
Israeli cyber firm Sygnia cracks Bybit hack, revealing flaw behind $1.5B theft

Forensic investigation finds hackers exploited Safe(Wallet)’s cloud system to manipulate transactions. 

Bybit CEO Ben Zhou shared an update on X on Wednesday, detailing new findings from an investigation led by Israeli cybersecurity firm Sygnia into the recent $1.5 billion hack.
According to Sygnia’s forensic analysis, the attack did not stem from a breach of Bybit’s own infrastructure. Instead, hackers believed to belong to North Korea’s Lazarus Group exploited a vulnerability in Safe(Wallet), a crypto infrastructure provider used by Bybit. Investigators found that attackers infiltrated a Safe developer’s machine, injecting malicious JavaScript into the system. This code manipulated transaction details during the signing process, allowing funds to be redirected without detection.
The breach occurred when Bybit’s multi-signature signers attempted to move funds. Hackers intercepted the process, exploiting Safe(Wallet)’s cloud-based storage on Amazon Web Services (AWS). Once the malicious transaction was executed, the attackers quickly erased traces of their code to cover their tracks.
In response, Safe has reconfigured its infrastructure and rotated all credentials, though concerns remain about whether other users are at risk. Bybit has secured emergency funds to cover losses and launched a bounty program to recover stolen assets. So far, the exchange has reclaimed an estimated $100 million, while the investigation continues.