The crypto industry has been rocked by a major security breach after Bybit, one of the leading exchanges, confirmed a sophisticated hack that resulted in the loss of approximately $1.5 billion in digital assets.

The attack, which targeted Bybit’s Ethereum multisignature cold wallet, has now been traced back to a vulnerability in Safe{Wallet}’s infrastructure, as detailed in an extensive forensic report compiled by security firm Sygnia.

Bybit Hack Forensics Report
As promised, here are the preliminary reports of the hack conducted by @sygnia_labs and @Verichains
Screenshotted the conclusion and here is the link to the full report: https://t.co/3hcqkXLN5U

— Ben Zhou (@benbybit) February 26, 2025

The investigation, launched immediately after the unauthorized transactions were detected on February 21, 2025, revealed that the breach was enabled through malicious JavaScript code injected into Safe{Wallet}’s AWS S3 bucket, altering transaction details at the moment of signing.

The findings indicate that the attacker manipulated a transaction, moving funds from a Bybit cold wallet to a warm wallet, intercepting and diverting the assets to an external address under their control.

The compromised cold wallet was drained, and the funds were dispersed across multiple addresses, making immediate recovery efforts significantly challenging.

How the Attack Unfolded: A Deep Dive into the Bybit Hack

The forensic examination of Bybit’s signing hosts provided a clearer picture of how the breach was executed.

Investigators found that every host involved in signing the multisignature transaction had cached JavaScript resources from Safe{Wallet} that contained malicious modifications.

The cache files showed that these JavaScript resources had been altered two days before the attack, on February 19, 2025, strongly suggesting premeditation.

This malicious script was specifically designed to trigger only when transactions originated from certain contract addresses, including Bybit’s multisig contract and another unidentified address believed to be controlled by the hacker.

The forensic team further analyzed internet archives of Safe{Wallet}’s JavaScript resources and discovered that a legitimate version of the script had been replaced with the compromised one on the same day.

Just two minutes after the attacker successfully executed the transaction and drained the wallet, Safe{Wallet}’s AWS S3 bucket was updated again, this time restoring the original, non-malicious JavaScript file.

This swift modification suggested an attempt to cover tracks, making it harder for investigators to pinpoint when and how the attack was staged.

Despite the restoration, forensic analysis of Chrome browser artifacts across all three signers’ machines provided irrefutable evidence of the injected code’s presence during the attack.
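The modify-then-restore pattern described above is something a bucket owner can look for directly in S3 version history. The following is an added illustration, not code from the Sygnia report or from Safe{Wallet}: given an object-version listing, it flags any key that was overwritten and later restored to its previous content, and reports how long the tampered version was live. The record shape, key names, ETags and timestamps below are constructed; real data would come from S3's list_object_versions call, which requires bucket versioning to be enabled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List


@dataclass
class ObjectVersion:
    """One entry of an S3 object-version listing (constructed shape for this example)."""
    key: str
    version_id: str
    etag: str                 # S3 ETag; for single-part uploads this is the content MD5
    last_modified: datetime


def from_listing(resp: dict) -> List[ObjectVersion]:
    """Convert the 'Versions' entries of a boto3 list_object_versions response."""
    return [ObjectVersion(v["Key"], v["VersionId"], v["ETag"].strip('"'), v["LastModified"])
            for v in resp.get("Versions", [])]


def find_modify_and_revert(versions: List[ObjectVersion]) -> List[Dict]:
    """Flag keys whose history goes clean -> different content -> clean again.

    A static asset that is changed and then silently put back to its earlier
    bytes is the tamper-and-restore pattern; ordinary deployments do not revert
    to a byte-identical previous version minutes or days later.
    """
    by_key: Dict[str, List[ObjectVersion]] = {}
    for v in versions:
        by_key.setdefault(v.key, []).append(v)
    findings = []
    for key, hist in by_key.items():
        hist.sort(key=lambda v: v.last_modified)
        for i in range(1, len(hist) - 1):
            prev, cur, nxt = hist[i - 1], hist[i], hist[i + 1]
            if cur.etag != prev.etag and nxt.etag == prev.etag:
                findings.append({"key": key,
                                 "tampered_version": cur.version_id,
                                 "restored_version": nxt.version_id,
                                 "live_for": nxt.last_modified - cur.last_modified})
    return findings


# Constructed sample history: app.js is overwritten, then restored two days later;
# index.html receives an ordinary update with no revert.
UTC = timezone.utc
SAMPLE_VERSIONS = [
    ObjectVersion("static/js/app.js", "v1", "etag-clean", datetime(2025, 2, 10, tzinfo=UTC)),
    ObjectVersion("static/js/app.js", "v2", "etag-tampered", datetime(2025, 2, 19, 15, 0, tzinfo=UTC)),
    ObjectVersion("static/js/app.js", "v3", "etag-clean", datetime(2025, 2, 21, 14, 18, tzinfo=UTC)),
    ObjectVersion("index.html", "v1", "etag-old", datetime(2025, 2, 1, tzinfo=UTC)),
    ObjectVersion("index.html", "v2", "etag-new", datetime(2025, 2, 15, tzinfo=UTC)),
]

if __name__ == "__main__":
    for f in find_modify_and_revert(SAMPLE_VERSIONS):
        print(f"{f['key']}: version {f['tampered_version']} was live for {f['live_for']} "
              f"before being reverted by {f['restored_version']}")
```

Pair this with an alert on any PutObject against production static assets outside a deployment window, since the revert itself is the second anomalous write.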

The Anatomy of the Exploit and Ongoing Recovery Efforts

Further analysis of blockchain records revealed that the attack had been meticulously planned days in advance.

On February 18, 2025, the hacker deployed a malicious contract containing code specifically designed to facilitate unauthorized withdrawals.

Later the same day, another contract was deployed, incorporating backdoor functions that would later be used to exploit Bybit’s multi-signature wallet.

These contracts remained dormant until the attacker successfully manipulated the signing process, upgraded Bybit’s contract, and rerouted the funds.

When the unauthorized transaction was executed on February 21, the exploit was fully operational, allowing the hacker to drain 401,347 Ether and substantial amounts of wrapped and staked Ethereum assets.

The stolen funds were then systematically laundered through multiple wallet addresses, making direct tracing difficult.

Blockchain forensics traced initial movements to a cluster of addresses, which investigators suspect belong to the threat actor.

Despite this, the ongoing nature of the investigation means the full extent of asset dispersion remains unclear.

Bybit’s own security infrastructure showed no signs of direct compromise, further supporting the conclusion that the vulnerability may lie within Safe{Wallet}.

As part of the recovery effort, Chainflip, a cross-chain decentralized exchange (DEX), is rolling out a protocol upgrade to prevent hackers from laundering stolen funds.

The 1.7.10 upgrade introduces enhanced security measures, enabling broker operators like SwapKit and Rango DEX to block suspicious deposits of ETH and ERC-20 tokens.

The post Bybit Releases Forensic Report Linking $1.5B Hack to Safe Wallet Compromise appeared first on Cryptonews.