Author: 23pds & Thinking Editor: Liz
Background
On the evening of February 26, Bybit and Safe simultaneously issued a security investigation announcement regarding the theft of nearly US$1.5 billion in cryptocurrency from Bybit.
Safe said:
Lazarus Group's forensic analysis of the targeted attack on Bybit showed that the attacker hacked into the Safe{Wallet} developer machine, submitted a disguised malicious transaction proposal, and induced Bybit's Safe wallet Owner to sign a malicious transaction to attack the Bybit Safe wallet.
Forensic analysis by external security researchers did not find any vulnerabilities in the source code of Safe smart contracts, front-ends, or related services. After the incident, the Safe{Wallet} team conducted a thorough investigation and restored Safe{Wallet} on the Ethereum mainnet in stages. The Safe{Wallet} team has completely rebuilt, reconfigured all infrastructure, and rotated all credentials to ensure that the attack vector is completely eliminated. The Safe{Wallet} team will publish a full post-mortem once the final results of the investigation are available.
The Safe{Wallet} front end is still running and has taken additional security measures. However, users need to be extra careful and vigilant when signing transactions.
Bybit said:
Attack time: The malicious code was injected into the AWS S3 bucket of Safe{Wallet} on February 19, 2025, and was triggered when Bybit executed a multisig transaction on February 21, 2025, resulting in the theft of funds.
Attack method:The attacker tampered with the front-end JavaScript file of Safe{Wallet}, injected malicious code, modified Bybit's multisig transactions, and redirected funds to the attacker's address.
Attack target:The malicious code specifically targeted Bybit's multisig cold wallet address and a test address, and was only activated under specific conditions.
Post-attack operation:About two minutes after the malicious transaction was executed, the attacker removed the malicious code from the AWS S3 bucket to cover up the traces.
Investigation conclusion:The attack originated from Safe{Wallet}'s AWS infrastructure (probably the S3 CloudFront account/API Key was leaked or hacked), and Bybit's own infrastructure was not attacked.
The US Federal Bureau of Investigation (FBI) issued an announcement confirming that the North Korean hacker group "TraderTraitor" (also known as Lazarus Group) was behind the hacker attack on Bybit Exchange on February 21, which resulted in the theft of crypto assets worth $1.5 billion.
Review and Analysis
As an external third-party security agency, SlowMist did not directly intervene in the analysis, but we also continue to pay attention to the progress of the matter.
On the morning of February 26, when the SlowMist security team was reviewing the attack internally, SlowMist CISO 23pds found that since the attack on February 21, Safe began to modify the front-end code in various ways. So 23pds published part of the analysis on X and immediately notified the head of the SlowMist security team Thinking to pay attention:
https://app.safe.global/_next/static/chunks/pages/_app-52c9031bfa03da47.js
The historical changes of this JavaScript code:
We first use urlscan to crawl app.safe.global In recent months, we found that only the file "_app-52c9031bfa03da47.js" has changed: So, we analyzed the changes of this file through archive: https://web.archive.org/web/20250219172905js_/https://app.safe.global/_next/static/chunks/pages/_app-52c9031bfa03da47.js As shown in the figure: style="text-align: left;">Matched to the malicious implementation contract address used by the attacker in this hacking incident: 0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516.
The analysis of the involved “_app-52c9031bfa03da47.js” JavaScript code is as follows:
(Image source: ScamSniffer)
Overall attack flow chart
Coincidentally, while we were analyzing, Safe and Bybit just released their investigation reports last night, and finally the matter was concluded, which is undoubtedly a good thing. At this point, it can be confirmed that the theft of nearly $1.5 billion worth of cryptocurrency from Bybit was a targeted attack carefully planned by the attacker. This incident revealed the hacker's ability to accurately strike the development environment and supply chain, and highlighted the importance of front-end code control. The attacker first gained control of the front-end code of app.safe.global, and then carried out a precise attack on Bybit's Safe{Wallet} wallet. When Bybit's multi-signature Owner used app.safe.global to sign, the Safe{Wallet} interface displayed a normal address. In fact, when the transaction was initiated, the transaction content was replaced with malicious data to be signed, thereby deceiving the Owner to sign the modified malicious data to be signed. In the end, the attacker successfully took over the contract control of Bybit's multi-signature wallet and stole the currency.
Nubank, the largest digital bank in Brazil in which Buffett holds a stake, announced that it would stop trading its cryptocurrency Nucoin, and customers would have 90 days to exchange it for Bitcoin or USDC stablecoin.
WeiliangX Empire is introducing pre-market trading using custom NFT vouchers for its upcoming token, allowing players to trade these vouchers on the Getgems marketplace before the official token launch. The game offers complex gameplay and minting options, with NFT vouchers costing around $36 and a 20% royalty supporting token liquidity.
AnaisEuropean regulators are investigating Google's AI model, PaLM2, for potentially violating strict data privacy laws in the EU. Ireland's Data Protection Commission is focusing on whether Google properly assessed the risks of processing personal data with its AI.
WeatherlyOpenAI is seeking $11.5 billion in funding, aiming for a $150 billion valuation, with key investments from Thrive Capital, Microsoft, Apple, and Nvidia. This funding will support its growing AI operations and maintain its competitive edge in the rapidly evolving AI industry.p it competitive in a growing tech landscape.
AnaisDonald Trump’s digital trading cards have become a target for cybercriminals, who are using fake websites and phishing emails to steal personal and financial information.
WeatherlyFred Thiel, CEO of Marathon Digital, a U.S. cryptocurrency mining company, said that Bitcoin mining is a national security issue. Russia has mined 54,000 bitcoins under U.S. sanctions, and the Putin government has received huge tax revenue.
AlexThe British government has submitted a bill to Parliament hoping to classify cryptocurrency assets as a new form of property, which could generate £34 billion in revenue each year.
MiyukiCryptoQuant analysis shows that Bitcoin's trend is decoupled from gold, investors seem to favor gold, and cryptocurrencies continue to be in a bearish phase.
WeiliangPope Francis addressed Singapore’s leaders, urging the nation to use its global position for peace and unity. He emphasized that while technological advancements like AI should promote human connection, they should not lead to isolation or diminish genuine relationships.
WeatherlyPeople familiar with the matter revealed that Hong Kong is studying whether to allow the Hong Kong Securities and Futures Commission and the Customs to jointly participate in the supervision of over-the-counter virtual asset trading services.
Alex