
Safe Infrastructure Vulnerability Blamed for Bybit Breach
The attack on Bybit was executed through the Safe (Wallet) infrastructure, rather than the trading platform’s own systems, according to a preliminary incident report.
Bybit Hack Forensics Report
As promised, here are the preliminary reports of the hack conducted by @sygnia_labs and @Verichains
Screenshotted the conclusion and here is the link to the full report: https://t.co/3hcqkXLN5U
Ben Zhou (@benbybit), February 26, 2025
According to an investigation by analysts at Sygnia, the perpetrator injected malicious JavaScript code into Safe (Wallet) resources hosted in AWS S3 cloud storage.
The criminals’ script was activated only during transactions involving Bybit’s contract addresses and an unknown test address, indicating the targeted nature of the attack.

Two minutes after the asset theft, the hacker replaced the modified files with the original versions to cover their tracks.
Cached files with changes made on February 19 were found on the devices of three participants who signed the fake transaction. The code manipulated data at the time of approval, substituting the recipient’s address.

Web archives such as the Wayback Machine also recorded the changes to the Safe (Wallet) infrastructure code.
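The report's evidence came from retained copies (signer browser caches, web archives) rather than from the live bucket, which already held the original files again. The following is an added example, not code from the report or from Safe: it compares every retained copy of a served file against a pinned release digest and reports the window in which it deviated. The file path, source names, timestamps and the existence of a release manifest are assumptions.

```python
import base64
import hashlib
from collections import defaultdict

def sri_sha384(body: bytes) -> str:
    """SRI-style digest (sha384-<base64>) of a served file body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

def tamper_windows(pinned, observations):
    """Group consecutive off-manifest sightings of each path into windows.
    pinned: {path: digest}; observations: (iso_time, source, path, body)."""
    by_path = defaultdict(list)
    for when, source, path, body in observations:
        by_path[path].append((when, source, sri_sha384(body)))
    windows = []
    for path, seen in by_path.items():
        current = None
        for when, source, digest in sorted(seen):
            if digest == pinned.get(path):
                current = None  # matches the release again: window closed
                continue
            if current is None or current["digest"] != digest:
                current = {"path": path, "first": when, "last": when,
                           "sources": set(), "digest": digest}
                windows.append(current)
            current["last"] = when
            current["sources"].add(source)
    return windows

def poll_only(pinned, observations, source="bucket-poll"):
    """What periodic polling of the live bucket alone would have reported."""
    return tamper_windows(pinned, [o for o in observations if o[1] == source])

# Constructed sample data: path, bodies, sources and times are all invented.
CLEAN = b"/* constructed: release build */"
MODIFIED = b"/* constructed: altered build */"
PINNED = {"static/app.js": sri_sha384(CLEAN)}
OBSERVATIONS = [
    ("2030-01-01T00:00Z", "bucket-poll", "static/app.js", CLEAN),
    ("2030-01-01T15:30Z", "web-archive", "static/app.js", MODIFIED),
    ("2030-01-02T09:10Z", "signer-cache", "static/app.js", MODIFIED),
    ("2030-01-03T00:00Z", "bucket-poll", "static/app.js", CLEAN),
]

if __name__ == "__main__":
    for w in tamper_windows(PINNED, OBSERVATIONS):
        print(w["path"], w["first"], "->", w["last"], sorted(w["sources"]))
    print("poll-only findings:", poll_only(PINNED, OBSERVATIONS))
```

In the constructed data the bucket polls on either side of the change both match the release, so polling alone reports nothing, while the archive capture and the cached copy bound the deviation.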

“The forensic investigation results from the hosts of the three signatories indicate that the root cause of the attack is the malicious code originating from the Safe (Wallet) infrastructure. No signs of compromise were found in Bybit’s infrastructure. The investigation continues for final confirmation of the findings,” the conclusion states.
Previously, cypherpunk Adam Back cited the “flawed EVM design” as the reason for the incident.
By February 26, hackers had laundered 135,000 ETH (~$335 million). Responsibility for the attack was attributed to the North Korean group Lazarus.