The wallet that assembled the transaction is a web wallet. Months ago, the web wallet's host, Amazon S3, was breached and a single JavaScript file was slightly modified from the original source code, which is available for everybody to see. The modification changes the recipient ONLY when ByBit's cold wallet is being used.

ByBit then took the assembled version with the malicious code and signed with all their multisig cold signers without verifying that the receiving address has been changed to the attacker.