In a reversal, Bybit’s $1.5 billion theft was caused by the hacking of the Safe protocol developer

Author: Wu Blockchain

In the face of widespread doubts about how Bybit was breached despite having multiple signatories, on the evening of February 26th, Bybit and Safe simultaneously issued announcements.

Safe stated that the forensic review of the targeted attack by the Lazarus Group on Bybit concluded that the attack on Bybit's Safe{Wallet} was carried out through the compromised machines of Safe{Wallet} developers, resulting in the spoofed malicious transactions. Lazarus is a government-backed North Korean hacker group known for complex social engineering attacks on developer credentials, sometimes combined with zero-day vulnerabilities.

The forensic review by external security researchers did not reveal any vulnerabilities in the source code of the Safe smart contract, front-end, or services. After the recent incident, the Safe{Wallet} team conducted a thorough investigation and has been restoring Safe{Wallet} on the Ethereum mainnet in phases. The Safe{Wallet} team has completely rebuilt and reconfigured all infrastructure and rotated all credentials to fully eliminate the attack vector. Pending the final investigation results, the Safe{Wallet} team will release a comprehensive post-mortem.

The Safe{Wallet} front-end is still running with additional security measures. However, users need to be extra cautious and vigilant when signing transactions.

Bybit stated:

Attack timeline: Malicious code was injected into Bybit's AWS S3 bucket on February 19, 2025, and triggered when Bybit executed a multisig transaction on February 21, 2025, resulting in the theft of funds.

Attack method: The attacker modified the front-end JavaScript files of Safe{Wallet}, injecting malicious code to alter Bybit's multisig transactions and redirect funds to the attacker's address.

Attack target: The malicious code was specifically targeted at Bybit's multisig cold wallet addresses and a test address, activating only under specific conditions.

Post-attack actions: About two minutes after the malicious transaction was executed, the attacker removed the malicious code from the AWS S3 bucket to cover their tracks.

Investigation conclusion: The attack originated from the AWS infrastructure of Safe{Wallet} (possibly a compromised S3 CloudFront account/API key), and Bybit's own infrastructure was not attacked.

The Safe multisig wallet is a blockchain-based smart contract cryptocurrency wallet that manages assets through a multi-signature (Multisig) mechanism. Its core is to require multiple pre-defined signatories (e.g., 2 out of 3, or 3 out of 5, known as the M/N mechanism) to jointly authorize a transaction. The wallet itself is a contract deployed on the blockchain, recording the owner addresses and signature threshold, and transactions need to collect enough signatures for the contract to verify and execute. Its technical principle relies on the Elliptic Curve Digital Signature Algorithm (ECDSA), where signatories use their private keys to sign transactions, and the contract verifies them using the public keys. Transaction proposals are first stored in the contract, and after collecting signatures, they are submitted to the blockchain for execution, supporting flexible features like account recovery.

Polygon's Mudit Gupta questioned why a developer was initially allowed to modify the content on the production Safe website, and why the changes were not monitored.

Binance founder CZ stated that he usually does not criticize other industry participants, but Safe is using vague language to cover up the issues. What does "compromised the Safe{Wallet} developer machine" mean? How did they compromise that specific machine? Was it social engineering, a virus, etc.? How did the developer machine access the "Bybit-operated accounts"? Was some code deployed directly from that developer machine to the production environment? How did they deceive the Ledger verification steps of multiple signatories? Was it blind signing, or did the signatories not properly verify? Was the $1.4 billion address the largest managed by Safe? Why did they not target others? What lessons can other "self-custody, multi-signature" wallet providers and users learn from this? CZ also denied that Binance used Safe to store assets.

Slow Mist's Yuchen stated that while the Safe smart contract part was fine (easily verifiable on-chain), the front-end was tampered with to achieve a deceptive effect. As for why it was tampered with, we'll have to wait for Safe's official details. Safe is a kind of security infrastructure, and in theory, anyone using this multisig wallet could be robbed like Bybit. The terrifying thing is that all other services with front-ends, APIs, and user interactions may have similar risks. This is also a classic supply chain attack. The security management model for large/massive assets needs a major upgrade. If Safe's front-end had done basic SRI verification, even if the JS was changed, nothing would have happened. Yuchen said he wouldn't be surprised if that Safe dev was a North Korean spy.
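The SRI check mentioned above, emulated in Node.js as an added example (not code from Safe, Bybit, or the original article): it pins each front-end file to the digest of the release artifact and flags any served copy that no longer matches. The paths, bundle contents, and the `auditDeployment` helper are constructed for illustration.

```javascript
// Added example: emulates the browser's Subresource Integrity (SRI) check in Node.js.
const { createHash, timingSafeEqual } = require("node:crypto");

// SRI permits sha256, sha384 and sha512; only the strongest algorithm listed is enforced.
const STRENGTH = { sha256: 1, sha384: 2, sha512: 3 };

// Value for <script integrity="..."> computed from the release artifact at build time.
function sriFor(body, alg = "sha384") {
  return `${alg}-${createHash(alg).update(body).digest("base64")}`;
}

// Parse an integrity attribute: whitespace-separated "alg-base64[?options]" tokens.
function parseIntegrity(attr) {
  const pinned = [];
  for (const token of attr.trim().split(/\s+/)) {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+\/]+={0,2})(?:\?.*)?$/.exec(token);
    if (m) pinned.push({ alg: m[1], digest: m[2] });
  }
  return pinned;
}

// True only if the served bytes match a pinned digest of the strongest algorithm.
function verifySri(body, attr) {
  const pinned = parseIntegrity(attr);
  if (pinned.length === 0) return false; // monitoring choice: no usable pin means fail
  const best = pinned.reduce((a, b) => (STRENGTH[b.alg] > STRENGTH[a.alg] ? b : a)).alg;
  const actual = createHash(best).update(body).digest();
  return pinned.filter((p) => p.alg === best).some((p) => {
    const expected = Buffer.from(p.digest, "base64");
    return expected.length === actual.length && timingSafeEqual(expected, actual);
  });
}

// Compare what the origin serves with the release manifest; returns paths that drifted.
function auditDeployment(manifest, served) {
  return Object.keys(manifest).filter(
    (path) => !(path in served) || !verifySri(served[path], manifest[path])
  );
}

// Constructed sample data: two release bundles and a copy changed after release.
const RELEASE = Buffer.from("export const buildTx = (to, value) => ({ to, value });\n");
const VENDOR = Buffer.from("export const VERSION = '1.0.0';\n");
const ALTERED = Buffer.concat([RELEASE, Buffer.from("/* changed after release */\n")]);
const MANIFEST = {
  "/static/app.js": `${sriFor(RELEASE, "sha256")} ${sriFor(RELEASE)}`,
  "/static/vendor.js": sriFor(VENDOR),
};
console.log(auditDeployment(MANIFEST, { "/static/app.js": ALTERED, "/static/vendor.js": VENDOR }));
```

The pins are only as trustworthy as the place they are stored: the manifest (or the HTML carrying the `integrity` attributes) has to be served and access-controlled separately from the bucket that holds the scripts.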

GCC's Constantine stated that this is a major blow to the industry, as the so-called decentralized public goods have almost no security at all, with single points of failure even in the hands of a few ordinary front-end developers. In addition to Safe, there is a huge number of web3 open-source dependencies that face similar supply chain attack risks. They not only have weak risk control, but also rely heavily on traditional internet infrastructure to ensure security.

Hasu stated that while the Safe front-end, not Bybit's infrastructure, was compromised, Bybit's infrastructure was also not robust enough to prevent the ultimately rather simple hack. When transferring over $1 billion, there is no reason not to verify the integrity of the message on a second isolated machine.

Mingdao stated that the key is that large-amount signature transactions should be generated on a permanently offline computer. As long as the multisig initiators sign offline, it doesn't matter how the others sign, it won't be a problem. If all multisig parties are running on an online computer and relying on an online web page to generate transactions, the cold wallet becomes a hot wallet. This is not Safe's fault, as it didn't custody the money. It just unfortunately became the center of trust.

Vitalik also once stated that he personally keeps 90% of his assets under Safe multisig custody.

The founder of Wintermute stated that it's not that Bybit's security measures were perfect (it seems they may have been the largest multisig account using the Safe protocol). If they had used solutions like Fireblocks or Fordefi, combined with other measures, especially when handling simple fund transfers, it might have been more reasonable.
