Simple Fix Could Stop Crypto’s $1.75B Lazarus Multisig Hacks

Source: The solution to crypto’s Lazarus problem could be simpler than expected | protos.com

In the last 18 months, North Korean hacker groups, most notably Lazarus, have exploited a multisig wallet vulnerability to steal over $1.75 billion in crypto, outpacing all other losses in the sector by a wide margin. But a straightforward fix could significantly curb this threat.

What is a Hijacked Multisig?

Multisignature (multisig) wallets increase security by requiring multiple trusted parties to approve transactions. The idea: a single compromised key can’t drain funds on its own.

Lazarus’ method tricks several team members into signing fraudulent transactions disguised as routine operations. Once signed, the hackers “hijack” the multisig wallet, gaining full control over the funds.

Recent notorious hacks using this tactic include:

• The $197 million breach of an Indian crypto exchange in July 2022
• The Radiant Capital DeFi hack in October 2022, where developer devices were infected with malware
• February 2023’s ByBit exploit, involving a compromised Safe {Wallet} user interface

In all cases, attackers leveraged spoofed front-ends presenting legitimate-looking transactions, duping signers into unwittingly approving malicious actions.

Current Defense Efforts

The security community has concentrated on improving transaction visibility and signing clarity-for example, through scripts that simplify verifying multisig transactions on hardware wallets.

One such effort was by Pascal Caversaccio of Security Alliance, who created a Bash script enabling easier checking of transaction hashes before signing, following the Radiant hack.

A New Layer: The “Undo Button” for Multisig

Veteran security researcher Daniel Von Fange, formerly of Origin Protocol, proposes adding a critical extra step after transaction signing but before execution.

The idea:

• Once signers approve a transaction in a multisig wallet (e.g., Gnosis Safe), it is submitted on-chain to a guard contract.
• The transaction becomes publicly visible but cannot execute immediately.
• During a preset delay period, team members have an opportunity to cancel any suspicious or malicious transaction.
• Only after this “cooldown” does the transaction proceed to execution.

This approach adds a second chance to catch hijacked transactions before funds move, effectively acting as a safety net or “undo button.”

Von Fange stresses the urgency for large crypto teams to adopt this workflow swiftly, warning that hackers currently control targeted computers and may attempt further attacks soon.

Why It Matters

• Immediate reduction in multisig hijacking risk
• Minimal additional effort for signers
• Potential to save billions of dollars in lost funds

This simple yet powerful tweak could redefine security processes for multisig wallets, helping the crypto industry overcome one of its biggest security challenges.