Forensic Report Links Bybit’s $1.48B Loss to Safe Wallet Security Flaw

According to a recent investigation into the Bybit incident, hackers took advantage of a security hole in Safe, the exchange’s cryptocurrency wallet. In what is now regarded as one of the biggest cryptocurrency heists in history, hackers affiliated with North Korea’s Lazarus Group stole $1.48 billion in Ethereum (ETH) from Bybit’s wallet late last week.

After a combined investigation by cybersecurity specialists Sygnia and financial security firm Verichains, Bybit CEO Ben Zhou revealed that Lazarus most likely gained access to Bybit’s Ethereum wallet via breaking into Safe’s Amazon Web Services (AWS) infrastructure.

“The benign Javascript file of app.safe.global appears to have been replaced with malicious code on February 19, 2025, at 15:29:25 UTC, specifically targeting Ethereum Multisig Cold Wallet of Bybit. The attack was designed to activate during the next Bybit transaction, which occurred on February 21, 2025, at 14:13:35 UTC…” Zhou explained.

The investigation suggests that hackers gained access to Safe.Global’s AWS S3 or CloudFront account, enabling them to inject malicious code.

Safe Wallet Responds to Security Breach

Safe acknowledged the findings and confirmed that Lazarus Group targeted Bybit through a compromised Safe{Wallet} developer machine.

“The forensic review into the targeted attack by the Lazarus Group on Bybit concluded that this attack targeted to the Bybit Safe was achieved through a compromised Safe{Wallet} developer machine resulting in the proposal of a disguised malicious transaction… Following the recent incident, the Safe{Wallet} team conducted a thorough investigation and have now restored Safe{Wallet} on Ethereum mainnet with a phased rollout.”

Since then, Safe has redesigned its architecture, changing credentials and resetting systems to stop such attacks. The business intends to publish a thorough report outlining the hack.

Zhou reassured users that Bybit had restored a 1:1 asset backup in spite of the big attack. The exchange has reserves more than 100% of its obligations, according to a proof-of-reserves audit conducted by blockchain security company Hacken.

“The Hacken team’s Proof of Reserves audit, conducted on Sunday, February 23, 2025, demonstrates that Bybit maintains an in-scope reserve ratio of > 100%,” the report stated.