Bybit Hack Traced Back to Weakness in Secure Wallet Framework
Bybit's Brutal Breach: Exposed Due to Unseen Vulnerabilities in Safe Wallet
The hack on Bybit was not an inside job but an exploit of Safe Wallet's infrastructure. A preliminary forensic report reached this conclusion, finding no compromise of Bybit's own systems; the investigation is ongoing.
Introduction to the Nightmare
Bybit's nightmare began when attackers, attributed to North Korea's Lazarus Group, infiltrated the Safe Wallet infrastructure. The attack started with a crafted phishing campaign targeting the machine of a developer with access to Safe Wallet's deployment.
The Master Plan
With the developer's machine under their control, the attackers turned to the AWS S3 bucket hosting Safe Wallet's web UI. They injected malicious JavaScript into it, and the code sat dormant, waiting to spring into action.
When Bybit's signers loaded the compromised Safe Wallet UI, the hidden JavaScript came alive. It showed them a legitimate-looking transaction while substituting different parameters in the payload actually handed to their wallets for signing. Bybit's multisig signers, including the CEO, approved a transaction that altered the logic of their Safe smart contract.
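The substitution described above, as an added example that is not code from Safe, Bybit or the forensic report: a UI renders one transaction while handing a different one to the wallet, and a signer-side cross-check catches the mismatch. The addresses, amounts, nonce and calldata are constructed for the example, and keying the substitution on one targeted Safe address is a modelling assumption, not a claim about the real script.

```javascript
// Added example: models a UI-layer transaction substitution and the signer-side
// cross-check that defeats it. Not Safe's, Bybit's or the attackers' code.

const OP_CALL = 0;         // Safe "operation" 0: ordinary CALL
const OP_DELEGATECALL = 1; // Safe "operation" 1: DELEGATECALL, callee runs in the Safe's own storage

// Constructed addresses, not real ones.
const TARGETED_SAFE = "0x1111111111111111111111111111111111111111";
const COLD_WALLET_RECIPIENT = "0x2222222222222222222222222222222222222222";
const ATTACKER_CONTRACT = "0x3333333333333333333333333333333333333333";

// Fields that make up a Safe transaction's signed payload.
const SIGNED_FIELDS = [
  "to", "value", "data", "operation",
  "safeTxGas", "baseGas", "gasPrice", "gasToken", "refundReceiver", "nonce",
];

// What the signer sees on screen: a routine transfer from the multisig (constructed).
function displayedTransaction() {
  return {
    to: COLD_WALLET_RECIPIENT,
    value: "30000000000000000000000", // 30,000 ETH in wei, example figure
    data: "0x",
    operation: OP_CALL,
    safeTxGas: "0", baseGas: "0", gasPrice: "0",
    gasToken: "0x0000000000000000000000000000000000000000",
    refundReceiver: "0x0000000000000000000000000000000000000000",
    nonce: "42",
  };
}

// Models the injected script. Triggering only for one targeted Safe is an
// assumption of this example; it keeps other users from noticing anything odd.
function injectedSigningPayload(shownTx, safeAddress) {
  if (safeAddress.toLowerCase() !== TARGETED_SAFE) {
    return { ...shownTx }; // honest path: wallet signs exactly what was shown
  }
  return {
    ...shownTx,
    to: ATTACKER_CONTRACT,      // call is redirected to attacker-controlled code
    value: "0",
    operation: OP_DELEGATECALL, // attacker code executes with the Safe's storage
    data: "0xdeadbeef",         // constructed placeholder calldata
  };
}

// Signer-side audit: compare every signed field between what the UI displayed and
// what the wallet is being asked to sign, and refuse any DELEGATECALL outright.
function auditSigningPayload(shownTx, signingPayload) {
  const findings = [];
  for (const field of SIGNED_FIELDS) {
    const shown = String(shownTx[field]).toLowerCase();
    const signing = String(signingPayload[field]).toLowerCase();
    if (shown !== signing) {
      findings.push(`${field}: UI shows ${shownTx[field]}, wallet would sign ${signingPayload[field]}`);
    }
  }
  if (Number(signingPayload.operation) === OP_DELEGATECALL) {
    findings.push("operation=1 (DELEGATECALL): callee can overwrite the Safe's storage, including its implementation pointer");
  }
  return findings;
}

// True only when the payload matches the display and contains no DELEGATECALL.
function safeToSign(shownTx, signingPayload) {
  return auditSigningPayload(shownTx, signingPayload).length === 0;
}

// Stand-alone run: the targeted Safe gets a substituted payload, another Safe does not.
const shown = displayedTransaction();
console.log(auditSigningPayload(shown, injectedSigningPayload(shown, TARGETED_SAFE)));
console.log(safeToSign(shown, injectedSigningPayload(shown, "0x4444444444444444444444444444444444444444")));
```

The field comparison stands in for the real check: a signer should verify the transaction hash shown on the hardware wallet against a hash computed independently of the web UI, since a compromised front end controls everything rendered in the browser. A policy of rejecting any `operation=1` (DELEGATECALL) from a treasury Safe unless it was explicitly planned is a cheap second line of defence.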
The Malicious Deployment
The signed transaction swapped the wallet's genuine implementation contract for an attacker-controlled one whose functions bypassed the multisig approval requirement and let the attackers sweep the wallet. Within minutes, roughly 400,000 ETH and staked-ETH tokens, worth about $1.5 billion, were gone.
Footsteps of the Phantom
The attackers covered their tracks by restoring the original files just two minutes after the theft. Fingerprints of the attack survived nonetheless: cached copies of the modified resources, dated February 19th, remained on the devices of three transaction signers, and web archives such as the Wayback Machine had recorded the change to Safe Wallet's hosted code.
Closing Words
While the investigation continues, the root cause of the attack appears to lie in the Safe Wallet infrastructure; no symptoms of the hack were found within Bybit's own systems. Long story short, the hackers played Bybit like a fiddle, and the only question that remains is, who's next?
Adam Back, the veteran cypherpunk, had already pointed the finger at what he regards as poor EVM design. By the 26th of February, the hackers had quietly laundered $335 million worth of ETH.
The attack on Bybit's Safe wallet, attributed to the North Korean Lazarus Group, exposed how fragile the industry's financial technology remains when a trusted front end is compromised. The attackers bypassed security measures built around the multisig, illustrating the need for defences that do not rely on a single web interface telling the truth.
In light of these events, there is a pressing need for closer collaboration between the finance, technology and cybersecurity sectors to harden system defences and prevent future attacks on other players in the industry.