TechFlow news — On March 6, Safe released a new investigation report in collaboration with Mandiant, Google's cybersecurity firm, into the security incident that occurred on February 21. Preliminary findings indicate this was a highly sophisticated, nation-state-backed attack.
The report confirms that the U.S. Federal Bureau of Investigation (FBI) has attributed the attack to TraderTraitor, a North Korea-linked threat group (tracked by Mandiant as UNC4899). The attackers successfully compromised a Safe{Wallet} developer’s laptop and hijacked AWS session tokens to bypass multi-factor authentication (MFA) controls.
The Safe{Wallet} team has implemented multiple security enhancements, including a complete infrastructure reset, restricted external access, upgraded malicious transaction detection systems, enhanced monitoring, clearing all pending transactions, and temporarily disabling native hardware wallet signing functionality.
The report emphasizes that Safe’s smart contracts were not affected by this incident, and the team is actively working to restore all networks and services. Safe{Wallet} also calls on the industry to take collective action to improve transaction validation mechanisms and strengthen Web3 security.




