Bybit’s $1.4 Billion Hack Traced to Safe Developer’s Infected Laptop
Key Takeaways
- Bybit’s $1.4 billion hack stemmed from a Safe developer’s compromised laptop, allowing attackers to infiltrate the system;
- Hackers bypassed multi-factor authentication by hijacking AWS session tokens, later injecting malicious JavaScript into Safe’s site;
- Safe has enhanced security and urges users to carefully verify transactions before signing to prevent future attacks.
Safe, a provider of multi-signature wallet services, revealed that the $1.4 billion Bybit
Initially, independent reports suggested that malicious code had been inserted into Safe’s infrastructure. Safe worked alongside cybersecurity firm Mandiant to investigate the issue.
They shared an update in a March 6 post on X, stating, "We present these findings in the spirit of transparency and to highlight key lessons learned, along with calls to action for the broader community to learn from this incident and strengthen defenses".
Further investigation revealed that on February 4, a senior Safe developer unknowingly interacted with a harmful Docker project, which led to their workstation being compromised. This allowed hackers to access Safe’s Amazon Web Services (AWS) account, bypassing multi-factor authentication by hijacking active session tokens.
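The reason a hijacked session token defeats multi-factor authentication is visible in the logs: the MFA result is recorded on the session, so it follows the token to whoever replays it. The following is an added detection sketch, not code from Safe, Mandiant or the original article. It assumes CloudTrail logging is enabled and uses CloudTrail's standard record fields; the events, key IDs, user agents and IP addresses are constructed sample data.

```python
from collections import defaultdict

# Constructed CloudTrail-style records: key IDs are fake, IPs are documentation ranges.
def _ev(time, key, ip, agent, name, mfa="true"):
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userAgent": agent,
            "userIdentity": {"accessKeyId": key, "sessionContext": {
                "attributes": {"mfaAuthenticated": mfa}}}}

SAMPLE_EVENTS = [
    _ev("2025-01-01T09:00:00Z", "ASIAEXAMPLEDEV000001", "198.51.100.10", "aws-cli/2.x", "ListBuckets"),
    _ev("2025-01-01T09:05:00Z", "ASIAEXAMPLEDEV000001", "198.51.100.10", "aws-cli/2.x", "GetObject"),
    _ev("2025-01-01T09:20:00Z", "ASIAEXAMPLEDEV000001", "203.0.113.77", "python-requests/2.x", "PutObject"),
    _ev("2025-01-01T09:30:00Z", "ASIAEXAMPLEOPS000002", "198.51.100.25", "aws-cli/2.x", "DescribeInstances"),
    _ev("2025-01-01T09:40:00Z", "AKIAEXAMPLELONGTERM1", "192.0.2.5", "aws-cli/2.x", "ListBuckets", mfa="false"),
    _ev("2025-01-01T09:41:00Z", "AKIAEXAMPLELONGTERM1", "192.0.2.9", "aws-cli/2.x", "ListBuckets", mfa="false"),
]

def find_reused_sessions(events):
    """Flag temporary credentials (ASIA prefix) used from more than one
    (source IP, user agent) pair. Returns one finding per extra fingerprint."""
    first_seen = defaultdict(dict)  # key id -> {fingerprint: first event}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        ident = ev.get("userIdentity", {})
        key = ident.get("accessKeyId", "")
        if not key.startswith("ASIA"):  # only session (temporary) credentials
            continue
        fp = (ev.get("sourceIPAddress"), ev.get("userAgent"))
        first_seen[key].setdefault(fp, ev)
    findings = []
    for key, fps in first_seen.items():
        baseline, *others = fps.items()  # dicts keep insertion (time) order
        for fp, ev in others:
            attrs = ev["userIdentity"].get("sessionContext", {}).get("attributes", {})
            findings.append({
                "accessKeyId": key, "baseline_ip": baseline[0][0],
                "new_ip": fp[0], "new_user_agent": fp[1],
                "first_event": ev["eventName"], "time": ev["eventTime"],
                # The MFA flag travels with the token, so it stays "true" here.
                "mfaAuthenticated": attrs.get("mfaAuthenticated"),
            })
    return findings

if __name__ == "__main__":
    for f in find_reused_sessions(SAMPLE_EVENTS):
        print(f)
```

A change of source address can also be benign (VPN changes, or AWS services calling on the user's behalf), so a finding here is a lead to triage rather than a verdict.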
A timeline of events showed that two weeks after the initial breach, malicious JavaScript was inserted into Safe’s website. This code played a direct role in the February 21 attack that targeted Bybit.
In response, Safe has reset its entire infrastructure, improved its user interface for verifying transaction hashes, and enhanced its ability to detect suspicious transactions. However, the company acknowledges that more work remains and is urging users to be extra cautious when signing transactions.
To assist users, Safe has published a detailed guide on how to verify transactions before approving them. The company also plans to integrate additional security measures to make the process easier for users.