SafeWallet Blamed for Bybit’s $1.4 Billion Hack Amid FBI Warnings and THORChain Fallout

SafeWallet’s Breach Uncovered as Forensic Investigation Concludes
Bybit’s historic $1.4 billion hack, traced to North Korea’s Lazarus Group, has sent shockwaves through the crypto industry, exposing critical security flaws in third-party custody solutions. What initially appeared to be an internal compromise at Bybit was later linked to a vulnerability in SafeWallet, a third-party custody provider.
Forensic investigations by Sygnia and Verichains confirmed that the breach originated from a compromised SafeWallet developer’s credentials rather than Bybit’s own infrastructure. Attackers exploited these credentials to infiltrate SafeWallet’s multi-signature system, manipulating signers into approving malicious transactions.
Further analysis revealed that the breach was executed through a malicious JavaScript payload injected into SafeWallet’s Amazon Web Services (AWS) infrastructure. This rogue code intercepted and modified transactions in real time, enabling unauthorized fund transfers.
In response, SafeWallet undertook a complete security overhaul, revoking all compromised credentials and rebuilding its infrastructure. While new security measures have been introduced, the company has withheld specific details to prevent further exploitation.

A dispute between Bybit and SafeWallet has intensified, with Bybit placing full responsibility on SafeWallet for the security lapse. The exchange insists that its internal infrastructure remained uncompromised and has pledged to reimburse affected users using reserves, loans, and investor deposits.
Former Binance CEO Changpeng Zhao criticized SafeWallet’s post-mortem update on the Bybit hack, calling it “not that great” and expressing concerns over how attackers tricked multiple signers. Despite Safe confirming no vulnerabilities in its smart contracts, CZ questioned the vagueness of the update, asking for clarity on the attack method, including potential social engineering, and on how the developer machine accessed Bybit accounts.

Additionally, Bybit has announced a $140 million bounty for the recovery of stolen funds. SafeWallet, while acknowledging the breach, argues that Bybit’s operational policies contributed to the scale of the attack, suggesting that better risk management could have mitigated losses.
The FBI officially confirmed on February 26 that the attack was orchestrated by Lazarus Group, also known as TraderTraitor. A formal advisory released by the agency detailed the rapid laundering process of the stolen assets, with blockchain intelligence firm TRM Labs reporting that $400 million had already been moved within days. The stolen Ether was swiftly converted into Bitcoin and dispersed across thousands of blockchain addresses, making recovery efforts increasingly difficult.
The FBI warned that the funds would likely be laundered further through crypto mixers, OTC trading desks, and underground banking networks before being converted into fiat currency. A list of wallet addresses associated with the hack was publicly released, urging crypto businesses to block transactions linked to the stolen funds.
Decentralized finance protocols have also found themselves entangled in the aftermath of the Bybit hack. A significant portion of the stolen funds flowed through THORChain, a cross-chain liquidity platform known for its lack of KYC and AML measures. The hacker utilized THORChain to obscure the origin of the stolen assets by swapping them across multiple blockchains, making it challenging for authorities to track the transactions.

Frustrated by the protocol’s inability to prevent illicit fund movements, a THORChain developer resigned in protest, citing security shortcomings that enabled the laundering process. The resignation has reignited a broader debate on DeFi’s role in financial crimes, as THORChain’s decentralized structure prioritizes censorship resistance over transaction monitoring.

The Bybit hack has laid bare the vulnerabilities within the crypto ecosystem, raising urgent questions about the security of third-party custody providers and the role of DeFi in enabling illicit financial activity. While Bybit, SafeWallet, and law enforcement agencies scramble to contain the fallout, the incident serves as yet another reminder of the evolving threats facing the industry.
This article has been refined and enhanced by ChatGPT.