SafeWallet Unveils Bybit Hack Post-Mortem, Details $1.4 Billion Breach

Key Highlights:

  1. Sophisticated Attack Vector: SafeWallet’s report, with Mandiant, details how Lazarus Group compromised a developer’s macOS system, most likely via malware, hijacking AWS session tokens to inject malicious JavaScript, enabling a $1.4 billion theft from Bybit’s cold wallet on February 21, 2025.
  2. Targeted Execution: The attackers embedded malicious code into SafeWallet’s infrastructure on February 19, activating it during a Bybit transaction two days later, deceiving signers into approving a fraudulent transfer while leaving Safe’s smart contracts untouched.
  3. Rapid Response and Fallout: Bybit restored reserves and tracked 77% of the stolen $1.07 billion, but $280 million went dark as Lazarus laundered funds in 10 days, prompting SafeWallet to overhaul security and fueling debate over multisig vulnerabilities.

SafeWallet, a prominent multisignature wallet provider, released a detailed post-mortem report dissecting the February cybersecurity breach that resulted in a $1.4 billion theft from the cryptocurrency exchange Bybit. Compiled with cybersecurity firm Mandiant, the forensic analysis points to a sophisticated attack by North Korea’s Lazarus Group, which compromised a SafeWallet developer’s machine to bypass security measures. The report, published amid ongoing scrutiny of crypto vulnerabilities, offers a rare glimpse into one of the largest heists in digital asset history.

Safewallet Logs

The breach unfolded on February 21, when hackers siphoned over 400,000 Ether-related tokens—valued at $1.4 billion—from Bybit’s Ethereum multisig cold wallet. SafeWallet’s investigation revealed that the attackers hijacked a developer’s Amazon Web Services (AWS) session tokens, exploiting a 12-hour reauthentication window. After failing to register a multifactor authentication (MFA) device, the group likely used malware to infiltrate the developer’s macOS system, gaining access to active session tokens. This allowed them to inject malicious JavaScript into SafeWallet’s infrastructure, specifically targeting Bybit’s transaction process.
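Two of the signals named above, a temporary AWS credential turning up from a new origin and a failed attempt to register an MFA device, are both visible in CloudTrail. The following Python is an added example, not code from the Safe/Mandiant report: it runs a simple baseline-and-deviation check over constructed CloudTrail-style events (the field names eventName, eventTime, sourceIPAddress, userAgent and errorCode are CloudTrail’s; the access key ids, addresses and timestamps are made up for illustration).

```python
"""Detect hijacked AWS temporary-credential use in CloudTrail-style events.

Added example (not from the Safe/Mandiant report). Field names follow CloudTrail
(eventName, eventTime, sourceIPAddress, userAgent, errorCode); the events below
are constructed sample data, not real logs.
"""
from datetime import datetime

# IAM calls that register an MFA device; a failure here from an established
# session is worth a look on its own.
MFA_REGISTRATION_CALLS = {"CreateVirtualMFADevice", "EnableMFADevice"}

# Constructed events. STS temporary credentials have access key ids that start
# with "ASIA"; long-term IAM user keys start with "AKIA".
SAMPLE_EVENTS = [
    {"eventTime": "2025-02-19T03:10:00Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "accessKeyId": "ASIAEXAMPLE000000001"},
    {"eventTime": "2025-02-19T03:12:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "accessKeyId": "ASIAEXAMPLE000000001"},
    # Same session token, new source address: the shape of a stolen token.
    {"eventTime": "2025-02-19T14:40:00Z", "eventName": "CreateVirtualMFADevice",
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0",
     "accessKeyId": "ASIAEXAMPLE000000001", "errorCode": "AccessDenied"},
    {"eventTime": "2025-02-19T14:55:00Z", "eventName": "PutObject",
     "sourceIPAddress": "198.51.100.7", "userAgent": "Boto3/1.34.0",
     "accessKeyId": "ASIAEXAMPLE000000001"},
]


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_session_anomalies(events):
    """Return a list of (accessKeyId, eventName, reason) findings.

    The first call seen for each temporary access key fixes its baseline
    origin (source IP, user agent). Later calls from a different origin,
    and failed MFA-device registrations, are reported.
    """
    findings = []
    baseline = {}  # accessKeyId -> (sourceIPAddress, userAgent)
    for event in sorted(events, key=lambda e: _parse_time(e["eventTime"])):
        key = event["accessKeyId"]
        if not key.startswith("ASIA"):
            continue  # only temporary credentials are in scope here
        origin = (event["sourceIPAddress"], event["userAgent"])
        if key not in baseline:
            baseline[key] = origin
            continue
        if origin != baseline[key]:
            findings.append((key, event["eventName"],
                             f"session token reused from {origin[0]} / {origin[1]}; "
                             f"baseline was {baseline[key][0]} / {baseline[key][1]}"))
        if event["eventName"] in MFA_REGISTRATION_CALLS and event.get("errorCode"):
            findings.append((key, event["eventName"],
                             f"failed MFA device registration: {event['errorCode']}"))
    return findings


if __name__ == "__main__":
    for key, name, reason in detect_session_anomalies(SAMPLE_EVENTS):
        print(f"{key} {name}: {reason}")
```

The check is deliberately coarse: a developer on a VPN or a CI runner will change origin legitimately, so in practice the baseline would be per-role and the finding fed to a triage queue rather than an automatic block. The 12-hour window the report mentions is what makes the detection worth having at all: a stolen session token stays valid until it expires, so the only way to shorten the attacker’s window is to notice the reuse.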

“The exploit was precise,” the report states, noting that the malicious code, embedded on February 19 at 15:29 UTC, activated during a routine Bybit transfer two days later. By altering the app.safe.global interface, the attackers deceived Bybit’s signers into approving a fraudulent transaction, redirecting funds to a hacker-controlled wallet. SafeWallet emphasized that its smart contracts remained uncompromised, pinning the vulnerability on the developer’s machine rather than core protocol flaws. Following the incident, the firm rebuilt its infrastructure, rotated credentials, and rolled out enhanced safeguards.
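The attack described above worked because the JavaScript served to signers changed while the smart contracts did not. One defensive control is to pin the digest of every front-end bundle at release time and have clients refuse anything that does not match. The following Python is an added example, not Safe’s code or anything from the report; the manifest format, the bundle contents and the function names are constructed here for illustration. The digest format is the W3C Subresource Integrity (SRI) one, so the same pin can be emitted as a browser-enforced integrity attribute.

```python
"""Pin front-end bundle hashes so a modified script is refused before it runs.

Added example, not Safe's code. The manifest format and bundle contents are
constructed for illustration. The digest format matches the W3C Subresource
Integrity (SRI) `integrity` attribute: "sha384-" + base64(SHA-384(bytes)).
"""
import base64
import hashlib


def sri_integrity(data: bytes) -> str:
    """Return an SRI-style integrity value for a bundle."""
    digest = hashlib.sha384(data).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def build_manifest(bundles):
    """Compute the pinned digest for every bundle at release time."""
    return {name: sri_integrity(data) for name, data in bundles.items()}


def verify_bundles(manifest, served):
    """Compare what a client actually received against the release manifest.

    Returns a sorted list of (bundle name, status) where status is
    "ok", "tampered" (digest differs) or "unpinned" (not in the manifest).
    """
    results = []
    for name, data in served.items():
        expected = manifest.get(name)
        if expected is None:
            results.append((name, "unpinned"))
        elif sri_integrity(data) != expected:
            results.append((name, "tampered"))
        else:
            results.append((name, "ok"))
    return sorted(results)


def script_tag(src, manifest):
    """Emit a <script> tag carrying the pinned integrity value, so the
    browser itself refuses a bundle whose digest no longer matches."""
    return (f'<script src="{src}" integrity="{manifest[src]}" '
            f'crossorigin="anonymous"></script>')


# Constructed release bundles (not real application code).
RELEASE_BUNDLES = {
    "app.js": b"export function buildTx(to, value) { return {to, value}; }\n",
    "vendor.js": b"export const VERSION = '1.0.0';\n",
}
MANIFEST = build_manifest(RELEASE_BUNDLES)

# Constructed "served" copy in which app.js has had extra code appended.
SERVED_TAMPERED = {
    "app.js": RELEASE_BUNDLES["app.js"]
    + b"// appended by someone other than the release process\n",
    "vendor.js": RELEASE_BUNDLES["vendor.js"],
}

if __name__ == "__main__":
    print(script_tag("app.js", MANIFEST))
    print(verify_bundles(MANIFEST, RELEASE_BUNDLES))   # every bundle ok
    print(verify_bundles(MANIFEST, SERVED_TAMPERED))   # app.js reported tampered
```

The caveat is where the manifest lives. If the HTML page that carries the integrity attributes is served from the same infrastructure as the bundles, an attacker who can rewrite one can rewrite the other, so the pins have to be published out of band (a signed release manifest, or an HTML shell deployed through a separate path). Even then, the pin only proves the code is the code the release process shipped; signers still need an independent view of the transaction they are approving.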

Bybit CEO Ben Zhou, speaking on March 4, reported that 77% of the stolen funds—roughly $1.07 billion—remained traceable on-chain, while $280 million had vanished into untraceable channels. The exchange swiftly restored its reserves, borrowing 40,000 ETH from Bitget to cover withdrawals, and maintained solvency. The U.S. Federal Bureau of Investigation (FBI) linked the attack to Lazarus, warning node operators to block transactions from associated addresses as the group laundered the haul across thousands of wallets in just 10 days.

The fallout has rippled through the crypto community. Binance co-founder Changpeng Zhao criticized SafeWallet’s initial response as “vague,” questioning how multiple signers were misled and why other targets weren’t hit. SafeWallet co-founder Martin Köppelmann speculated that the attackers avoided broader strikes to evade detection. Meanwhile, Bybit launched a $140 million bounty to recover funds, though tracing efforts face challenges as Lazarus leverages mixers and bridges.

For users like Sarah Kim, a Melbourne-based trader who lost faith in centralized exchanges after the hack, the incident underscores persistent risks. “I moved to hardware wallets after this,” she said. As SafeWallet resumes phased operations on Ethereum’s mainnet, the report signals a push for tighter security—but also a reminder of the human vulnerabilities even the most robust systems can’t fully escape.


N. Singh