Safe Wallet Infrastructure Vulnerability Identified as Key Cause of Bybit Hack

The attack on Bybit was carried out through the infrastructure of the Safe Wallet, rather than the trading platform’s own systems, according to a preliminary incident report.

Sygnia analysts found that the attacker injected malicious JavaScript code into Safe Wallet resources stored in AWS S3 cloud storage.

The script was activated only for transactions linked to Bybit’s contract addresses and an unknown test address, indicating a targeted attack.

Two minutes after stealing the assets, the hacker replaced the modified files with their original versions to cover their tracks.

Cached files on the devices of three transaction signers contained modifications made on February 19. The injected code manipulated transaction approval data, replacing the recipient address.
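A defender-side check prompted by the tampering described above, written as an added example rather than code from the report, Sygnia or Safe: poll the served front-end assets, hash each one and compare it with a pinned manifest, and keep every non-clean result so that a change that is reverted minutes later still leaves a record. Asset paths and file contents are constructed placeholders.

```python
import hashlib

# Constructed sample: known-good contents of two hypothetical front-end assets.
GOOD_APP_JS = b"function buildTx(to, value) { return {to, value}; }\n"
GOOD_VENDOR_JS = b"export const chainId = 1;\n"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Pinned manifest: one SHA-256 digest per asset, taken from the release build.
PINNED = {
    "static/app.js": sha256(GOOD_APP_JS),
    "static/vendor.js": sha256(GOOD_VENDOR_JS),
}


def check_snapshot(snapshot: dict, pinned: dict = PINNED) -> list:
    """Compare one snapshot of the served assets against the pinned digests.
    Returns a list of findings; an empty list means every asset matched."""
    findings = []
    for path, expected in pinned.items():
        if path not in snapshot:
            findings.append(f"MISSING {path}")
            continue
        actual = sha256(snapshot[path])
        if actual != expected:
            findings.append(f"MODIFIED {path} expected={expected[:12]} got={actual[:12]}")
    for path in sorted(snapshot.keys() - pinned.keys()):
        findings.append(f"UNPINNED {path}")
    return findings


def monitor(snapshots: list) -> list:
    """Run the check over a series of snapshots (one per poll interval) and
    keep every non-clean result, so a change that is later reverted is still
    recorded as (snapshot index, findings)."""
    return [(i, f) for i, s in enumerate(snapshots) if (f := check_snapshot(s))]


# Constructed timeline: clean, then a modified app.js, then the original restored.
TAMPERED_APP_JS = GOOD_APP_JS + b"/* constructed injected line */\n"
TIMELINE = [
    {"static/app.js": GOOD_APP_JS, "static/vendor.js": GOOD_VENDOR_JS},
    {"static/app.js": TAMPERED_APP_JS, "static/vendor.js": GOOD_VENDOR_JS},
    {"static/app.js": GOOD_APP_JS, "static/vendor.js": GOOD_VENDOR_JS},
]

if __name__ == "__main__":
    for idx, findings in monitor(TIMELINE):
        print(f"snapshot {idx}: {findings}")
```

The same pinned digests can be enforced in the browser with Subresource Integrity attributes on the script tags, so a modified file is refused at load time as well as flagged by the monitor.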

Web archives such as the Wayback Machine also recorded the changes to Safe Wallet’s infrastructure code.

“Forensic analysis of the three signers’ hosts indicates that the root cause of the attack was malicious code originating from the Safe Wallet infrastructure. No signs of compromise were found within Bybit’s systems. The investigation is ongoing to confirm the findings,” the report concluded.

Earlier, cypherpunk Adam Back blamed the incident on ‘poor EVM design’.

As of February 26, hackers had laundered 135,000 ETH (~$335 million). The attack has been attributed to the North Korean Lazarus Group.