{"id":21551,"date":"2025-02-26T19:09:16","date_gmt":"2025-02-26T17:09:16","guid":{"rendered":"https:\/\/forklog.com\/en\/safe-infrastructure-vulnerability-blamed-for-bybit-breach\/"},"modified":"2025-02-26T19:09:16","modified_gmt":"2025-02-26T17:09:16","slug":"safe-infrastructure-vulnerability-blamed-for-bybit-breach","status":"publish","type":"post","link":"https:\/\/u1f987.com\/en\/safe-infrastructure-vulnerability-blamed-for-bybit-breach\/","title":{"rendered":"Safe Infrastructure Vulnerability Blamed for Bybit Breach"},"content":{"rendered":"<p><a href=\"%D0%91%D0%B8%D1%80%D0%B6%D0%B0%20Bybit%20%D0%BF%D0%BE%D1%82%D0%B5%D1%80%D1%8F%D0%BB%D0%B0%20$1,46%20%D0%BC%D0%BB%D1%80%D0%B4%20%D0%B2%20%D1%80%D0%B5%D0%B7%D1%83%D0%BB%D1%8C%D1%82%D0%B0%D1%82%D0%B5%20%D0%B2%D0%B7%D0%BB%D0%BE%D0%BC%D0%B0\">The attack on Bybit<\/a> was executed through the Safe (Wallet) infrastructure, rather than the trading platform&#8217;s own systems, according to a preliminary incident report. <\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Bybit Hack Forensics Report<br \/>As promised, here are the preliminary reports of the hack conducted by <a href=\"https:\/\/twitter.com\/sygnia_labs?ref_src=twsrc%5Etfw\">@sygnia_labs<\/a> and <a href=\"https:\/\/twitter.com\/Verichains?ref_src=twsrc%5Etfw\">@Verichains<\/a> <br \/>Screenshotted the conclusion and here is the link to the full report: <a href=\"https:\/\/t.co\/3hcqkXLN5U\">https:\/\/t.co\/3hcqkXLN5U<\/a> <a href=\"https:\/\/t.co\/tlZK2B3jIW\">pic.twitter.com\/tlZK2B3jIW<\/a><\/p>\n<p>\u2014 Ben Zhou (@benbybit) <a href=\"https:\/\/twitter.com\/benbybit\/status\/1894768736084885929?ref_src=twsrc%5Etfw\">February 26, 2025<\/a><\/p><\/blockquote>\n<p>According to an investigation by analysts at Sygnia, the perpetrator injected malicious JavaScript code into Safe (Wallet) resources stored in the AWS S3 cloud. 
<\/p>\n<p>The criminals&#8217; script was activated only during transactions involving Bybit&#8217;s contract addresses and an unknown test address, indicating the targeted nature of the attack. <\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/u1f987.com\/wp-content\/uploads\/Snimok-ekrana-2025-02-26-v-18.51.38.webp\" alt=\"Snimok-ekrana-2025-02-26-v-18.51.38\" class=\"wp-image-252826\"\/><figcaption class=\"wp-element-caption\">Fragment of the malicious code. Source: Sygnia report.<\/figcaption><\/figure>\n<p>Two minutes after the asset theft, the hacker replaced the modified files with the original versions to cover their tracks. <\/p>\n<p>Cached files with changes made on February 19 were found on the devices of three participants who signed the fake transaction. The code manipulated data at the time of approval, substituting the recipient&#8217;s address. <\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/u1f987.com\/wp-content\/uploads\/Snimok-ekrana-2025-02-26-v-18.45.59.webp\" alt=\"Snimok-ekrana-2025-02-26-v-18.45.59\" class=\"wp-image-252827\"\/><figcaption class=\"wp-element-caption\">Malicious files in the Chrome browser cache of signatories. Source: Sygnia report.<\/figcaption><\/figure>\n<p>Web archives like WaybackMachine also recorded changes to the Safe (Wallet) infrastructure code. <\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/u1f987.com\/wp-content\/uploads\/Snimok-ekrana-2025-02-26-v-18.54.43.webp\" alt=\"Snimok-ekrana-2025-02-26-v-18.54.43\" class=\"wp-image-252828\"\/><figcaption class=\"wp-element-caption\">Fragment of the malicious code captured in a WaybackMachine snapshot from February 19. 
Source: Sygnia report.<\/figcaption><\/figure>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cThe forensic investigation results from the hosts of the three signatories indicate that the root cause of the attack is the malicious code originating from the Safe (Wallet) infrastructure. No signs of compromise were found in Bybit&#8217;s infrastructure. The investigation continues for final confirmation of the findings,\u201d the conclusion states. <\/p>\n<\/blockquote>\n<p>Previously, cypherpunk Adam Back cited the \u201cflawed EVM design\u201d as the reason for the <a href=\"https:\/\/u1f987.com\/en\/news\/adam-back-attributes-bybit-hack-to-evm-flaws\">incident<\/a>.<\/p>\n<p>By February 26, hackers had <a href=\"https:\/\/u1f987.com\/en\/news\/bybit-hackers-launder-113-million-in-a-day\">laundered<\/a> 135,000 ETH (~$335 million). Responsibility for the attack was <a href=\"https:\/\/u1f987.com\/en\/news\/bybit-blocks-meme-token-linked-to-lazarus-group\">attributed<\/a> to the North Korean group Lazarus. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>The attack on Bybit was executed through the Safe (Wallet) infrastructure, rather than the trading platform&#8217;s own systems, according to a preliminary incident report. 
Bybit Hack Forensics ReportAs promised, here are the preliminary reports of the hack conducted by @sygnia_labs and @Verichains Screenshotted the conclusion and here is the link to the full report: https:\/\/t.co\/3hcqkXLN5U [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":21550,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1151,44,1323],"class_list":["post-21551","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-bybit","tag-cybercrime","tag-investigations"],"aioseo_notices":[],"amp_enabled":true,"views":"40","promo_type":"","layout_type":"","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/21551","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/comments?post=21551"}],"version-history":[{"count":0,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/21551\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media\/21550"}],"wp:attachment":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media?parent=21551"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/categories?post=21551"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/tags?post=21551"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}