(Photo by Jaque Silva/NurPhoto via Getty Images)
The suspected North Korean hackers who stole $1.4 billion in cryptocurrency from Bybit pulled off the heist by infiltrating a digital wallet provider and tampering with its software.
The hackers targeted Safe{Wallet}, a provider of secure cryptocurrency wallets, including for Bybit. The attackers did so by first compromising the credentials of a Safe Developer, and then injecting malicious Javascript code a Safe{Wallet} system, according to Bybit.
“This allowed the attacker to gain unauthorized access to the Safe(Wallet) infrastructure and totally deceive signers into approving a malicious transaction,” the cryptocurrency exchange said in a statement.
The findings partly come from two cybersecurity agencies that Bybit hired to investigate the attack, which has been linked to the North Korean hacking group Lazarus. On Wednesday, Bybit’s CEO Ben Zhou published the two preliminary forensic reports after announcing $140 million in bounty rewards to help it trace and freeze the stolen funds.
The hackers were able to steal the funds from an offline “cold wallet” carrying the cryptocurrency, even though the same wallet required multiple private keys to execute a transaction. The forensic investigation found traces of the hack by examining the computers for the three Bybit employees that signed the fraudulent transaction. A closer look at the Chrome browsers’ cache files indicated the existence of the malicious Javascript code coming from Safe{Wallet}’s IT infrastructure over the app.safe.global domain.
The hackers seem to have deployed their attack last Tuesday and Wednesday. The malicious Javascript code could secretly modify the “executeTransaction and signTransaction call” for a cryptocurrency transaction, sending the funds to the attacker’s desired address.
“After the transaction has been executed or signed, the original transaction data is restored, either by updating the result (in the sign-transaction case) or the transaction object (in both cases), ensuring the tampering remains hidden from subsequent processing,” says the forensic report from Verichains, a financial security firm.
“The payload was designed to activate only when certain conditions were met. This selective execution ensured that the backdoor remained undetected by regular users while compromising high-value targets,” Verichains added.
The hackers were also quick to delete the malicious Javascript code from Safe{Wallet} system after stealing the cryptocurrency. “The investigation determined that the JavaScript resources were modified in the AWS S3 bucket on February 21, 2025, at 14:15:13 and 14:15:32 UTC - approximately two minutes after the malicious transaction was executed,” the forensic report from the cybersecurity provider Sygnia said.
(CFOTO/Future Publishing via Getty Images)It’s unclear how the hackers breached Safe{Wallet}. For now, the cryptocurrency wallet provider reports the attackers were able to compromise a “Safe{Wallet} developer machine which affected an account operated by Bybit.”
“The Safe{Wallet} team has fully rebuilt, reconfigured all infrastructure, and rotated all credentials, ensuring the attack vector is fully eliminated,” it added. “The forensic review of external security researchers did NOT indicate any vulnerabilities in the Safe smart contracts or source code of the frontend and services.”
Meanwhile, Bybit said it “moved the majority of funds” out of its Safe{Wallet} administered addresses on the day of the hack. The company has also received a huge loan to help it recover from the $1.4 billion lost in Ethereum.