Vulnerability in Safe Infrastructure Identified as Primary Cause of Bybit Hack

The attack on Bybit was carried out through the Safe (Wallet) infrastructure rather than through the trading platform’s own systems, according to a preliminary incident report.

According to an investigation by analysts at Sygnia, the attacker inserted malicious JavaScript code into the Safe (Wallet) resources hosted on AWS S3. The malicious script was triggered only during transactions involving Bybit’s contract addresses and an unknown test address, indicating that the attack was targeted.

Two minutes after the assets were stolen, the hacker reverted the modified files back to their original versions to cover their tracks. Cached files with changes made on February 19 were found on the devices of three participants involved in signing the fraudulent transaction. This code manipulated data at the time of approval, altering the recipient’s address.
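The two failure modes described above, a tampered front-end bundle served from hosting and a signing payload whose recipient no longer matches what the operator meant to approve, can each be checked independently of the wallet UI. The following is an added example written for this article, not code from Sygnia, Safe or Bybit; the bundle contents, the pinned hash and the addresses are constructed placeholders, and the function names are the author's own.

```python
"""Added example (not from the incident report or from Safe/Bybit).

Two defender-side checks:
  1. verify_asset_integrity: compare a fetched front-end bundle against a hash
     pinned out-of-band at release time, so a modified copy served from hosting
     is noticed even if it is reverted minutes later.
  2. check_signing_request: compare the transaction fields a wallet asks a signer
     to approve with the transaction the operator independently intended, so an
     altered recipient is caught before the signature is produced.

All sample data below is constructed for illustration."""
import hashlib
from typing import Dict, List


def sha256_hex(content: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(content).hexdigest()


def verify_asset_integrity(content: bytes, pinned_sha256: str) -> bool:
    """True only if the fetched bundle matches the hash recorded at deploy time."""
    return sha256_hex(content) == pinned_sha256


# Constructed stand-ins for a released bundle and a modified copy of it.
ORIGINAL_BUNDLE = b"function buildTx(to, value, data) { return {to, value, data}; }\n"
MODIFIED_BUNDLE = ORIGINAL_BUNDLE + b"// appended line\n"
# In practice this hash is recorded out-of-band (release notes, CI artefact), not fetched from the same host.
PINNED_HASH = sha256_hex(ORIGINAL_BUNDLE)


def check_signing_request(payload: Dict[str, str], intended: Dict[str, str]) -> List[str]:
    """Return a list of field-by-field mismatches between the payload presented for
    signing and the operator's intended transaction. An empty list means they agree.

    Addresses are compared case-insensitively because the checksummed and the
    lower-case spelling of one address differ only in letter case."""
    problems: List[str] = []
    for field in ("to", "value", "data"):
        expected = intended.get(field, "")
        actual = payload.get(field, "")
        if field == "to":
            expected, actual = expected.lower(), actual.lower()
        if expected != actual:
            problems.append(f"{field}: expected {expected!r}, payload has {actual!r}")
    return problems


# Placeholder addresses (constructed, not real contract addresses).
INTENDED = {"to": "0x" + "a" * 40, "value": "0", "data": "0x"}
ALTERED = {"to": "0x" + "b" * 40, "value": "0", "data": "0x"}


if __name__ == "__main__":
    print("original bundle ok:", verify_asset_integrity(ORIGINAL_BUNDLE, PINNED_HASH))
    print("modified bundle ok:", verify_asset_integrity(MODIFIED_BUNDLE, PINNED_HASH))
    print("mismatches:", check_signing_request(ALTERED, INTENDED))
```

The point of the second check is that the "intended" values come from a source the signer controls (a ticket, a hardware-wallet display, a second machine), not from the same web page that could have been modified; the hash comparison is only useful when the pinned value is obtained through a channel other than the hosting bucket itself.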

Web archives, including Wayback Machine, also recorded changes made to the Safe (Wallet) infrastructure code.

“The results of the forensic investigation involving the hosts of the three signers indicate that the root cause of the attack was the malicious code originating from the Safe (Wallet) infrastructure. No signs of compromise were found within Bybit’s infrastructure. The investigation is ongoing to confirm the findings,” the report concluded.

Earlier, cryptographer Adam Back labeled the “faulty design of the EVM” as a reason for the incident.

To recap, by February 26, hackers had laundered 135,000 ETH (approximately $335 million). Responsibility for the attack has been attributed to the North Korean group Lazarus.