Bybit security investigation reveals the truth: SAFE front-end cloud service was attacked, how to ensure the safety of hundreds of billions of assets carried by multi-signature wallets

By: PANews
2025/02/27 15:22

Author: Frank, PANews

On February 21, 2025, the cryptocurrency exchange Bybit suffered a massive hack in which assets worth $1.46 billion were stolen by the North Korean hacker group Lazarus. Beyond recovering the assets, it is even more important to identify the attack path so that new attacks can be avoided. On February 27, Bybit released a forensics report on the hack, and the investigation pointed directly to a vulnerability in Safe's infrastructure as the cause of the theft. Safe, however, seems unwilling to accept this accusation. In its statement it admitted that the developer was hacked, but attributed the incident mainly to the sophisticated methods of the North Korean hackers and to Bybit's operational errors. A "Rashomon" over who bears more responsibility has played out, and it has triggered a broad industry debate on infrastructure trust, security paradigms and human nature.

The attack originated in an attack on the Safe{Wallet} front-end cloud service

According to two investigation reports released by Bybit (Bybit Incident Preliminary Report and Bybit Interim Investigation Report), further analysis of Safe{Wallet} resources found two JavaScript resource snapshots taken on February 19, 2025. Review of these snapshots showed that the first snapshot contained the original, legitimate Safe{Wallet} code, while the second snapshot contained resources with malicious JavaScript code. This suggests that the malicious code that created the malicious transaction originated directly from Safe{Wallet}'s AWS infrastructure.


The report's conclusion reads: Based on our findings on Bybit's signer machines and the cached malicious JavaScript payloads found in the Wayback Archive, we strongly conclude that Safe.Global's AWS S3 or CloudFront account/API keys may have been compromised.

In short, the attack began when hackers compromised the Safe{Wallet} developer's device, tampered with the front-end JavaScript file in the AWS S3 bucket, and implanted malicious code aimed specifically at the Bybit cold wallet address. Safe had previously released a brief investigation report stating that no code vulnerabilities or malicious dependencies (i.e., supply chain attacks) had been found. Safe then conducted a comprehensive review and suspended the Safe{Wallet} function. The results of Bybit's investigation seem to overturn Safe's earlier findings.

Safe's evasive statement raises more questions

Bybit has not yet stated what responsibility Safe should bear in this incident, but after the report was released, people on social media began to discuss Safe's security vulnerability and some believed that Safe should be held responsible and make compensation.

Safe clearly does not accept this report. In its official statement, Safe divides responsibility into three levels. On the technical level, it stresses that the smart contract was not attacked and that the product is secure. On the operations level, it admits that the developer's device was hacked, which leaked the AWS key, but attributes this to a nation-state attack by the North Korean hacker organization. On the user level, it advises users to "be vigilant when signing transactions", implying that Bybit did not fully verify the transaction data.

However, this response seems evasive. According to the process laid out in the report, Safe was negligent in the following ways:

1. Loss of control over permissions: Attackers gained AWS permissions by hacking into developers’ devices, exposing that the Safe team did not implement the principle of least privilege. For example, a developer could directly modify the production environment code without a code change monitoring mechanism.

2. Front-end security failure: basic protection measures such as SRI (subresource integrity verification) were not enabled.

3. Supply chain dependency risk: The attack path (developer device → AWS → front-end code) proves that Safe is overly dependent on centralized cloud services, which conflicts with the decentralized security concept of blockchain.
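The two controls named in items 1 and 2, change monitoring of production front-end code and SRI, can be sketched as follows. This is an added example, not code from the article, from Bybit's reports or from Safe; the file names, bodies and HTML are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import re


def sri_digest(content: bytes, alg: str = "sha384") -> str:
    """Return the SRI integrity value ('sha384-<base64>') for a resource body."""
    digest = hashlib.new(alg, content).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"


def build_manifest(assets: dict) -> dict:
    """Release step: pin each built asset to its digest; keep this outside the bucket."""
    return {path: sri_digest(body) for path, body in assets.items()}


def audit_served(manifest: dict, served: dict) -> list:
    """Compare what the bucket/CDN serves with the pinned release manifest."""
    findings = []
    for path, expected in manifest.items():
        body = served.get(path)
        if body is None:
            findings.append((path, "missing"))
        elif sri_digest(body) != expected:
            findings.append((path, "modified"))
    findings += [(path, "unexpected") for path in served.keys() - manifest.keys()]
    return sorted(findings)


def script_tags_without_sri(html: str) -> list:
    """Return external <script src=...> tags that carry no integrity attribute."""
    tags = re.findall(r"<script\b[^>]*\bsrc=[^>]*>", html, flags=re.I)
    return [t for t in tags if not re.search(r"\bintegrity=", t, flags=re.I)]


# Constructed sample data: placeholder names and bodies, not real Safe{Wallet} assets.
RELEASE = {"_app.js": b"console.log('build 1');\n", "vendor.js": b"/* vendor */\n"}
SERVED = {
    "_app.js": b"console.log('build 1'); /* changed after release */\n",
    "vendor.js": b"/* vendor */\n",
    "extra.js": b"/* never part of the release */\n",
}
INDEX_HTML = (
    '<script src="/_app.js"></script>'
    '<script src="/vendor.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>'
)

if __name__ == "__main__":
    for path, status in audit_served(build_manifest(RELEASE), SERVED):
        print(f"ALERT {status}: {path}")
    for tag in script_tags_without_sri(INDEX_HTML):
        print(f"NO SRI: {tag}")
```

SRI only helps when the HTML that carries the integrity attribute is itself out of the attacker's reach; the manifest audit, run from a system that holds no write access to the bucket, covers the case where everything in the bucket can be rewritten.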

In addition, the industry has raised many questions about Safe's statement. Binance founder CZ raised five technical questions in a row (such as exactly how the developer's device was hacked and why control over permissions was lost), pointing directly at the lack of transparency in Safe's statement. Safe did not disclose the details of the attack chain, which leaves the industry unable to put targeted defenses in place.

Tokens rose strangely, and daily activity dropped by nearly 70%

Another major point of contention in the community is whether Safe should compensate Bybit for the losses in this incident. Some users believe that the attack was caused by a vulnerability in Safe's infrastructure, and that Safe should be responsible for compensation. Some even propose that Gnosis, the predecessor of Safe, bear joint and several liability for compensation. Safe was originally developed by the Gnosis team in 2017 as a multi-signature protocol called Gnosis Safe, and was spun off from the Gnosis ecosystem in 2022 to operate independently. Gnosis completed an ICO financing of 250,000 ETH in 2017 and currently has 150,000 ETH in its treasury, which makes it an ETH whale.

However, some people believe that the main responsibility for this incident lies with Bybit itself. On the one hand, an exchange that manages cold wallets holding more than one billion in assets needs to invest in research and development and build its own security infrastructure. On the other hand, Bybit appears to use the free Safe service and does not pay a subscription fee, so from this perspective Safe has no obligation to bear responsibility.

After publishing the investigation report, Bybit did not ask Safe for financial compensation.

While the industry is still arguing about who should be held responsible, the capital market is playing out an absurd drama. Safe's official token seems to have received special attention because of this incident. On February 27, the SAFE token rose against the trend from $0.44 to $0.69, with a maximum increase of about 58% in 10 hours. However, from an investment logic perspective, the incident has mainly had a negative impact on Safe's brand, and the rise may only be due to short-term market sentiment.

Data on February 27 showed that Safe's total managed assets exceeded US$100 billion, and its silence on the details of the vulnerability is shaking its credibility as industry infrastructure.


From the daily active user data, it can be clearly seen that Safe suffered a considerable impact after this incident. Compared with the 1,200 daily active addresses on February 12, the data dropped to 379 daily active addresses on February 27, a decrease of nearly 70%.

In addition, after the centralization risk of the front-end was exposed, the community once again paid attention to the security mechanism of the front-end. Dominic Williams, founder of ICP, said that the North Korean hacker group recently successfully stole $1.5 billion in funds from Bybit, mainly by exploiting the web-side vulnerability of Safe{Wallet}, which is hosted on the cloud rather than on smart contracts. Williams criticized some Web3 projects for running only on a "fake onchain", which leads to security risks, and suggested using ICP (Internet Computer) for on-chain computing, data storage, and user experience verification to improve security. He proposed that Safe{Wallet} be migrated to ICP and adopt encrypted authentication mechanisms and multi-party consensus governance (such as SNS DAO) to enhance security.

Looking back at the entire incident, it seems to be an isolated incident carefully planned by North Korean hackers, but it still exposes the security loopholes in the permission design and supply chain of Safe's current multi-signature wallet. From the perspective of brand development, the practice of rushing to distance oneself from the issue in order to deliberately maintain the safety myth is counterproductive and has instead triggered more doubts from the public. Perhaps, Safe's timely admission of mistakes and the introduction of corresponding measures can better reflect the attitude of a giant in the field of cryptographic security. At the same time, publishing the details of the vulnerability as soon as possible can also further help the industry strengthen self-inspection and prevention of similar vulnerabilities.
