Key Points
- A legitimate Safe app JavaScript file was replaced with malicious code on February 19 at 15:29:25 UTC.
- The attack specifically targeted the Ethereum Multisig Cold Wallet of Bybit.
Official forensic reports on the recent, roughly $1.5 billion Bybit hack have been released, revealing that the attack was carried out through the Safe app, the largest smart account ecosystem on the EVM.
Preliminary Conclusions About Safe App Compromise
According to the official reports, a legitimate JavaScript file of the Safe app was replaced with malicious code on February 19 at 15:29:25 UTC, and the payload specifically targeted Bybit's Ethereum multisig cold wallet.
The attack was reportedly designed to activate during Bybit's next transaction, which occurred on February 21 at 14:13:35 UTC.
Based on the investigation of the Bybit signers' machines and on the cached malicious JavaScript payload found in the Wayback Machine, experts concluded that the compromise had happened via a Safe developer machine: an account or API key was likely compromised or leaked.
The attackers specifically went after Bybit, but the same vector could have hit any exchange or entity.
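The finding above is a swap of one served frontend file for a tampered one, with no change to the contracts. The generic check a practitioner would want for that class of problem is to pin every built asset to its digest and verify what the client actually receives, which is what Subresource Integrity (SRI) does for script tags. The following is an added example, not Safe's code or anything from the reports: the asset paths, the file contents and the "hypothetical hook" in the tampered file are all constructed for illustration.

```python
"""Pin frontend JavaScript bundles to their build-time digest and detect a
served file that no longer matches. Added example, not Safe's code: the
assets, the manifest and the served contents below are constructed."""
import base64
import hashlib
import hmac

SRI_ALGOS = ("sha256", "sha384", "sha512")  # the algorithms browsers accept


def sri_digest(content, algo="sha384"):
    """Return an SRI integrity string, e.g. 'sha384-<base64 digest>', for content."""
    if algo not in SRI_ALGOS:
        raise ValueError("unsupported SRI algorithm: %s" % algo)
    digest = hashlib.new(algo, content).digest()
    return algo + "-" + base64.b64encode(digest).decode("ascii")


def build_manifest(built_assets):
    """Map each built asset path to its digest. Publish this manifest out of
    band (or sign it): if it lives next to the bundles, whoever can swap a
    bundle can also rewrite its pin."""
    return {path: sri_digest(data) for path, data in built_assets.items()}


def verify_asset(manifest, path, served):
    """Compare a served file against its pin. Returns (ok, message)."""
    expected = manifest.get(path)
    if expected is None:
        return False, path + ": not in manifest"
    algo = expected.split("-", 1)[0]
    actual = sri_digest(served, algo)
    if hmac.compare_digest(actual, expected):
        return True, path + ": OK"
    return False, path + ": MISMATCH (served file differs from build output)"


def verify_deployment(manifest, served_assets):
    """Check every pinned asset and return the paths that fail or are missing."""
    failures = []
    for path in manifest:
        ok, _ = verify_asset(manifest, path, served_assets.get(path, b""))
        if not ok:
            failures.append(path)
    return failures


# Constructed sample: what the build produced ...
BUILT = {
    "static/js/app.js": b"export function proposeTx(tx) { return sign(tx); }\n",
    "static/js/vendor.js": b"export const VERSION = '1.0';\n",
}
# ... and what a client later fetched, where one file was replaced by a
# version carrying a hypothetical address-triggered hook.
SERVED = {
    "static/js/app.js": (
        b"export function proposeTx(tx) {\n"
        b"  if (tx.from === TARGET_SAFE) tx = rewrite(tx);  // hypothetical hook\n"
        b"  return sign(tx);\n"
        b"}\n"
    ),
    "static/js/vendor.js": b"export const VERSION = '1.0';\n",
}

MANIFEST = build_manifest(BUILT)

if __name__ == "__main__":
    for path in MANIFEST:
        print(verify_asset(MANIFEST, path, SERVED[path])[1])
    print("failing assets:", verify_deployment(MANIFEST, SERVED))
```

Two caveats. An `integrity` attribute in the HTML only helps if the HTML itself is served from somewhere the attacker cannot write, because whoever can replace the bundle can usually replace the pin next to it; the manifest has to be checked from a separately controlled place (a signed release, a locally built frontend, or a browser extension holding the pins). And a digest check on the page proves only that the code is the build's code, not that the transaction shown is the one being signed, so the signer-side check, verifying the transaction details on the hardware wallet display before approving, is still needed.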
Meanwhile, Safe released an official statement via X.
Safe Official Statement
In its official statement, the team at Safe revealed the following main conclusions:
- Forensic findings confirmed that the attack on Bybit was a targeted operation by the Lazarus Group.
- Safe smart contracts were unaffected; the attack was conducted by compromising a Safe developer's machine, which affected an account operated by Bybit.
- Safe Wallet reportedly added security measures to eliminate the attack vector.
The team listed the following important issues in its official statement:
- The forensic review by external security researchers found no vulnerabilities in the Safe smart contracts or in the source code of the frontend and services.
- Following the investigation, Safe restored Safe Wallet on Ethereum mainnet as a full rebuild with reconfigured infrastructure, eliminating the attack vector.
- Safe Wallet frontend remains operational, with additional security measures.
- Users are advised to exercise extreme caution and remain vigilant when signing transactions.
The team highlighted that Lazarus is a state-sponsored North Korean hacking group known for sophisticated social engineering attacks against developer credentials, often combined with zero-day exploits.
Official FBI Report About Bybit Hack
Bybit's $1.5 billion hack was the largest crypto theft in history. The exchange's CEO, Ben Zhou, also shared the official preliminary reports via X, together with an official FBI report.
According to the reports, the bad actors converted some of the stolen assets into BTC and other cryptocurrencies across thousands of addresses on multiple blockchains. These assets are expected to be laundered further and converted to fiat.
The FBI also encouraged private sector entities to block transactions with, or derived from, addresses used by TraderTraitor, the FBI's name for this North Korean malicious cyber activity.
Meanwhile, Binance's CZ criticized Safe's update, citing "vague language" and an unclear explanation of how the developer's machine was compromised.