Lazarus appears to compromise Safe developer machine in lead up to $1.5 billion Bybit hack: report

Theblock
7 hours ago

Bybit, the victim of the largest single-day hack to date, has released an “interim investigation” report disclosing what the exchange knows so far as it continues to track the $1.5 billion in funds drained by North Korean hacking collective Lazarus Group on Friday.

As previously reported, the attack occurred during a relatively benign operation, where Bybit multi-sig holders coordinated to rotate funds from a cold wallet to a “warm wallet” using a Safe(Wallet) interface when “a threat actor intervened and manipulated the transaction.”

“The threat actor managed to gain control of the affected cold wallet and transferred its holdings to a wallet under their control,” Tel Aviv-based crypto cybersecurity firm Sygnia writes in a report. 

According to its forensic investigation of the modified systems and web archives meant “to identify the source and scope of the compromise,” Sygnia found that Lazarus was able to inject malicious JavaScript code into “a resource served from Safe(Wallet)'s AWS S3 bucket.”

Moreover, Sygnia found this code on all the multisig hosts used to initiate and sign the compromised transaction.

This confirms research speedily conducted by the Ethereum security community in the hours after the exploit, which found that Lazarus used an increasingly popular strategy: infecting the signing devices used to move funds and relying on “blind signatures” to trick signers into unknowingly interacting with an unfamiliar address controlled by the attackers by masking the UI, as The Block previously reported.

However, Sygnia’s research does help explain how Lazarus was able to take control of the Bybit multisig holders’ signing operation.

“The highlighted initial findings suggest the attack originated from Safe(Wallet)'s AWS infrastructure,” Sygnia reports. “Thus far, the forensics investigation did not identify any compromise of Bybit's infrastructure.”

The findings suggest that the unauthorized activity stemmed from a targeted attack on Safe(Wallet)’s cloud-based system, namely its Amazon Web Services (AWS) S3 bucket, a flexible system typically used for storing and retrieving static files (like scripts or HTML code) for web applications. The signers’ browsers then loaded the compromised JavaScript from the S3 bucket (cached locally, as found in Chrome artifacts reviewed by Sygnia), which then executed an altered transaction when Bybit went to move its funds.

In other words, as SEAL 911 co-founder pcaversaccio explains, a developer’s computer, known as a dev machine, which is used to write and manage code, was hacked.

"This allowed access to AWS and their S3 bucket. A malicious JavaScript was pushed to the bucket and eventually distributed," he told The Block. "The malicious JS code targeted specifically the Bybit contract address. The JS code changes the content of the transaction during the signing process."

For its part, Safe — a team spun out of Gnosis — confirmed that the attack “was achieved through a compromised Safe{Wallet} developer machine resulting in the proposal of a disguised malicious transaction” but did not compromise Safe’s frontend, source code or smart contracts.

That said, it’s unclear how that dev machine was breached or whether other Safe users are at risk. Lazarus could have gained the ability to modify files in Safe{Wallet}’s AWS S3 bucket either by compromising credentials — like stealing an employee’s or third party’s AWS access keys via phishing or malware — or a more sophisticated exploit.

Safe noted it has “fully rebuilt, reconfigured all infrastructure, and rotated all credentials, ensuring the attack vector is fully eliminated,” though it still urges caution when signing transactions.

Once inside, however, an attacker can upload or alter files; here that meant injecting malicious code that gave them control over a critical piece of Bybit’s signing process.

Sygnia found the code was highly targeted because it would activate “only when the transaction source matched one of two contract addresses: Bybit's contract address and an unidentified contract address, likely associated with the threat actor.” Moreover, it appears Lazarus cached the file two days before the attack.

Two minutes after the malicious transaction was executed, Lazarus uploaded new, unadulterated versions of the JavaScript resources to Safe(Wallet)'s AWS S3 bucket to cover their tracks.

For its part, Bybit has been working hard to keep the public informed as it looks to retrieve its funds. In the days following the exploit, the exchange told users they would not be impacted as it had secured a bridge loan to close a shortfall in reserves. It also launched bug bounty programs — offering 10% to anyone who can retrieve the funds and 5% to exchanges and mixers that work to freeze them. 

Some Ethereum researchers estimate the exchange has been able to recover upwards of $100 million so far, including $43 million in mETH.

"The investigation is still ongoing to further confirm the findings," Sygnia writes. 

Disclaimer: The Block is an independent media outlet that delivers news, research, and data. As of November 2023, Foresight Ventures is a majority investor of The Block. Foresight Ventures invests in other companies in the crypto space. Crypto exchange Bitget is an anchor LP for Foresight Ventures. The Block continues to operate independently to deliver objective, impactful, and timely information about the crypto industry. Here are our current financial disclosures.

© 2025 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

Disclaimer: This article represents only the author's personal views and does not represent the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes on rights, please send the relevant proof of rights and proof of identity by e-mail to support@aicoin.com, and the platform's staff will investigate.
