Forensic investigators have found that North Korean Lazarus hackers stole $1.5 billion from Bybit after hacking a developer’s device at the multisig wallet platform Safe{Wallet}.
Bybit CEO Ben Zhou shared the conclusions of two investigations by Sygnia and Verichains, which both found that the attack originated from Safe{Wallet}’s infrastructure.
“The attack specifically targeted Bybit by injecting malicious JavaScript into app.safe.global, which was accessed by Bybit’s signers. The payload was designed to activate only when certain conditions were met. This selective execution ensured that the backdoor remained undetected by regular users while compromising high-value targets,” Verichains said.
“Based on the investigation results from the machines of Bybit’s Signers and the cached malicious JavaScript payload found on the Wayback Archive, we strongly conclude that AWS S3 or CloudFront account/API Key of Safe.Global was likely leaked or compromised.”
“Two minutes after the malicious transaction was executed and published, new versions of the JavaScript resources were uploaded to Safe{Wallet}’s AWS S3 bucket. These updated versions had the malicious code removed,” Sygnia added.
Sygnia also found that the malicious JavaScript code (targeting Bybit’s Ethereum Multisig Cold Wallet) served from Safe{Wallet}’s AWS S3 bucket and used to redirect Bybit’s crypto assets to an attacker-controlled wallet had been modified two days before the February 21 attack. Following the incident, Sygnia’s forensic investigation of Bybit’s infrastructure did not discover any evidence of compromise.
Their conclusions were also confirmed today by the Safe Ecosystem Foundation in a statement revealing that the attack was conducted by first hacking into a Safe{Wallet} developer machine, which provided the threat actors with access to an account operated by Bybit.
“The forensic review into the targeted attack by the Lazarus Group on Bybit concluded that this attack targeting the Bybit Safe was achieved through a compromised Safe{Wallet} developer machine resulting in the proposal of a disguised malicious transaction,” Safe said.
Since the incident, the Safe{Wallet} team has restored Safe{Wallet} on the Ethereum mainnet with a phased rollout that temporarily removed the native Ledger integration, the signing device/method used in the Bybit crypto heist.
The phased rollout to restore Safe{Wallet} services also added further security measures, including enhanced monitoring alerts and additional validations for transaction hash, data, and signatures.
Safe{Wallet}’s team says it has fully rebuilt and reconfigured all infrastructure and rotated all credentials to ensure that the attack vector has been removed and cannot be used in future attacks.
While a forensic review by external security researchers found no vulnerabilities in the Safe smart contracts or the source code of its frontend and services, Safe advises users to remain vigilant and “exercise extreme caution” when signing transactions.
Largest crypto heist in history
As BleepingComputer reported, the North Korean hackers intercepted a planned transfer of funds from one of Bybit’s cold wallets into a hot wallet. They then redirected the crypto assets to a blockchain address under their control, allowing them to siphon over $1.5 billion in what is now considered the largest crypto heist in history.
“On February 21, 2025, at approximately 12:30 PM UTC, Bybit detected unauthorized activity within one of our Ethereum (ETH) Cold Wallets during a routine transfer process. The transfer was part of a scheduled move of ETH from our ETH Multisig Cold Wallet to our Hot Wallet,” Bybit shared in a post-mortem published on Friday.
“Unfortunately, the transaction was manipulated by a sophisticated attack that altered the smart contract logic and masked the signing interface, enabling the attacker to gain control of the ETH Cold Wallet. As a result, over 400,000 ETH and stETH worth more than $1.5 billion were transferred to an unidentified address.”
Since then, Bybit has restored its ETH reserves and the CEO said the crypto exchange is solvent even if the lost assets will not be fully recovered.
While investigating the attack, crypto fraud investigator ZachXBT discovered links between the Bybit hackers and the infamous North Korean Lazarus threat group after the attackers sent some of the stolen Bybit funds to an Ethereum address previously used in the Phemex, BingX, and Poloniex hacks.
ZachXBT’s findings were also confirmed by blockchain intelligence company TRM Labs and blockchain analysis firm Elliptic, who found “substantial overlaps observed between addresses controlled by the Bybit hackers and those linked to prior North Korean thefts” and shared more info on the hackers’ attempts to slow down tracing attempts.
In December, blockchain analysis company Chainalysis said North Korean hackers stole $1.34 billion in 47 crypto heists in 2024.
Elliptic added this week that they’ve “stolen over $6 billion in crypto assets since 2017, with the proceeds reportedly spent on the country’s ballistic missile program.”