Bybit incident explained

Mar 25, 2025
report

On February 21, 2025, Bybit, one of the leading cryptocurrency trading platforms, experienced a security breach that resulted in the theft of approximately 401,000 ETH (~$1.4 billion USD), marking it as the largest cryptocurrency theft at the time.

Following an investigation alongside blockchain forensic experts, Bybit, Safe and their partners concluded that the attack was a sophisticated multi-stage operation carried out by a state-sponsored hacker group. The breach originated from a compromised machine belonging to a developer at Safe Wallet, a well-known provider of multisignature wallet smart contracts and interfaces.

In the days and weeks after the attack, the parties and their investigation partners published various statements and findings to help the community understand the root cause and work toward preventing similar attacks in the future. In this article, we break down and explain these findings in detail.

Event breakdown

Compromising a developer’s machine

According to Safe’s forensic investigation, some of the earliest malicious activity was traced back to February 2, when a domain later used in the attack was registered. Shortly after, on February 4, a Safe Wallet developer’s machine was compromised when their Docker project communicated with this domain and its associated IP address.

Docker is a popular open-source software tool used for developing and deploying applications. Many software projects and developers provide Docker templates as a quick way to set up and test projects with built-in functionality. However, as with all third-party software, such templates carry the risk of exposure to unknown or malicious code. In this case, the attacker leveraged exactly this exposure.

This attack method has previously been linked to the same hacker group. While the project was no longer available on the system at the time of analysis, some files remained in the download directory, leading investigators to suspect that social engineering played a role in convincing the developer to run this code.

Gaining access to Safe’s infrastructure

Once the attackers gained access to the compromised device, they obtained the developer’s AWS active session tokens. This allowed them to bypass multi-factor authentication and infiltrate Safe’s AWS account. The unauthorized access spanned at least from February 5 to February 21.

AWS is a major cloud computing platform provided by Amazon, offering services related to computing power, data storage, networking, and other resources. One of Safe’s uses for AWS is hosting the JavaScript files for the Safe Wallet user interface, enabling convenient interaction with their multisignature smart contracts.

Injecting malicious code into Safe Wallet

With access to Safe’s AWS, the attackers modified the scripts loaded by users when visiting and using Safe Wallet. The JavaScript resources were last modified on February 19, two days before the malicious transaction. Snapshots of these modified files were later found in public web archives.

Since the attack specifically targeted Bybit, the malicious code activated only under certain conditions to remain undetected by other users. The trigger condition was met when a transaction involved either Bybit’s multisig contract address or an unidentified contract address (likely controlled by the attackers).

Once triggered, the malicious script tampered with the transaction details, altering the data to transfer Bybit’s assets to the attackers’ wallet. Additionally, after the transaction was executed, the script restored the original transaction data, concealing the tampering from subsequent review. A detailed breakdown of the modified code can be found in Verichains’ preliminary report.

Tampering with Bybit’s transaction

On February 21, signers of Bybit’s multisig cold wallet unknowingly approved a malicious transaction while attempting to process a routine funds transfer. The compromised JavaScript code in Safe Wallet’s interface allowed the attackers to modify the payload, replacing it with a delegate call to a malicious smart contract that had been deployed in advance on February 19.

This contract contained functions that enabled the attackers to transfer funds without requiring multisig approval. The delegate call mechanism allows contracts to execute logic from external smart contracts while maintaining the context of the original contract. This feature, commonly used in modular and upgradable smart contract systems, was exploited to drain Bybit’s wallet.
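The mechanism above comes down to a handful of fields in the transaction the signers approve: the target address, the ETH value, the calldata and the operation type (a plain call versus a delegate call). The following is an added example, not code from Safe, Bybit or any of the investigation partners, of an independent pre-signing review of such a payload from a defender's point of view. It checks a Safe-style transaction object (fields `to`, `value`, `data`, `operation`) against a constructed withdrawal policy: only `CALL` is acceptable, the target must be an approved token contract, and the calldata must decode as a plain ERC-20 `transfer(address,uint256)` to an allowlisted recipient. The policy, the placeholder addresses and both sample payloads are constructed for illustration; the only real constant is the ERC-20 `transfer` selector `0xa9059cbb`.

```javascript
// Added example (not Safe's or Bybit's code): an independent review of a
// Safe-style transaction payload before signing. Field names (to, value,
// data, operation) mirror the Safe transaction shape; the policy, the
// addresses and the sample payloads are constructed for illustration.

const OPERATION_CALL = 0;         // ordinary external call
const OPERATION_DELEGATECALL = 1; // runs the target's code inside the Safe's own context

// 4-byte selector of ERC-20 transfer(address,uint256)
const ERC20_TRANSFER_SELECTOR = "0xa9059cbb";

// Pad a hex string (without 0x) to one 32-byte ABI word
function word(hex) {
  return hex.padStart(64, "0");
}

// ABI-encode transfer(recipient, amount) calldata; used to build the sample payload
function encodeErc20Transfer(recipient, amount) {
  return ERC20_TRANSFER_SELECTOR +
    word(recipient.toLowerCase().replace(/^0x/, "")) +
    word(amount.toString(16));
}

// Decode calldata that should be a plain ERC-20 transfer; null for anything else
function decodeErc20Transfer(data) {
  const hex = data.toLowerCase();
  if (!hex.startsWith(ERC20_TRANSFER_SELECTOR) || hex.length !== 10 + 128) return null;
  const args = hex.slice(10);
  return {
    recipient: "0x" + args.slice(24, 64),          // last 20 bytes of word 0
    amount: BigInt("0x" + args.slice(64, 128)),    // word 1
  };
}

// Compare the payload against a policy for routine token withdrawals.
// Every violated expectation becomes a finding; an empty list means "ok".
function reviewSafeTx(tx, policy) {
  const findings = [];

  if (tx.operation !== OPERATION_CALL) {
    findings.push(`operation=${tx.operation}: only CALL (0) is expected for a transfer; ` +
                  `DELEGATECALL (1) executes the target's code as the Safe itself`);
  }
  if (!policy.allowedTargets.includes(tx.to.toLowerCase())) {
    findings.push(`target ${tx.to} is not an approved token contract`);
  }
  if (BigInt(tx.value) !== 0n) {
    findings.push(`value=${tx.value}: a token transfer should carry no ETH`);
  }
  const transfer = decodeErc20Transfer(tx.data);
  if (transfer === null) {
    findings.push("calldata is not a plain ERC-20 transfer(address,uint256)");
  } else {
    if (!policy.allowedRecipients.includes(transfer.recipient)) {
      findings.push(`recipient ${transfer.recipient} is not on the withdrawal allowlist`);
    }
    if (transfer.amount > policy.maxAmount) {
      findings.push(`amount ${transfer.amount} exceeds the per-transaction limit`);
    }
  }
  return { ok: findings.length === 0, findings, transfer };
}

// Constructed policy and payloads (placeholder addresses, not real ones)
const TOKEN = "0x1111111111111111111111111111111111111111";
const HOT_WALLET = "0x2222222222222222222222222222222222222222";
const POLICY = {
  allowedTargets: [TOKEN],
  allowedRecipients: [HOT_WALLET],
  maxAmount: 5000n * 10n ** 18n, // 5,000 tokens with 18 decimals
};

// A routine transfer, as the signer expects to see it
const ROUTINE_TX = {
  to: TOKEN,
  value: "0",
  data: encodeErc20Transfer(HOT_WALLET, 1000n * 10n ** 18n),
  operation: OPERATION_CALL,
};

// The same intent after the kind of tampering described above: the target is
// an unknown contract, the operation is a delegate call and the calldata no
// longer decodes as a transfer
const TAMPERED_TX = {
  to: "0x3333333333333333333333333333333333333333",
  value: "0",
  data: "0xdeadbeef",
  operation: OPERATION_DELEGATECALL,
};

for (const [name, tx] of [["routine", ROUTINE_TX], ["tampered", TAMPERED_TX]]) {
  const result = reviewSafeTx(tx, POLICY);
  console.log(name, result.ok ? "OK to sign" : "DO NOT SIGN", result.findings);
}
```

Run it with `node` and the routine payload passes while the tampered one produces three findings. The point of the design is that the review runs on the raw fields of the payload, independently of the interface that presented them, so a compromised front end cannot also hide the discrepancy; in practice such a check belongs on a second, independent machine or in the signing device's own display, and a `DELEGATECALL` on a treasury transfer should be treated as a hard stop regardless of what else looks right.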

As a result, more than 400,000 ETH and other tokens were transferred from Bybit’s cold wallet to the attackers’ wallet. The stolen assets were later distributed to multiple other wallets using coin mixers, services that obscure transaction origins and destinations.

Moving forward

Following the breach, Safe temporarily locked down its services and, along with its investigation partners, published reports to ensure transparency and help prevent future incidents. While this was a highly targeted and sophisticated attack, Safe noted that signing a transaction remains the last line of defense, effective only if users fully understand what they are signing.

In response, the community rushed in with various external interfaces and tools for interacting with Safe smart contracts. Safe also later introduced a more detailed transaction review screen and a step-by-step guide on verifying transactions. If you use a Safe wallet, these updates are worth exploring.

Nonetheless, the complexity of the technical details and a lack of education continue to be major weaknesses in the web3 ecosystem. To help address this, Multisight’s knowledge base provides foundational guidance on the responsible management and operation of multisignature wallets. Explore our resources, stay informed, and contribute to strengthening security in the space by sharing insights or collaborating on future content.