We Now Know How Bybit Was Hacked for $1.4 Billion in Ethereum

Multiple independent audits have now pointed the finger at the cause of last week’s historic $1.4 billion Bybit hack—billed as the largest crypto hack of all time based on the value of the assets—and it wasn’t the crypto exchange at fault.

Rather, analysts at Verichains and Sygnia Labs, two top cybersecurity firms, have determined that North Korean hackers managed to pull off the biggest hack in history by planting malicious code into the infrastructure of Safe—a crypto wallet provider used by Bybit, and one that has long marketed itself as impenetrable.

According to reports from both security firms, North Korean hackers injected malicious JavaScript code directly into Safe’s online infrastructure, which was hosted on Amazon Web Services. It is as of yet unclear how the hackers managed to infiltrate Safe’s code.

Perhaps to avoid detection, the code was also specially tailored: it was designed to only activate once it interacted with Bybit’s contract address. Once Bybit did indeed interact with Safe, two days later, the code worked its magic—and $1.4 billion worth of Ethereum and related tokens were drained from the crypto exchange. 

Just two minutes after the hack, North Korean hackers then updated Safe’s infrastructure to remove the malicious lines of code—and disappeared without a trace. 

In a statement shared with Decrypt, Bybit emphasized that initial forensics reports show the exchange’s infrastructure “was not compromised” by North Korean hackers. 

“Bybit is and remains 100% secure,” the company said.

The statement added that Bybit moved “the majority of funds” out of its Safe-administered wallets in the hours following Friday’s attack. The company declined to comment, though, when asked by Decrypt whether it intends to permanently sever ties with the wallet provider. 

As for Safe itself—it’s been a rough day for public relations so far. In a statement posted to X on Wednesday, the company acknowledged Verichains’ and Sygnia’s findings, saying the hack did stem from a “compromised Safe Wallet developer machine.” 

The company claimed, though, that the reports did not indicate any vulnerabilities in Safe’s smart contracts or front-end source code. Safe added that it has fully rebuilt and reconfigured its infrastructure and changed all its credentials, “ensuring the attack vector is fully eliminated.”

Safe did not immediately respond to Decrypt’s request for comment for this story. 

On Crypto Twitter, industry players reeled at the news and its potential implications for the numerous crypto users and projects that depend on Safe. 

“If it’s Safe, then we’re in a very bad spot,” Aurora co-founder Alex Shevcheko wrote in a now-deleted tweet.

“This… is scary,” pseudonymous crypto gaming founder Loopify added.

MetaMask’s Taylor Monahan, an on-chain sleuth and noted expert on North Korean crypto hacks, advised caution with regards to playing the blame game.

“I think it’s been presumptuous for us to assume it was Bybit the first five days,” she told Decrypt. “I think it’s presumptuous to flip 180 degrees and say it’s Safe’s fault on day six.”

Regardless of who, exactly, is to blame for the exploit, the Bybit hack only confirmed Monahan’s fear—which she has been vocal about, for years—that the crypto industry has not taken the threat of bad actors like North Korea nearly seriously enough.

“I have been screaming about this forever,” Monahan said. “It’s time to get really fucking serious about security. Bad guys will do insane things to get inside you because the reward for doing so is millions—billions!—of dollars.”

Edited by Andrew Hayward