Cryptocurrency exchange Bybit has released a report on a major security incident. The investigation found that the attack resulted from vulnerabilities in Safe{Wallet}'s infrastructure.
Incident Details
Unauthorized activity was detected on February 21, 2025, when Bybit noticed suspicious transactions involving one of their Ethereum (ETH) cold wallets. According to the report, the breach took place during a multisig transaction from cold wallet to hot wallet via Safe{Wallet}.
Investigation Results
Sygnia and Verichains conducted the investigation and revealed several key points: malicious JavaScript was injected into the resource hosted on Safe{Wallet}'s AWS S3 bucket. Timestamp changes and public web history archives indicated a deliberate intervention.
Implications and Conclusions
Just two minutes after the attack was executed and publicly disclosed, new versions of compromised JavaScript files were uploaded to Safe{Wallet}'s infrastructure, removing the malicious code. Bybit stated that its own infrastructure was not compromised, but the incident highlighted vulnerabilities in third-party wallet solutions.
The case with Bybit underscores the importance of securing third-party crypto solutions. All identified vulnerabilities have been reported to minimize the risk of similar incidents.
