A reversal: Bybit was hacked for 1.5 billion USD, and it turns out a Safe protocol developer was compromised

Wu Says Blockchain
2025-02-27 09:23:44
Lazarus is a government-backed North Korean hacking group known for its sophisticated social engineering attacks on developer credentials, sometimes combining them with zero-day vulnerabilities.

Author: Wu Says Blockchain

Amid widespread confusion about how Bybit's multiple signers were compromised, Bybit and Safe simultaneously released announcements on the evening of February 26.

Safe stated that the forensic review of the targeted attack by the Lazarus Group on Bybit concluded that the attack on Bybit Safe was executed through the compromised Safe{Wallet} developer's machine, leading to disguised malicious transactions. Lazarus is a government-backed North Korean hacking organization known for conducting complex social engineering attacks on developer credentials, sometimes combined with zero-day vulnerabilities.

The forensic review by external security researchers did not indicate any vulnerabilities in the source code of Safe's smart contracts or its front-end and services. Following the recent incident, the Safe{Wallet} team conducted a thorough investigation and phased recovery of the Safe{Wallet} on the Ethereum mainnet. The Safe{Wallet} team has completely rebuilt and reconfigured all infrastructure and rotated all credentials to ensure the complete elimination of the attack vector. After waiting for the final results of the investigation, the Safe{Wallet} team will release a complete post-mortem analysis.

The Safe{Wallet} front-end is still operational and has taken additional security measures. However, users need to be especially cautious and vigilant when signing transactions.

Bybit stated:

Attack Time: Malicious code was injected into Safe{Wallet}'s AWS S3 bucket on February 19, 2025, and triggered when Bybit executed a multisig transaction on February 21, 2025, resulting in stolen funds.

Attack Method: The attacker tampered with the front-end JavaScript file of Safe{Wallet}, injecting malicious code to modify Bybit's multisig transaction and redirect funds to the attacker's address.

Attack Target: The malicious code specifically targeted Bybit's multisig cold wallet address and a test address, activating only under specific conditions.

Post-Attack Actions: Approximately two minutes after the execution of the malicious transaction, the attacker removed the malicious code from the AWS S3 bucket to cover their tracks.

Investigation Conclusion: The attack originated from Safe{Wallet}'s AWS infrastructure (possibly due to S3 CloudFront account/API Key leakage or compromise), and Bybit's own infrastructure was not attacked.

Safe multisig wallets are cryptocurrency wallets based on blockchain smart contracts that manage assets through a multisignature mechanism. Their core requirement is that multiple predefined signers (for example, 2 out of 3, or 3 out of 5, known as an M/N mechanism) must jointly authorize transactions. The wallet itself is a contract deployed on the blockchain that records owner addresses and the signature threshold, and a transaction must collect enough signatures before the contract verifies and executes it. The technical principle relies on the Elliptic Curve Digital Signature Algorithm (ECDSA): signers use their private keys to sign transactions, and the contract verifies them using public keys. Transaction proposals are first stored in the contract and submitted to the blockchain for execution after collecting signatures, supporting flexible expansions such as account recovery features.

Polygon's Mudit Gupta questioned why a developer had the authority to change content on the Safe production site in the first place. Additionally, why was there no monitoring of such changes?

Binance founder CZ stated, "I usually don't criticize other industry participants, but Safe is using vague language to cover up the issue. What does 'compromised Safe{Wallet} developer's machine' mean? How was that specific machine compromised? Was it social engineering, a virus, etc.? How did the developer's machine access 'accounts operated by Bybit'? Did some code get directly deployed from this developer machine to the production environment? How did they deceive multiple signers' Ledger verification steps? Was it blind signing? Or did the signers fail to verify correctly? Is $1.4 billion the largest address managed by Safe? Why didn't they target others? What lessons can other 'self-custody, multisig' wallet providers and users learn from this?" Furthermore, CZ denied that Binance also used Safe to store assets.

SlowMist's Yu Xuan stated that while the smart contract part of Safe is fine (easily verifiable on-chain), the front-end was tampered with to achieve a deceptive effect. As for why it was tampered with, we will wait for Safe's official details to be disclosed. Safe can be considered a security infrastructure, and theoretically, anyone using this multisig wallet could be stolen from like Bybit. It is chilling to think that all other user-interactive services with front-ends, APIs, etc., could have similar risks. This is also a classic supply chain attack. The security management model for large/huge assets needs a significant upgrade. If the Safe front-end had implemented basic SRI verification, even if the JS was altered, there would have been no issues. Yu Xuan stated that if that Safe developer was indeed a North Korean agent, he wouldn't be surprised.
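
As an added example (not from the article and not Safe's code), the following Node.js code shows the SRI mechanism Yu Xuan refers to together with the change monitoring Mudit Gupta asks about: digests are recorded at build time and the files served later are compared against them. The asset paths, file contents and function names are constructed for illustration.

```javascript
// Added example (not Safe's code): asset names and contents are constructed.
const crypto = require("crypto");

// SRI value in the form used by <script integrity="...">: "<alg>-<base64 digest>".
function sriDigest(content, alg = "sha384") {
  return `${alg}-${crypto.createHash(alg).update(content).digest("base64")}`;
}

// Build step: record one digest per asset; store this outside the serving bucket.
function buildManifest(assets) {
  return Object.fromEntries(
    Object.entries(assets).map(([path, body]) => [path, sriDigest(body)])
  );
}

// HTML emitted at build time, so the browser refuses a script whose bytes changed.
function scriptTag(path, manifest) {
  return `<script src="${path}" integrity="${manifest[path]}" crossorigin="anonymous"></script>`;
}

// Monitoring step: compare what the origin serves now against the manifest.
function auditDeployment(manifest, served) {
  const findings = [];
  for (const [path, expected] of Object.entries(manifest)) {
    if (!(path in served)) {
      findings.push({ path, status: "missing" });
    } else if (sriDigest(served[path], expected.split("-")[0]) !== expected) {
      findings.push({ path, status: "modified" });
    }
  }
  for (const path of Object.keys(served)) {
    if (!(path in manifest)) findings.push({ path, status: "unexpected" });
  }
  return findings;
}

// Constructed sample: what was built versus what the bucket serves later.
const built = {
  "/static/app.js": "export const buildTx = (to, value) => ({ to, value });\n",
  "/static/vendor.js": "export const version = '1.0.0';\n",
};
const servedNow = {
  ...built,
  "/static/app.js": built["/static/app.js"] + "/* constructed: bytes added after deployment */\n",
  "/static/extra.js": "/* constructed: file not produced by the build */\n",
};
const manifest = buildManifest(built);
console.log(scriptTag("/static/app.js", manifest));
console.log(auditDeployment(manifest, servedNow));
```

SRI only protects if the HTML carrying the `integrity` attribute and the manifest are kept where someone with write access to the script bucket cannot change them; otherwise the digest can be replaced along with the file.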

GCC principal Konstantin stated that this is a significant blow to the industry; the so-called decentralized public goods have single-point risks that are almost entirely insecure, even among a few ordinary contract front-end developers. Besides Safe, there are a large number of web3 open-source dependencies that also face similar supply chain attack risks; they not only have weak risk control but also heavily rely on traditional internet infrastructure for security.

Hasu stated that although the Safe front-end, rather than Bybit's infrastructure, was compromised, Bybit's infrastructure was also insufficient to prevent what was ultimately a relatively simple hacking attack. When transferring over $1 billion in funds, there is no reason not to verify message integrity on a second isolated machine.

Mingdao stated that the core issue is that large fund signing transactions should be generated by permanently offline computers. As long as the initiating party's multisigners sign offline and then broadcast through a connected computer, it doesn't matter how others sign. If all multisigners are running on connected computers, relying on a connected web page to generate transactions, this cold wallet becomes a hot wallet. This is not Safe's fault; after all, it did not hold the funds. It just unfortunately became the center of trust.

Vitalik has also stated that 90% of his personal assets are stored using Safe multisig.

Wintermute's founder stated that this is not to say that Bybit's security measures are flawless (it seems they might be using the largest multisig account of the Safe protocol). If they had used solutions like Fireblocks or Fordefi, combined with other measures, especially when handling simple fund transfers, it might have been more reasonable.
