Quick reading of Bybit forensic investigation report: Is Safe a breakthrough point for hackers?


On February 21, Bybit was hacked and lost nearly $1.5 billion, one of the largest hacking incidents to date. Today Sygnia released a preliminary report on the incident; a translation of that report follows.

Background

On Friday, February 21, 2025, Bybit detected unauthorized activity involving one of its ETH cold wallets. The incident occurred when a threat actor intervened and manipulated the multi-signature ETH transaction from the cold wallet to the hot wallet through Safe{Wallet}. The threat actor managed to gain control of the affected cold wallet and transferred the assets it held to wallets under their control.

Sygnia was commissioned by Bybit to conduct a forensic investigation to determine the root cause of the attack, identify the scope and source of the attack, and mitigate current and future risks.

Key Findings

  • Forensic investigation of all hosts used to initiate and sign transactions revealed that malicious JavaScript code had been injected into resources served from Safe{Wallet}'s AWS S3 bucket.
  • File modification timestamps and publicly available web archives indicate that the malicious code was injected directly into Safe{Wallet}'s AWS S3 bucket.
  • Preliminary analysis of the injected JavaScript code suggests that its primary purpose was to manipulate transactions, effectively altering the transaction content during the signing process.
  • Further analysis of the injected JavaScript code revealed an activation condition: it would only execute if the transaction source matched one of two contract addresses, Bybit's contract address and an unidentified contract address (possibly a test contract controlled by the threat actor).
  • Within two minutes of the malicious transaction being executed and published, a new version of the JavaScript resource, with the malicious code removed, was uploaded to Safe{Wallet}'s AWS S3 bucket.
  • The preliminary findings indicate that the attack originated from Safe{Wallet}'s AWS infrastructure.
  • So far, the forensic investigation has found no signs of compromise in Bybit's infrastructure.

Technical Findings

Chrome Browser Cache

Forensic analysis of the Chrome browser cache files on all three signing hosts identified cache files containing JavaScript resources created during the transaction signing process.

The content of the cache files shows that the resources served from Safe{Wallet}'s AWS S3 bucket on February 21, 2025, had last been modified on February 19, 2025, two days before the malicious transaction occurred.

Malicious JavaScript Injection

The JavaScript code content found in the Chrome browsing history shows the malicious modifications introduced by the threat actor. Preliminary analysis of the injected code indicates that it was intended to modify the transaction content.

Current State of Safe{Wallet}'s AWS S3 Bucket

The resources currently served by Safe{Wallet} from its AWS S3 bucket do not contain the malicious code identified in the Chrome cache files.

The investigation determined that the JavaScript resources were modified on February 21, 2025, at 14:15:13 and 14:15:32 UTC, approximately two minutes after the malicious transaction was executed.

Safe{Wallet}'s Web Archives

Further analysis of Safe{Wallet}'s resources using public web archives revealed two snapshots of Safe{Wallet} JavaScript resources taken on February 19, 2025. Examination of these snapshots shows that the first snapshot contained the original, legitimate Safe{Wallet} code, while the second snapshot contained the resource with the malicious JavaScript code. This further indicates that the malicious code used to create the malicious transaction originated directly from Safe{Wallet}'s AWS infrastructure.
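The timestamp finding above (a resource last modified before the signing and replaced minutes after it) and the web-archive comparison (a legitimate snapshot followed by a modified one) are the same correlation: a served front-end resource diverged from its known-good hash while a signing took place and was restored right after. The following added example, not part of the report, shows that check as defender-side detection logic over constructed sample data; the resource contents and the February 19 times are placeholders, and the signing time is assumed to be roughly two minutes before the 14:15:13 UTC revert named in the report.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

@dataclass
class Version:
    """One observed copy of a served front-end resource (cache file, archive snapshot, bucket)."""
    source: str          # where the copy was observed
    seen_at: datetime    # Last-Modified / snapshot time, UTC
    content: bytes

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def flag_divergences(versions, baseline_hash, signing_times, revert_window=timedelta(minutes=10)):
    """Report versions that differ from the known-good baseline and were live when a
    signing happened; also note whether the baseline was restored within revert_window."""
    ordered = sorted(versions, key=lambda v: v.seen_at)
    findings = []
    for i, cur in enumerate(ordered):
        if sha256_hex(cur.content) == baseline_hash:
            continue
        nxt = ordered[i + 1] if i + 1 < len(ordered) else None  # next observed copy, if any
        for signed_at in signing_times:
            live = cur.seen_at <= signed_at and (nxt is None or signed_at < nxt.seen_at)
            if not live:
                continue
            reverted = (nxt is not None and sha256_hex(nxt.content) == baseline_hash
                        and nxt.seen_at - signed_at <= revert_window)
            findings.append({"source": cur.source, "sha256": sha256_hex(cur.content),
                             "signed_at": signed_at, "reverted_within_window": reverted})
    return findings

# Constructed sample data mirroring the report's timeline (contents and Feb 19 times are
# placeholders; only the Feb 21 14:15:13 UTC revert time is taken from the report).
GOOD = b"// legitimate bundle (constructed placeholder)\n"
BAD = GOOD + b"/* constructed placeholder for injected code */\n"
SAMPLE_VERSIONS = [
    Version("web archive snapshot 1", datetime(2025, 2, 19, 10, 0, tzinfo=UTC), GOOD),
    Version("web archive snapshot 2", datetime(2025, 2, 19, 15, 30, tzinfo=UTC), BAD),
    Version("S3 bucket, current", datetime(2025, 2, 21, 14, 15, 13, tzinfo=UTC), GOOD),
]
SIGNING_TIME = datetime(2025, 2, 21, 14, 13, 0, tzinfo=UTC)  # constructed: ~2 min before revert
BASELINE_HASH = sha256_hex(GOOD)
```

Running `flag_divergences(SAMPLE_VERSIONS, BASELINE_HASH, [SIGNING_TIME])` flags the second archive snapshot as live during the signing and reverted within the window, which is the pattern a pinned-hash (Subresource Integrity style) check on the signing hosts would have caught before any signature was produced.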

Conclusion

The forensic investigation of the three signing hosts indicates that the root cause of the attack was malicious code originating from Safe{Wallet}'s infrastructure.

No signs of compromise were found in Bybit's infrastructure.

The investigation is ongoing to further confirm these findings.

About Sygnia

Sygnia is a cybersecurity consulting and incident response firm known for its elite cyber intelligence team. Sygnia partners with clients to rapidly contain and remediate attacks, and proactively enhance their cyber resilience. Sygnia's consultants bring their extensive experience, commitment, and discretion to address every security challenge with your business health in mind. Their proven track record, dedication, and prudence have earned the trust of security teams, senior management, and boards of directors at leading global organizations, including Fortune 100 companies.
