The investigation into the attack on Bybit revealed that the cryptocurrency exchange itself was not compromised. The incident was caused by malicious code inserted into the Safe (Wallet) infrastructure, which affected Bybit's Ethereum multisig cold wallet. The attack exploited a weakness on the Safe side and was triggered during a transaction on February 21, 2025.
The technical report found that a benign Safe JavaScript file had been replaced with malicious code on February 19. Forensic analysis also suggests that Safe.Global's AWS S3 or CloudFront account credentials may have been compromised. The investigation is still in progress to confirm these findings and assess the full extent of the incident.
BYBIT NOT COMPROMISED: PROBLEM WAS CAUSED BY SAFE COMPROMISE
Forensic analysis confirmed that Bybit's infrastructure remained secure throughout the incident. The attack was carried out by modifying a JavaScript file on the app.safe.global site, which became the targeted attack vector. The code was altered on February 19, 2025, so that it would activate on the next transaction from the affected wallet, which occurred two days later.
Experts also noted that the Wayback Machine's cached history helped validate the existence of the malicious code. Google Search's integration with the Wayback Machine, introduced in September 2024, was essential for confirming the authenticity of the compromised file.
Researchers analyze possible credential leak at Safe
The investigation strongly suggests that Safe.Global API (Application Programming Interface) credentials were leaked or otherwise compromised, allowing the attackers to modify the JavaScript file. This means the attackers may have had unauthorized access to services hosted by Safe.Global, making it possible to tamper with critical files without the administrators' knowledge.
Bybit, for its part, has reaffirmed its commitment to protecting customer funds. The exchange stated that there was no impact on its security infrastructure and that it continues to monitor for suspicious activity. Security teams are still collaborating to understand the full scope of the incident and prevent further attacks.
Conclusion: Investigation continues
Despite the initial findings, researchers are still seeking definitive confirmation of how the compromise of Safe's infrastructure occurred. Experts recommend that users and companies review their digital security practices to mitigate similar risks.
The case underscores the importance of continuous audits of cybersecurity systems and of mechanisms that detect unauthorized changes to critical code. The investigation is still ongoing to identify those responsible and to prevent future attacks on the crypto ecosystem.