DECODED – Why $1.46B walked out of Bybit & the phishing lesson from Tuscany Lightning Summit in Viareggio

Tuscany Lightning Summit 2026, May 12-13, Viareggio.
What we learned in two days inside Europe’s most technical Layer-2 ecosystem, and why it confirmed exactly what we’ve been saying since day one.

The most secure room in the world is also the most phishable (rounded down)

There was a moment, during our CTO Francesco Baccaro‘s speech, when the room went silent for a few seconds before the applause started: it wasn’t the silence of embarrassment, call it the silence of recognition.

We were talking about phishing to a room full of Bitcoin developers, wallet founders, Layer-2 engineers: the people who design the most paranoid security systems ever conceived (and I got a couple of autographs from them!). Multi-sig, hardware wallets, cold storage, threshold signatures... meaning people who read BIPs to relax.

And we told them, essentially, one thing: your code isn’t what gets you. Your developers are.
So, that silence was the silence of people who already knew.

On Feb 21, 2025, someone stole $1.46 BILLION without writing a single exploit

You all know this one, but let’s walk through it with the right eyes.
Lazarus Group, North Korea, the usual suspects.
Target: Bybit.
Take: roughly 401,000 ETH.
Technique: no buffer overflow, no reentrancy bug, no private key stolen in the conventional sense.

What did they actually do?
They hit a Safe{Wallet} developer (the company that provides Bybit’s multi-sig infrastructure) and they posed as a trusted open-source contributor. They convinced the developer, one of the few with admin privileges, to install a malicious Docker Python project.

From there: AWS session tokens, MFA bypass, and a seemingly innocent JavaScript file in Safe’s S3 bucket swapped for a tampered version. That version showed Bybit’s signers a legitimate-looking transaction in the familiar UI while silently rewriting the multi-sig contract logic underneath.
Bybit’s signers, including CEO Ben Zhou, looked at the screen: they actually saw a correct address and they saw a Safe URL. They signed. Bingo!

They didn’t sign what they thought they were signing.
This is phishing. Genuine phishing, not “advanced hack,” not “0day exploit,” not “advanced persistent threat”: the language vendors love because it makes the problem sound bigger than their solutions.
It’s phishing, folks, dressed up as a supply chain attack, garnished with a little JavaScript injection, but at the root there’s a developer who opened the wrong thing and trusted the wrong person.

The point the crypto world doesn’t want to hear (but we forced them to)

In 2025, wallet drainer losses fell 83%, from $494M to $83.85M.
Total losses: $83.85M across 106,106 victims, down 83% and 68% respectively from 2024.
Round of applause for everyone, someone will say (don’t, please).

Except that number specifically excludes Bybit.
Quick recap in case you were too lazy to read the whole story: the Bybit incident (February, $1.46B), in which Lazarus compromised a Safe{Wallet} developer machine, is 17x the year’s total signature phishing losses.

A single incident worth seventeen times the entire year’s signature phishing combined. When one attack becomes that disproportionate, it stops being statistics and becomes strategy.

Attackers stopped chasing retail with $800-per-victim drainers; the threat is bifurcating: mass phishing for retail users vs sophisticated supply chain and APT attacks for high-value targets.

Translation: you’re either a small fish getting plucked by a fake airdrop, or you’re a big fish being studied for months. There is no middle ground anymore. And if you’re a serious crypto company (exchange, custodian, wallet provider, market maker, fund, you name it) you’re automatically in the second group.
Whether you noticed or not.

Feeling the pain? You have to.

2025 introduced two technical novelties worth your attention.

Permit and Permit2 signatures.
The largest single theft of the year was $6.5M in stETH and aEthWBTC stolen in September via a malicious Permit signature. One signature. One. The user isn’t authorizing a transfer, they’re authorizing the future authorization of transfers. Subtle. Lethal. Permit-based attacks accounted for 38% of losses among incidents exceeding $1 million.

EIP-7702.
After Ethereum’s Pectra upgrade, EIP-7702-based malicious signatures emerged, allowing attackers to exploit account abstraction and bundle multiple harmful actions into a single user signature. Two major cases in August. $2.54M evaporated. The protocol shipped on Tuesday. Attackers were abusing it by Friday.

New ground, same psychological mechanism: convince someone to sign something they’re not actually reading. Sounds obvious. It is. That’s exactly why it works.
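As an added example (not code from the post, from Safe or from Uniswap), here is the check a signer can run on the raw EIP-712 payload before signing, covering the Safe transaction shape behind the Bybit case and the Permit/Permit2 approvals above. The allowlist, thresholds and addresses are assumptions for illustration.

```python
# Added example (not from the post, Safe or Uniswap): inspect the EIP-712 payload
# a wallet is actually being asked to sign, independently of whatever UI renders it.
import time

UINT256_MAX, UINT160_MAX, ONE_YEAR = 2**256 - 1, 2**160 - 1, 365 * 24 * 3600

def _int(x) -> int:
    """EIP-712 JSON carries numbers as ints, decimal strings or 0x-hex strings."""
    return x if isinstance(x, int) else int(str(x), 0)

def _check_approval(findings, spender, amount, expiry, max_amount, trusted, now):
    """Rules shared by ERC-2612 Permit and Permit2: the signature authorises *future* transfers."""
    if str(spender or "").lower() not in trusted:
        findings.append(f"spender {spender} is not on the reviewed allowlist")
    if amount >= max_amount // 2:
        findings.append("allowance is effectively unlimited")
    if expiry - now > ONE_YEAR:
        findings.append("approval stays valid for more than a year")

def assess_typed_data(typed_data: dict, trusted: set[str], now: int = 0) -> list[str]:
    """Return findings for one signing request; an empty list means nothing was flagged.
    `trusted` is a reviewed allowlist (lowercase 0x addresses) of contracts this key may target."""
    now = now or int(time.time())
    msg, ptype, findings = typed_data.get("message", {}), typed_data.get("primaryType"), []
    if ptype == "SafeTx":  # Safe multisig transaction, the contract type behind Bybit's wallet
        if _int(msg.get("operation", 0)) == 1:
            findings.append("operation=1 is DELEGATECALL: the target's code runs with the Safe's own storage")
        if str(msg.get("to", "")).lower() not in trusted:
            findings.append(f"target {msg.get('to')} is not on the reviewed allowlist")
    elif ptype == "Permit":  # ERC-2612 approval-by-signature
        _check_approval(findings, msg.get("spender"), _int(msg["value"]), _int(msg["deadline"]), UINT256_MAX, trusted, now)
    elif ptype in ("PermitSingle", "PermitBatch"):  # Uniswap Permit2
        for d in (msg["details"] if ptype == "PermitBatch" else [msg["details"]]):
            _check_approval(findings, msg.get("spender"), _int(d["amount"]), _int(d["expiration"]), UINT160_MAX, trusted, now)
    else:
        findings.append(f"unfamiliar primaryType {ptype!r}: read the struct before signing")
    return findings

# Constructed sample requests (placeholder addresses, not real contracts).
TRUSTED = {"0x1111111111111111111111111111111111111111"}
SAMPLE_PERMIT = {"primaryType": "Permit", "message": {
    "owner": "0xaaaa", "spender": "0x2222222222222222222222222222222222222222",
    "value": str(UINT256_MAX), "nonce": 0, "deadline": "1893456000"}}
SAMPLE_SAFETX = {"primaryType": "SafeTx", "message": {
    "to": "0x2222222222222222222222222222222222222222", "value": "0", "data": "0x",
    "operation": 1, "safeTxGas": 0, "baseGas": 0, "gasPrice": 0, "nonce": 5}}
if __name__ == "__main__":
    for req in (SAMPLE_PERMIT, SAMPLE_SAFETX):
        print(req["primaryType"], assess_typed_data(req, TRUSTED, now=1_700_000_000))
```

The point is that the findings come from the bytes being signed, so a tampered front end that renders a clean address has no influence on them.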

In Viareggio, we said something uncomfortable

Between coffee breaks and discussions about BOLT 12, we asked a few founders: “When was the last time you tested your team with a realistic social engineering simulation?”

The recurring answers:

  • Oh yes, we do annual training!!!
  • Oh yes, we use [famous commodity vendor, static fluff]. They send fake emails with bad grammar!!!
  • Oh geez, my developers wouldn’t fall for it. They’re too technical!!!

That last one is the most dangerous, ’cause it’s exactly the psychological profile of the Safe{Wallet} developer who opened the fake Docker project. Technical, brilliant, and confident in his own pattern recognition, which is precisely what made him a perfect target.

Modern phishing isn’t the Nigerian prince wire transfer, but:

  • a fake contributor on GitHub pitching a collaboration that flatters you
  • a fake recruiter on LinkedIn offering you your dream role, with a “coding challenge” hosted in a private repo
  • a fake invite to an exclusive event (yes, we thought about this one in Viareggio too)
  • a fake follow-up after a real call, with a PDF “of the slides” that is anything but a PDF
  • a fake security patch in an npm package you’ve used for years

We’ve seen, replicated, and automated every single one of these. They run in our simulation scenarios because they happen now, not because they’re hypothetical.

What WE take away from the Lightning Summit

Three things, nothing more*

One.
The Bitcoin and Layer-2 world has built some of the most robust cryptographic systems in existence. And it often entrusts them to small, distributed teams made of developers who trust other developers. The risk isn’t in the code. It’s in the human trust model wrapped around it.

Two.
The more technical you are, the more vulnerable you are to well-crafted phishing. Because well-crafted phishing doesn’t insult your intelligence, it exploits it. It offers you something you want to be true: a job opportunity, a bug bounty, a collaboration, a quote from a VC who had been ignoring you.

Three.
The crypto industry is finally figuring out, after Bybit, that wallet security starts long before the wallet. It starts in your developers’ inboxes. In your CTO’s Telegram DMs. In your CFO’s Google Meet call with a real-time-generated face.

So what do we do?

We don’t sell fear. We sell rehearsal.
In case you’re reading this and don’t know what Baited does at its core, here it is!

We build social engineering simulations that look like the real attacks, OSINT-driven, context-aware, built on public information your team has been leaving scattered across LinkedIn, GitHub, and conferences (yes, conferences like Tuscany Lightning Summit, where the audience is always photographed and tagged).

We don’t send “Clicc here for wire transfer” emails riddled with typos.
We send the email your CFO will open, because it looks like it came from your real supplier, after a real conversation, about a real project. And if they open it, lucky you, it was us.

The goal isn’t to make anyone feel stupid.
It’s to show your team (in a controlled environment) the exact moment they would have fallen, before they fall for real.
Because the next time $1.46 billion walks out of a cold wallet, it won’t be because someone broke an elliptic curve; it’ll be because someone opened an attachment!

Thanks to Fulgur Ventures for the invite and to all the Layer-2 founders and developers who made time to talk with us between sessions. See you next year, hopefully with no new records set in the meantime.

*ok, I must confess: when Riccardo talked about Viareggio, I was like “OMFG! YEEEESSS!” ’cause it’s a chance for me to get back home – and believe me, at every corner we turned I was telling stories to the boys about this and that. And, before the event started, I went for a short stroll on the beach. AMAZING!
