Bybit, a cryptocurrency exchange that recently suffered a major security breach, has released a detailed investigation report on the incident. Findings compiled by the cybersecurity firms Sygnia and Verichains indicate that the attack stemmed from a compromise of Safe {Wallet}'s infrastructure rather than of Bybit's own systems.
Unauthorized activity was first detected on February 21, 2025, when Bybit noticed a suspicious transaction involving one of its Ethereum (ETH) cold wallets. According to the report, the attack occurred during a multisig transaction from a cold wallet to a hot wallet via Safe {Wallet}. The malicious actor intercepted the transaction, manipulated it, took control of the cold wallet's assets, and transferred them to an external wallet under the attacker's control.
Bybit asked Sygnia to investigate the attack; the investigation revealed the following key points:
- Malicious JavaScript code was injected into a resource hosted in Safe {Wallet}'s AWS S3 bucket.
- File modification timestamps and public web archive history indicate that the malicious code was injected directly into Safe {Wallet}'s AWS S3 infrastructure.
- The injected JavaScript was designed to manipulate transaction data during the signing process, altering transaction details without being detected.
- The code contained an activation trigger that fired only when the transaction originated from a Bybit contract address or from another, unidentified contract address that was likely controlled by the attacker.
- Just two minutes after the malicious transaction was executed and broadcast, a new version of the compromised JavaScript file was uploaded to Safe {Wallet}'s AWS S3 bucket with the malicious code removed.
- Bybit stated that its own infrastructure was not compromised, but the attack highlighted vulnerabilities in third-party wallet solutions.
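As an added example (not code from the report, from Bybit or from Safe {Wallet}), the following Python shows one defensive control these findings motivate: pinning the Subresource Integrity hash of a hosted front-end bundle and auditing periodic snapshots of the served file against it, so that a modification that is reverted minutes later still leaves an alert. The bundle contents, timestamps and SRI values below are constructed for the example.

```python
import base64
import hashlib
from dataclasses import dataclass


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity string ("sha384-<base64>") for a served bundle."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def check_integrity(content: bytes, pinned: str) -> bool:
    """True only if the fetched bundle still matches the pinned SRI value."""
    algo, _, _ = pinned.partition("-")
    return sri_hash(content, algo) == pinned


@dataclass(frozen=True)
class Snapshot:
    ts: str         # when the bundle was fetched (constructed timestamps below)
    content: bytes  # bytes served by the hosting bucket at that moment


def audit_snapshots(snapshots, pinned):
    """Return (timestamp, observed_hash) for every snapshot that deviates from the pin.

    Each snapshot is checked independently, so a file that is modified and then
    restored still produces an alert for the window in which it was modified."""
    alerts = []
    for snap in snapshots:
        if not check_integrity(snap.content, pinned):
            alerts.append((snap.ts, sri_hash(snap.content)))
    return alerts


# Constructed sample data: a stand-in for a wallet front-end bundle and a modified copy.
CLEAN_BUNDLE = b"/* wallet-ui.js (constructed) */ function signTx(tx){ return sign(tx); }"
MODIFIED_BUNDLE = CLEAN_BUNDLE + b"\n/* extra bytes from an unauthorised deployment (constructed) */"
PINNED = sri_hash(CLEAN_BUNDLE)  # recorded when the release was last reviewed

# Constructed timeline (times are hypothetical): modified, then restored a few minutes later.
TIMELINE = [
    Snapshot("2025-02-21T14:10:00Z", CLEAN_BUNDLE),
    Snapshot("2025-02-21T14:13:00Z", MODIFIED_BUNDLE),
    Snapshot("2025-02-21T14:16:00Z", CLEAN_BUNDLE),
]

if __name__ == "__main__":
    for ts, observed in audit_snapshots(TIMELINE, PINNED):
        print(f"{ts}: served bundle hash {observed} does not match pinned {PINNED}")
```

A short-lived swap is only caught if the snapshot interval is shorter than the window in which the modified file was live, which is why the polling frequency matters as much as the check itself.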
*This is not investment advice.