Bybit's $1.4B Ethereum Heist: Lazarus Strikes, Safe's Response
Bybit, a Dubai-based cryptocurrency exchange, recently fell victim to a significant security breach, resulting in the theft of over 400,000 Ethereum (ETH), valued at approximately $1.4 billion. The incident, which occurred on February 21, targeted Bybit's Ethereum cold wallet, raising concerns about the exchange's security measures.
An independent audit conducted by Sygnia Labs and Verichain revealed that the North Korean hacker group Lazarus was behind the attack. The forensic analysis found that Bybit's security integrity remained intact, despite the successful infiltration of its Ethereum cold wallet. The root cause of the breach was traced back to a compromised Safe developer machine, which Lazarus used to hot-swap the Gnosis Safe UI with malicious JavaScript code targeting Bybit's cold wallet.
Bybit acknowledged the findings of the audit and confirmed that the attack vector was successfully eliminated following a thorough investigation and infrastructure rebuild by the Safe team. The exchange's security remained intact throughout the incident, and no vulnerabilities were found in the Safe smart contracts or source code.
The Safe team, in response to the incident, conducted a comprehensive investigation and restored the Safe wallet on the Ethereum mainnet with a phased rollout. The team fully rebuilt and reconfigured all infrastructure, ensuring the elimination of the attack vector. Martin Koeppelmann, co-founder of Gnosis, the team behind Safe, thanked Bybit CEO Ben Zhou for his leadership during the crisis and emphasized the need for additional security layers and reducing reliance on web2 technology to prevent similar incidents in the future.
