TLDR
- On February 21, 2025, Bybit was hacked and roughly $1.5 billion in ETH was stolen.
- The perpetrators were North Korea's Lazarus Group; the FBI tracks this specific activity under the name TraderTraitor.
- The intrusion began with the compromise of a SafeWallet developer's workstation. From it the attackers hijacked live AWS session tokens, sidestepping the MFA re-authentication that SafeWallet's AWS configuration required every 12 hours.
- With that access they tampered with the SafeWallet web frontend so that Bybit's signers approved a transaction other than the one displayed to them, drained the cold wallet, then removed the injected code and cleared shell history to hinder forensics.
On February 21, 2025, the crypto community was shaken by a roughly $1.5 billion theft from Bybit, a leading centralized exchange (reported figures range from $1.4 to $1.5 billion depending on the ETH price used). Bybit kept the funds in a Safe multisig and managed it through the SafeWallet web interface, and it was that interface that was compromised.
Now, thanks to a detailed post-mortem report from SafeWallet, built on forensic work by Mandiant, we have a clearer picture of what went wrong.
The report confirmed that North Korea's Lazarus Group is behind the attack. The FBI refers to this specific activity as TraderTraitor; that is the name of a threat cluster, not of a piece of malware. But that's not all. Let's get after it.
Understanding the Attack
According to the forensic analysis conducted by SafeWallet and cybersecurity powerhouse Mandiant, the attack was carried out by the Lazarus Group. The group has made headlines before for its crypto heists, but the Bybit hack marks a new level of complexity.
This is how they pulled it off step by step:
- Compromising Developer Access – The attackers gained entry by compromising the workstation of a SafeWallet developer. This wasn't a random breach: the developer held high-level access to SafeWallet's infrastructure and was one of the few with such privileges.
- Hijacking AWS Session Tokens – From the compromised machine the attackers hijacked active Amazon Web Services (AWS) session tokens. Those tokens had already been issued after an MFA login, so replaying them let the attackers operate inside SafeWallet's AWS environment without ever being challenged for MFA themselves. That access was used to tamper with the JavaScript of the SafeWallet web app, the interface Bybit's signers were looking at when they approved the malicious transaction.
- Evasion – Beyond the malware used for initial access, the attackers covered their tracks by removing the injected code shortly after the transaction executed and clearing the Bash history on the systems they touched, making it harder for investigators to reconstruct the full sequence of events.
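The hijacked-session pattern described above is also visible in the logs. The following is an added example written for this post, not code from SafeWallet's or Mandiant's report. It runs two simple rules over constructed CloudTrail-shaped records (the field names are CloudTrail's; the sample values, rule names and the one-hour window are assumptions): a temporary credential that changes source address and client within a short window, and any MFA device enrollment performed under such a session.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CloudTrail records for this example; they are not logs from
# SafeWallet, Bybit or Mandiant. STS-issued temporary credentials have access keys
# starting with "ASIA". ASIAEXAMPLE1 is used from the developer's usual address, then
# minutes later from an unrelated network with a different client, and then to enroll
# an MFA device; ASIAEXAMPLE2 is a second, unremarkable session.
def _ev(time, name, ip, agent, key, user):
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip, "userAgent": agent,
            "userIdentity": {"accessKeyId": key,
                             "arn": f"arn:aws:sts::111122223333:assumed-role/Dev/{user}"}}

SAMPLE_EVENTS = [
    _ev("2025-02-19T10:00:00Z", "ListBuckets", "203.0.113.10", "aws-cli/2.15.0", "ASIAEXAMPLE1", "alice"),
    _ev("2025-02-19T10:20:00Z", "GetObject", "203.0.113.10", "aws-cli/2.15.0", "ASIAEXAMPLE1", "alice"),
    _ev("2025-02-19T10:45:00Z", "PutObject", "198.51.100.77", "Boto3/1.34.0", "ASIAEXAMPLE1", "alice"),
    _ev("2025-02-19T11:00:00Z", "CreateVirtualMFADevice", "198.51.100.77", "Boto3/1.34.0", "ASIAEXAMPLE1", "alice"),
    _ev("2025-02-19T11:05:00Z", "ListBuckets", "192.0.2.5", "aws-cli/2.15.0", "ASIAEXAMPLE2", "bob"),
]

# IAM calls that make stolen access durable by adding an attacker-controlled second factor.
MFA_ENROLLMENT_EVENTS = {"CreateVirtualMFADevice", "EnableMFADevice", "ResyncMFADevice"}


def parse_time(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def detect_session_anomalies(events, window=timedelta(hours=1)):
    """Return a list of findings over CloudTrail records.

    session_split: one access key used from two (IP, user agent) origins within `window`.
                   A legitimate session token lives on one workstation; a token lifted
                   from that workstation shows up from somewhere else while still valid.
    mfa_enrollment: an MFA device enrollment issued under a session.
    """
    findings = []
    by_key = defaultdict(list)
    for ev in events:
        by_key[ev["userIdentity"]["accessKeyId"]].append(ev)

    for key, evs in by_key.items():
        evs.sort(key=lambda e: parse_time(e["eventTime"]))
        for prev, cur in zip(evs, evs[1:]):
            gap = parse_time(cur["eventTime"]) - parse_time(prev["eventTime"])
            before = (prev["sourceIPAddress"], prev["userAgent"])
            after = (cur["sourceIPAddress"], cur["userAgent"])
            if before != after and gap <= window:
                findings.append({"rule": "session_split", "accessKeyId": key,
                                 "principal": cur["userIdentity"]["arn"],
                                 "from": before, "to": after, "at": cur["eventTime"]})
        for ev in evs:
            if ev["eventName"] in MFA_ENROLLMENT_EVENTS:
                findings.append({"rule": "mfa_enrollment", "accessKeyId": key,
                                 "principal": ev["userIdentity"]["arn"],
                                 "sourceIPAddress": ev["sourceIPAddress"], "at": ev["eventTime"]})
    return findings


if __name__ == "__main__":
    for finding in detect_session_anomalies(SAMPLE_EVENTS):
        print(finding)
```

In production the records would come from the `Records` array of CloudTrail's JSON files, and the origin comparison should be widened with whatever device identity the SSO provider attaches; the point is that a post-MFA token replayed from a second machine looks different in the logs even though IAM sees the same, fully authenticated principal.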
Simply put, the attackers got past every layer of defense by finding a single weak point: one privileged developer's workstation.
Why Weren’t Existing Defenses Enough?
You might be wondering, “Did SafeWallet even have any security in place?” They did. And not just the basics. Before the attack, SafeWallet had established strict protocols to protect its infrastructure, including:
- Restricted Access: Privileged access was limited only to essential developers.
- Peer Reviews: Any changes to production required multiple peer approvals.
- Continuous Security Audits: Independent third-party audits to catch vulnerabilities.
- Malicious Transaction Monitoring: Detection systems to flag suspicious activity.
Despite these precautions, Lazarus found a way in. Each of these controls guards a different path into production; an already-authenticated session stolen from an endpoint walks through the authenticated path, where none of them were looking. Even the best defenses have blind spots, and attackers are methodical about finding them.
SafeWallet Responds with Beefed-Up Security
After the attack, SafeWallet wasted no time implementing sweeping changes to protect its users and rebuild trust. Here’s what they’ve done so far to secure their systems and prevent future exploits:
1. Full Infrastructure Reset
- Rotated credentials, keys, and secrets.
- Completely updated and redeployed clusters, developer machines, and container images.
2. Locking Down External Access
- Restricted the Transaction Service to internal communications only.
- Tightened firewall rules to reduce the exposed attack surface.
3. Smarter Threat Detection
- Partnered with Blockaid to upgrade malicious transaction detection.
- Added extra layers of scrutiny to flag unexpected account changes or upgrades.
4. Enhanced Monitoring
- Improved real-time logging and threat detection across their entire stack.
5. Cleaning the Queue
- Reset the queue of pending transactions, so nothing queued during the compromise, whether malicious or a human error, could be signed later.
6. Disabling Certain Features Temporarily
- Suspended native hardware wallet signing due to dependency concerns, though it remains accessible via WalletConnect.
7. UI Upgrades
- Added a link to the community-developed verification tool "Safe Utils", which lets signers recompute a transaction's hash independently of the web UI and compare it with what their hardware wallet displays.
- Began work on a version of the SafeWallet frontend hosted on IPFS, where the served code is content-addressed and cannot be silently swapped.
Their message is clear: the SafeWallet team isn't just reacting; they're building back stronger.
What Can You Learn as a Crypto User?
Whether you are new to crypto or have been around for a while, here are immediate takeaways to protect yourself:
- Use Multi-Factor Authentication (MFA): MFA is a must, but note how it was sidestepped here. The attackers did not break MFA; they stole a session that had already passed it. Session lifetime and the security of the device holding that session matter as much as the second factor.
- Stay Alert for Suspicious Activity: Monitor your wallets, transactions, and the email accounts tied to your crypto platforms regularly.
- Control Your Keys and Verify What You Sign: A Safe is already self-custodial, and no private key was stolen in this attack; the signers were shown one transaction and signed another. Whatever wallet you use, confirm the transaction hash or decoded calldata on your hardware device against a value computed independently of the web UI, and treat any request to sign a delegatecall with suspicion.
- Choose Reputable Platforms: Opt for exchanges and wallets with a proven track record of handling security incidents transparently.
SafeWallet’s Commitment
Despite the challenges, SafeWallet assures users that their smart contracts remain unaffected, and services are steadily being restored with enhanced security measures. They’ve emphasized a renewed focus on rebuilding trust and reinforcing robust security infrastructure.
SafeWallet’s transparency in releasing this detailed post-mortem report is a step in the right direction. They’ve highlighted the weaknesses and outlined the actionable measures they’ve taken to ensure this doesn’t happen again.
A Final Word on Security
The Bybit hack serves as a wake-up call to the entire crypto community. Cybersecurity is not a one-time setup. It’s an evolving process of staying one step ahead of attackers.
For SafeWallet and Bybit users, it's a reminder of the importance of vigilance and collaboration. For the broader community, it's a call to invest more in securing the backbone of the crypto revolution.
Stay safe out there. Don't leave room for vulnerabilities in your digital wallet. No system is perfect, and you, as a user, are the first line of defense. Make it count.