Bybit was not hacked: Investigation points to fault in Safe

Phantom

The investigation into the alleged attack on Bybit revealed that the cryptocurrency exchange was not compromised. The incident was caused by malicious code inserted into the Safe (Wallet) infrastructure, which affected Bybit's Ethereum multisig cold wallet. The attack exploited a vulnerability in Safe and was triggered during a transaction on February 21, 2025.

The technical report found that a benign JavaScript file belonging to Safe was replaced with malicious code on February 19. Forensic analysis also suggests that AWS S3 or CloudFront account credentials belonging to Safe.Global may have been compromised. The investigation is still in progress to confirm the findings and assess the extent of the incident.

Bybit: problem was caused by Safe compromise

Forensic analysis confirmed that Bybit's infrastructure remained secure throughout the incident. The attack was caused by a change to a JavaScript file on the app.safe.global site, which became a targeted attack vector. The code was modified on February 19, 2025, with the aim of being activated by the next transaction from the affected wallet, which occurred two days later.

Experts also pointed out that Wayback Archive's cache history helped validate the existence of the malicious code. Google Search's integration with the Wayback Machine, implemented in September 2024, was essential to confirming the authenticity of the compromised file.

Researchers analyze possible leak at Safe

The investigation strongly suggests that Safe.Global API (Application Programming Interface) credentials were leaked or compromised, allowing hackers to change the JavaScript file. This means that the attackers may have had unauthorized access to services hosted by Safe.Global, making it possible to manipulate critical files without the administrators' knowledge.

Bybit, in turn, has reinforced its commitment to protecting customer funds. The exchange assured that there was no impact on its security infrastructure and continues to monitor for any suspicious activity. Security teams continue to collaborate to understand the full extent of the incident and to prevent further attacks.

Conclusion: Investigation continues

Despite the initial findings, researchers are still seeking definitive confirmation of how the compromise of Safe's infrastructure occurred. Experts recommend that users and companies review their digital security practices to mitigate similar risks.

The case emphasizes the importance of constant audits of cybersecurity systems and of adopting mechanisms to detect improper changes to critical code. The investigation is still ongoing to identify those responsible and to prevent future attacks on the crypto ecosystem.
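One way to detect the kind of change described above, a released JavaScript file being replaced at the hosting layer, is to pin a digest of every asset at build time and compare it with what the site actually serves. The sketch below is an added example, not code from Safe, Bybit, or the investigation; the file paths, contents, and function names are constructed for illustration.

```python
import base64
import hashlib


def sri_digest(data):
    """Return a Subresource Integrity style digest: 'sha384-' + base64(SHA-384)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode()


def audit_assets(pinned, served):
    """Compare served assets against digests pinned by the release pipeline.

    pinned: path -> digest recorded at build time
    served: path -> bytes fetched from the live origin or CDN
    Returns path -> "ok" | "modified" | "missing" | "unpinned".
    """
    report = {}
    for path, expected in pinned.items():
        if path not in served:
            report[path] = "missing"
        elif sri_digest(served[path]) == expected:
            report[path] = "ok"
        else:
            report[path] = "modified"
    # A script that is served but was never released is also a finding.
    for path in served.keys() - pinned.keys():
        report[path] = "unpinned"
    return report


# Constructed sample data (hypothetical paths and contents).
RELEASED = {
    "/static/js/app.js": b"function render(tx) { return view(tx); }",
    "/static/js/vendor.js": b"export const version = '1.0.0';",
}
PINNED = {path: sri_digest(body) for path, body in RELEASED.items()}

# Simulated later fetch: one file replaced in storage, one extra file added.
SERVED = dict(RELEASED)
SERVED["/static/js/app.js"] = b"function render(tx) { return view(alter(tx)); }"
SERVED["/static/js/extra.js"] = b"/* not part of any release */"

if __name__ == "__main__":
    for path, status in sorted(audit_assets(PINNED, SERVED).items()):
        print(f"{status:9} {path}")
```

The pinned manifest has to be stored and checked outside the hosting account it protects; otherwise the same credentials that can replace a file can also replace its digest.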
