Safe{Wallet} Releases Statement on Bybit Targeted Attack
Safe{Wallet} has released a statement regarding Bybit’s recent targeted attack. The forensic report left former Binance CEO Changpeng Zhao with more questions than answers, and he criticized the report for its vague language.
According to Safe’s investigation report, the forensic review concluded that the attack by the Lazarus Group targeted Bybit’s Safe through a compromised developer machine. The compromise led to a disguised malicious transaction that allowed the hackers to withdraw funds from Bybit’s wallet.
The forensic audit indicated that there were no shortcomings in the Safe smart contracts or frontend source code. The Safe team conducted a thorough investigation and has reinstated Safe on the Ethereum mainnet with a phased rollout. The entire infrastructure has been rebuilt and reconfigured, and all credentials have been rotated to eliminate the attack vector.
The Safe frontend remains operational with enhanced security measures. However, users are urged to exercise extreme caution and vigilance when signing transactions.
CZ Criticizes Safe’s Forensics Report for Lack of Detail
> “I usually try not to criticize other industry players, but I do it once in a while. 😂 This update from Safe is not that great. It uses vague language to brush over the issues. I have more questions than answers after reading it.”
> — CZ 🔶 BNB (@cz_binance) February 26, 2025
CZ has heavily criticized the report for being insufficiently detailed, posing numerous questions regarding how hackers compromised a developer machine and accessed an exchange account. He raised concerns about how a developer machine could affect the production code and bypass Ledger verification steps.
Bybit also began a deep forensic investigation by engaging blockchain security firms Sygnia and Verichains, mainly focusing on the signers’ hosts to further investigate the $1.4 billion hack. Sygnia concluded that the malicious code stemmed from Safe’s infrastructure, while Verichains noted that a benign JavaScript file had been replaced with malicious code on a specific date, targeting Bybit’s Ethereum Multisig Cold Wallet.
Lazarus Group Launders Bybit Funds via Meme Coins
The UAE-based Bybit exchange lost $1.5 billion to hackers last week, with funds drawn from one of its cold multisig wallets. On-chain data suggests that the North Korean hacking group Lazarus Group was behind this attack, reportedly using meme coins to launder the stolen assets.
Binance also faced recent cyber threats, as crypto entrepreneur Joe Zhou reported that scammers had accessed his account through the usual Binance verification channels, misleading him into sending funds to a different wallet. Zhou quickly acted to recover most of his funds before the hackers could cash out.