Forensic Report Links $1.4B Bybit Hack to Safe{Wallet} Compromise

Bybit CEO Ben Zhou reported initial findings on the $1.4 billion hack, indicating that attackers exploited vulnerabilities in Safe{Wallet}'s infrastructure rather than in Bybit's security. Key details include:

  • The attack involved unauthorized access to developer credentials, allowing hackers to insert malicious JavaScript into the Safe{Wallet} app.
  • This code deceived Bybit’s Ethereum Multisig Cold Wallet during a routine transaction on February 21, 2025.
  • Investigations suggest involvement from the Lazarus Group, linked to North Korea.

Safe{Wallet} Response

Safe{Wallet} clarified that its smart contracts were secure and the breach stemmed from a compromised developer machine. They have since rebuilt their infrastructure with enhanced security measures and resumed operations on the Ethereum mainnet.

Bybit's Recovery Efforts

Bybit has restored the stolen funds and is actively pursuing recovery efforts, including:

  • Distribution of stolen assets across more than 11,000 wallets.
  • Implementation of a wallet blacklist API to block flagged addresses.
  • A bounty program offering up to $140 million for information on the hackers.