# SafeWallet Releases Bybit Hack Post-Mortem Report
The SafeWallet team has released a post-mortem report detailing the cybersecurity exploit that led to the $1.4 billion hack against Bybit in February. The report, which provides a comprehensive analysis of the attack, highlights the importance of continued improvements to user experience and user interfaces to combat similar future threats.
## A Sophisticated Attack
According to a forensic analysis conducted by SafeWallet and cybersecurity firm Mandiant, the hacking group hijacked a Safe developer's Amazon Web Services (AWS) session tokens to bypass the multifactor authentication security measures put in place by the firm. The AWS settings required team members to reauthenticate their AWS session tokens every 12 hours, which prompted the hacking group to attempt a breach by registering a multifactor authentication (MFA) device.
## The Hackers' Methodology
Following several failed attempts at registering an MFA device, the threat actors compromised a developer's macOS system, likely through malware installed on the system. Once they gained access, they used the AWS session tokens while the developer's sessions were active. This allowed them to work within the Amazon Web Services environment to set up the attack.
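As an added example (not code from the SafeWallet or Mandiant report), the Python below shows how a defender could look for the two signals described above in CloudTrail-style records: repeated failed MFA device registrations, and one temporary session key used from more than one origin. The records, ARN, key ID and IP addresses are constructed, and the threshold is an assumption.

```python
from collections import defaultdict

# IAM API calls that register an MFA device
MFA_EVENTS = {"CreateVirtualMFADevice", "EnableMFADevice"}

# Constructed values: example account ID, made-up key ID, documentation IP ranges.
DEV_ARN = "arn:aws:sts::111122223333:assumed-role/Developer/dev-a"
KEY = "ASIAEXAMPLEKEY000001"

def rec(time, source, name, ip, agent, error=None):
    """Build one CloudTrail-shaped record using CloudTrail field names."""
    r = {"eventTime": time, "eventSource": source, "eventName": name,
         "sourceIPAddress": ip, "userAgent": agent,
         "userIdentity": {"arn": DEV_ARN, "accessKeyId": KEY}}
    if error:
        r["errorCode"] = error
    return r

SAMPLE = [  # constructed log records, not taken from the report
    rec("2025-01-01T09:00:00Z", "s3.amazonaws.com", "GetObject", "198.51.100.10", "aws-cli/2.15"),
    rec("2025-01-01T09:05:00Z", "iam.amazonaws.com", "EnableMFADevice", "203.0.113.7", "Boto3/1.34", "AccessDenied"),
    rec("2025-01-01T09:06:00Z", "iam.amazonaws.com", "EnableMFADevice", "203.0.113.7", "Boto3/1.34", "AccessDenied"),
    rec("2025-01-01T09:30:00Z", "s3.amazonaws.com", "ListBuckets", "203.0.113.7", "Boto3/1.34"),
]

def failed_mfa_registrations(records, threshold=2):
    """Return {principal ARN: count} for principals with repeated failed MFA registrations."""
    counts = defaultdict(int)
    for r in records:
        if (r.get("eventSource") == "iam.amazonaws.com"
                and r.get("eventName") in MFA_EVENTS and r.get("errorCode")):
            counts[r["userIdentity"]["arn"]] += 1
    return {arn: n for arn, n in counts.items() if n >= threshold}

def shared_session_keys(records):
    """Return temporary keys (ASIA prefix) seen from more than one (IP, user agent) origin."""
    origins = defaultdict(set)
    for r in records:
        key = r.get("userIdentity", {}).get("accessKeyId", "")
        if key.startswith("ASIA"):  # ASIA marks temporary STS credentials
            origins[key].add((r.get("sourceIPAddress", ""), r.get("userAgent", "")))
    return {k: sorted(v) for k, v in origins.items() if len(v) > 1}

if __name__ == "__main__":
    print(failed_mfa_registrations(SAMPLE))
    print(shared_session_keys(SAMPLE))
```
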
## The Attack Timeline
Here is a detailed timeline of the Safe developer security exploit:
* The hacking group registers an MFA device to bypass multifactor authentication
* Multiple failed attempts at registering the MFA device
* Compromise of the developer's macOS system through malware installation
* Use of AWS session tokens to gain access to the environment
* Setup of the attack within the Amazon Web Services environment
## State-Sponsored Hackers
Mandiant's forensic analysis also confirmed that the hackers were North Korean state actors who took 19 days to prepare and execute the attack. This highlights the growing threat of state-sponsored hacking in the cryptocurrency space.
## Impact on Safe and Bybit
The cybersecurity exploit did not affect Safe's smart contracts, but the company has since put additional safeguards in place following what was the biggest hack in crypto history. Bybit, on the other hand, suffered a massive loss of $1.4 billion due to the hack.
## Laundering Funds
The US Federal Bureau of Investigation (FBI) published an online alert asking node operators to block transactions from wallet addresses linked to the North Korean hackers, saying the stolen funds would be laundered and converted to fiat currency.
Since that time, the Bybit hackers have laundered 100% of the stolen crypto, comprising nearly 500,000 Ether-related tokens, in only 10 days. On March 4, Bybit CEO Ben Zhou said that around 77% of the funds, valued at roughly $1.07 billion, are still traceable onchain, while approximately $280 million have gone dark.
## Still Tracing Funds
However, Deddy Lavid, CEO of the Cyvers cybersecurity firm, said that cybersecurity teams may still be able to trace and freeze some of the stolen funds. This highlights the ongoing importance of monitoring cryptocurrency transactions for suspicious activity.
The latest update from SafeWallet underscores the need for continued vigilance in the cryptocurrency space. As hackers become increasingly sophisticated, it is essential to stay ahead of their tactics and improve our defenses against cyber threats.