Multi-signature wallet provider Safe said Thursday that last month’s $1.4 billion Ethereum heist from Dubai-based centralized exchange Bybit stemmed from a compromised developer laptop.
After multiple independent reports pointed to a malicious code injection into Safe’s infrastructure, the firm, alongside security experts at Mandiant, released more details Thursday, saying that the investigation had reached a “critical checkpoint.”
“We present these findings in the spirit of transparency and to highlight key lessons learned, along with calls to action for the broader community to learn from this incident and strengthen defenses,” it posted on X (formerly Twitter). “We wish to stress that despite hundreds of hours of analysis already conducted, there is more work to be done.”

The investigation’s key findings indicate that a high-level Safe developer’s workstation was compromised on February 4 when it interacted with a malicious Docker project, or lightweight application.
From there, the hackers, who on-chain sleuths and the FBI have said hailed from North Korea’s state-sponsored Lazarus hacking group, were able to bypass multi-factor authentication on Safe’s Amazon Web Services account, "hijacking" active AWS session tokens to do so.
A Wayback Machine snapshot shows that two weeks after the initial compromise, malicious JavaScript was inserted on the Safe website, leading to the Bybit exploit on February 21.
Since the exploit, Safe has put in place more rigorous security measures, including a full infrastructure reset, improved UI for verifying transaction hashes, and enhanced malicious transaction detection.
Nevertheless, the investigation is still ongoing, and Safe’s concluding call to action is that users must be better able to verify that the transactions they sign and approve ultimately have the intended outcome.

“The act of signing the transaction itself currently is the last line of defense, and it can only be effective if the user can understand what they are signing,” the firm said. “To support users in securing their transactions, Safe has published a comprehensive guide on how to verify transactions before signing and will take further steps to make this process a frictionless part of using the Safe in the near-term.”
The Bybit hack was the largest crypto hack of all time. The exchange is actively monitoring the stolen funds, offering up to $140 million in bounties for those who help track and freeze them.
Edited by Andrew Hayward