Bybit Forensic Investigation Determines $1,480,000,000 Hack Stemmed From Vulnerability in Safe Wallet

An investigation into the recent Bybit hack has revealed a shocking truth: the attackers most likely exploited a vulnerability in Safe, the multisig wallet infrastructure used by Bybit. The massive heist, in which hackers linked to North Korea's Lazarus Group stole $1.48 billion from Bybit's Ethereum (ETH) wallet, was a wake-up call for the entire cryptocurrency industry.

Late last week, news broke of the largest heist in history, with Bybit's ETH wallet being hit hard. The attack is believed to have been carried out by Lazarus Group, which is known for its malicious activities. Now, after an investigation by finance security firm Verichains and cybersecurity consultants Sygnia, Bybit CEO Ben Zhou has revealed that the hackers compromised the exchange's ETH wallet through Safe itself, by gaining access to Safe's Amazon Web Services (AWS) bucket and altering the wallet's hosted front end.

"The benign JavaScript file of app.safe.global appears to have been replaced with malicious code on February 19, 2025, at 15:29:25 UTC, specifically targeting the Ethereum Multisig Cold Wallet of Bybit. The attack was designed to activate during the next Bybit transaction, which occurred on February 21, 2025, at 14:13:35 UTC...

According to the investigation results from the machines of Bybit's Signers and the cached malicious JavaScript payload found on the Wayback Archive, it is strongly concluded that the AWS S3 or CloudFront account/API Key of Safe.Global was likely leaked or compromised." This finding highlights the severity of the vulnerability exploited by the hackers.
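The finding above is that a hosted wallet bundle was silently swapped and the substitution was only confirmed later from an archived copy. The added example below (not code from Bybit, Safe or the investigators) shows the kind of independent integrity monitor a defender can run against served front-end assets: pin the SHA-256 of each published bundle, re-fetch what the CDN actually serves, and alert on any mismatch. The asset path, the JavaScript contents and the baseline hashes are constructed stand-ins.

```python
import base64
import hashlib
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a served asset body, used as the pinned fingerprint."""
    return hashlib.sha256(data).hexdigest()


def sri_token(data: bytes) -> str:
    """Subresource Integrity token (sha384-<base64>) for a <script integrity="..."> tag.
    Note: SRI only helps if the HTML carrying the tag is NOT served from the same
    writable origin as the bundle; otherwise an attacker rewrites both."""
    return "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode()


def check_assets(baseline: Dict[str, str], served: Dict[str, bytes]) -> List[str]:
    """Compare what the CDN served against the pinned release manifest.

    `baseline` maps asset path -> expected SHA-256 hex and must be stored outside the
    hosting account (a leaked S3/CloudFront key must not be able to rewrite it).
    `served` maps asset path -> bytes fetched from an independent vantage point.
    Returns one alert string per modified, missing or unexpected asset; empty if clean.
    """
    alerts: List[str] = []
    for path, expected in baseline.items():
        body = served.get(path)
        if body is None:
            alerts.append(f"MISSING {path}")
            continue
        actual = sha256_hex(body)
        if actual != expected:
            alerts.append(f"MODIFIED {path}: expected {expected[:16]}... got {actual[:16]}...")
    for path in served.keys() - baseline.keys():
        alerts.append(f"UNEXPECTED {path}")  # a new bundle nobody released
    return alerts


# Constructed sample data (hypothetical path and contents, not the real Safe bundle).
ASSET = "/static/app.js"
BENIGN_JS = b"// constructed stand-in for the legitimate wallet bundle\nexport function buildTx(t){return t;}\n"
TAMPERED_JS = b"// constructed stand-in for a bundle with an injected change\nexport function buildTx(t){return swap(t);}\n"
BASELINE = {ASSET: sha256_hex(BENIGN_JS)}      # pinned at release time
SERVED_BENIGN = {ASSET: BENIGN_JS}             # what a clean CDN fetch returns
SERVED_TAMPERED = {ASSET: TAMPERED_JS}         # what a swapped bundle returns

if __name__ == "__main__":
    print("clean fetch   :", check_assets(BASELINE, SERVED_BENIGN))
    print("tampered fetch:", check_assets(BASELINE, SERVED_TAMPERED))
    print("SRI for release:", sri_token(BENIGN_JS))
```

Run the check on a schedule from infrastructure the hosting credentials cannot reach, and treat any non-empty result as a signing freeze until the bundle is re-verified.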

In a statement, Safe also confirmed the on-chain investigators' findings. "The forensic review into the targeted attack by the Lazarus Group on Bybit concluded that this attack targeting the Bybit Safe was achieved through a compromised Safe{Wallet} developer machine, resulting in the proposal of a disguised malicious transaction...

Following the recent incident, the Safe{Wallet} team conducted a thorough investigation and has now restored Safe{Wallet} on Ethereum mainnet with a phased rollout. The Safe{Wallet} team has fully rebuilt and reconfigured all infrastructure and rotated all credentials, ensuring the attack vector is fully eliminated.

The Safe{Wallet} team will release a more in-depth post-mortem report on the attack in the near future. Just days after the hack, Bybit CEO Ben Zhou said the exchange had restored a 1:1 backing on all client assets after the record-setting hack. His claims were echoed in a proof-of-reserves audit report published by blockchain security auditor Hacken on Sunday.

A New Era of Security

"The Hacken team's Proof of Reserves audit, conducted on Sunday, February 23, 2025, demonstrates that Bybit maintains an in-scope reserve ratio of > 100%. This finding signifies that Bybit possesses sufficient reserves to cover its in-scope liabilities, thereby bolstering trust and confidence among its users and stakeholders."

The recent Bybit hack serves as a wake-up call for the cryptocurrency industry. It highlights the importance of robust security measures, including protection of the infrastructure credentials and hosted front ends that signers depend on, and of regular audits to prevent such attacks. As the industry continues to evolve, it is crucial that exchanges and wallets prioritize security and transparency.
