Author: 23pds & Thinking; Editor: Liz
Background
On the evening of February 26, Bybit and Safe simultaneously published security investigation announcements regarding the earlier theft of nearly $1.5 billion in cryptocurrency.
Safe said:
Forensic analysis of the Lazarus Group's targeted attack on Bybit shows that the attacker compromised a Safe{Wallet} developer machine, submitted a malicious transaction proposal, and induced Bybit's Safe wallet Owners to sign a malicious transaction, thereby carrying out the attack on Bybit's Safe wallet.
Forensic analysis by external security researchers did not find any vulnerabilities in the source code of the Safe smart contracts, front-end, or related services. After the incident, the Safe{Wallet} team conducted a thorough investigation and restored Safe{Wallet} on Ethereum mainnet in stages. The Safe{Wallet} team has completely rebuilt and reconfigured all infrastructure and rotated all credentials to ensure that the attack vector is completely eliminated. Once the final results of the investigation are available, the Safe{Wallet} team will release a complete post-mortem analysis.
The Safe{Wallet} front-end is still running and additional security measures have been taken. However, users need to be extra careful and alert when signing transactions.
Bybit said:
Attack time: The malicious code was injected into Safe{Wallet}'s AWS S3 bucket on February 19, 2025, and was triggered when Bybit performed a multisig transaction on February 21, 2025, resulting in the theft of funds.
Attack method: The attacker tampered with the Safe{Wallet} front end by modifying a JavaScript file, injecting malicious code that altered Bybit's multisig transaction and redirected the funds to the attacker's address.
Attack target: The malicious code specifically targeted Bybit's multisig cold wallet address and a test address, and was activated only under specific conditions.
Post-attack operation: About two minutes after the malicious transaction was executed, the attacker removed the malicious code from the AWS S3 bucket to cover their tracks.
Investigation conclusion: The attack originated from Safe{Wallet}'s AWS infrastructure (probably a leaked or hacked S3/CloudFront account or API key); Bybit's own infrastructure was not attacked.
The FBI issued an announcement confirming that the North Korean hacker group "TraderTraitor" (also known as Lazarus Group) was behind the attack on the Bybit exchange on February 21, which resulted in the theft of $1.5 billion in crypto assets.
Review and analysis
As an external third-party security firm, SlowMist did not take part directly in the analysis, but we have continued to follow the progress of the matter.
On the morning of February 26, while the SlowMist Security Team was reviewing the attack, SlowMist CISO 23pds noticed that, since the attack on February 21, Safe had been modifying its front-end and other code in various ways. 23pds therefore published part of the analysis on X and immediately notified Thinking, head of the SlowMist Security Team, to follow up:
https://app.safe.global/_next/static/chunks/pages/_app-52c9031bfa03da47.js
The history of changes to this JavaScript file:
We first used urlscan to pull the changes to app.safe.global over recent months and found that only one file, "_app-52c9031bfa03da47.js", had changed:
So we analyzed the changes to this file through the web.archive.org archive:
https://web.archive.org/web/20250219172905js_/https://app.safe.global/_next/static/chunks/pages/_app-52c9031bfa03da47.js
As shown in the figure, this matches the malicious implementation contract address used by the attacker in this incident: 0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516.
Our analysis of the "_app-52c9031bfa03da47.js" JavaScript code is as follows:
(Image source: ScamSniffer)
Overall attack flowchart
Coincidentally, while we were doing this analysis, Safe's and Bybit's investigation reports happened to be released last night, finally bringing the matter to a conclusion, which is undoubtedly a good thing. At this point it can be confirmed that the theft of nearly $1.5 billion of Bybit's cryptocurrency was a targeted attack planned by the attacker. The incident shows the attacker's precise targeting of the development environment and supply chain, and highlights the importance of controlling front-end code. The attacker first gained control of app.safe.global's front-end code and then carried out a precision attack on Bybit's Safe{Wallet}. When a Bybit multisig Owner used app.safe.global to sign, the Safe{Wallet} interface displayed the normal address; in reality, by the time the transaction was initiated, the content to be signed had already been replaced with malicious data, so the Owner was tricked into signing the modified payload. In the end, the attacker took over control of Bybit's multisig wallet contract and drained the funds.