Cybersecurity Report Reveals How Lazarus Group Stole $1.5 Billion from Bybit

Bybit reveals details of a $1.5 billion cyberattack, pinpointing a Safe(Wallet) AWS breach as the entry point. Lazarus Group injected harmful code, hijacking transactions.

Key Insights

  • Bybit details how North Korea’s Lazarus Group exploited Safe(Wallet)’s AWS infrastructure rather than Bybit’s own systems.
  • Lazarus hackers injected malicious JavaScript into an AWS S3 bucket. The altered code manipulated Bybit’s transaction signing process, allowing unauthorized fund transfers.
  • Bybit has recovered approximately $100 million so far and launched a bug bounty program offering up to 10% of the stolen funds as a reward for recovery assistance. The investigation is ongoing.

SINGAPORE (MarketsXplora) – Cryptocurrency exchange Bybit has released an interim investigation report shedding new light on the massive security breach that resulted in the loss of $1.5 billion.

The attack, which took place on Friday, has been attributed to North Korean cybercriminal group Lazarus, according to Tel Aviv-based cybersecurity firm Sygnia. The firm’s forensic investigation details how the group exploited a vulnerability within Safe(Wallet)’s infrastructure to compromise Bybit’s multisig signing process.

An Exploit During Routine Operations

The breach occurred during what should have been a routine transaction when Bybit’s multi-signature (multi-sig) holders coordinated to move funds from a cold wallet to a warm wallet using the Safe(Wallet) interface. The attacker intervened and manipulated the transaction, ultimately gaining control of the affected cold wallet and transferring its holdings to a wallet under their control, Sygnia reported.

This aligns with initial research from the Ethereum security community, which suggested that Lazarus relied on blind signing to trick signers into approving a transaction to a malicious address masked by a manipulated user interface. However, the new findings clarify that Bybit’s own infrastructure was not directly compromised. Instead, the attack originated from Safe(Wallet)’s cloud-based environment.

Compromise of Safe(Wallet)’s AWS Infrastructure

Sygnia’s forensic team has traced the breach back to Safe(Wallet)’s Amazon Web Services (AWS) S3 bucket, a storage service commonly used to host static files such as scripts and HTML. The investigation found that a Safe developer’s computer had been compromised, allowing the attacker to inject malicious JavaScript into the AWS S3 bucket. This code, when loaded into the browsers of Bybit’s multisig signers, altered the transaction details at the moment funds were being moved.

Security researcher and SEAL 911 co-founder pcaversaccio explained that the attack began with the compromise of a developer machine.

“This allowed access to AWS and their S3 bucket. A malicious JavaScript was pushed to the bucket and eventually distributed,” he told MarketsXplora. “The malicious JS code targeted specifically the Bybit contract address. The JS code changes the content of the transaction during the signing process.”
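The defensive counterpart to the S3 tampering described above is to treat the published frontend bundle as a release artifact whose hashes are pinned outside the bucket and re-checked continuously. The following Python script is an added illustration, not code from Safe, Bybit or Sygnia; the bundle contents, object keys and the in-memory "bucket" are constructed, and a real deployment would fetch the objects from S3 and keep the manifest in a separate, write-protected location (assumptions, not details from the report).

```python
import hashlib
from typing import Dict, List

# Constructed example: the static bundle a deploy pipeline is expected to have
# published, keyed by object key. At build time the pipeline would hash these
# bytes and store the manifest somewhere the deploy credentials cannot write.
EXPECTED_BUNDLE: Dict[str, bytes] = {
    "index.html": b"<html><script src='static/js/app.js'></script></html>",
    "static/js/app.js": b"export function buildTx(to, value, data) { return {to, value, data}; }",
    "static/js/vendor.js": b"/* pinned third-party code */",
}

# Constructed "bucket" state after tampering: app.js was modified and a new
# script was dropped in. These bytes are invented for the example only.
TAMPERED_BUCKET: Dict[str, bytes] = {
    "index.html": EXPECTED_BUNDLE["index.html"],
    "static/js/app.js": b"export function buildTx(to, value, data) { return {to: OTHER, value, data}; }",
    "static/js/vendor.js": EXPECTED_BUNDLE["static/js/vendor.js"],
    "static/js/extra.js": b"/* not part of any release */",
}


def build_manifest(bundle: Dict[str, bytes]) -> Dict[str, str]:
    """Hex SHA-256 of every object in a release bundle, keyed by object key."""
    return {key: hashlib.sha256(data).hexdigest() for key, data in bundle.items()}


def verify_bundle(manifest: Dict[str, str], objects: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare live objects against the pinned manifest.

    Returns three lists: keys whose content hash changed, keys present in the
    bucket but absent from the manifest, and manifest keys missing from the bucket.
    Any non-empty list means the served frontend is not the released frontend.
    """
    modified = sorted(
        key for key, expected in manifest.items()
        if key in objects and hashlib.sha256(objects[key]).hexdigest() != expected
    )
    unexpected = sorted(key for key in objects if key not in manifest)
    missing = sorted(key for key in manifest if key not in objects)
    return {"modified": modified, "unexpected": unexpected, "missing": missing}


def is_clean(report: Dict[str, List[str]]) -> bool:
    return not any(report.values())


if __name__ == "__main__":
    manifest = build_manifest(EXPECTED_BUNDLE)
    report = verify_bundle(manifest, TAMPERED_BUCKET)
    for category, keys in report.items():
        for key in keys:
            print(f"{category}: {key}")
    print("bundle intact" if is_clean(report) else "bundle tampered")
```

The check is deliberately independent of who uploaded the objects: a stolen deploy credential, which is the scenario the report describes, produces uploads that look fully authorised to S3, so the only signal left is that the bytes being served no longer match a release that went through review.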

How the Bybit Hack Was Executed

Safe(Wallet) confirmed the attack was executed through a compromised developer machine, which led to the proposal of a disguised malicious transaction. However, it assured that neither its frontend, source code, nor smart contracts were breached.

Despite this confirmation, questions remain about how the attacker gained access to the Safe developer’s machine and whether other Safe users are at risk. Sygnia suggested that Lazarus may have obtained AWS access keys through phishing, malware, or a more sophisticated method, enabling them to modify files within the S3 bucket. Once inside, they uploaded or altered JavaScript files to manipulate Bybit’s transaction signing process.

According to Sygnia, the injected code specifically targeted transactions originating from two contract addresses: Bybit’s and an unidentified second address, which may belong to the attacker. The malware lay dormant in the system and activated only when it detected transactions involving these addresses.

Two minutes after executing the malicious transaction, Lazarus uploaded clean JavaScript files to Safe(Wallet)’s AWS S3 bucket, effectively erasing traces of the attack.
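Two behaviours in the sequence above are visible in cloud audit logs: a script in a static-hosting bucket being overwritten by a principal that is not the deploy pipeline, and the same key being overwritten again shortly afterwards when the clean files were pushed back. The following Python script is an added example of detection logic over CloudTrail-style S3 data events; it is not part of the report or of any vendor tooling. The field names follow CloudTrail's record format (S3 object-level events require data-event logging to be enabled), while the bucket name, ARNs, IP addresses, timestamps and the ten-minute overwrite window are constructed assumptions.

```python
import json
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed CloudTrail-style S3 data events, one JSON record per line.
# None of these values come from the incident; they only exercise the logic.
SAMPLE_EVENTS = """
{"eventTime":"2025-02-18T10:00:00Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/ci-deploy/github-actions"},"sourceIPAddress":"198.51.100.10","requestParameters":{"bucketName":"example-wallet-frontend","key":"static/js/app.js"}}
{"eventTime":"2025-02-21T14:10:00Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/dev-laptop"},"sourceIPAddress":"203.0.113.77","requestParameters":{"bucketName":"example-wallet-frontend","key":"static/js/app.js"}}
{"eventTime":"2025-02-21T14:12:30Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"type":"AWSService","arn":"arn:aws:iam::111122223333:role/cdn-origin"},"sourceIPAddress":"192.0.2.5","requestParameters":{"bucketName":"example-wallet-frontend","key":"static/js/app.js"}}
{"eventTime":"2025-02-21T14:15:00Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/dev-laptop"},"sourceIPAddress":"203.0.113.77","requestParameters":{"bucketName":"example-wallet-frontend","key":"static/js/app.js"}}
{"eventTime":"2025-02-21T14:16:00Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/ci-deploy/github-actions"},"sourceIPAddress":"198.51.100.10","requestParameters":{"bucketName":"example-wallet-frontend","key":"static/css/site.css"}}
"""

# Assumption: only the CI deploy role is ever expected to write to the bucket.
DEPLOY_PRINCIPALS: Set[str] = {"arn:aws:sts::111122223333:assumed-role/ci-deploy/github-actions"}
# Assumption: a second write to the same script within this window is worth a look.
REPLACE_WINDOW = timedelta(minutes=10)

Finding = Tuple[str, str, str, str]  # (kind, key, principal arn, event time)


def parse_events(text: str) -> List[Dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_suspicious_puts(events: List[Dict], allowed: Set[str],
                         window: timedelta = REPLACE_WINDOW) -> List[Finding]:
    """Flag PutObject events on .js keys from unexpected principals, plus any
    .js key that is written twice within `window` (the push-then-clean-up shape)."""
    findings: List[Finding] = []
    last_put: Dict[str, datetime] = {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):  # ISO-8601 sorts lexically
        if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") != "PutObject":
            continue
        key = ev["requestParameters"]["key"]
        if not key.endswith(".js"):
            continue  # only script objects can change what a signer's browser does
        when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        arn = ev["userIdentity"]["arn"]
        if arn not in allowed:
            findings.append(("unexpected_principal", key, arn, ev["eventTime"]))
        previous = last_put.get(key)
        if previous is not None and when - previous <= window:
            findings.append(("rapid_overwrite", key, arn, ev["eventTime"]))
        last_put[key] = when
    return findings


if __name__ == "__main__":
    for kind, key, arn, when in find_suspicious_puts(parse_events(SAMPLE_EVENTS), DEPLOY_PRINCIPALS):
        print(f"{when} {kind:20} {key} by {arn}")
```

The rapid-overwrite rule is the cheaper of the two to evade but is also the one that needs no knowledge of which principals are legitimate; in practice it pairs with alerting on any write to the static bucket that does not originate from the release pipeline, and with the bucket integrity check that compares served bytes against a pinned manifest.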

Industry Reactions and Unanswered Questions

The attack has sparked concern across the cryptocurrency industry, with prominent figures questioning the circumstances that enabled such a large-scale exploit. Former Binance CEO Changpeng Zhao (CZ) criticized Safe(Wallet)’s response, stating,

“This update from Safe is not that great. It uses vague language to brush over the issues. I have more questions than answers after reading it.”

CZ raised concerns about the details of the developer machine breach, the method used to bypass security verification steps, and why Bybit’s $1.5 billion Ethereum address was specifically targeted. Security experts have speculated that Lazarus waited for an optimal moment to strike, choosing Bybit’s routine fund transfer as their target.

Odysseas, founder of Ethereum security protocol Phylax, suggested that the attackers may have compromised Safe(Wallet)’s production server, replacing a library within the user interface code with a malicious version.

“Basically [Lazarus] could have attacked anyone, but because this is something you do once, they waited for a very profitable attack to appear—Bybit moving funds from cold storage to a hot wallet,” he said.

In response to the attack, Safe(Wallet) announced that it has fully rebuilt and reconfigured its infrastructure, rotated all credentials, and eliminated the attack vector. Despite these actions, it urged users to remain cautious when signing transactions.

Bybit’s Efforts to Recover Stolen Funds

Bybit has assured its users that their funds remain secure despite the hack. The exchange has taken steps to mitigate the impact, securing a bridge loan to cover any shortfall in reserves.

To retrieve the stolen funds, Bybit launched a bug bounty program offering a 10% reward to anyone who can help recover the assets and a 5% incentive for exchanges and crypto mixers that assist in freezing the stolen funds. Early estimates suggest Bybit has already recovered approximately $100 million, including $43 million in mETH.

Sygnia emphasized that the investigation remains ongoing as forensic teams continue working to confirm the full extent of the attack and its implications.

Samson Ononeme

Meet Samson Ononeme, a dynamic writer, editor, and CEO of marketsxplora.com. With a passion for words and a sharp business acumen, he captivates readers with captivating storytelling and delivers insightful market analysis.