Bybit $1.4b theft originated from compromised Safe UI

An independent audit confirmed that North Korea’s Lazarus Group infiltrated Safe’s infrastructure to compromise Bybit’s ethereum wallet.

A forensic analysis conducted by Sygnia Labs and Verichain found that Bybit’s security integrity remained intact despite an attack on its Ethereum (ETH) cold wallet on Feb. 21.

The Dubai-based crypto exchange reported the theft of over 400,000 ethereum, worth approximately $1.4 billion, from its Safe-provided multi-signature wallet last week. Initial speculation suggested that one of Bybit’s signers had been compromised by Lazarus. However, the post-mortem audit traced the root cause to a Safe developer machine.

“They hot swapped the Gnosis Safe UI with JS code that only targeted Bybit’s cold wallet,” Haseeb Qureshi, managing partner at Dragonfly explained. 

This means Lazarus successfully compromised a Safe developer with access to specific frontend deployment credentials, allowing bad actors to disguise malicious transactions.

Safe acknowledged the findings, reaffirming that Bybit’s security remained intact while confirming the attack vector. The protocol also stated that its internal investigation found no vulnerabilities in the Safe smart contracts or source code.

Following the recent incident, the Safe{Wallet} team conducted a thorough investigation and have now restored Safe{Wallet} on Ethereum mainnet with a phased rollout. The Safe team has fully rebuilt, reconfigured all infrastructure, and rotated all credentials, ensuring the attack vector is fully eliminated.

Safe post mortem

Martin Koeppelmann, co-founder of Gnosis, the team behind Safe, thanked Bybit CEO Ben Zhou for his leadership during the crisis. Koeppelmann emphasized the need for additional security layers and reducing reliance on web2 technology to prevent similar incidents in the future.