Lazarus hacked Bybit via a breached Safe{Wallet} developer machine

​Forensic investigators have found that North Korean Lazarus hackers stole $1.5 billion from Bybit after hacking a developer's device at the multisig wallet platform Safe{Wallet}. Bybit CEO Ben Zhou shared the conclusions of two investigations by Sygnia and Verichains, which both found that the attack originated from Safe{Wallet} 's infrastructure. "The benign JavaScript file of app.safe.global appears to have been replaced with malicious code on February 19, 2025, at 15:29:25 UTC, specifically targeting Ethereum Multisig Cold Wallet of Bybit," Verichains said. "Based on the investigation results from the machines of Bybit's Signers and the cached malicious JavaScript payload found on the Wayback Archive, we strongly conclude that AWS S3 or CloudFront account/API Key of Safe. Global was likely leaked or compromised." Sygnia also said that no evidence of compromise was discovered during a forensic investigation of Bybit's infrastructure following the attack. Their conclusions were ... Read full article.