In just over 18 months, North Korean hackers, including the notorious Lazarus group, have used the same “hijacked multisig” technique to steal over $1.75 billion worth of crypto, a figure dwarfing all other losses in the sector over the same period.
There may be a solution, however, and it’s simpler than one might think.
A thread posted to X by veteran security researcher Daniel Von Fange, until recently of Origin Protocol, suggests adding a step to the usual multisig workflow.
The change would insert a surprisingly simple sanity check on any approved action, to be ratified between signing and execution.
North Korea hijacking multisigs is now the largest loss category in crypto hacks.
After talking with teams and building three prototypes, I think I know the next security layer in fixing this, and it requires less from signers, not more. 🧵 1/14 pic.twitter.com/0MrfseOXvp
— Daniel Von Fange (@danielvf) August 19, 2025
What’s a hijacked multisig?
Multisig wallets require any transaction to be signed by a certain threshold of trusted addresses. They aim to increase security by ensuring that a single compromised address can’t cause outsized damage on its own.
However, Lazarus’ preferred attack vector relies on tricking multiple members of a crypto company’s team into signing malicious transactions disguised as normal operational actions.
The signatures then “hijack” the team’s multisig wallet, granting the hackers free rein over the funds contained within.
Compromised multisigs have led to truly staggering losses over the past year or so. First, Indian crypto exchange WazirX was drained of $230 million worth of assets in July last year.
Three months later, DeFi protocol Radiant Capital was hit for $50 million.
Finally, the largest heist in history saw ByBit lose $1.5 billion to Lazarus-linked hackers in February of this year.
The signers can be duped into signing over control of the multisig via spoofed front-ends, which present perfectly normal-looking transactions. In the Radiant case, developer devices were infected with malware, while preparation for the ByBit hack involved compromising the Safe{Wallet} UI separately.
How to solve the Lazarus problem
So far, the security community has been focused on workflow discipline and improving the readability of transaction data on hardware devices, such as the script written by Security Alliance’s Pascal Caversaccio in the wake of the Radiant hack.
In light of the recent incident at Radiant and the clear challenges of verifying multisig transactions on a Ledger device, I’ve built a simple Bash script designed to simplify the process. This script generates the domain, message, and Safe transaction hashes, making it easier to… pic.twitter.com/Xg1AiYDW0j
— sudo rm -rf --no-preserve-root / (@pcaversaccio) October 21, 2024
Von Fange highlights the immediacy of the hijacking attack vector, stating “when the signatures land on chain from the attacker, the game is over and that’s when you find out. Some could have been collected weeks or months ago.”
Consulting with other researchers from Optimism, Security Alliance and Origin Protocol, he suggests adding what amounts to an “undo button” which allows teams a second chance to revert any malicious transaction before it takes effect.
He urges “a few large teams that need the protection badly enough” to try out such a workflow in order to prove its effectiveness.
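To make the shape of such a workflow concrete, here is an added toy model of a multisig whose fully-signed actions are queued rather than executed, with an automatic sanity check on the decoded transaction and a veto window before execution. It is an illustration written for this article, not Von Fange’s prototype and not a feature of any particular wallet; the delay length, the allowlist of expected targets, the single-owner veto and the owner names are all assumptions.

```python
# Added example: toy multisig with a ratification window between signing and
# execution. The delay, target allowlist and single-owner veto are assumptions
# for illustration only, not Von Fange's prototype or any wallet's feature.
from dataclasses import dataclass, field

CALL, DELEGATECALL = 0, 1  # Safe's "operation" encoding, reused for the sample


@dataclass(frozen=True)
class Tx:
    to: str
    value: int
    operation: int
    data: bytes = b""


@dataclass
class Pending:
    tx: Tx
    signers: frozenset
    ready_at: int           # earliest execution time (unix seconds)
    flags: list             # output of the automatic sanity check
    ratified_by: set = field(default_factory=set)
    cancelled_by: str = ""
    executed: bool = False


class GuardedMultisig:
    def __init__(self, owners, threshold, delay, allowed_targets):
        self.owners = frozenset(owners)
        self.threshold = threshold
        self.delay = delay
        self.allowed_targets = frozenset(a.lower() for a in allowed_targets)
        self.queue = []

    def sanity_flags(self, tx):
        """Cheap checks on the decoded transaction, independent of what any UI showed."""
        flags = []
        if tx.operation != CALL:
            flags.append("delegatecall")
        if tx.to.lower() not in self.allowed_targets:
            flags.append("unknown target")
        return flags

    def submit(self, tx, signers, now):
        """Threshold met: queue the action for later instead of executing it now."""
        signers = frozenset(signers)
        if not signers <= self.owners:
            raise ValueError("signature from non-owner")
        if len(signers) < self.threshold:
            raise ValueError("threshold not met")
        self.queue.append(Pending(tx, signers, now + self.delay, self.sanity_flags(tx)))
        return len(self.queue) - 1

    def cancel(self, idx, owner):
        """The undo button: any single owner can veto while the action is pending."""
        p = self.queue[idx]
        if owner not in self.owners or p.executed:
            return False
        p.cancelled_by = owner
        return True

    def ratify(self, idx, owner):
        """An owner explicitly acknowledges a flagged action after reviewing the flags."""
        p = self.queue[idx]
        if owner in self.owners and not p.cancelled_by:
            p.ratified_by.add(owner)

    def execute(self, idx, now):
        p = self.queue[idx]
        if p.cancelled_by:
            raise PermissionError(f"cancelled by {p.cancelled_by}")
        if now < p.ready_at:
            raise PermissionError("window still open")
        if p.flags and not p.ratified_by:
            raise PermissionError(f"flagged {p.flags}, no ratification")
        p.executed = True
        return True


def demo():
    """Constructed scenario: a routine payout and a signed action that looks like a hijack."""
    token = "0x" + "11" * 20  # placeholder address of an expected target
    safe = GuardedMultisig(owners={"alice", "bob", "carol"}, threshold=2,
                           delay=24 * 3600, allowed_targets={token})
    t0 = 1_700_000_000
    payout = Tx(to=token, value=0, operation=CALL, data=b"transfer(...)")
    hijack = Tx(to="0x" + "99" * 20, value=0, operation=DELEGATECALL)
    i_pay = safe.submit(payout, {"alice", "bob"}, t0)
    i_hij = safe.submit(hijack, {"alice", "bob"}, t0)   # both signers saw a spoofed UI
    safe.cancel(i_hij, "carol")                         # third owner reviews the queue, hits undo
    results = {"payout_flags": safe.queue[i_pay].flags,
               "hijack_flags": safe.queue[i_hij].flags,
               "payout_executed": safe.execute(i_pay, t0 + safe.delay)}
    try:
        safe.execute(i_hij, t0 + safe.delay)
    except PermissionError as e:
        results["hijack_result"] = str(e)
    return results


if __name__ == "__main__":
    print(demo())
```

The design choice that matters is where the check runs: `sanity_flags` looks at the transaction the signatures actually authorise, so a front-end that showed something else cannot hide the flags, and the window gives any owner who did not sign a chance to act before the signatures land on chain.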
“Clever, evil, people are at this moment controlling projects’ computers, getting ready to try this again,” he says.
“We can save a billion dollars.”