The cryptocurrency exchange Bybit recently fell victim to a cyberattack in which approximately $1.4 billion worth of Ethereum was stolen. The assets were held in Bybit’s vault wallet, a multi-signature wallet operated through the Safe{Wallet} platform.
Following the breach, many security researchers struggled to work out how the attackers had pulled off the theft. It seemed improbable that they could have compromised enough of Bybit’s wallet custodians at the same time to produce the signatures the multi-signature setup required.
The latest investigation, however, rules out Bybit’s own systems as the point of compromise: the weakness lay within Safe{Wallet} itself. It has since emerged that Lazarus Group, the notorious North Korean hacking collective, had gained a foothold at Safe{Wallet} before the attack and waited for an opportune moment to strike its high-value target.
According to researchers, the attack was aimed specifically at Bybit. The attackers injected malicious JavaScript into app.safe.global, the web frontend that Bybit’s signers used. The script stayed dormant and activated only when the transaction it was handling came from a targeted Safe address, so regular users of the same frontend never triggered the backdoor and it went unnoticed.
Forensic analysis of Bybit’s signer machines, combined with a historical review through the Wayback Machine (web.archive.org), turned up cached copies of the malicious JavaScript payload. That discovery strongly suggested that Safe{Wallet}’s Amazon S3 or CloudFront accounts or API keys had been compromised.
With those credentials, the attackers could modify the assets stored in S3 or served through the CloudFront CDN and inject their script into the frontend. Further analysis of Safe{Wallet}’s S3 buckets turned up the malicious JavaScript, crafted to target Bybit’s Ethereum multi-signature cold wallet.
In an official statement, Safe{Wallet} confirmed that its forensic investigation traced the attack to a compromised Safe{Wallet} developer machine. In essence, the attackers first infected a developer’s workstation with malicious code and then used that developer’s credentials to push their JavaScript payload into the platform.
In response, Safe{Wallet} has rebuilt and reconfigured its infrastructure and rotated all credentials, API keys included, to close off the access the attackers used.
Notably, researchers found no vulnerability in Safe{Wallet}’s smart contracts or in the code of its frontend and backend services; the malicious script was introduced by altering what the infrastructure served, not by exploiting a flaw in the software. The attack’s effectiveness lay instead in its patient, premeditated strategy: a supply chain compromise that reached Safe{Wallet}’s development environment well before the assault on Bybit was launched.