Bybit Hack Post-Mortem Report 


TLDR

  • On February 21st, Bybit was hacked. Nearly $1.5 billion was lost.
  • The perpetrators of the heist were none other than the Lazarus Group.
  • The hack involved compromising a developer’s laptop during a 12-hour operating window.
  • With that access, the attackers bypassed the security features in place, stole funds, and dropped in their own malware to hide their escape.

On February 21, 2025, the crypto community was shaken by a massive $1.4 billion hack targeting Bybit, a leading centralized exchange. Bybit used SafeWallet to house funds. And it was that wallet that was compromised.

Now, thanks to a detailed post-mortem report from SafeWallet, we have a clearer picture of what went wrong. 

The report confirmed that North Korea’s Lazarus Group is behind the attack and used their own sophisticated malware called TraderTraitor to make it happen. But that’s not all. Let’s get after it.

Understanding the Attack 

According to the forensic analysis conducted by SafeWallet and cybersecurity powerhouse Mandiant, the attack was carried out by the Lazarus Group. The group has made headlines before for its crypto heists, but the Bybit hack marks a new level of complexity. 

This is how they pulled it off step by step: 

  1. Compromising Developer Access – The attackers gained entry by compromising the laptop of a SafeWallet developer. This wasn’t some random breach. The developer held high-level access and was one of the few with such privileges. 
  2. Hijacking AWS Session Tokens – The hackers hijacked Amazon Web Services (AWS) session tokens using the compromised laptop. It allowed them to bypass SafeWallet’s multi-factor authentication (MFA) controls, gaining entrance into critical infrastructure. 
  3. Advanced Evasion Tactics – To cover their tracks, the attackers deployed malware and cleared the Bash history, making it challenging for investigators to piece together the full sequence of events. 

Simply put, the attackers outsmarted layers of defenses by exploiting a single weak point. 
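
An added detection sketch for step 2 (not taken from the SafeWallet or Mandiant report): a hijacked session token keeps the MFA state of the original login, so one defensive check is to flag temporary AWS credentials that show up in CloudTrail from more than one source IP or user agent. The records, key IDs and IP addresses below are constructed, and the function names are hypothetical.

```python
import json
from collections import defaultdict

def _ev(time, name, ip, agent, key):
    """Build one constructed CloudTrail-style record (real field names, made-up values)."""
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userAgent": agent,
            "userIdentity": {"accessKeyId": key, "sessionContext": {
                "attributes": {"mfaAuthenticated": "true"}}}}

# Constructed sample data: documentation IP ranges and placeholder key IDs.
SAMPLE_EVENTS = [
    _ev("2025-01-01T09:00:05Z", "ListBuckets", "198.51.100.10", "aws-cli/2.15.0", "ASIAEXAMPLEDEV00001"),
    _ev("2025-01-01T09:04:41Z", "GetObject", "198.51.100.10", "aws-cli/2.15.0", "ASIAEXAMPLEDEV00001"),
    _ev("2025-01-01T09:30:12Z", "GetObject", "203.0.113.77", "Boto3/1.34.0", "ASIAEXAMPLEDEV00001"),
    _ev("2025-01-01T10:00:00Z", "DescribeInstances", "198.51.100.20", "aws-cli/2.15.0", "ASIAEXAMPLEOPS00002"),
    _ev("2025-01-01T10:05:00Z", "DescribeInstances", "198.51.100.20", "aws-cli/2.15.0", "ASIAEXAMPLEOPS00002"),
    # Long-term key (AKIA prefix) from two IPs: outside the scope of this check.
    _ev("2025-01-01T11:00:00Z", "ListBuckets", "198.51.100.30", "aws-cli/2.15.0", "AKIAEXAMPLECI000003"),
    _ev("2025-01-01T11:10:00Z", "ListBuckets", "198.51.100.31", "aws-cli/2.15.0", "AKIAEXAMPLECI000003"),
]

def find_reused_sessions(events):
    """Map each temporary access key to the events that came from an origin
    (source IP, user agent) different from the one that first used the key."""
    first_origin = {}
    findings = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        ident = ev.get("userIdentity", {})
        key = ident.get("accessKeyId", "")
        if not key.startswith("ASIA"):  # ASIA = temporary (STS) credentials
            continue
        origin = (ev.get("sourceIPAddress"), ev.get("userAgent"))
        baseline = first_origin.setdefault(key, origin)
        if origin != baseline:
            attrs = ident.get("sessionContext", {}).get("attributes", {})
            findings[key].append({
                "eventTime": ev["eventTime"], "eventName": ev["eventName"],
                "sourceIPAddress": origin[0], "userAgent": origin[1],
                "firstSeenFrom": baseline[0],
                # "true" here shows the session still counts as MFA-authenticated.
                "mfaAuthenticated": attrs.get("mfaAuthenticated"),
            })
    return dict(findings)

if __name__ == "__main__":
    print(json.dumps(find_reused_sessions(SAMPLE_EVENTS), indent=2))
```

Legitimate origin changes (VPN reconnects, roaming laptops) will also match, so a hit is a triage lead to correlate with endpoint telemetry rather than proof of compromise.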

Why Weren’t Existing Defenses Enough? 

You might be wondering, “Did SafeWallet even have any security in place?” They did. And not just the basics. Before the attack, SafeWallet had established strict protocols to protect its infrastructure, including: 

  • Restricted Access: Privileged access was limited only to essential developers. 
  • Peer Reviews: Any changes to production required multiple peer approvals. 
  • Continuous Security Audits: Independent third-party audits to catch vulnerabilities. 
  • Malicious Transaction Monitoring: Detection systems to flag suspicious activity. 

Despite these precautions, the Lazarus Group hackers found a way in, showing us that even the best security defenses can have blind spots, and attackers are methodical about finding them. 

SafeWallet Responds with Beefed-Up Security 

After the attack, SafeWallet wasted no time implementing sweeping changes to protect its users and rebuild trust. Here’s what they’ve done so far to secure their systems and prevent future exploits: 

1. Full Infrastructure Reset 

  • Rotated credentials, keys, and secrets. 
  • Completely updated and redeployed clusters, developer machines, and container images. 

2. Locking Down External Access 

  • Restricted the Transaction Service to internal communications only. 
  • Enhanced firewall rules to limit vulnerabilities. 

3. Smarter Threat Detection 

  • Partnered with Blockaid to upgrade malicious transaction detection. 
  • Added extra layers of scrutiny to flag unexpected account changes or upgrades. 

4. Enhanced Monitoring 

  • Improved real-time logging and threat detection across their entire stack. 

5. Cleaning the Queue 

  • Reset all pending transactions to remove any lingering threats or human errors. 

6. Disabling Certain Features Temporarily 

  • Suspended native hardware wallet signing due to dependency concerns, though it remains accessible via WalletConnect. 

7. UI Upgrades 

  • Added a community-developed verification tool, “Safe Utils,” to provide additional safeguards for transaction hashes. 
  • Began work on offering users a version of SafeWallet fully hosted on IPFS for added security. 

Their message is clear: the SafeWallet team isn’t just reacting; they’re building back stronger. 

What Can You Learn as a Crypto User? 

Whether you’re a new crypto enthusiast or a blockchain beginner, here are immediate takeaways to protect yourself in the evolving digital landscape: 

  • Use Multi-Factor Authentication (MFA): MFA is a must, even though it’s not foolproof in advanced attacks like this one. 
  • Stay Alert for Suspicious Activity: Monitor your wallets, transactions, and email accounts tied to crypto platforms regularly. 
  • Consider Decentralized Wallets: While platforms like SafeWallet are improving security, explore decentralized wallets where you control the private keys. 
  • Choose Reputable Platforms: Opt for exchanges and wallets with a proven track record of handling security incidents transparently. 

SafeWallet’s Commitment 

Despite the challenges, SafeWallet assures users that their smart contracts remain unaffected, and services are steadily being restored with enhanced security measures. They’ve emphasized a renewed focus on rebuilding trust and reinforcing robust security infrastructure. 

SafeWallet’s transparency in releasing this detailed post-mortem report is a step in the right direction. They’ve highlighted the weaknesses and outlined the actionable measures they’ve taken to ensure this doesn’t happen again. 

A Final Word on Security 

The Bybit hack serves as a wake-up call to the entire crypto community. Cybersecurity is not a one-time setup. It’s an evolving process of staying one step ahead of attackers. 

For SafeWallet and Bybit users, it’s a reminder of the importance of vigilance and collaboration. For the broader community, it’s a call to invest more in securing the backbone of the crypto revolution. 

Stay safe out there. Don’t leave room for vulnerabilities in your digital wallet. While no system is perfect, you, as a user, are the first line of defense. Make it count.
