Was $1.4B Bybit Hack Due to Negligence?

The recent Bybit hack, which led to the theft of over $1.4 billion in Ether, has sparked controversy, with former Binance CEO Changpeng Zhao (CZ) criticizing the post-mortem report released by Safe{Wallet}. CZ labeled the report as vague and incomplete, stating that it failed to provide clear answers regarding how the breach occurred.

The Lazarus Group, a notorious North Korean hacking collective, is believed to have orchestrated the attack by compromising a Safe developer’s machine. The hackers inserted malicious JavaScript code into SafeWallet’s Amazon Web Services (AWS) infrastructure, deceiving Bybit’s signers into approving a fraudulent transaction.

Safe’s Findings: What the Report Says

Safe’s forensic report concluded that the hack was executed through a compromised developer machine, allowing the attackers to submit a malicious transaction proposal. However, the report stated that the attack was not due to vulnerabilities in Safe’s smart contracts or frontend services.

Key Takeaways from Safe’s Report:

• The attack targeted Bybit’s Safe Wallet via a compromised Safe developer machine.
• A malicious transaction was submitted, draining funds from Bybit’s wallet.
• External audits found no flaws in Safe’s smart contracts or source code.
• Safe has reconfigured its infrastructure, rotated credentials, and enhanced security.
• Users are urged to exercise caution when signing transactions.

Despite these measures, CZ was not convinced and raised multiple concerns about Safe’s explanation.

CZ’s Criticism: More Questions Than Answers

CZ openly criticized the report, claiming it brushed over key details and left many critical questions unanswered. In a detailed response, he pointed out several gaps in the report’s findings:

• What does “compromising a Safe developer machine” mean?

  CZ questioned how the hackers gained access to this machine—was it social engineering, malware, or a different exploit?

• How did a developer’s machine have access to Bybit’s account?

  Was code deployed from the compromised machine to production?

• How did the hackers bypass the Ledger verification step at multiple signers?

  Were the signers blind-signing transactions, or was Ledger’s security bypassed?

• Why was the Bybit wallet specifically targeted?

  If Bybit’s wallet held $1.4 billion, why didn’t the hackers target other wallets?

• What lessons can other self-custody multi-signature wallet providers learn?

  CZ called for greater transparency and stronger security protocols to prevent similar attacks.

Safe Co-Founder Responds

In response to CZ’s criticism, Martin Köppelmann, co-founder of the Gnosis blockchain network (which developed Safe), attempted to clarify the attack. He explained:

• The interface was compromised, not the Safe code itself.

• Hackers modified the interface to trick Bybit into signing a fraudulent transaction.

• The malicious attack was specifically designed to target Bybit’s Safe Wallet.

To prevent future incidents, Köppelmann proposed improvements, including:

• Enhancing transaction verification on hardware devices.

• Introducing SafeNet, a professional co-signing service to add an extra layer of security.

• Encouraging the use of multiple Safe interfaces to reduce reliance on a single access point.

Sygnia and Verichains: What Their Investigations Revealed

To get an independent forensic analysis, Bybit hired Sygnia and Verichains, two leading blockchain security firms. Their investigation concluded that the root cause was a malicious JavaScript injection in Safe’s infrastructure.

Key Findings from Sygnia and Verichains:

• The malicious JavaScript file was introduced on February 19.

• The code specifically targeted Bybit’s Ethereum Multisig Cold Wallet.

• The attackers used social engineering to gain access to SafeWallet’s AWS infrastructure.

• Both firms recommended further investigations to confirm the full extent of the breach.

Bybit’s Response: Quick Action to Protect Users

Despite the massive loss, Bybit replenished user funds and continued operations with minimal downtime. To meet withdrawal demands, Bybit borrowed 40,000 ETH from Bitget, which has since been repaid.

The Bybit hack is now one of the largest exploits in crypto history, surpassing the 2022 Ronin Network hack and the 2021 Poly Network attack. The Lazarus Group has previously stolen billions from various crypto platforms, often using memecoins to launder stolen funds.

This incident highlights the ongoing vulnerabilities in crypto security, especially in self-custody and multi-signature wallets. As CZ pointed out, the industry must learn from these failures and implement stronger security measures to prevent future attacks.

Meanwhile, other crypto platforms remain under attack. Recently, Hong Kong-based crypto entrepreneur Joe Zhou reported a Binance-related scam attempt, where hackers tried to trick him into transferring funds to a fraudulent wallet.