An investigation into the recent Bybit hack has determined that the attackers most likely took advantage of a vulnerability in Safe, the crypto wallet that Bybit was using. Late last week, hackers linked to North Korea’s Lazarus Group pulled off what is believed to be the biggest heist in history, stealing $1.48 billion from Bybit’s Ethereum ( ETH ) wallet. Now, after an investigation by finance security firm Verichains and cybersecurity consultants Sygnia, Bybit CEO Ben Zhou reveals that Lazarus most likely compromised the exchange’s ETH wallet directly through Safe by accessing its Amazon Web Services (AWS) bucket. “The benign Javascript file of app.safe.global appears to have been replaced with malicious code on February 19, 2025, at 15:29:25 UTC, specifically targeting Ethereum Multisig Cold Wallet of Bybit. The attack was designed to activate during the next Bybit transaction, which occurred on February 21, 2025, at 14:13:35 UTC… Based on the investigation results from the machines of Bybit’s Signers and the cached malicious Javascript payload found on the Wayback Archive, we strongly conclude that AWS S3 or CloudFront account/API Key of Safe.Global was likely leaked or compromised.” In a statement , Safe also confirmed the on-chain investigators’ findings. “The forensic review into the targeted attack by the Lazarus Group on Bybit concluded that this attack targeted to the Bybit Safe was achieved through a compromised Safe{Wallet} developer machine resulting in the proposal of a disguised malicious transaction… Following the recent incident, the Safe{Wallet} team conducted a thorough investigation and have now restored Safe{Wallet} on Ethereum mainnet with a phased rollout. The Safe{Wallet} team has fully rebuilt, reconfigured all infrastructure, and rotated all credentials, ensuring the attack vector is fully eliminated.” Safe says it will release a more in-depth post-mortem report on the attack in the near future. Just days after the hack, Zhou said the exchange had restored a 1:1 backing on all client assets after the record-setting hack. His claims were echoed in a proof-of-reserves audit report published by the blockchain security auditor Hacken on Sunday. “The Hacken team’s Proof of Reserves audit, conducted on Sunday, February 23, 2025, demonstrates that Bybit maintains an in-scope reserve ratio of > 100 %. This finding signifies that Bybit possesses sufficient reserves to cover its in-scope liabilities, thereby bolstering trust and confidence among its users and stakeholders.” Don't Miss a Beat – Subscribe to get email alerts delivered directly to your inbox Check Price Action Follow us on X , Facebook and Telegram Surf The Daily Hodl Mix Disclaimer: Opinions expressed at The Daily Hodl are not investment advice. Investors should do their due diligence before making any high-risk investments in Bitcoin, cryptocurrency or digital assets. Please be advised that your transfers and trades are at your own risk, and any losses you may incur are your responsibility. The Daily Hodl does not recommend the buying or selling of any cryptocurrencies or digital assets, nor is The Daily Hodl an investment advisor. Please note that The Daily Hodl participates in affiliate marketing. Generated Image: Midjourney The post Bybit Forensic Investigation Determines $1,480,000,000 Hack Stemmed From Vulnerability in Safe Wallet appeared first on The Daily Hodl .
