Cryptocurrency exchange Bybit has released a detailed investigation report into its recent $1.5 billion security breach, focusing on the source of the unauthorized activity. Cybersecurity firms Sygnia and Verichains concluded that the attack originated from Safe{Wallet}’s infrastructure rather than from Bybit’s own systems. 💻
The incident was first detected on February 21, 2025, when Bybit noticed suspicious transactions involving one of its Ethereum (ETH) cold wallets. The investigation revealed that a malicious actor compromised a multisig transaction that moved funds from a cold wallet to a hot wallet through Safe{Wallet}. A critical flaw in this signing process allowed the attacker to intercept and manipulate the transaction, ultimately gaining control over the stolen assets.
Key takeaways from the report:
* Malicious JavaScript code was injected into a resource hosted in Safe{Wallet}’s AWS S3 bucket. The code was designed to tamper with transaction data during signing, altering the details without the signers noticing. 🔎
* The injected code targeted only transactions originating from Bybit’s contract address or from one other, unidentified address that was likely controlled by the attacker. 🚀
* The malicious JavaScript files were removed from Safe{Wallet}’s AWS S3 bucket just two minutes after the attack was publicly disclosed.
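The report’s central finding is a served JavaScript asset that was altered after deployment. As an added example (not code from the report, Bybit or Safe{Wallet}), the check below pins SHA-256 hashes of a web app’s assets in a release manifest and flags any served file that was modified, added or dropped; the asset names and contents are constructed for the demonstration.

```python
"""Integrity check for a static web-app bundle served from an object-storage
bucket. Every served asset is hashed and compared against a manifest pinned at
release time, so a file altered or added after deployment is reported."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class IntegrityReport:
    modified: list = field(default_factory=list)  # in both, but hash differs
    added: list = field(default_factory=list)     # served, absent from manifest
    missing: list = field(default_factory=list)   # in manifest, not served

    @property
    def clean(self) -> bool:
        return not (self.modified or self.added or self.missing)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(assets: dict) -> dict:
    """Pin hashes at release time: asset path -> SHA-256 hex digest."""
    return {path: sha256_hex(body) for path, body in assets.items()}


def check_integrity(manifest: dict, served: dict) -> IntegrityReport:
    """Compare what is actually served (path -> bytes) with the pinned manifest."""
    report = IntegrityReport()
    for path, expected in manifest.items():
        if path not in served:
            report.missing.append(path)
        elif sha256_hex(served[path]) != expected:
            report.modified.append(path)
    for path in served:
        if path not in manifest:
            report.added.append(path)
    return report


# Constructed release bundle and the manifest pinned for it.
RELEASE_ASSETS = {
    "index.html": b"<html><script src='app.js'></script></html>",
    "app.js": b"export function buildTx(to, value, data) { return {to, value, data}; }",
}
PINNED = build_manifest(RELEASE_ASSETS)

# Constructed snapshot of what the bucket serves later: app.js changed in place
# and an unexpected extra file appeared.
TAMPERED = dict(RELEASE_ASSETS)
TAMPERED["app.js"] = RELEASE_ASSETS["app.js"] + b"\n// bytes appended after release"
TAMPERED["vendor.js"] = b"console.log('not in manifest');"

if __name__ == "__main__":
    r = check_integrity(PINNED, TAMPERED)
    print("clean" if r.clean else f"modified={r.modified} added={r.added} missing={r.missing}")
```

Running the check on a schedule against the live bucket, with the manifest stored outside the bucket’s own access path, turns a silent asset change into an alert instead of a signer-visible surprise.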
Bybit states that its own infrastructure remained secure, but the incident underscores the risk that third-party wallet front ends introduce into the signing process. 🛡️
*This is not investment advice.