Catenaa, Friday, February 28, 2025 - Bybit released a detailed forensic report on February 26, 2025, confirming a $1.5 billion hack that exploited a vulnerability in the Safe Wallet infrastructure.
The attack, which was first detected on February 21, targeted Bybit’s Ethereum multisignature cold wallet. Forensic analysis by Sygnia revealed that malicious JavaScript code was injected into Safe Wallet’s AWS S3 bucket, altering transaction details during the signing process.
This manipulation allowed the hacker to reroute funds from Bybit’s cold wallet to external addresses.
The breach, which involved the deployment of sophisticated malicious contracts, drained 401,347 Ether, as well as other Ethereum-based assets. The stolen funds were then laundered through multiple wallet addresses, making recovery efforts extremely difficult. Despite the attack, Bybit’s security infrastructure was not directly compromised, and investigators traced the vulnerability to Safe Wallet, a third-party service used for digital asset storage.
The breach highlights the risks associated with relying on third-party services for digital asset management. The injected code had been placed on Safe Wallet’s system on February 19, 2025, and was only activated during transactions from Bybit’s multisig wallet.
Blockchain forensics revealed that the malicious contracts deployed by the attacker remained dormant until they were triggered, allowing the funds to be diverted.
In response, decentralized exchange Chainflip has implemented a protocol upgrade to block the laundering of stolen funds, enhancing security for Ethereum transactions. The attack underscores the need for continuous security reviews, enhanced monitoring, and tighter control over third-party integrations to mitigate such risks in the future.
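As an added illustration of the tighter control over third-party integrations mentioned above (this is not code from Bybit, Safe Wallet or the Sygnia report): a Node.js check that compares the JavaScript a storage bucket currently serves against digests pinned at release time, so a file altered in place is flagged. The file names, contents and function names are constructed for the example.

```javascript
const crypto = require("node:crypto");

// SRI-style digest ("sha384-<base64>") of an asset's bytes.
function sriDigest(content) {
  return "sha384-" + crypto.createHash("sha384").update(content).digest("base64");
}

// Pin a digest for every file in the reviewed release build.
function buildManifest(assets) {
  const manifest = {};
  for (const [path, content] of Object.entries(assets)) {
    manifest[path] = sriDigest(content);
  }
  return manifest;
}

// Compare what is served now against the pinned manifest.
function auditAssets(manifest, served) {
  const findings = [];
  for (const [path, expected] of Object.entries(manifest)) {
    if (!(path in served)) findings.push({ path, status: "missing" });
    else if (sriDigest(served[path]) !== expected) findings.push({ path, status: "modified" });
  }
  for (const path of Object.keys(served)) {
    if (!(path in manifest)) findings.push({ path, status: "unexpected" });
  }
  return findings;
}

// Constructed sample data: hypothetical file names and contents.
const releaseBuild = {
  "static/app.js": "function buildTx(tx) { return tx; }",
  "static/vendor.js": "/* vendor bundle */",
};
const manifest = buildManifest(releaseBuild);

// The same bucket later: one file changed in place, one file added.
const servedNow = {
  "static/app.js": "function buildTx(tx) { return tx; } /* changed after release */",
  "static/vendor.js": "/* vendor bundle */",
  "static/extra.js": "/* not part of the release */",
};

function runAudit() {
  return auditAssets(manifest, servedNow);
}
console.log(runAudit());
```

The manifest has to be stored and checked from somewhere outside the bucket it describes; otherwise whoever can overwrite the script can overwrite the digests too.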
