
An investigation by Sygnia Labs and Verichains confirmed that Bybit hackers exploited a compromised Safe Wallet development machine to steal the funds. While the exchange claims that its systems were not breached, Safe has reconfigured its infrastructure to eliminate the vulnerabilities.
Bybit, one of the world’s largest cryptocurrency exchanges, has suffered the theft of over $1.400 billion worth of Ethereum. Details of the attack, revealed in a recent forensic report conducted jointly by Sygnia Labs and Verichains, point to an unusual vector: code manipulation on the platform of Safe Wallet, a provider of multi-signature hardware wallets used by institutions.
According to the report, the attackers accessed a Safe development machine to replace the JavaScript file on app.safe.global, the official asset management portal. This malicious code was activated during a routine Bybit transaction, redirecting funds to addresses controlled by Lazarus Group, a hacking group linked to North Korea, which has been identified as the perpetrator of the attack.
While Bybit claims that its own systems were not compromised, the incident exposes critical risks to the operational security of blockchain service providers.
Safe Wallet, for its part, confirmed the vulnerability and announced the complete reconfiguration of its infrastructure. However, experts such as Michael Lewellen of Blockaid point out that the attack could have been avoided with independent verifications of transactions, a standard still lacking on many platforms.
Silent engineering: How ghost code infiltrated
According to the forensic analysis presented by the firms, the attack against Bybit began weeks before the theft. Lazarus Group hackers compromised a Safe Wallet development computer using social engineering techniques. According to Sygnia Labs, they replaced the safe-transaction.js file on the app.safe.global site with a malicious version stored on Amazon S3 and distributed through CloudFront, AWS's hosting and content delivery services.
This camouflaged code worked like a Trojan horse: it remained dormant until Bybit initiated a routine transaction from its multi-signature hardware wallet. At that point, the hackers modified the destination addresses without altering the interface visible to the signers. As a result, three Bybit executives approved the transaction believing it to be legitimate, while the script diverted the funds to addresses controlled by the hackers.
Verichains found that the attack was timed to coincide with a scheduled transfer, maximizing its impact. The malicious code was removed two minutes after the theft in an attempt to erase evidence, but it had already been recorded in public archives such as the Wayback Machine.
Bybit vs. Safe: The Battle for Hack Accountability
While Bybit maintains that its internal systems were not breached, Safe Wallet attributes the incident to a breach on a single development machine. Bybit CEO Ben Zhou shared details of the forensic report on X, while Safe acknowledged that a development computer was compromised, allowing the hack to occur. It also said it has added security measures to eliminate the attack vector.
“The forensic review of the Lazarus-led attack on Bybit concluded that this attack targeting Bybit’s Safe Wallet was achieved through a compromised machine of a Safe Wallet developer, resulting in a disguised malicious transaction being proposed. Lazarus is a state-sponsored North Korean hacking group that is well known for sophisticated social engineering attacks against developer credentials, sometimes combined with zero-day exploits,” he said.
Lazarus Group: North Korea's shadowy spectre
Cybersecurity analysts such as ZachXBT traced the stolen funds to a network of digital wallets, many linked to previous hacks such as those of Phemex and Atomic Wallet. Lazarus Group, funded by the North Korean regime, has perfected methods to evade economic sanctions using cryptocurrency.
The Bybit hack highlights a systemic problem in blockchain infrastructure security: reliance on third parties exposes even the largest players to unpredictable risks. This unfortunate episode reinforces the need for companies to implement multi-layered checks, from transaction analysis to rigorous internal access management.
For users, the lesson is twofold: multisig wallets, while secure in theory, are not invulnerable if operational processes fail. And in the face of players like Lazarus Group, whose sophistication rivals nation states, the industry must prioritize collaboration over competition.