An investigation by cyber security firm Sygnia has traced the cause of Bybit’s $1.4 billion hack to the popular multi-signature wallet provider Safe Wallet.
The investigation “suggests the root cause of the attack is malicious code originating from Safe Wallet’s infrastructure,” Sygnia’s report, viewed by DL News, said. “Thus far, the forensics investigation did not find any compromise of Bybit’s infrastructure.”
Safe Wallet confirmed the findings in an X post and reassured users that their funds were safe.
“The Safe Wallet team has fully rebuilt, reconfigured all infrastructure, and rotated all credentials, ensuring the attack vector is fully eliminated,” Safe said, adding that Sygnia’s report did not find any vulnerabilities in the Safe smart contracts or source code.
On Friday, crypto exchange Bybit suffered a $1.4 billion hack, rocking the industry. Security researchers quickly connected the attack to the Lazarus Group, a state-sponsored North Korean hacking group.
An independent investigation by security firm Verichains came to the same conclusions as Sygnia.
How it worked
Sygnia’s findings reveal a complex, targeted attack against Bybit.
The hack started with Lazarus compromising one of Safe Wallet’s developer machines at an unknown time before the theft, Sygnia’s report said.
It’s not known whether access to Safe Wallet’s systems was leaked or if Lazarus gained access through other means.
Lazarus has previously hacked into crypto firms using social engineering techniques. This often involves tricking employees into unknowingly downloading malicious software or clicking on malicious links.
Once Lazarus had access, it injected code into the data served by Safe Wallet’s cloud data provider, Amazon Web Services, impacting the wallet provider’s website. The malicious code was designed to only activate when Bybit’s wallet requested to make a transaction.
That code activated when Bybit attempted to transfer funds from the targeted wallet on Friday.
On the surface, nothing appeared out of the ordinary for the three Bybit employees who signed the transaction. But under the hood, the content of the transaction had been edited by the malicious code to transfer the ability to execute transactions from Bybit to Lazarus.
As soon as the transaction was signed, Lazarus gained the ability to move the $1.4 billion worth of Ether and staked Ether tokens out of Bybit’s wallet.
“This only further emphasises what many security researchers have already been saying, that sensitive transaction payloads should be verified independently of the front-end interface,” Michael Lewellen, head of solutions engineering at Blockaid, told DL News.
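What “verified independently of the front-end interface” can mean in practice for a Safe multisig, as an added example that is not code from the article, Sygnia, Safe or Bybit: the payload the signer is about to authorise is decoded offline and compared field by field with what the web UI displayed. It assumes the public Safe `execTransaction` ABI; the addresses and calldata are constructed placeholders.

```python
# Added example, not code from the article, Sygnia, Safe or Bybit: decode a
# Safe execTransaction() call offline so a signer can compare the payload that
# will actually be signed with what the web front-end displayed. Assumes the
# public Safe execTransaction ABI; sample input is constructed, addresses are placeholders.

# execTransaction(address to,uint256 value,bytes data,uint8 operation,
#   uint256 safeTxGas,uint256 baseGas,uint256 gasPrice,address gasToken,
#   address refundReceiver,bytes signatures); selector 0x6a761202
SELECTOR = bytes.fromhex("6a761202")
FIELDS = ["to", "value", "data", "operation", "safeTxGas", "baseGas",
          "gasPrice", "gasToken", "refundReceiver", "signatures"]
DYNAMIC = {"data", "signatures"}          # ABI 'bytes': head word is an offset
ADDRESSES = {"to", "gasToken", "refundReceiver"}
CHECKED = ("to", "value", "operation", "data")  # fields a signer must verify

def decode_exec_transaction(calldata: bytes) -> dict:
    """Parse execTransaction calldata into a dict keyed by FIELDS."""
    if calldata[:4] != SELECTOR:
        raise ValueError(f"not execTransaction: selector {calldata[:4].hex()}")
    args, out = calldata[4:], {}
    for i, name in enumerate(FIELDS):
        word = args[32 * i: 32 * (i + 1)]
        if name in DYNAMIC:                   # offset -> length-prefixed bytes
            off = int.from_bytes(word, "big")
            length = int.from_bytes(args[off: off + 32], "big")
            out[name] = args[off + 32: off + 32 + length]
        elif name in ADDRESSES:
            out[name] = "0x" + word[12:].hex()  # address is right-aligned
        else:
            out[name] = int.from_bytes(word, "big")
    return out

def mismatches(decoded: dict, shown: dict) -> list:
    """Fields where the real payload differs from what the UI claimed. operation 1
    is delegatecall, which lets 'to' rewrite the Safe's own storage: stop signing."""
    return [k for k in CHECKED if decoded[k] != shown[k]]

def encode_exec_transaction(**f) -> bytes:
    """Constructed ABI encoder (head/tail layout) used only to build sample input."""
    head, tail = [], b""
    for name in FIELDS:
        v = f[name]
        if name in DYNAMIC:
            head.append(32 * len(FIELDS) + len(tail))
            tail += len(v).to_bytes(32, "big") + v + b"\0" * (-len(v) % 32)
        else:
            head.append(int(v, 16) if name in ADDRESSES else v)
    return SELECTOR + b"".join(h.to_bytes(32, "big") for h in head) + tail
```

Run against the raw calldata exported from the signing device or node, and record the UI's values by hand before comparing; any non-empty result from `mismatches` means the front-end and the payload disagree.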
Lazarus covers its tracks
Even after Lazarus had executed its attack, it wasn’t finished.
Just two minutes after the malicious transaction was executed, Lazarus removed the malicious code from Safe Wallet’s infrastructure, covering its tracks.
Sygnia said it confirmed that Lazarus had injected then removed the malicious code by looking at timed snapshots on public web archives.
Lazarus’ attempt to cover its tracks indicates it may have wanted to use the same attack method again.
Several high-profile crypto firms and DeFi protocols use Safe Wallets, including oracle provider Chainlink, $32 billion lending protocol Aave, and Ethereum layer 2 Starknet, per the Safe Wallet website.
“The hack could have been far worse if the hackers attempted to compromise other high-value multi-sigs and not just Bybit’s,” Lewellen said.
Sygnia said its investigation into the hack is still ongoing.
Tim Craig is DL News’ Edinburgh-based DeFi Correspondent. Reach out with tips at tim@dlnews.com.
Aleks Gilbert is DL News’ New York-based DeFi correspondent. You can reach him at aleks@dlnews.com.