Bybit Hack Linked to Compromised SafeWallet Credentials: $1.4 Billion Stolen

Bybit Breach Traced to SafeWallet Credential Compromise

A forensic investigation into the $1.4 billion Bybit hack has revealed that the attack originated from compromised SafeWallet developer credentials. This security breach enabled North Korea’s notorious Lazarus Group to gain unauthorized access and execute a malicious transaction, leading to one of the largest crypto heists in history.

How the Bybit Hack Happened

Bybit confirmed reports from cybersecurity firms Sygnia and Verichains, which identified the primary attack vector as a malicious JavaScript code injection into SafeWallet’s Amazon Web Services (AWS) infrastructure. This breach facilitated the theft of digital assets, including liquid-staked Ether (stETH) and Mantle Staked ETH (mETH).

Following the breach, SafeWallet took immediate action by rebuilding its infrastructure, rotating developer credentials, and implementing enhanced security measures to prevent future attacks. Bybit reassured users that its core infrastructure remained intact, preventing further damage.

Bybit’s Response and Recovery Efforts

To restore user funds and maintain liquidity, Bybit secured reserves through asset purchases, large deposits from whales, and a loan of 40,000 ETH from Bitget, which has since been fully repaid. Despite the breach, Bybit has continued processing withdrawals normally, ensuring platform stability.

Lazarus Group Moves Stolen Funds

Blockchain analytics indicate that the hacker responsible for the $1.4 billion Bybit exploit has moved over 135,000 ETH—valued at $335 million—through various laundering operations. In the past 24 hours alone, 45,900 ETH worth $113 million was transferred. Analysts predict that at this rate, the remaining 363,900 ETH (approximately $900 million) could be laundered within a week.

Ongoing Investigation and Industry Impact

Blockchain security experts, including Arkham Intelligence, have linked the Lazarus Group to the Bybit hack. This attack, which took place on February 21, surpassed previous record-breaking crypto breaches such as the Ronin Network attack in 2022 and the Poly Network exploit in 2021.

Bybit CEO Ben Zhou has declared a “war” on the Lazarus Group, offering bounties for intercepted funds. Blockchain analytics firm Elliptic has flagged over 11,000 wallet addresses connected to the hack, with more expected to be identified as investigations progress.

With over half of the $2.3 billion lost in crypto-related hacks in 2024 attributed to this single incident, the Bybit breach underscores the urgent need for heightened security in the cryptocurrency industry. The attack remains a major challenge for exchanges, highlighting the growing sophistication of cybercriminals targeting the digital asset sector.

Key Takeaways

• The $1.4 billion Bybit hack stemmed from compromised SafeWallet developer credentials.
• North Korea’s Lazarus Group executed the attack, injecting malicious JavaScript into AWS infrastructure.
• Bybit secured liquidity through asset purchases, whale deposits, and loans, ensuring smooth withdrawals.
• The hacker has moved 135,000 ETH ($335 million) so far, with laundering efforts ongoing.
• Over 11,000 wallet addresses linked to the hack have been flagged, with more expected to surface.
• The attack highlights the urgent need for enhanced cybersecurity measures in the crypto industry.

As the investigation unfolds, the industry remains on high alert for further developments related to one of the largest crypto security breaches to date