Bybit’s Forensic Review on $1.5 Billion Hack
Cryptocurrency exchange Bybit has published a forensic review regarding last week’s $1.5 billion hack. The review reveals that Bybit’s systems were not infiltrated; instead, the issue originated from compromised Safe wallet infrastructure.
Bybit concluded that “the credentials of a Safe developer were compromised,” enabling the Lazarus hacking group to gain unauthorized access to the Safe wallet. This also led to Bybit staff being deceived into signing a malicious transaction.
A source told CoinDesk that despite the wallet’s infrastructure being compromised through social engineering, the hack could not have occurred if Bybit had not “blind signed” the transaction. Blind signing means approving a smart contract transaction without a comprehensive understanding of its contents.
Safe issued a statement indicating that “Safe smart contracts [were] unaffected. An attack was conducted by compromising a Safe Wallet developer machine, which affected an account operated by Bybit.” Safe highlighted that a forensic review by external security researchers did not reveal any vulnerabilities within the Safe smart contracts or the source code of the frontend and services.
The ongoing disputes between Bybit and Safe resemble the earlier back-and-forth between WazirX and Liminal Custody, which blamed each other after a $230 million exploit last July.
On-chain data analyzed by ZachXBT indicates that Lazarus is attempting to launder the stolen funds, with 920 wallets currently linked to the ill-gotten gains. Notably, these funds have inadvertently been mixed with stolen assets from hacks targeting Phemex and Poloniex, further connecting Lazarus Group to all three incidents.