[ad_1]
Cryptocurrency exchange Bybit, which recently suffered a major security breach, has released a detailed investigation report into the incident. The findings, compiled by cybersecurity firms Sygnia and Verichains, suggest that the attack was caused by a compromise of Safe{Wallet}’s infrastructure rather than Bybit’s own systems.
The unauthorized activity was first detected on February 21, 2025, when Bybit noticed suspicious transactions involving one of its Ethereum (ETH) cold wallets. According to the report, the attack occurred during a multisig transaction from a cold wallet to a hot wallet via Safe{Wallet}. A malicious actor was able to intercept the transaction, manipulate the transaction, and take control of the cold wallet’s assets, which were then transferred to an external wallet under their control.
Sygnia, commissioned by Bybit to investigate the attack, revealed the following key points:
- Malicious JavaScript code was injected into a resource hosted in Safe{Wallet}’s AWS S3 bucket.
- Change timestamps and public web history archives indicate that the malicious code was injected directly into Safe{Wallet}’s AWS S3 infrastructure.
- JavaScript injection was designed to manipulate transaction data during the signing process and change transaction details without being detected.
- The code included an activation trigger that only fired when transactions originated from Bybit’s contract address or another unidentified contract address, likely controlled by the attacker.
- Just two minutes after the attack was executed and publicly disclosed, new versions of the compromised JavaScript files were uploaded to Safe{Wallet}’s AWS S3 bucket and the malicious code was removed.
- Bybit said its own infrastructure was not compromised, but the attack highlighted vulnerabilities in third-party wallet solutions.
*This is not investment advice.
[ad_2]
