Bybit Releases Forensic Report

Good day everyone,

I hope you are all having a good day, and welcome to CryptoGod-1's blog on all things crypto. In this post I will be looking at the recent report released by Bybit, which links the $1.5 billion hack to a compromise of Safe{Wallet}.

Bybit Releases Forensic Report

The largest crypto heist took place last week when Bybit had over $1.5 billion taken from its exchange. The exchange, in collaboration with the security firm Sygnia, has released a forensic report showing the critical weaknesses in centralised exchanges that allowed this hack to take place. The attacker targeted the exchange's Ethereum multisignature cold wallet, and it has been revealed that a vulnerability in Safe{Wallet}'s infrastructure allowed this to happen.

An investigation was launched as soon as the unauthorised transactions were detected on the 21st of February, and it revealed that the breach was enabled through malicious JavaScript code injected into Safe{Wallet}'s AWS S3 bucket. The transaction details were altered at the moment of signing, which indicates that the hacker manipulated a transaction. Funds that were being moved from a Bybit cold wallet to a warm wallet were instead intercepted and sent to an external address. The compromised cold wallet was drained, with all of the funds dispersed across multiple addresses, which in turn made any recovery efforts extremely challenging.

https://x.com/benbybit/status/1894768736084885929

The investigators discovered that every host involved in signing the multisignature transaction had cached JavaScript resources from Safe{Wallet} that contained malicious modifications. These cache files showed that the JavaScript resources had been altered two days before the attack, on the 19th of February, indicating a premeditated attack.

The script was designed to trigger only when transactions originated from specific addresses, which included Bybit's multisig contract and another unidentified address believed to belong to the hacker. Further investigation by the forensic team located internet archives of Safe{Wallet}'s JavaScript resources, which revealed that a legitimate version of the script had been replaced with the compromised one on that same day.

Within two minutes of the attack being successfully executed the wallet was completely drained, and Safe{Wallet}'s AWS S3 bucket was updated again, this time restoring the original JavaScript file. The speed of this shows an attempt to cover the tracks of the attack and make it harder to pinpoint when and how the attack took place.

Forensic analysis of Chrome browser artifacts across all three signers' machines provided the evidence that the malicious JavaScript file was present during the attack. Further analysis of blockchain records showed that the attack had been planned days in advance. On the 18th of February the hacker deployed a malicious contract containing code specifically designed to facilitate unauthorised withdrawals. Another contract was deployed later that day which created a backdoor function to be used to exploit Bybit's multi-signature wallet.

Both of these contracts were left dormant until the hacker manipulated the signing process, in the process changing Bybit's contract and diverting the funds from its transaction. The exploit allowed the hacker to drain 401,347 Ether and substantial amounts of wrapped and staked Ethereum assets.

The stolen funds have since been laundered through a number of wallet addresses believed to belong to the hacker, which makes them difficult to track. Blockchain forensics traced the initial movements through these addresses, but the ongoing nature of the investigation means the full extent of asset dispersion remains unclear.

Bybit's security infrastructure itself showed no signs of direct compromise, further supporting the conclusion that the vulnerability may lie within Safe{Wallet}. Ben Zhou, co-founder and CEO of Bybit, released the following statement:

"Bybit remains steadfast in our commitment to security and transparency. The preliminary forensic review finds that our system was not compromised. While this incident underscores the evolving threats in the crypto space, we are taking proactive steps to reinforce security and ensure the highest level of protection for our users."

Safe also released a statement on the attack, which can be found on X here: https://x.com/safe/status/1894768522720350673

Have a great day.

Peace. CryptoGod-1.
