Crypto Morale – 24/7 Cryptocurrency & Blockchain News

The Bybit Breach: How Hackers Exploited a SafeWallet Vulnerability to Steal $1.4 Billion

TLDR

  • Bybit’s $1.4 billion hack was traced to the compromised credentials of a SafeWallet developer, not to a flaw in Bybit’s own systems
  • Forensic investigations by Sygnia and Verichains found malicious JavaScript injected into a SafeWallet front-end resource hosted in an AWS S3 bucket
  • North Korea’s Lazarus Group was identified as the perpetrator of the attack
  • The attack occurred on February 21, 2025, targeting liquid-staked Ether
  • SafeWallet has rebuilt and reconfigured its infrastructure to eliminate the attack vector

Cryptocurrency exchange Bybit lost over $1.4 billion worth of liquid-staked Ether in a security breach on February 21, 2025, making it the largest crypto hack in history.

According to the forensic investigations, the attack was carried out by North Korea’s Lazarus Group, who compromised SafeWallet’s infrastructure rather than Bybit’s systems.

Multiple forensic teams, including cybersecurity firms Sygnia and Verichains, investigated the hack. Their findings revealed that the credentials of a SafeWallet developer were compromised, giving the attackers unauthorized access to SafeWallet’s infrastructure. From there they tampered with the wallet front end that Bybit’s signers loaded in their browsers, so that the signers approved a malicious transaction while believing they were approving a legitimate one.

Bybit Hack Forensics Report

As promised, here are the preliminary reports of the hack conducted by @sygnia_labs and @Verichains

Screenshotted the conclusion and here is the link to the full report: https://t.co/3hcqkXLN5U

— Ben Zhou (@benbybit) February 26, 2025

The investigation identified that malicious JavaScript code had been injected into a resource in SafeWallet’s Amazon Web Services (AWS) S3 bucket. According to Sygnia’s report, the code was added on February 19, 2025, two days before the unauthorized transaction was signed, which is why versioning history and archive snapshots of that file became key evidence.

The code was designed to activate only when a transaction originated from specific contract addresses, including Bybit’s multisig contract; for every other SafeWallet user the injected code stayed dormant, which kept the modification from being noticed before the targeted transaction.

Analysis of Chrome browser cache files from the three signers’ systems confirmed the presence of the compromised JavaScript resource at the time of the transaction. This provided clear evidence of how the attack was executed through SafeWallet’s systems without compromising Bybit’s own infrastructure.

Forensic experts discovered that approximately two minutes after the fraudulent transaction was executed, new versions of the affected JavaScript files were uploaded to SafeWallet’s AWS S3 bucket, removing the injected code. A revert that fast points to the attackers cleaning up to hide evidence of the unauthorized modification, and it also means that anyone inspecting the live file after the fact would have seen clean code.

Web archives captured two snapshots of SafeWallet’s JavaScript resources on February 19, 2025. The first snapshot showed the original, unaltered version, while the second snapshot contained the malicious code, further supporting the conclusion that the attack originated from within SafeWallet’s AWS infrastructure.
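The evidence in the paragraphs above comes from three independent sources (S3 object versions, web-archive snapshots and the signers’ browser caches), and the forensic question is whether they agree that a non-baseline file was being served at the moment of signing and was reverted shortly afterwards. The script below is an added example written for this page, not code from Sygnia, Verichains, Safe or Bybit; it correlates such observations into a timeline. Every observation, timestamp and content hash in it is constructed for illustration (the hash strings are placeholders, not real digests, and the five-minute "fast revert" threshold is an assumption).

```python
"""Correlate S3 version history, web-archive snapshots and browser-cache
entries for one JavaScript resource against the time a transaction was signed.

Constructed example: all timestamps, hashes and the revert threshold are
illustrative assumptions, not values from the published reports.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Observation:
    source: str      # "s3-version", "web-archive" or "browser-cache"
    when: datetime   # UTC time of the object version / snapshot / cache entry
    sha256: str      # content hash of the resource as seen by that source


def utc(s: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' as a UTC timestamp."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed evidence set (placeholder hashes, illustrative times).
BASELINE = "sha256:good-build"
TAMPERED = "sha256:injected-build"

OBSERVATIONS: List[Observation] = [
    Observation("s3-version",    utc("2025-02-19 15:00"), BASELINE),
    Observation("web-archive",   utc("2025-02-19 15:05"), BASELINE),
    Observation("s3-version",    utc("2025-02-19 15:30"), TAMPERED),  # injected version uploaded
    Observation("web-archive",   utc("2025-02-19 15:40"), TAMPERED),  # second archive snapshot
    Observation("browser-cache", utc("2025-02-21 14:10"), TAMPERED),  # signer's cached copy
    Observation("s3-version",    utc("2025-02-21 14:15"), BASELINE),  # clean version re-uploaded
]
SIGNING_TIME = utc("2025-02-21 14:13")  # constructed, not the real signing time

Window = Tuple[datetime, Optional[datetime], str]


def served_windows(observations: List[Observation]) -> List[Window]:
    """Reconstruct what the bucket served over time from S3 object-version events.

    Each window is (start, end, sha256); end is None for the version still live.
    Only version events change what is served; the other sources corroborate.
    """
    versions = sorted((o for o in observations if o.source == "s3-version"),
                      key=lambda o: o.when)
    windows: List[Window] = []
    for i, v in enumerate(versions):
        end = versions[i + 1].when if i + 1 < len(versions) else None
        windows.append((v.when, end, v.sha256))
    return windows


def window_at(windows: List[Window], t: datetime) -> Optional[Window]:
    """Return the version window that covers time t, if any."""
    for start, end, h in windows:
        if start <= t and (end is None or t < end):
            return (start, end, h)
    return None


def corroborated_by(observations: List[Observation], source: str,
                    window: Window) -> List[Observation]:
    """Observations from an independent source that fall inside the window
    and saw the same content hash the bucket was serving."""
    start, end, h = window
    return [o for o in observations
            if o.source == source and o.sha256 == h
            and start <= o.when and (end is None or o.when < end)]


def analyse(observations: List[Observation], signing_time: datetime,
            baseline: str, revert_limit: timedelta = timedelta(minutes=5)) -> Dict:
    """Answer: was a non-baseline file served at signing time, how long had it
    been there, was it reverted soon after, and do other sources agree?"""
    w = window_at(served_windows(observations), signing_time)
    if w is None:
        return {"served_at_signing": None, "tampered": False}
    start, end, h = w
    tampered = h != baseline
    reverted_after = None
    if tampered and end is not None and end >= signing_time:
        reverted_after = end - signing_time
    return {
        "served_at_signing": h,
        "tampered": tampered,
        "tamper_started": start if tampered else None,
        "lead_time": (signing_time - start) if tampered else None,
        "reverted_after": reverted_after,
        "fast_revert": reverted_after is not None and reverted_after <= revert_limit,
        "archive_corroboration": len(corroborated_by(observations, "web-archive", w)),
        "cache_corroboration": len(corroborated_by(observations, "browser-cache", w)),
    }


if __name__ == "__main__":
    for key, value in analyse(OBSERVATIONS, SIGNING_TIME, BASELINE).items():
        print(f"{key}: {value}")
```

On the constructed data the report shows the tampered build served at signing time, uploaded about two days earlier, replaced two minutes after the signature, and seen by both an archive snapshot and a signer's browser cache. The design point is that the S3 version history alone would be enough only if it is trusted; the archive snapshot and the cache entry are what let an investigator confirm the timeline from sources the attacker could not rewrite after the revert.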

In response to the incident, SafeWallet has “fully rebuilt, reconfigured all infrastructure, and rotated all credentials, ensuring the attack vector is fully eliminated,” according to their announcement. The SafeWallet team confirmed they have added security measures to prevent similar attacks in the future.

https://t.co/9zhPMCmGbB

— Safe.eth (@safe) February 26, 2025

Despite the massive theft, Bybit quickly replenished users’ crypto assets and maintained operations without major disruptions. To meet customer withdrawals, the exchange borrowed 40,000 ETH from Bitget, which has since been repaid. Bybit restored its reserves through a combination of loans, asset purchases, and large holder deposits.

Bybit CEO Ben Zhou confirmed that the exchange is “back to 100%” full backing on client assets. “The preliminary forensic review finds that our system was not compromised. While this incident underscores the evolving threats in the crypto space, we are taking proactive steps to reinforce security,” Zhou stated.

The attack dwarfed previous major crypto heists, including the 2022 Ronin Network attack and the 2021 Poly Network heist. According to Cyvers data, this single incident represented more than 60% of all crypto funds that were stolen during the entire previous year.

The Bybit hack has affected market confidence, leading to a drop in Ether and broader cryptocurrency prices. The incident highlights the ongoing security challenges facing the cryptocurrency industry, even as exchanges work to improve their security measures and response capabilities.

Oliver Dale

Editor-in-Chief of CoinCentral and founder of Kooc Media, A UK-Based Online Media Company. Believer in Open-Source Software, Blockchain Technology & a Free and Fair Internet for all. His writing has been quoted by Nasdaq, Dow Jones, Investopedia, The New Yorker, Forbes, Techcrunch & More. Contact Oliver@coincentral.com
