
Bybit security investigation reveals: Safe front-end cloud service was attacked; how can multisig wallets carrying more than a billion dollars in assets be kept secure?


Reprinted from panewslab

02/27/2025

Author: Frank, PANews

On February 21, 2025, the cryptocurrency exchange Bybit suffered an attack of unprecedented scale: assets worth $1.46 billion were stolen by the North Korean hacker group Lazarus. Beyond recovering the assets, the more important task is to establish the attack path so that new incidents can be prevented. On February 27, Bybit released a forensic report on the hack, which directly attributes the theft of funds to a vulnerability in Safe's infrastructure. Safe, however, appears unwilling to accept this finding. Its statement admits that a developer was hacked, but blames the outcome mainly on the sophistication of the North Korean attackers and on Bybit's operational mistakes. This "Rashomon" over who bears the greater responsibility has also triggered a major industry debate about trust in infrastructure, security paradigms and human nature.

The attack originated in Safe{Wallet}'s front-end cloud service

According to the two investigation reports released by Bybit (the preliminary report on the Bybit incident and the interim investigation report), further analysis of the Safe{Wallet} resources found two snapshots of the JavaScript resources taken on February 19, 2025. Review of these snapshots shows that the first snapshot contains the original, legitimate Safe{Wallet} code, while the second contains resources with malicious JavaScript code. This shows that the malicious code used to create the malicious transaction was served directly from Safe{Wallet}'s AWS infrastructure.


The report concludes that, based on the findings from Bybit's signer machines and the cached malicious JavaScript payload found in the Wayback Archive, the investigators strongly believe that Safe.Global's AWS S3 or CloudFront account/API keys may have been leaked.

In summary, the initial entry point of this attack was a Safe{Wallet} developer's device: by compromising it, the hacker tampered with the front-end JavaScript files in the AWS S3 bucket and implanted malicious code targeted at the Bybit cold wallet address. Safe had previously released a brief investigation report stating that no code vulnerabilities and no malicious dependencies (i.e., no supply chain attack) were found; Safe then conducted a comprehensive review and suspended the Safe{Wallet} function. The results of Bybit's investigation appear to overturn Safe's earlier findings.

Safe's response dodges the key issues and raises more doubts

Bybit has not stated what responsibility Safe should bear in this incident, but after the report was released, social media began discussing Safe's security vulnerabilities, and some voices argued that Safe should be held responsible and pay compensation.

Safe clearly does not accept the report's conclusions. In its official statement, Safe divides responsibility into three levels. On the technical level, it emphasizes that the smart contracts were not attacked and that the product remains secure. On the operations and maintenance level, it acknowledges that a developer's device was compromised and that this leaked the AWS key, but attributes the breach to a nation-state attack by North Korean hackers. On the user level, it recommends that users "stay alert when signing transactions", implying that Bybit did not fully verify the transaction data.


However, this response is open to the charge of avoiding the important and dwelling on the trivial. According to the process shown in the report, Safe bears the following responsibilities:

1. Loss of control over permissions: The attacker obtained AWS permissions by compromising a developer's device, which shows that the Safe team did not implement the principle of least privilege. For example, a single developer's credentials could directly modify production code, and no monitoring mechanism caught the code change.

2. Front-end security negligence: Basic protections such as SRI (Subresource Integrity) were not enabled.

3. Supply chain dependency risk: The attack path (developer device → AWS → front-end code) shows that Safe is overly dependent on centralized cloud services, which conflicts with the blockchain's decentralized security model.

In addition, the industry has raised many questions about Safe's statement. Binance founder CZ has raised five technical questions in succession (such as the specific method by which the developer's device was compromised and why permissions got out of control), pointing directly at the opacity of Safe's statement. Safe has not disclosed the details of the attack chain, which leaves the industry unable to mount targeted defenses.

The token has risen strangely, while daily active users have dropped by nearly 70%

Another major controversy in the community is whether Safe should compensate Bybit for the losses from this incident. Some users believe that Safe's infrastructure vulnerability caused the attack and that Safe should therefore be liable for compensation. Some even propose that Safe's predecessor Gnosis should bear joint and several liability for the losses. Safe was originally a multi-signature protocol developed by the Gnosis team in 2017, and was spun out of the Gnosis ecosystem to operate independently in 2022. Gnosis raised 250,000 ETH in its 2017 ICO and currently holds 150,000 ETH in its treasury, making it an ETH whale.

But others believe that the main responsibility for this incident lies with Bybit itself. On the one hand, an entity managing a cold wallet holding more than a billion dollars in assets has every reason to invest in R&D and build its own security infrastructure. On the other hand, Bybit appears to have been using Safe's free service without paying a subscription fee, so from this perspective Safe has no obligation to assume responsibility.

After the investigation report was released, Bybit, the party directly involved, did not ask Safe for financial compensation.

While the industry is still arguing over who is responsible, the capital market has been staging an absurd drama. Safe's official token seems to have drawn attention of a different kind because of the incident. On February 27, the SAFE token rose against the market trend from US$0.44 to US$0.69, a maximum gain of about 58% within 10 hours. From the standpoint of investment logic, however, the incident mainly damaged Safe's brand, and the rise may simply be the result of short-term market sentiment.

Data from February 27 showed that Safe's total managed assets exceeded US$100 billion, and its silence on the details of the vulnerability is shaking its credibility as industry infrastructure.


The daily active user data makes clear that Safe has taken a significant hit from this incident. Compared with 1,200 daily active addresses on February 12, the figure had dropped to 379 daily active users on February 27, a decrease of nearly 70%.

In addition, now that the centralized risks of the front-end have been exposed, the community is once again paying attention to front-end security mechanisms. ICP founder Dominic Williams said that North Korean hackers recently stole $1.5 billion of Bybit's funds mainly by exploiting a web-side vulnerability in Safe{Wallet}, which is hosted in the cloud rather than in smart contracts. Williams criticized some Web3 projects for running only "fake onchain", which leads to security risks, and recommended using ICP (Internet Computer) for on-chain computing, data storage and user experience verification to improve security. He proposed that Safe{Wallet} be moved to ICP and adopt cryptographic authentication mechanisms and multi-party consensus governance (such as an SNS DAO) to enhance security.

Looking back at the entire incident, it appears to be an isolated event carefully planned by North Korean hackers, but behind it lie the security weaknesses in the permission design and supply chain of Safe's current multi-signature wallets. From the perspective of brand development, rushing to distance itself from the incident in order to preserve a myth of safety is counterproductive and has only provoked more public doubt. Safe might better reflect the stature of a leader in crypto security by promptly acknowledging its mistakes and introducing corresponding measures. At the same time, publishing the details of the vulnerability as soon as possible would help the industry strengthen self-inspection and prevent similar vulnerabilities.
