Binance Founder Criticizes Safe's Report on Bybit Hack

The Safe report on the investigation into the $1.46 billion Bybit hack is vague and raises more questions than it answers, according to Binance founder Changpeng Zhao (CZ).

“I usually try not to criticize other industry players, but I do it from time to time,” he wrote.

According to the wallet team’s findings, the Lazarus Group attacked Bybit using a compromised Safe{Wallet} developer machine. This resulted in a disguised malicious transaction proposal. The incident occurred during a transfer of funds from cold storage.

“Lazarus is a state-sponsored North Korean hacker group well-known for sophisticated social engineering attacks on developer credentials, sometimes combined with zero-day exploits,” the report’s authors noted.

The investigation did not uncover any vulnerabilities in the wallet’s smart contracts or the frontend and service source code. The Safe{Wallet} team has taken additional measures to address the attack vector, they added.

In CZ’s view, the conclusions presented failed to answer several important questions:

  1. What does “hacking a developer machine” mean and how was it carried out?
  2. How did this device gain access to the “Bybit-managed account”?
  3. How did the hackers bypass the Ledger verification step for multiple signatories?
  4. Was the Bybit address with $1.46 billion the largest under Safe’s management, and why did the attackers not target others?
  5. What lessons can other multisig wallet providers and users learn for self-custody?

Martin Köppelmann, co-founder of Gnosis, the company behind Safe, provided CZ with some clarifications.

Overall, he reiterated the report’s points regarding the attack vector and could not explain the methods used to deceive the signatories. According to Köppelmann, Bybit’s storage was indeed one of the largest and apparently the first to suffer such an attack — which is why the hackers attempted to cover their tracks.

The entrepreneur also discussed measures being developed to enhance transaction security.

Regarding CZ’s third question, Ledger’s CTO Charles Guillemet provided an answer. He stated that the hardware wallet provider offers several solutions for transaction security, but integrating them into Safe is challenging due to technical specifics.

“For me, the main takeaway from the Bybit hack is this: companies and financial institutions should use enterprise-level custody solutions. Storing $1.46 billion in a free Safe{Wallet} smart contract with a group of signatories, designed for retail users, should become a thing of the past,” the programmer stated.

Earlier, Blockstream co-founder and cypherpunk Adam Back concluded that the exchange hack was due to “improper EVM design.”
