Safe recently released a preliminary report on March 6 detailing the Bybit hack, attributing it to a compromised developer laptop. This breach allowed hackers to inject malware, circumvent multi-factor authentication (MFA), and modify Bybit’s Safe multi-signature wallet interface. As a result, the exchange sent approximately $1.5 billion worth of Ethereum (ETH) to a fraudulent address, making it the largest hack in history.
The breach stemmed from a compromised macOS workstation belonging to a Safe developer, referred to as “Developer1.” On February 4, a contaminated Docker project, possibly introduced through social engineering, communicated with a malicious domain, “getstockprice[.]com,” which led to the compromise of Developer1’s laptop. The domain was later identified as a known indicator of compromise (IOC) associated with the Democratic People’s Republic of Korea (DPRK).
The attackers accessed Developer1’s AWS account using a User-Agent string reading “distrib#kali.2024,” one commonly used by offensive security practitioners. The report also revealed that the attackers used ExpressVPN to conceal their identities, and that the activity resembled previous incidents involving UNC4899, a threat actor linked to TraderTraitor, a criminal group allegedly tied to DPRK.
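The two indicators named in the report, the “getstockprice[.]com” domain and the “distrib#kali.2024” User-Agent string, are the kind of thing a defender would sweep their own telemetry for. The script below is an added illustration, not code from Safe or from the report: it checks CloudTrail-style records for the User-Agent and DNS query logs for the domain or any of its subdomains. The CloudTrail field names (`userAgent`, `userIdentity.userName`, `eventName`, `sourceIPAddress`) are the real ones; the DNS line format and every sample record are constructed for the example.

```python
import re

# Indicators quoted in the Safe preliminary report, written defanged as the report does.
IOC_DOMAIN_DEFANGED = "getstockprice[.]com"
IOC_USER_AGENT = "distrib#kali.2024"


def refang(indicator: str) -> str:
    """Turn a defanged domain ("example[.]com") back into a matchable lowercase one."""
    return indicator.replace("[.]", ".").lower()


def domain_matches(name: str, ioc_domain: str) -> bool:
    """True when the queried name is the IoC domain itself or one of its subdomains."""
    name = name.lower().rstrip(".")
    return name == ioc_domain or name.endswith("." + ioc_domain)


def cloudtrail_hits(records, user_agent: str = IOC_USER_AGENT):
    """Return a summary of CloudTrail records whose userAgent contains the IoC string.

    A case-insensitive substring test is used so the indicator is still found
    if it is embedded in a longer User-Agent value.
    """
    needle = user_agent.lower()
    hits = []
    for rec in records:
        if needle in str(rec.get("userAgent", "")).lower():
            hits.append({
                "eventTime": rec.get("eventTime"),
                "user": rec.get("userIdentity", {}).get("userName"),
                "eventName": rec.get("eventName"),
                "sourceIPAddress": rec.get("sourceIPAddress"),
            })
    return hits


# Assumed, constructed DNS log line format: "<timestamp> <hostname> query <type> <name>"
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+query\s+\S+\s+(?P<name>\S+)\s*$")


def dns_hits(log_text: str, ioc_domain_defanged: str = IOC_DOMAIN_DEFANGED):
    """Return (timestamp, host, queried name) for lines that resolve the IoC domain
    or any subdomain of it. Lines that do not parse are skipped."""
    ioc = refang(ioc_domain_defanged)
    hits = []
    for line in log_text.splitlines():
        m = DNS_LINE.match(line)
        if m and domain_matches(m.group("name"), ioc):
            hits.append((m.group("ts"), m.group("host"), m.group("name")))
    return hits


# Constructed sample data for the example; none of it is from the incident.
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2025-02-05T10:12:03Z", "eventName": "GetCallerIdentity",
     "userIdentity": {"userName": "developer1"},
     "userAgent": "aws-cli/2.15.0 Python/3.11.6", "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2025-02-05T11:40:55Z", "eventName": "ListBuckets",
     "userIdentity": {"userName": "developer1"},
     "userAgent": "distrib#kali.2024", "sourceIPAddress": "198.51.100.7"},
]

SAMPLE_DNS_LOG = """\
2025-02-04T09:01:12Z dev-mac-01 query A getstockprice.com
2025-02-04T09:01:13Z dev-mac-01 query A registry-1.docker.io
2025-02-04T09:05:40Z dev-mac-01 query A cdn.getstockprice.com
2025-02-04T09:07:02Z dev-mac-01 query A notgetstockprice.com
"""


def scan(records=SAMPLE_CLOUDTRAIL, dns_text=SAMPLE_DNS_LOG):
    """Run both checks and return the findings keyed by log source."""
    return {"cloudtrail": cloudtrail_hits(records), "dns": dns_hits(dns_text)}


if __name__ == "__main__":
    for source, findings in scan().items():
        print(f"{source}: {len(findings)} hit(s)")
        for f in findings:
            print("  ", f)
```

The subdomain test deliberately rejects look-alike names such as `notgetstockprice.com`, which a naive `endswith("getstockprice.com")` would accept; the User-Agent check, by contrast, is a substring match because a client string is far more likely to be embedded in a longer value than to be spoofed as a suffix.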
Despite the breach, Safe has implemented significant security enhancements. The team has restructured its infrastructure, reinforced security measures, and ensured that its smart contracts remain unaffected. These measures include restricting privileged infrastructure access, enforcing separation between development source code and infrastructure management, and conducting multiple peer reviews before implementing production changes.
Additionally, Safe has committed to maintaining monitoring systems to detect external threats, conducting independent security audits, and utilizing third-party services to identify malicious transactions. These proactive steps aim to safeguard against future breaches and protect user funds on the platform.