$1.4 Billion Crypto Heist Traced To Hackers Breaching Safe{Wallet}

The cryptocurrency world was left reeling last week after hackers stole an astonishing $1.4 billion from Bybit, a leading digital exchange. The cyberattack, attributed to the notorious North Korean hacking group Lazarus, exposed a shocking vulnerability in Safe{Wallet}, a provider of secure cryptocurrency wallets used by Bybit and other major exchanges.

The hackers pulled off the daring heist by infiltrating Safe{Wallet}'s systems, using a compromised developer's credentials to gain unauthorized access. Once inside, they injected malicious JavaScript code into the system, allowing them to manipulate transactions and deceive signers into approving fraudulent transfers.

How Did the Hack Happen?

The investigation, led by two cybersecurity firms hired by Bybit, revealed that the attackers compromised a Safe{Wallet} developer's machine, which was linked to an account operated by Bybit. The hackers then injected malicious JavaScript code into the system, modifying critical transaction functions and redirecting funds to addresses of their choosing.

According to forensic reports from Verichains, a financial security firm, the malicious code was designed to activate only when certain conditions were met, so that it went unnoticed by regular users while compromising high-value targets. The payload also included a backdoor that allowed the attackers to remove the malicious code from Safe{Wallet}'s system after the cryptocurrency had been stolen.

The Investigation Reveals Key Insights

Forensic analysis of computers used by the Bybit employees who signed the fraudulent transaction revealed traces of the hack. A closer look at Chrome browser cache files showed that the malicious JavaScript code had been served from Safe{Wallet}'s infrastructure via the app.safe.global domain.

The investigation also found that the hackers carried out the attack on Tuesday and Wednesday, around two minutes after modifying the JavaScript resources in an AWS S3 bucket. Bybit says it moved most of its funds out of Safe{Wallet}-administered addresses on the day of the hack and has received a large loan to help recover from the loss.

Safe{Wallet} Responds to the Attack

The cryptocurrency wallet provider has taken swift action to contain the attack, rebuilding and reconfiguring its infrastructure and rotating all credentials. According to Safe{Wallet}, there were no vulnerabilities in its smart contracts or source code, and external security researchers did not identify any weaknesses in its systems.

Bybit's CEO, Ben Zhou, has announced a $140 million bounty to help trace and freeze the stolen funds, which are currently linked to the North Korean hacking group Lazarus. As the cryptocurrency world continues to grapple with this devastating breach, Bybit and Safe{Wallet} remain committed to securing their users' assets and preventing similar attacks in the future.