Bybit Security Investigation Revealed: SAFE Frontend Cloud Service Attacked, How to Secure Trillions Held in Multisig Wallets
TechFlow Selected TechFlow Selected
Bybit Security Investigation Revealed: SAFE Frontend Cloud Service Attacked, How to Secure Trillions Held in Multisig Wallets
On February 27, Bybit released a hacker forensic report directly linking the stolen funds to vulnerabilities in Safe's infrastructure, but Safe appears unwilling to accept this accusation
Navigating Web3 tides with focused insightsAuthor: Frank, PANews
On February 21, 2025, cryptocurrency exchange Bybit suffered a historic hack, with $1.46 billion in assets stolen by the North Korean hacking group Lazarus. While recovering the assets is critical, it's even more important to identify the attack vector to prevent future incidents. On February 27, Bybit released a forensic report directly attributing the theft to vulnerabilities in Safe's infrastructure. However, Safe appears unwilling to accept this accusation. In its statement, Safe acknowledged that a developer was compromised but attributed the main cause to the sophistication of North Korean hackers and operational errors by Bybit. This "Rashomon"-like dispute over responsibility has triggered a major industry debate on infrastructure trust, security paradigms, and human factors.
Attack Originated from Compromise of Safe{Wallet} Frontend Cloud Service
According to two investigation reports published by Bybit (the Preliminary Report and Interim Investigation Report), further analysis of Safe{Wallet} resources revealed two JavaScript snapshots taken on February 19, 2025. Examination showed that the first snapshot contained the original, legitimate Safe{Wallet} code, while the second included resources embedded with malicious JavaScript code. This indicates that the malicious code used to create fraudulent transactions originated directly from Safe{Wallet}'s AWS infrastructure.
The report concludes: Based on findings from the investigation of Bybit’s signer machines and the cached malicious JavaScript payload discovered in the Wayback Archive, we strongly conclude that Safe.Global's AWS S3 or CloudFront account/API keys may have been compromised.
In simple terms, the initial source of this attack was hackers compromising Safe{Wallet} developers’ devices, altering frontend JavaScript files in the AWS S3 bucket, and injecting targeted malicious code aimed at Bybit’s cold wallet addresses. Previously, Safe had issued a brief investigation report stating no code vulnerabilities or malicious dependencies (i.e., supply chain attacks) were found. Subsequently, Safe conducted a comprehensive review and suspended Safe{Wallet} functionality. These new findings appear to overturn Safe’s earlier conclusions.
Safe’s Evasive Statement Sparks Further Skepticism
Bybit has not yet commented on what responsibility Safe should bear in this incident. However, following the release of the report, social media discussions began focusing on Safe’s security flaws, with some voices arguing that Safe should be held accountable and provide compensation.
Safe clearly does not accept the report’s implications. In its official statement, Safe divided responsibility into three levels: Technically, it emphasized that smart contracts were not attacked and stressed product security. Operationally, it admitted developer devices were breached leading to AWS key leaks but blamed state-level attacks by North Korean hacking groups. For users, it advised being “cautious when signing transactions,” implying Bybit failed to adequately verify transaction data.
However, this response appears evasive. According to the report’s findings, Safe failed in several aspects during this process:
1. Privilege Mismanagement: Attackers gained AWS access through compromised developer devices, exposing Safe’s failure to implement the principle of least privilege. For example, a single developer could directly modify production code without any code change monitoring mechanisms.
2. Frontend Security Negligence: Basic protections such as SRI (Subresource Integrity) were not enabled.
3. Supply Chain Risk: The attack path (developer device → AWS → frontend code) demonstrates Safe’s overreliance on centralized cloud services, conflicting with blockchain’s decentralized security principles.
Moreover, the industry has raised numerous questions about Safe’s statement. Binance founder CZ posed five technical challenges (e.g., specifics of how developer devices were breached, reasons for privilege escalation), directly criticizing Safe’s lack of transparency. Safe has not disclosed details of the attack chain, leaving the industry unable to implement targeted defenses.
Token Surges Amidst Nearly 70% Drop in Daily Active Users
Another major controversy within the community concerns whether Safe should compensate Bybit for losses in this incident. Some users believe Safe’s infrastructure vulnerability caused the attack and thus Safe should be liable for damages. Others go further, suggesting Gnosis—the predecessor company of Safe—should share liability. Safe was originally developed in 2017 by the Gnosis team as Gnosis Safe and later spun off independently in 2022. Gnosis raised 250,000 ETH in an ICO in 2017 and still holds around 150,000 ETH in its treasury, making it a major ETH whale.
Others argue primary responsibility lies with Bybit itself. First, managing a cold wallet holding billions warrants investing in R&D to build proprietary security infrastructure. Second, Bybit reportedly used Safe’s free service without paying subscription fees, meaning Safe arguably has no obligation to assume liability.
Notably, Bybit has not demanded financial compensation from Safe after releasing the investigation report.
While the industry debates responsibility, capital markets have played out an absurd drama. Safe’s native token received unexpected attention: on February 27, the SAFE token逆势 rose from $0.44 to $0.69, surging approximately 58% within 10 hours. Yet logically, this event should have primarily damaged Safe’s brand reputation; the price increase may reflect only short-term market sentiment.
Data from February 27 shows Safe manages over $100 billion in total assets. Its silence on vulnerability details is now eroding its credibility as a foundational industry infrastructure.
Daily active user metrics clearly show significant impact on Safe post-incident. Compared to 1,200 daily active addresses on February 12, the number dropped to 379 on February 27—a nearly 70% decline.
Following exposure of frontend centralization risks, the community has renewed focus on frontend security mechanisms. ICP founder Dominic Williams noted that the recent successful theft of $1.5 billion from Bybit by North Korean hackers exploited Web interface vulnerabilities in Safe{Wallet}, which is hosted on the cloud rather than running on-chain via smart contracts. Williams criticized certain Web3 projects for operating only "pseudo-onchain," creating security risks, and recommended using ICP (Internet Computer) for on-chain computation, data storage, and user experience validation to enhance security. He proposed that Safe{Wallet} migrate to ICP and adopt cryptographic authentication and multi-party consensus governance (e.g., SNS DAO) to strengthen security.
Looking back at the entire incident, while it may seem like an isolated event orchestrated by North Korean hackers, it still exposes existing security flaws in Safe’s current multisig wallet regarding permission design and supply chain management. From a brand development perspective, attempts to preserve a myth of invincibility by hastily shifting blame have backfired, triggering greater public skepticism. Perhaps acknowledging mistakes promptly and introducing corresponding corrective measures would better reflect the attitude expected of a leader in crypto security. Additionally, disclosing vulnerability details sooner would help the broader industry conduct self-audits and improve defenses against similar threats.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News
PANews
