the code that runs before the signature, or abuses a privileged authorisation path already present in the contract, the owner approves the drain themselves. Bybit, Radiant and WazirX all lost funds this way with the keys intact.

    Why didn't a hardware wallet protect the Radiant signers?

    Ledger devices do not render Gnosis Safe transactions in human-readable form, so the signers were blind-signing an opaque payload and trusting the Safe front end to describe it. The compromised developer machines showed legitimate data on screen while relaying a malicious transferOwnership call to the hardware wallets in the background.

    What is blind signing and why is it dangerous?

    Blind signing is approving a transaction the hardware device cannot fully decode for the human, so the operator relies on a separate interface to explain it. When that interface is compromised, as at Bybit, or when an ERC-20 transfer hides token and destination, as at WazirX, the displayed action and the signed action can diverge.

    Does this risk apply to Bitcoin, given it has no token approvals?

    Yes, it relocates rather than disappears. DMM Bitcoin lost $308m after attackers compromised a wallet-software vendor employee, harvested session cookies and manipulated a legitimate transaction request, and mobile campaigns such as SparkCat exfiltrate seed-phrase screenshots directly.

    What reduces the risk?

    Clear signing that renders true transaction semantics, dedicated signing machines that never browse or develop, multisig policy that gates module enablement and upgrades like withdrawals, supply-chain hygiene including revoked external publishing accounts, and never storing a recovery phrase as a photo. Transaction simulation helps against routine drainers but can be desynchronized from the signed payload by a severe host compromise.
