Safe{Wallet} Under Fire: Forensic Investigation Reveals Source of $1.4B Bybit Hack
A forensic investigation into the Bybit hack revealed that attackers exploited a Safe{Wallet} developer machine to insert malicious code, deceiving Bybit’s cold wallet.
The Bybit hack has been traced back to a compromised Safe{Wallet} developer machine, not a breach within Bybit.
Hackers inserted malicious JavaScript into Safe{Wallet}'s app, lying dormant until a Bybit transaction triggered the exploit.
Safe{Wallet} has since rebuilt its infrastructure and resumed operations with a phased rollout.
Bybit CEO Ben Zhou shared the initial findings of the investigation into the $1.4 billion Bybit hack, revealing how attackers infiltrated the exchange’s security layers. Reports from cybersecurity firms Sygnia Labs and Verichains suggest that the attack originated from Safe{Wallet}’s compromised infrastructure, rather than from any breach within Bybit itself.
According to the report, the hackers gained unauthorized access to a Safe developer’s credentials and used them to insert malicious JavaScript into Safe{Wallet}’s app, effectively deceiving Bybit’s Ethereum Multisig Cold Wallet. Notably, they embedded this harmful code in the app.safe.global website on February 19, 2025, at 15:29:25 UTC. The malicious script remained dormant until Bybit conducted a routine transaction on February 21, at 14:13:35 UTC, which triggered the exploit.
Signers approving the transaction saw a legitimate contract address displayed, but in the background the JavaScript altered the submission so that funds were directed to the hacker-controlled wallet instead. This points to a sophisticated, well-planned operation, with investigators attributing it to the infamous North Korean-linked Lazarus Group.
Safe{Wallet} Responds
The revelation that the hack originated in Safe{Wallet}’s infrastructure has sparked debate across the crypto community. Some users sarcastically questioned whether Safe should rebrand as “Unsafe,” while others called for stronger security measures in transaction verification.
In response, Safe{Wallet} issued a public statement clarifying that its smart contracts and front-end services remained uncompromised. They explained that the attack started from a compromised developer machine that allowed hackers to insert disguised malicious transactions.
According to Safe{Wallet}’s post, it has since rebuilt and reconfigured its entire infrastructure, implementing enhanced security measures. The platform has resumed operations on the Ethereum mainnet, albeit with a phased rollout. A full post-mortem report is expected once investigations conclude.
Bybit Shows Resilience
Despite suffering one of the largest cryptocurrency hacks in history, Bybit has shown resilience by quickly restoring the stolen $1.4 billion in Ether. The exchange has launched an aggressive counteroffensive against the hackers. With the stolen funds already distributed across over 11,000 cryptocurrency wallets, it aims to trace and retrieve the stolen cryptocurrency.
Bybit has introduced a wallet blacklist API to prevent transactions from flagged addresses and has enlisted Web3 security firm ZeroShadow to track the stolen funds. The exchange also announced a bounty program, offering up to $140 million for information leading to the freezing or recovery of stolen assets.
With a background in finance and a passion for innovation, Anisha has been covering the ever-evolving world of crypto for over four years. Her deep understanding of the crypto market has made her a trusted source for analysis and news. Whether it's dissecting the latest trends or decoding whitepapers, Anisha is dedicated to bringing clarity to the world of digital assets.