Multi-signature wallet provider Safe said Thursday that last month’s $1.4 billion Ethereum heist from Dubai-based centralized exchange Bybit stemmed from a compromised developer laptop.
After multiple independent reports pointed to a malicious code injection to Safe’s infrastructure, the firm, alongside security experts at Mandiant, released more details Thursday, saying that the investigation had reached a “critical checkpoint.”
“We present these findings in the spirit of transparency and to highlight key lessons learned, along with calls to action for the broader community to learn from this incident and strengthen defenses,” it posted on X (formerly Twitter). “We wish to stress that despite hundreds of hours of analysis already conducted, there is more work to be done.”
The investigation’s key findings highlighted a high-level Safe developer’s workstation being compromised on February 4 when it interacted with a malicious docker project, or lightweight application.
From there, the hackers—which on-chain sleuths and the FBI have said hailed from North Korea’s state-sponsored Lazarus hacking group—were able to bypass multi-factor authentication on Safe’s Amazon Web Services account, "hijacking" active AWS session tokens to do so.
A Wayback Machine snapshot shows that two weeks after the initial compromise, malicious JavaScript was inserted on the Safe website, leading to the Bybit exploit on February 21.
Since the exploit, Safe has put in place more rigorous security measures, including a full infrastructure reset, improved UI for verifying transaction hashes, and enhanced malicious transaction detection.
Nevertheless, the investigation is still ongoing, and Safe’s concluding call to action is that users must better be able to verify that the transactions they sign and approve ultimately have the intended outcome.
“The act of signing the transaction itself currently is the last line of defense, and it can only be effective if the user can understand what they are signing,” the firm said. “To support users in securing their transactions, Safe has published a comprehensive guide on how to verify transactions before signing and will take further steps to make this process a frictionless part of using the Safe in the near-term.”
The Bybit hack was the largest crypto hack of all time. The exchange is actively monitoring the stolen funds, offering up to $140 million in bounties for those that help track and freeze them.
Edited by Andrew Hayward