Bybit Security Breach Report
Cryptocurrency exchange Bybit, recently hit by a significant security breach, has published a detailed investigation report on the incident. This report, compiled by cybersecurity firms Sygnia and Verichains, indicates that the attack resulted from a compromise in Safe{Wallet}’s infrastructure, not Bybit’s own systems.
Timeline of Events
The unauthorized activity was first detected on February 21, 2025, when Bybit identified suspicious transactions involving one of its Ethereum (ETH) cold wallets. The report explains that the attack occurred during a multisig transaction transferring assets from a cold wallet to a hot wallet via Safe{Wallet}. A malicious actor managed to intercept and manipulate this transaction, gaining control over the cold wallet’s assets, which were subsequently transferred to an external wallet.
Key Findings from Sygnia’s Investigation
Sygnia’s report outlines several critical points:
- Malicious JavaScript code was injected into a resource hosted in Safe{Wallet}’s AWS S3 bucket.
- Change timestamps and public web history archives suggest the code was inserted directly into Safe{Wallet}’s AWS S3 infrastructure.
- The JavaScript injection was crafted to manipulate transaction data during the signing process, altering transaction details undetected.
- The malicious code contained an activation trigger that functioned only for transactions originating from Bybit’s contract address or another suspected contract address controlled by the attacker.
- Just two minutes after the attack and public disclosure, new versions of the compromised JavaScript files were uploaded to Safe{Wallet}’s AWS S3 bucket, removing the malicious code.
Bybit confirmed that its own infrastructure remained uncompromised; however, the attack underscored vulnerabilities in third-party wallet solutions.
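Because the injected script altered transaction details during signing, one signer-side control is to compare the payload presented for signature against the transaction that was actually intended, using a tool that does not load the hosted web interface. The sketch below is an added example, not code from the Sygnia or Verichains report or from Safe{Wallet} or Bybit; the function names and all sample values are constructed, and the field list assumes the standard Safe transaction structure.

```javascript
// Added example. Field names assume the Safe transaction structure;
// every address and value below is constructed for illustration.
const SAFE_TX_FIELDS = ["to", "value", "data", "operation", "safeTxGas",
  "baseGas", "gasPrice", "gasToken", "refundReceiver", "nonce"];
const HEX_FIELDS = ["to", "data", "gasToken", "refundReceiver"];

// Normalize so formatting differences (hex case, decimal vs hex numbers)
// neither hide a real change nor raise a false alarm.
function normalize(field, v) {
  if (v === undefined || v === null) return null;
  if (HEX_FIELDS.includes(field)) return String(v).toLowerCase();
  return BigInt(v).toString(); // numeric fields: accepts 10, "10", "0xa"
}

// Compare the transaction recorded out of band (intended) with the payload
// the UI hands to the signer (presented). Returns the differing fields.
function diffSafeTx(intended, presented) {
  const mismatches = [];
  for (const f of SAFE_TX_FIELDS) {
    const a = normalize(f, intended[f]);
    const b = normalize(f, presented[f]);
    if (a !== b) mismatches.push({ field: f, intended: a, presented: b });
  }
  // A field outside the known structure is also a reason to stop.
  for (const f of Object.keys(presented)) {
    if (!SAFE_TX_FIELDS.includes(f)) {
      mismatches.push({ field: f, intended: null, presented: String(presented[f]) });
    }
  }
  return mismatches;
}

// Refuse to sign unless every field matches the intended transaction.
function approveForSigning(intended, presented) {
  const mismatches = diffSafeTx(intended, presented);
  return { ok: mismatches.length === 0, mismatches };
}

// Constructed sample transactions.
const ZERO = "0x" + "00".repeat(20);
const intendedTx = { to: "0x" + "Aa".repeat(20), value: "1000", data: "0x",
  operation: 0, safeTxGas: 0, baseGas: 0, gasPrice: 0,
  gasToken: ZERO, refundReceiver: ZERO, nonce: 71 };
// Same transaction, formatted differently: must pass.
const sameTx = { ...intendedTx, to: intendedTx.to.toLowerCase(), value: "0x3e8" };
// Payload whose destination and calldata differ from what was intended: must fail.
const alteredTx = { ...intendedTx, to: "0x" + "bb".repeat(20), data: "0x1234" };
```

The check is only meaningful when `intended` comes from a source independent of the web front end, since a compromised front end controls everything it displays.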