Bybit Blocks 1B+ DOT in Fake Deposits, Attackers Discover 'Verify Everything' Isn't Just a Catchphrase
Bybit's Group Risk Control team detected and blocked a coordinated wave of fake deposit attacks across multiple blockchain networks, stopping more than 1 billion DOT in potential losses before any funds were incorrectly credited. The attacks were neutralized in real time, with no users affected and no assets mistakenly added to accounts. Apparently, the attackers missed the memo that you can't just print money by asking nicely—or through cleverly structured transactions.
The incidents exploited techniques designed to fool exchange deposit scanners into treating nonexistent or unconfirmed transfers as legitimate deposits. Attackers attempted to make transactions appear legitimate at the system level even when no actual net balance increase occurred. Think of it as trying to return a rental car you never picked up—technically you've got a receipt somewhere, but good luck driving.
Some attempts relied on batch transaction structures, where multiple transfers are bundled into one operation. In one case, a large transfer was set up to fail while smaller transfers inside the same batch succeeded. This structure could create confusion for systems that only check overall transaction status rather than examining each component separately. It's the blockchain equivalent of hiding vegetables in your kid's pasta—you think you're being clever, but someone's checking the plate.
Other attackers used multi-step transaction flows combined with ownership changes to simulate incoming funds without producing a real balance increase. This is basically the Web3 version of those emails promising you've won the Nigerian lottery, except with more gas fees and fewer grammatically questionable promises.
Bybit's deposit monitoring framework employs layered validation that scans full on-chain data, filters transactions against deposit addresses and related account structures, and validates each transaction down to its atomic components. The approach includes inner transaction verification, batch decomposition, transfer method recognition, ownership-aware tracking for account-based chains such as Solana, and balance-based validation to confirm real asset movement. Translation: they actually check the receipts.
Suspicious activity is scored for severity based on structure, complexity, and possible financial impact, with real-time alerts triggering internal review. The attackers apparently forgot that scoring high on "financial impact" is not the flex they thought it was.
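The batch case and the layered checks described above can be sketched in a few lines. This is an added example, not Bybit's code: the record layout, field names, addresses and amounts are all constructed, and it assumes the balance snapshots bracket this one transaction with no other activity on the address.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    dest: str
    amount: int
    ok: bool            # per-item result, independent of the batch-level status

@dataclass(frozen=True)
class BatchTx:
    tx_id: str
    batch_ok: bool      # overall status reported for the whole batch
    items: tuple        # inner transfers, in execution order

def naive_credit(tx, deposit_addrs):
    """Weak scanner: trusts the batch-level status and sums every listed transfer."""
    credits = {}
    if tx.batch_ok:
        for t in tx.items:
            if t.dest in deposit_addrs:
                credits[t.dest] = credits.get(t.dest, 0) + t.amount
    return credits

def validated_credit(tx, deposit_addrs, bal_before, bal_after):
    """Decompose the batch, count only items that executed, and credit an
    address only if its observed balance delta equals the summed amount."""
    claimed, alerts = {}, []
    for t in tx.items:
        if t.dest not in deposit_addrs:
            continue
        if t.ok:
            claimed[t.dest] = claimed.get(t.dest, 0) + t.amount
        else:   # a failed transfer aimed at a deposit address is itself a signal
            alerts.append(("failed_item", tx.tx_id, t.dest, t.amount))
    credits = {}
    for addr, amount in claimed.items():
        delta = bal_after.get(addr, 0) - bal_before.get(addr, 0)
        if delta == amount:
            credits[addr] = amount
        else:
            alerts.append(("balance_mismatch", tx.tx_id, addr, amount, delta))
    return credits, alerts

# Constructed sample: one large transfer that fails, two small ones that succeed.
DEPOSIT_ADDRS = {"dep_A"}
SAMPLE = BatchTx("tx-constructed-1", True, (
    Transfer("dep_A", 1_000_000_000, False),
    Transfer("dep_A", 1, True), Transfer("dep_A", 2, True)))
BEFORE, AFTER = {"dep_A": 100}, {"dep_A": 103}
```

On the sample, `naive_credit` would credit the full listed amount, while `validated_credit` credits only the 3 units that actually arrived and raises an alert for the failed item.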